Skip to content

fix(management): refresh user name/email from ID-token claims on login#6671

Open
Amilliox wants to merge 2 commits into
netbirdio:mainfrom
Amilliox:main
Open

fix(management): refresh user name/email from ID-token claims on login#6671
Amilliox wants to merge 2 commits into
netbirdio:mainfrom
Amilliox:main

Conversation

@Amilliox

@Amilliox Amilliox commented Jul 5, 2026

Copy link
Copy Markdown

Problem

On subsequent logins, GetUserFromUserAuth only updates last_login but never refreshes name/email from the ID-token claims. Users created by older versions keep empty name/email forever, and those running with IdpManagerConfig.ManagerType: "none" also see blank fields.

Fix

After retrieving the user, check if userAuth.Name or userAuth.Email differ from stored values (and are non-empty). If so, update and save — mirroring the existing JWT group sync (JWTGroupsClaimName) pattern.

Scope

  • 1 file: management/server/user.go
  • +13 lines
  • No new dependencies
  • No config changes
  • No IdP API calls
  • No SCIM/license needed

Fixes #6652
Related #2073

Summary by CodeRabbit

  • Bug Fixes
    • During login, the app now refreshes the stored user profile details (name and/or email) from the latest authentication token claims when available.
    • If updating those saved details fails, login still succeeds and the sign-in flow remains reliable.

@CLAassistant

CLAassistant commented Jul 5, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f5581cfe-e2de-494e-b80b-21d02648b2fd

📥 Commits

Reviewing files that changed from the base of the PR and between 4e0b245 and 173f9c1.

📒 Files selected for processing (1)
  • management/server/user.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • management/server/user.go

📝 Walkthrough

Walkthrough

Updates the login flow to refresh stored user Name and Email from non-empty token claims when they differ, persisting the change via SaveUser and logging failures without blocking login.

Changes

Login-time user profile sync

Layer / File(s) Summary
Refresh Name/Email from token claims
management/server/user.go
On login, compares userAuth claims for Name and Email with stored user values, updates the record when they differ, and logs debug output if saving fails.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Poem

A bunny hopped at login light,
To tidy names and emails right.
The claims came in, the store caught up,
A tiny sync in one swift hop,
And now the fields all shine so bright. 🐇

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description omits required template sections like Issue ticket and link, Stack, Checklist, and Documentation. Rewrite the description to match the template, including the issue link, stack, checklist items, and documentation selection.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the login-time refresh of user name/email from ID-token claims.
Linked Issues check ✅ Passed The change matches #6652 by refreshing stored name/email from existing ID-token claims on login without extra IdP calls.
Out of Scope Changes check ✅ Passed The scope stays in management/server/user.go and only adds the requested login-time field refresh plus save-failure rollback.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

On subsequent logins, GetUserFromUserAuth only updated last_login but
never refreshed name/email from the ID-token claims. Users created by
older versions keep empty name/email forever, and those running with
IdpManagerConfig.ManagerType: "none" also see blank fields.

This change reads name/email from the login ID-token (already available
in userAuth) and updates the stored record if they differ — mirroring
the existing JWT group sync (JWTGroupsClaimName) pattern.

No extra IdP API call, no background job, no SCIM, no license needed.

Fixes netbirdio#6652
Related netbirdio#2073

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
management/server/user.go (1)

232-248: 🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift

Avoid full-row user saves here.

GetUserFromUserAuth reads the user without a lock, then calls SaveUser, which persists the whole record. That can overwrite unrelated concurrent changes on the same user row. Use a scoped update for name/email here, similar to SaveUserLastLogin, instead of saving the full user object.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@management/server/user.go` around lines 232 - 248, The user refresh logic in
GetUserFromUserAuth is doing a full SaveUser after updating only name/email,
which can overwrite unrelated concurrent changes. Replace that persistence path
with a scoped store update for just the name/email fields, following the pattern
used by SaveUserLastLogin or a similar narrow update helper, and keep the
existing GetUserByUserID and logging flow intact.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@management/server/user.go`:
- Around line 245-247: The user update flow in user.go leaves the in-memory User
mutated even when am.Store.SaveUser fails, so callers can receive Name/Email
values that were never persisted. In the save path around SaveUser, capture the
original values before mutating and restore them if the save returns an error,
or otherwise return the pre-update user state on failure. Keep the fix localized
to the update logic that logs “failed to update user name/email” and returns the
user from the same method.

---

Outside diff comments:
In `@management/server/user.go`:
- Around line 232-248: The user refresh logic in GetUserFromUserAuth is doing a
full SaveUser after updating only name/email, which can overwrite unrelated
concurrent changes. Replace that persistence path with a scoped store update for
just the name/email fields, following the pattern used by SaveUserLastLogin or a
similar narrow update helper, and keep the existing GetUserByUserID and logging
flow intact.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b2618edd-894a-4876-b8e8-b348c135e72c

📥 Commits

Reviewing files that changed from the base of the PR and between 3aa6c02 and 2f3779c.

📒 Files selected for processing (1)
  • management/server/user.go

Comment thread management/server/user.go
If SaveUser fails after mutating user.Name/user.Email, restore the
original values so callers do not see unsaved changes.
@sonarqubecloud

sonarqubecloud Bot commented Jul 5, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Refresh user name/email from the ID-token claims on login (parity with JWT group sync)

2 participants