member/member-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(identity): rename authentik_sub to user_sub and authentik_user_id to idp_user_id

Browse Source
This commit is contained in:
Chris
2026-03-31 22:32:48 +08:00
parent ed5679948b
commit 4060ebff70
22 changed files with 208 additions and 165 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/api/admin.py
View File

@@ -71,7 +71,7 @@ def grant_permission(
perms_repo = PermissionsRepository(db)
user = users_repo.upsert_by_sub(
authentik_sub=payload.authentik_sub,
user_sub=payload.user_sub,
username=None,
email=payload.email,
display_name=payload.display_name,
@@ -99,7 +99,7 @@ def revoke_permission(
users_repo = UsersRepository(db)
perms_repo = PermissionsRepository(db)
user = users_repo.get_by_sub(payload.authentik_sub)
user = users_repo.get_by_sub(payload.user_sub)
if user is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")

120
app/api/admin_catalog.py
View File

@@ -135,8 +135,8 @@ def _generate_api_key() -> str:
def _sync_member_to_authentik(
*,
authentik_sub: str | None,
authentik_user_id: int | None,
user_sub: str | None,
idp_user_id: int | None,
username: str | None,
email: str | None,
display_name: str | None,
@@ -147,17 +147,17 @@ def _sync_member_to_authentik(
settings = get_settings()
service = AuthentikAdminService(settings=settings)
result = service.ensure_user(
sub=authentik_sub,
sub=user_sub,
email=email,
username=username,
display_name=display_name,
is_active=is_active,
authentik_user_id=authentik_user_id,
idp_user_id=idp_user_id,
)
return {
"authentik_user_id": result.user_id,
"idp_user_id": result.user_id,
"sync_action": result.action,
"authentik_sub": result.authentik_sub or "",
"user_sub": result.user_sub or "",
}
@@ -316,7 +316,7 @@ def list_system_members(
return {
"items": [
MemberRelationItem(
authentik_sub=m.authentik_sub,
user_sub=m.user_sub,
email=m.email,
display_name=m.display_name,
is_active=m.is_active,
@@ -359,7 +359,7 @@ def list_module_members(
return {
"items": [
MemberRelationItem(
authentik_sub=m.authentik_sub,
user_sub=m.user_sub,
email=m.email,
display_name=m.display_name,
is_active=m.is_active,
@@ -567,7 +567,7 @@ def list_members(
"items": [
MemberItem(
id=i.id,
authentik_sub=i.authentik_sub,
user_sub=i.user_sub,
username=i.username,
email=i.email,
display_name=i.display_name,
@@ -587,37 +587,37 @@ def upsert_member(
db: Session = Depends(get_db),
) -> MemberItem:
users_repo = UsersRepository(db)
resolved_sub = payload.authentik_sub
resolved_sub = payload.user_sub
resolved_username = payload.username
authentik_user_id = None
idp_user_id = None
if payload.sync_to_authentik:
seed_sub = payload.authentik_sub or payload.username
seed_sub = payload.user_sub or payload.username
if not seed_sub:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="authentik_sub_or_username_required")
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="user_sub_or_username_required")
sync = _sync_member_to_authentik(
authentik_sub=seed_sub,
authentik_user_id=authentik_user_id,
user_sub=seed_sub,
idp_user_id=idp_user_id,
username=payload.username,
email=payload.email,
display_name=payload.display_name,
is_active=payload.is_active,
)
authentik_user_id = int(sync["authentik_user_id"])
if sync.get("authentik_sub"):
resolved_sub = str(sync["authentik_sub"])
idp_user_id = int(sync["idp_user_id"])
if sync.get("user_sub"):
resolved_sub = str(sync["user_sub"])
if not resolved_sub:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="authentik_sub_required")
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="user_sub_required")
row = users_repo.upsert_by_sub(
authentik_sub=resolved_sub,
user_sub=resolved_sub,
username=resolved_username,
email=payload.email,
display_name=payload.display_name,
is_active=payload.is_active,
authentik_user_id=authentik_user_id,
idp_user_id=idp_user_id,
)
return MemberItem(
id=row.id,
authentik_sub=row.authentik_sub,
user_sub=row.user_sub,
username=row.username,
email=row.email,
display_name=row.display_name,
@@ -625,14 +625,14 @@ def upsert_member(
)
@router.patch("/members/{authentik_sub}", response_model=MemberItem)
@router.patch("/members/{user_sub}", response_model=MemberItem)
def update_member(
authentik_sub: str,
user_sub: str,
payload: MemberUpdateRequest,
db: Session = Depends(get_db),
) -> MemberItem:
users_repo = UsersRepository(db)
row = users_repo.get_by_sub(authentik_sub)
row = users_repo.get_by_sub(user_sub)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
@@ -641,29 +641,29 @@ def update_member(
next_display_name = payload.display_name if payload.display_name is not None else row.display_name
next_is_active = payload.is_active if payload.is_active is not None else row.is_active
authentik_user_id = row.authentik_user_id
idp_user_id = row.idp_user_id
if payload.sync_to_authentik:
sync = _sync_member_to_authentik(
authentik_sub=row.authentik_sub,
authentik_user_id=row.authentik_user_id,
user_sub=row.user_sub,
idp_user_id=row.idp_user_id,
username=next_username,
email=next_email,
display_name=next_display_name,
is_active=next_is_active,
)
authentik_user_id = int(sync["authentik_user_id"])
idp_user_id = int(sync["idp_user_id"])
row = users_repo.upsert_by_sub(
authentik_sub=row.authentik_sub,
user_sub=row.user_sub,
username=next_username,
email=next_email,
display_name=next_display_name,
is_active=next_is_active,
authentik_user_id=authentik_user_id,
idp_user_id=idp_user_id,
)
return MemberItem(
