Remove is_in_allow_list and use preferred_username (the thundermail address) instead of recovery email (Fixes #1329) (#1331)

MelissaAutumn · web-flow · commit 7437c88541fa · 2025-11-12T10:27:33.000-08:00
diff --git a/backend/src/appointment/routes/auth.py b/backend/src/appointment/routes/auth.py
@@ -653,8 +653,7 @@ def oidc_token(
         raise HTTPException(status_code=403, detail=l10n('invalid-credentials'))
 
     oidc_id = token_data.get('sub')
-    email = token_data.get('email')
-    username = token_data.get('username')
+    username = email = token_data.get('preferred_username', token_data.get('username'))
     name = token_data.get('name')
 
     subscriber = repo.external_connection.get_subscriber_by_oidc_id(db, oidc_id)
@@ -665,14 +664,6 @@ def oidc_token(
         subscriber = repo.external_connection.get_subscriber_without_oidc_by_email(db, email)
 
     if not subscriber:
-        is_in_allow_list = utils.is_in_allow_list(db, email)
-
-        if not is_in_allow_list:
-            if not repo.invite.code_exists(db, data.invite_code):
-                raise HTTPException(404, l10n('invite-code-not-valid'))
-            if not repo.invite.code_is_available(db, data.invite_code):
-                raise HTTPException(403, l10n('invite-code-not-valid'))
-
         subscriber = repo.subscriber.create(
             db,
             schemas.SubscriberBase(
@@ -683,18 +674,10 @@ def oidc_token(
             ),
         )
 
+        # FIXME: This functionality doesn't work, but we might re-use it later. If not please delete.
         # Give them 10 invites
         repo.invite.generate_codes(db, INVITES_TO_GIVE_OUT, subscriber.id)
 
-        if not is_in_allow_list:
-            # Use the invite code after we've created the new subscriber
-            used = repo.invite.use_code(db, data.invite_code, subscriber.id)
-
-            # This shouldn't happen, but just in case!
-            if not used:
-                repo.subscriber.hard_delete(db, subscriber)
-                raise HTTPException(500, l10n('unknown-error'))
-
     # FIXME: OIDC should handle this check
     # Only proceed if user account is enabled (which is the default case for new users)
     if subscriber.is_deleted:
@@ -718,7 +701,6 @@ def oidc_token(
             owner_id=subscriber.id,
             token='',  # We don't need token data here
         )
-        print(external_connection_schema)
         repo.external_connection.create(db, external_connection_schema)
 
     return JSONResponse(True)
diff --git a/backend/test/integration/test_auth.py b/backend/test/integration/test_auth.py
@@ -923,7 +923,7 @@ def test_oidc_token_fallback_match_by_email(self, with_db, with_client, make_pro
             mock_introspect.return_value = {
                 'sub': oidc_id,
                 'email': subscriber.email,
-                'username': subscriber.username,
+                'preferred_username': subscriber.email, # preferred_username is the thundermail address
                 'name': subscriber.name,
             }
 

Original file line number	Diff line number	Diff line change
`@@ -923,7 +923,7 @@ def test_oidc_token_fallback_match_by_email(self, with_db, with_client, make_pro`
`923`	`923`	`mock_introspect.return_value = {`
`924`	`924`	`'sub': oidc_id,`
`925`	`925`	`'email': subscriber.email,`
`926`		`- 'username': subscriber.username,`
	`926`	`+ 'preferred_username': subscriber.email, # preferred_username is the thundermail address`
`927`	`927`	`'name': subscriber.name,`
`928`	`928`	`}`
`929`	`929`