fix: users managed by SCIM should not get their name updated

2025-09-24 17:51:14 +02:00 · 2025-09-22 17:16:23 +02:00 · 2025-09-22 17:16:23 +02:00 · e74ac423c6
commit e74ac423c6
parent 7cec4d6923
2 changed files with 176 additions and 119 deletions
--- a/src/lib/services/user-service.ts
+++ b/src/lib/services/user-service.ts
@ -506,9 +506,30 @@ export class UserService {

        try {
            user = await this.store.getByQuery({ email });
-            // Update user if autCreate is enabled.
-            if (name && user.name !== name) {
-                user = await this.store.update(user.id, { name, email });
+            // Update user if not managed by scim
+            if (name && user.name !== name && !user.scimId) {
+                const currentRole = await this.accessService.getRootRoleForUser(
+                    user.id,
+                );
+                const updatedUser = await this.store.update(user.id, {
+                    name,
+                    email,
+                });
+
+                await this.eventService.storeEvent(
+                    new UserUpdatedEvent({
+                        auditUser: SYSTEM_USER_AUDIT,
+                        preUser: {
+                            ...user,
+                            rootRole: currentRole.id,
+                        },
+                        postUser: {
+                            ...updatedUser,
+                            rootRole: currentRole.id,
+                        },
+                    }),
+                );
+                user = { ...user, ...updatedUser };
            }
        } catch (e) {
            // User does not exists. Create if 'autoCreate' is enabled
--- a/src/test/e2e/services/user-service.e2e.test.ts
+++ b/src/test/e2e/services/user-service.e2e.test.ts
@ -435,6 +435,7 @@ test('updating a user without an email should not strip the email', async () =>
    expect(updatedUser.email).toBe(email);
 });

+describe('loginUserSSO', () => {
    test('should login and create user via SSO', async () => {
        const recordedEvents: Array<{ loginOrder: number }> = [];
        eventBus.on(USER_LOGIN, (data) => {
@ -494,6 +495,11 @@ test('should update user name when signing in via SSO', async () => {
        expect(actualUser.email).toBe(email);
        expect(actualUser.name).toBe('New name!');
        expect(actualUser.rootRole).toBe(viewerRole.id);
+        const { events } = await eventService.getEvents();
+        const updateEvent = events.find(
+            (e) => e.data.id === originalUser.id && e.data.name === 'New name!',
+        );
+        expect(updateEvent).toBeDefined();
    });

    test('should update name if it is different via SSO', async () => {
@ -572,6 +578,36 @@ test('should support a custom root role id when logging in and creating user via
        expect(permissions[0].permission).toBe(CREATE_ADDON);
    });

+    test(`should not update the username if managed by SCIM`, async () => {
+        const email = 'test-1@getunleash.io';
+        const originalName = 'Original Name';
+        const name = 'Updated Name';
+        const createdUser = await userStore.insert({
+            name: originalName,
+            username: 'random-1234',
+            email,
+        });
+        await db
+            .rawDatabase('users')
+            .update({
+                scim_id: '123',
+            })
+            .where({ id: createdUser.id });
+
+        const user = await userService.loginUserSSO({
+            email,
+            autoCreate: true,
+            name,
+        });
+
+        expect(user.name).toBe(originalName);
+
+        // Fetch the user directly from the store to verify
+        const storedUser = await userStore.get(user.id);
+        expect(storedUser!.name).toBe(originalName);
+    });
+});
+
 describe('Should not be able to use any of previous 5 passwords', () => {
    test('throws exception when trying to use a previously used password', async () => {
        const name = 'same-password-is-not-allowed';