🆔 fix: Prioritize Immutable Sub Claim for OIDC User ID (#9788)

* add use of immutable claims to identify user object * fix semicolons * update email attribute on change * replace ternary expressions * fix semicolon * chore: add typing * chore: reorder fields in `findOpenIDUser` * refactor: optimize user lookup logic in `findOpenIDUser` function to minimize database roundtrips * refactor: integrate findOpenIDUser for improved user retrieval in refreshController * refactor: improve error logging for invalid refresh tokens in refreshController * ci: mock findUser correctly in openidStrategy tests * test: add unit tests for findOpenIDUser function to enhance user retrieval logic --------- Co-authored-by: Joachim Keltsch <joachim.keltsch@daimlertruck.com>
2025-12-17 00:40:14 +01:00 · 2025-09-23 14:46:53 -04:00 · 2025-09-23 14:46:53 -04:00 · bcec5bfceb
commit bcec5bfceb
parent e4f323e71a
6 changed files with 458 additions and 17 deletions
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@ -337,6 +337,10 @@ async function setupOpenId() {
        clockTolerance: process.env.OPENID_CLOCK_TOLERANCE || 300,
        usePKCE,
      },
+      /**
+       * @param {import('openid-client').TokenEndpointResponseHelpers} tokenset
+       * @param {import('passport-jwt').VerifyCallback} done
+       */
      async (tokenset, done) => {
        try {
          const claims = tokenset.claims();
@ -354,10 +358,11 @@ async function setupOpenId() {
          }

          const result = await findOpenIDUser({
-            openidId: claims.sub,
-            email: claims.email,
-            strategyName: 'openidStrategy',
            findUser,
+            email: claims.email,
+            openidId: claims.sub,
+            idOnTheSource: claims.oid,
+            strategyName: 'openidStrategy',
          });
          let user = result.user;
          const error = result.error;
@ -436,6 +441,10 @@ async function setupOpenId() {
            user.username = username;
            user.name = fullName;
            user.idOnTheSource = userinfo.oid;
+            if (userinfo.email && userinfo.email !== user.email) {
+              user.email = userinfo.email;
+              user.emailVerified = userinfo.email_verified || false;
+            }
          }

          if (!!userinfo && userinfo.picture && !user.avatar?.includes('manual=true')) {