use upstream data

odelcroi · odelcroi · commit 1678d25306c8 · 2025-06-10T17:23:52.000+02:00
diff --git a/crates/handlers/src/upstream_oauth2/link.rs b/crates/handlers/src/upstream_oauth2/link.rs
@@ -209,10 +209,6 @@ pub(crate) enum FormData {
         accept_terms: Option<String>,
     },
     Link,
-    Associate {
-        #[serde(default)]
-        username: Option<String>,
-    },
 }
 
 impl ToFormState for FormData {
@@ -653,10 +649,46 @@ pub(crate) async fn post(
             session
         }
 
-        (None, None, FormData::Associate { username }) => {
-            //user already exists, but it is not linked, neither connected
-            //proceed by associating the link and connect the user
+        (None, None, FormData::Link) => {
+            // User already exists, but it is not linked, neither logged in
+            // Proceed by associating the link to the user and log in the user
+            // Upstream_session is used to re-render the username as it is the only source of truth
+            
+            let id_token = upstream_session.id_token().map(Jwt::try_from).transpose()?;
 
+            let provider = repo
+                .upstream_oauth_provider()
+                .lookup(link.provider_id)
+                .await?
+                .ok_or(RouteError::ProviderNotFound(link.provider_id))?;
+            
+            // Let's import the username from the localpart claim
+            let env = environment();
+            
+            let mut context = AttributeMappingContext::new();
+            if let Some(id_token) = id_token {
+                let (_, payload) = id_token.into_parts();
+                context = context.with_id_token_claims(payload);
+            }
+            if let Some(extra_callback_parameters) = upstream_session.extra_callback_parameters() {
+                context = context.with_extra_callback_parameters(extra_callback_parameters.clone());
+            }
+            if let Some(userinfo) = upstream_session.userinfo() {
+                context = context.with_userinfo_claims(userinfo.clone());
+            }
+            let context = context.build();
+            
+            
+            //Claims import must be `require` or `force` at this stage
+            let template = provider
+                .claims_imports
+                .localpart
+                .template
+                .as_deref()
+                .unwrap_or(DEFAULT_LOCALPART_TEMPLATE);
+        
+            let username =  render_attribute_template(&env, template, &context, true)?;
+            
             let maybe_user = repo.user().find_by_username(&username.unwrap()).await?;
 
             if maybe_user.is_some() {
@@ -706,6 +738,7 @@ pub(crate) async fn post(
             let env = environment();
 
             let mut context = AttributeMappingContext::new();
+
             if let Some(id_token) = id_token {
                 let (_, payload) = id_token.into_parts();
                 context = context.with_id_token_claims(payload);
@@ -1250,8 +1283,7 @@ mod tests {
         let request = Request::post(&*mas_router::UpstreamOAuth2Link::new(link.id).path()).form(
             serde_json::json!({
                 "csrf": csrf_token,
-                "action": "associate",
-                "username" : user.username.clone()
+                "action": "link"
             }),
         );
         let request = cookies.with_cookies(request);
diff --git a/templates/pages/upstream_oauth2/login_link.html b/templates/pages/upstream_oauth2/login_link.html
@@ -23,8 +23,7 @@ <h1 class="title">{{ _("mas.upstream_oauth2.login_link.heading") }}</h1>
    
     <form method="POST" class="cpd-form-root">
       <input type="hidden" name="csrf" value="{{ csrf_token }}" />
-      <input type="hidden" name="action" value="associate" />
-      <input type="hidden" name="username" value="{{ linked_user.username }}" />
+      <input type="hidden" name="action" value="link" />
 
       {{ button.button(text=_("mas.upstream_oauth2.login_link.action")) }}
     </form>
