Let Authentik own forward-auth user emails; add forward-auth tests
For SSO users the email address is the IdP match key, so allowing them to edit it in Veola orphaned the row on next sign-in. PostEmailPrefs now keeps the synced Authentik email for forward users (only the deal-alert and digest toggles stay editable); the settings form renders the field read-only with a Managed by Authentik note. Local break-glass users keep an editable field. Add forward-auth integration tests over the full Routes() chain: trusted proxy provisions an admin, untrusted peer's spoofed headers are ignored, role re-syncs per request, and the email-prefs round trip confirms a form cannot change a forward user's IdP email.
This commit is contained in:
@@ -108,6 +108,13 @@ func (a *App) PostEmailPrefs(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
email := strings.TrimSpace(r.PostFormValue("email"))
|
||||
// Forward-auth (Authentik) owns the address: it is the IdP match key, kept
|
||||
// in sync on every request. Never overwrite it from the form, or the next
|
||||
// sign-in would no longer match and orphan the row. Users change their
|
||||
// email in Authentik; only the opt-in toggles are editable here.
|
||||
if cur.AuthSource == "forward" {
|
||||
email = cur.Email
|
||||
}
|
||||
dealAlerts := r.PostFormValue("email_deal_alerts") == "1"
|
||||
weeklyDigest := r.PostFormValue("email_weekly_digest") == "1"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user