For SSO users the email address is the IdP match key, so allowing them to edit it in Veola orphaned the row on next sign-in. PostEmailPrefs now keeps the synced Authentik email for forward users (only the deal-alert and digest toggles stay editable); the settings form renders the field read-only with a Managed by Authentik note. Local break-glass users keep an editable field. Add forward-auth integration tests over the full Routes() chain: trusted proxy provisions an admin, untrusted peer's spoofed headers are ignored, role re-syncs per request, and the email-prefs round trip confirms a form cannot change a forward user's IdP email.
10 KiB
10 KiB