id=row.id,
authentik_sub=row.authentik_sub,
user_sub=row.user_sub,
username=row.username,
email=row.email,
display_name=row.display_name,
@@ -671,78 +671,78 @@ def update_member(
)
@router.delete("/members/{authentik_sub}")
@router.delete("/members/{user_sub}")
def delete_member(
authentik_sub: str,
user_sub: str,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
users_repo = UsersRepository(db)
row = users_repo.get_by_sub(authentik_sub)
row = users_repo.get_by_sub(user_sub)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
settings = get_settings()
service = AuthentikAdminService(settings=settings)
service.delete_user(
authentik_user_id=row.authentik_user_id,
idp_user_id=row.idp_user_id,
email=row.email,
username=row.username,
)
db.execute(delete(PermissionGroupMember).where(PermissionGroupMember.authentik_sub == authentik_sub))
db.execute(delete(PermissionGroupMember).where(PermissionGroupMember.user_sub == user_sub))
db.delete(row)
db.commit()
return {"deleted": 1, "result": "deleted"}
@router.post("/members/{authentik_sub}/password/reset", response_model=MemberPasswordResetResponse)
@router.post("/members/{user_sub}/password/reset", response_model=MemberPasswordResetResponse)
def reset_member_password(
authentik_sub: str,
user_sub: str,
db: Session = Depends(get_db),
) -> MemberPasswordResetResponse:
users_repo = UsersRepository(db)
user = users_repo.get_by_sub(authentik_sub)
user = users_repo.get_by_sub(user_sub)
if not user:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
settings = get_settings()
service = AuthentikAdminService(settings=settings)
result = service.reset_password(
authentik_user_id=user.authentik_user_id,
idp_user_id=user.idp_user_id,
email=user.email,
username=user.username,
)
user = users_repo.upsert_by_sub(
authentik_sub=user.authentik_sub,
user_sub=user.user_sub,
username=user.username,
email=user.email,
display_name=user.display_name,
is_active=user.is_active,
authentik_user_id=result.user_id,
idp_user_id=result.user_id,
)
return MemberPasswordResetResponse(authentik_sub=user.authentik_sub, temporary_password=result.temporary_password)
return MemberPasswordResetResponse(user_sub=user.user_sub, temporary_password=result.temporary_password)
@router.get("/members/{authentik_sub}/permission-groups", response_model=MemberPermissionGroupsResponse)
@router.get("/members/{user_sub}/permission-groups", response_model=MemberPermissionGroupsResponse)
def get_member_permission_groups(
authentik_sub: str,
user_sub: str,
db: Session = Depends(get_db),
) -> MemberPermissionGroupsResponse:
users_repo = UsersRepository(db)
groups_repo = PermissionGroupsRepository(db)
user = users_repo.get_by_sub(authentik_sub)
user = users_repo.get_by_sub(user_sub)
if not user:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
group_keys = groups_repo.list_group_keys_by_member_sub(authentik_sub)
return MemberPermissionGroupsResponse(authentik_sub=authentik_sub, group_keys=group_keys)
group_keys = groups_repo.list_group_keys_by_member_sub(user_sub)
return MemberPermissionGroupsResponse(user_sub=user_sub, group_keys=group_keys)
@router.put("/members/{authentik_sub}/permission-groups", response_model=MemberPermissionGroupsResponse)
@router.put("/members/{user_sub}/permission-groups", response_model=MemberPermissionGroupsResponse)
def set_member_permission_groups(
authentik_sub: str,
user_sub: str,
payload: MemberPermissionGroupsUpdateRequest,
db: Session = Depends(get_db),
) -> MemberPermissionGroupsResponse:
users_repo = UsersRepository(db)
groups_repo = PermissionGroupsRepository(db)
user = users_repo.get_by_sub(authentik_sub)
user = users_repo.get_by_sub(user_sub)
if not user:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
@@ -753,8 +753,8 @@ def set_member_permission_groups(
if missing:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"group_not_found:{','.join(missing)}")
groups_repo.replace_member_groups(authentik_sub, [g.id for g in groups])
return MemberPermissionGroupsResponse(authentik_sub=authentik_sub, group_keys=unique_group_keys)
groups_repo.replace_member_groups(user_sub, [g.id for g in groups])
return MemberPermissionGroupsResponse(user_sub=user_sub, group_keys=unique_group_keys)
@router.get("/api-clients")
@@ -1023,31 +1023,31 @@ def delete_permission_group(
return {"deleted": 1, "result": "deleted"}
@router.post("/permission-groups/{group_key}/members/{authentik_sub}")
@router.post("/permission-groups/{group_key}/members/{user_sub}")
def add_group_member(
group_key: str,
authentik_sub: str,
user_sub: str,
db: Session = Depends(get_db),
) -> dict[str, str]:
groups_repo = PermissionGroupsRepository(db)
group = groups_repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
row = groups_repo.add_member_if_not_exists(group.id, authentik_sub)
row = groups_repo.add_member_if_not_exists(group.id, user_sub)
return {"membership_id": row.id, "result": "added"}
@router.delete("/permission-groups/{group_key}/members/{authentik_sub}")
@router.delete("/permission-groups/{group_key}/members/{user_sub}")
def remove_group_member(
group_key: str,
authentik_sub: str,
user_sub: str,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
groups_repo = PermissionGroupsRepository(db)
group = groups_repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
deleted = groups_repo.remove_member(group.id, authentik_sub)
deleted = groups_repo.remove_member(group.id, user_sub)
return {"deleted": deleted, "result": "removed"}

