Let Authentik own forward-auth user emails; add forward-auth tests

For SSO users the email address is the IdP match key, so allowing them
to edit it in Veola orphaned the row on next sign-in. PostEmailPrefs now
keeps the synced Authentik email for forward users (only the deal-alert
and digest toggles stay editable); the settings form renders the field
read-only with a Managed by Authentik note. Local break-glass users keep
an editable field.

Add forward-auth integration tests over the full Routes() chain: trusted
proxy provisions an admin, untrusted peer's spoofed headers are ignored,
role re-syncs per request, and the email-prefs round trip confirms a form
cannot change a forward user's IdP email.
This commit is contained in:
prosolis
2026-06-20 11:26:02 -07:00
parent 7c95e4fd4e
commit 2fd4019103
4 changed files with 364 additions and 91 deletions

View File

@@ -108,6 +108,13 @@ func (a *App) PostEmailPrefs(w http.ResponseWriter, r *http.Request) {
return
}
email := strings.TrimSpace(r.PostFormValue("email"))
// Forward-auth (Authentik) owns the address: it is the IdP match key, kept
// in sync on every request. Never overwrite it from the form, or the next
// sign-in would no longer match and orphan the row. Users change their
// email in Authentik; only the opt-in toggles are editable here.
if cur.AuthSource == "forward" {
email = cur.Email
}
dealAlerts := r.PostFormValue("email_deal_alerts") == "1"
weeklyDigest := r.PostFormValue("email_weekly_digest") == "1"