Populate global user display name from id_token on login (ARB-515) (#380)

crthpl · web-flow · commit eac92d0acdbf · 2026-04-13T14:22:33.000-07:00
diff --git a/backend/src/auth.rs b/backend/src/auth.rs
@@ -170,28 +170,39 @@ pub async fn validate_access_and_id(
     })
 }
 
-/// Validate an ID token and return its email if the subject matches `expected_sub`.
+pub struct IdTokenInfo {
+    pub name: Option<String>,
+    pub email: Option<String>,
+}
+
+/// Validate an ID token and return its name and email if the subject matches `expected_sub`.
 ///
 /// # Errors
 /// Fails if the token is invalid or the subject does not match.
-pub async fn validate_id_token_email_for_sub(
+pub async fn validate_id_token_for_sub(
     id_token: &str,
     expected_sub: &str,
-) -> anyhow::Result<Option<String>> {
+) -> anyhow::Result<IdTokenInfo> {
     #[cfg(feature = "dev-mode")]
     if id_token.starts_with("test::") {
         let test_client = validate_test_token(id_token)?;
         if test_client.id != expected_sub {
             anyhow::bail!("sub mismatch");
         }
-        return Ok(test_client.email);
+        return Ok(IdTokenInfo {
+            name: test_client.name,
+            email: test_client.email,
+        });
     }
 
     let id_claims: IdClaims = validate_jwt(id_token).await?;
     if id_claims.sub != expected_sub {
         anyhow::bail!("sub mismatch");
     }
-    Ok(id_claims.email)
+    Ok(IdTokenInfo {
+        name: Some(id_claims.name),
+        email: id_claims.email,
+    })
 }
 
 /// Test-only function to create a `ValidatedClient` from test credentials.
diff --git a/backend/src/global_db.rs b/backend/src/global_db.rs
@@ -132,6 +132,41 @@ impl GlobalDB {
         })
     }
 
+    /// Find a global user by `kinde_id`, creating one with a placeholder
+    /// display name if none exists. Unlike `ensure_global_user`, this does NOT
+    /// update the display name or email of an existing user — use it from
+    /// code paths that don't yet have a trusted name for the user.
+    ///
+    /// # Errors
+    /// Returns an error on database failure.
+    pub async fn find_or_create_global_user(
+        &self,
+        kinde_id: &str,
+        placeholder_name: &str,
+        email: Option<&str>,
+    ) -> Result<GlobalUser, sqlx::Error> {
+        if let Some(user) = self.get_global_user_by_kinde_id(kinde_id).await? {
+            return Ok(user);
+        }
+
+        let id = sqlx::query_scalar::<_, i64>(
+            r"INSERT INTO global_user (kinde_id, display_name, email) VALUES (?, ?, ?) RETURNING id",
+        )
+        .bind(kinde_id)
+        .bind(placeholder_name)
+        .bind(email)
+        .fetch_one(&self.pool)
+        .await?;
+
+        Ok(GlobalUser {
+            id,
+            kinde_id: kinde_id.to_string(),
+            display_name: placeholder_name.to_string(),
+            is_admin: false,
+            email: email.map(String::from),
+        })
+    }
+
     /// Get a global user by `kinde_id`.
     ///
     /// # Errors
diff --git a/backend/src/main.rs b/backend/src/main.rs
@@ -145,25 +145,36 @@ async fn list_cohorts(
         .filter(|v| !v.is_empty())
         .map(str::to_owned);
 
-    let resolved_email = if let Some(id_token) = id_token_email {
-        match backend::auth::validate_id_token_email_for_sub(&id_token, &claims.sub).await {
-            Ok(email) => email,
+    let (resolved_email, id_token_name) = if let Some(id_token) = id_token_email {
+        match backend::auth::validate_id_token_for_sub(&id_token, &claims.sub).await {
+            Ok(info) => (info.email, info.name),
             Err(e) => {
                 tracing::warn!("Invalid x-id-token for /api/cohorts: {e}");
-                claims.email.clone()
+                (claims.email.clone(), None)
             }
         }
     } else {
-        claims.email.clone()
+        (claims.email.clone(), None)
     };
 
-    // Ensure global user exists (creates if needed, same as WS auth flow)
-    let display_name = claims.sub.clone(); // Fallback; WS auth will update with real name
-    let global_user = state
-        .global_db
-        .ensure_global_user(&claims.sub, &display_name, resolved_email.as_deref())
-        .await
-        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+    // Ensure global user exists. Prefer the display name from the id_token so
+    // users who log in but haven't been added to any cohort still get their
+    // real name persisted (previously only the WS auth flow populated the
+    // display name, so these users stayed stuck with their Kinde sub as a
+    // placeholder).
+    let global_user = if let Some(name) = id_token_name.as_deref().filter(|n| !n.is_empty()) {
+        state
+            .global_db
+            .ensure_global_user(&claims.sub, name, resolved_email.as_deref())
+            .await
+            .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?
+    } else {
+        state
+            .global_db
+            .find_or_create_global_user(&claims.sub, &claims.sub, resolved_email.as_deref())
+            .await
+            .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?
+    };
 
     // Link email-based pre-authorizations if we have an email
     if let Some(email) = &resolved_email {
