fix(scim): make group member add idempotent + build PR images #4
Merged
Authentik's outgoing SCIM sync occasionally PATCHes a group with an `add members` operation listing a user that is already a member, triggering a `user_groups_pkey` IntegrityError that bubbled up as a SCIM 409 and aborted the whole sync. Switch the membership insert to `ON CONFLICT (user_id, group_id) DO NOTHING` and dedupe the input set so re-adding existing members is a no-op.
Adds a `pull_request` trigger that pushes the resulting image to GHCR tagged `pr-<number>`, while `latest` stays restricted to the default branch. Lets reviewers pull and validate a PR's container before merge.
Authentik's outgoing SCIM PATCHes a group's members with
`{op:"remove", path:"members", value:[{value:"<id>"}, ...]}` rather
than the RFC 7644 filter syntax `members[value eq "<id>"]`, which we
rejected with 400. Accept the value-list form too, and treat a remove
on `members` with no value as "clear all members". Also log the
request body on any SCIM 400 so future parser gaps are diagnosable
from the app log.
Summary
- `add members` operation re-listed an already-present user. The `user_groups` insert now uses `ON CONFLICT (user_id, group_id) DO NOTHING` and dedupes its input, so re-adding existing members is a true no-op.
- `pull_request` trigger to the image workflow. PRs get pushed to GHCR as `ghcr.io/netways/struudel:pr-<number>`, while `latest` stays restricted to the default branch — lets you pull and validate this PR's container on the staging host before merge.

Test plan
- `ghcr.io/netways/struudel:pr-<this-pr-number>`
- `docker compose pull` with image swapped to the `pr-*` tag, then `docker compose up -d app worker`
- `user_groups_pkey` IntegrityError and no SCIM 409 on `PATCH /scim/v2/Groups/*`
- `latest` tag in GHCR is unchanged (still points at the last main build)
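An added example, not code from this PR or the project: a Python/sqlite3 model of the two behaviours the commit messages describe, an `add members` insert made idempotent with `ON CONFLICT (user_id, group_id) DO NOTHING` plus input dedupe, and a `remove` on `members` accepted in filter form, in value-list form, and with no value. The in-memory schema and the names `open_db`, `members`, `apply_op` and `_ids` are assumptions for illustration, as is treating only an absent `value` key (not an empty list) as "clear all".

```python
import re
import sqlite3

# RFC 7644 filter form of the path: members[value eq "<id>"]
_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')

def open_db():
    """In-memory stand-in for the membership table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_groups (user_id TEXT, group_id TEXT,"
               " PRIMARY KEY (user_id, group_id))")
    return db

def members(db, group_id):
    rows = db.execute("SELECT user_id FROM user_groups WHERE group_id = ?"
                      " ORDER BY user_id", (group_id,))
    return [r[0] for r in rows]

def _ids(value):
    """Member ids from a SCIM value list, validated and deduplicated."""
    if not isinstance(value, list):
        raise ValueError("members value must be a list")
    ids = [m["value"] for m in value
           if isinstance(m, dict) and isinstance(m.get("value"), str)]
    if len(ids) != len(value):
        raise ValueError("every member entry needs a string 'value'")
    return list(dict.fromkeys(ids))  # dedupe, keep order

def apply_op(db, group_id, op):
    """Apply one PATCH operation on `members`; ValueError maps to SCIM 400."""
    kind, path = str(op.get("op", "")).lower(), str(op.get("path") or "")
    one = "DELETE FROM user_groups WHERE user_id = ? AND group_id = ?"
    if kind == "add" and path == "members":
        # Existing (user_id, group_id) rows are skipped instead of raising.
        db.executemany("INSERT INTO user_groups (user_id, group_id) VALUES (?, ?)"
                       " ON CONFLICT (user_id, group_id) DO NOTHING",
                       [(uid, group_id) for uid in _ids(op.get("value"))])
    elif kind == "remove" and path == "members" and "value" not in op:
        db.execute("DELETE FROM user_groups WHERE group_id = ?", (group_id,))  # clear all
    elif kind == "remove" and path == "members":
        db.executemany(one, [(uid, group_id) for uid in _ids(op["value"])])  # value list
    elif kind == "remove" and (m := _FILTER.match(path)):
        db.execute(one, (m.group(1), group_id))  # filter form
    else:
        raise ValueError(f"unsupported operation {kind!r} on path {path!r}")
```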