fix(auth): derive SSO display name from email local-part #23
Merged
UsamaSadiq merged 3 commits on Jun 4, 2026
Conversation
oauth2-proxy was putting the Cognito sub UUID into x-auth-request-user instead of a human-readable username, so newly-provisioned SSO users landed with a UUID as their profile fullname. Drop the header read in the ForwardAuth middleware and use the email local-part instead — the same value both apps already fell back to when the header was absent; we're promoting that fallback to the only source. Existing profiles with UUID fullnames are not auto-corrected: the middleware does not re-sync :fullname on subsequent logins.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pull request overview
This PR adjusts the ForwardAuth (x-auth-request-*) authentication middleware so that newly auto-provisioned SSO users always get a stable, human-readable profile.fullname derived from the email local-part (instead of sometimes inheriting an upstream UUID via x-auth-request-user). It also updates the corresponding middleware tests to reflect the new behavior.
Changes:
- Stop reading `x-auth-request-user` for display-name derivation; always use the email local-part when auto-registering.
- Update the auto-register tests to no longer set `x-auth-request-user`, and assert `:fullname` is the email local-part.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| backend/src/app/http/auth_request.clj | Removes dependence on x-auth-request-user and uses email local-part for auto-registered profile display names. |
| backend/test/backend_tests/http_middleware_test.clj | Updates auto-register middleware tests to match the new display-name derivation behavior. |
…name Address review on #23:

- Middleware: pass nil instead of a pre-split local-part into get-or-register-profile, so that function is the only place deriving the display name (from the resolved email). Removes the duplicate split and the drift risk between the two derivation paths.
- Test: re-add x-auth-request-user to the auto-register request with a Cognito-sub-style UUID and keep asserting :fullname is the email local-part. This is the actual regression guard for the reported bug; the prior test dropped the header entirely, so it no longer proved the middleware ignores it.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
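As an added example (not the project's own code; namespace, store, handler and the request below are all constructed for illustration), here is a minimal Ring-style sketch of the design the two commit messages above converge on: the middleware reads only `x-auth-request-email`, passes nil for the display name, and `get-or-register-profile` is the single place that derives `:fullname` from the email local-part. The inline test is the regression guard the second commit describes: the request carries a Cognito-sub-style UUID in `x-auth-request-user`, and the profile must still get the local-part.

```clojure
(ns example.forward-auth
  (:require [clojure.string :as str]
            [clojure.test :refer [deftest is]]))

(defn email-local-part
  "Return the text before the first '@' in EMAIL, or nil when EMAIL is not a
  string with a non-empty local-part. This is the only value that feeds :fullname."
  [email]
  (when (string? email)
    (when-let [at (str/index-of email "@")]
      (let [local (subs email 0 at)]
        (when-not (str/blank? local) local)))))

(defn get-or-register-profile
  "Find the profile for EMAIL in STORE (an atom holding lower-cased email ->
  profile; constructed stand-in for the database) or register a new one.
  DISPLAY-NAME is kept as a parameter so callers can pass nil, which makes this
  function the single point deriving the display name from the resolved email."
  [store email display-name]
  (let [k (str/lower-case email)]
    (or (get @store k)
        (let [profile {:email    email
                       :fullname (or display-name (email-local-part email))}]
          (swap! store assoc k profile)
          profile))))

(defn wrap-forward-auth
  "Ring-style middleware. Trusts only x-auth-request-email from the reverse
  proxy; x-auth-request-user is never read, so an opaque subject id placed
  there (the reported Cognito sub UUID) cannot become a display name.
  Existing profiles are returned as stored: :fullname is not re-synced."
  [handler store]
  (fn [request]
    (let [email (get-in request [:headers "x-auth-request-email"])]
      (if (email-local-part email)
        (handler (assoc request :profile (get-or-register-profile store email nil)))
        {:status 401 :body "missing or malformed x-auth-request-email"}))))

(deftest auto-register-ignores-user-header
  (let [store   (atom {})
        app     (wrap-forward-auth (fn [req] {:status 200 :body (:profile req)}) store)
        ;; Constructed request: the user header carries a sub-style UUID, not a name.
        request {:headers {"x-auth-request-email" "alice.smith@example.test"
                           "x-auth-request-user"  "00000000-0000-4000-8000-000000000000"}}
        resp    (app request)]
    (is (= 200 (:status resp)))
    (is (= "alice.smith" (get-in resp [:body :fullname])))
    ;; A second login resolves the stored profile rather than re-deriving it.
    (is (= (:body resp) (:body (app request))))
    ;; No usable email from the proxy: the request is rejected, nothing is registered.
    (is (= 401 (:status (app {:headers {"x-auth-request-user" "some-uuid"}}))))
    (is (= 1 (count @store)))))
```

Run with `(clojure.test/run-tests 'example.forward-auth)` from a REPL. Because the display name is computed from the email the proxy has already verified, a proxy that later changes what it puts in `x-auth-request-user` cannot regress the profile name again; the cost, as the PR notes, is that profiles registered before the fix keep whatever `:fullname` they were given.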
UsamaSadiq approved these changes on Jun 4, 2026
Summary

- Drop the `x-auth-request-user` header read in the ForwardAuth middleware — oauth2-proxy was putting the Cognito `sub` UUID into that header, so newly-provisioned SSO users landed with a UUID (e.g. `892ae5ac-0021-…`) as their `profile.fullname`.
- Update the `x-auth-request-auto-register-*` tests: drop the now-unused header from the request maps, and add an explicit assertion that `:fullname` equals the email local-part.
- Existing profiles with UUID `:fullname` are not auto-corrected — the middleware does not re-sync the field on subsequent logins. A backfill is out of scope here.

Test plan

- `pnpm run test` from `backend/` passes (focused: `backend-tests.http-middleware-test`)
- A fresh SSO login whose `cognito:username` is the bare `sub` UUID lands at https://foss-design.local.moneta.dev with `profile.fullname` = email local-part, not the UUID
- `SELECT email, fullname FROM profile ORDER BY created_at DESC LIMIT 5;` reflects the new behavior

🤖 Generated with Claude Code