fix(auth): derive SSO display name from email local-part #23
Merged
UsamaSadiq merged 3 commits into Jun 2, 2026
Conversation
oauth2-proxy was putting the Cognito sub UUID into x-auth-request-user instead of a human-readable username, so newly-provisioned SSO users landed with a UUID as their User.name. Drop the header read in the ForwardAuth middleware and use the email local-part instead — the same value both apps already fell back to when the header was absent; we're promoting that fallback to the only source. Existing users with UUID names are not auto-corrected: the middleware does not re-sync the name field on subsequent logins. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pull request overview
This PR adjusts ForwardAuth/SSO user provisioning so a newly created SSO user’s User.name is always derived from the email local-part, avoiding cases where oauth2-proxy forwards a UUID into the previous X-Auth-Request-User header.
Changes:
- Remove `X-Auth-Request-User` as an input to SSO display-name derivation; use email local-part only.
- Consolidate SSO provisioning tests to reflect the single name-derivation path.
- Update `AUTH_TYPE` environment variable JSDoc to remove the stale header mention and document the new behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| server/middlewares/authentication.ts | Stop reading x-auth-request-user and set provisioned User.name from the email local-part. |
| server/middlewares/authentication.test.ts | Remove the now-obsolete test branch that depended on x-auth-request-user. |
| server/env.ts | Update AUTH_TYPE documentation to match current SSO header usage and naming behavior. |
A malformed X-Auth-Request-Email with no local part (e.g. "@example.com") normalises to "@<DEFAULT_EMAIL_DOMAIN>", yielding an empty localPart. Since User.name enforces a min length of 1, provisioning failed with an opaque validation error. Source localPart from parseEmail and reject empty local parts up front with an AuthenticationError for a deterministic failure mode. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
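The derivation path this commit and the PR summary describe, as an added TypeScript example that is not the project's own middleware code: `normaliseEmail`, `parseEmail`, `AuthenticationError`, `DEFAULT_EMAIL_DOMAIN` and `provisionSsoUser` are hypothetical stand-ins modelled on the names mentioned above, the default domain is a constructed value, and the normalisation rule (pin whatever precedes "@" to the default domain) is an assumption taken from the "@example.com" case in the commit message.

```typescript
// Added example, not the project's code. All helper names here are
// hypothetical stand-ins modelled on the names this PR mentions.
class AuthenticationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "AuthenticationError";
  }
}
const DEFAULT_EMAIL_DOMAIN = "example.com"; // constructed sample value

// Assumed normalisation: keep whatever precedes the first "@" (or the whole
// value if there is none) and pin it to the default domain, so a malformed
// "@foo.com" becomes "@example.com" as the commit message describes.
function normaliseEmail(raw: string): string {
  const at = raw.indexOf("@");
  const local = (at < 0 ? raw : raw.slice(0, at)).trim().toLowerCase();
  return `${local}@${DEFAULT_EMAIL_DOMAIN}`;
}

function parseEmail(email: string): { localPart: string; domain: string } {
  const at = email.lastIndexOf("@");
  if (at < 0) return { localPart: email, domain: "" };
  return { localPart: email.slice(0, at), domain: email.slice(at + 1) };
}

// Single derivation path: x-auth-request-user is never consulted. An empty
// local part is rejected here with a deterministic AuthenticationError
// instead of surfacing later as a User.name min-length validation error.
function deriveSsoDisplayName(headerEmail: string | undefined): string {
  if (!headerEmail?.trim()) {
    throw new AuthenticationError("X-Auth-Request-Email header is missing");
  }
  const { localPart } = parseEmail(normaliseEmail(headerEmail));
  if (localPart.length === 0) {
    throw new AuthenticationError("X-Auth-Request-Email has an empty local part");
  }
  return localPart;
}

interface SsoUser { email: string; name: string }

// name is set only on first provisioning; an existing row keeps the name it
// already has (e.g. a UUID from before the fix), matching the PR's caveat.
function provisionSsoUser(users: Map<string, SsoUser>, headerEmail?: string): SsoUser {
  const name = deriveSsoDisplayName(headerEmail); // throws before any lookup
  const email = normaliseEmail(headerEmail as string);
  const existing = users.get(email);
  if (existing) return existing;
  const created: SsoUser = { email, name };
  users.set(email, created);
  return created;
}
```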
UsamaSadiq approved these changes Jun 2, 2026
Summary
- Drop the `x-auth-request-user` header read in the ForwardAuth middleware — oauth2-proxy was putting the Cognito `sub` UUID into that header, so newly-provisioned SSO users landed with a UUID (e.g. `892ae5ac-0021-…`) as their `User.name`.
- `authentication.test.ts` into one — after the fix, the `x-auth-request-user`-absent branch is the only branch. Also update the `AUTH_TYPE` JSDoc in `env.ts` to drop the stale mention of `X-Auth-Request-User`.
- Existing users with UUID `name` values are not auto-corrected — the middleware does not re-sync the field on subsequent logins. A backfill is out of scope here.
Test plan
- `yarn test server/middlewares/authentication.test.ts` passes
- `yarn tsc --noEmit` passes
- `cognito:username` is the bare `sub` UUID lands at https://foss-wiki.local.moneta.dev with `User.name` = email local-part, not the UUID
- `SELECT email, name FROM users ORDER BY "createdAt" DESC LIMIT 5;` reflects the new behavior
🤖 Generated with Claude Code