32
app/api/internal.py
View File

@@ -23,7 +23,7 @@ def upsert_user_by_sub(
) -> InternalUpsertUserBySubResponse:
repo = UsersRepository(db)
user = repo.upsert_by_sub(
authentik_sub=payload.sub,
user_sub=payload.user_sub,
username=payload.username,
email=payload.email,
display_name=payload.display_name,
@@ -31,8 +31,8 @@ def upsert_user_by_sub(
)
return {
"id": user.id,
"sub": user.authentik_sub,
"authentik_user_id": user.authentik_user_id,
"user_sub": user.user_sub,
"idp_user_id": user.idp_user_id,
"username": user.username,
"email": user.email,
"display_name": user.display_name,
@@ -40,20 +40,20 @@ def upsert_user_by_sub(
}
@router.get("/permissions/{authentik_sub}/snapshot", response_model=PermissionSnapshotResponse)
@router.get("/permissions/{user_sub}/snapshot", response_model=PermissionSnapshotResponse)
def get_permission_snapshot(
authentik_sub: str,
user_sub: str,
db: Session = Depends(get_db),
) -> PermissionSnapshotResponse:
users_repo = UsersRepository(db)
perms_repo = PermissionsRepository(db)
user = users_repo.get_by_sub(authentik_sub)
user = users_repo.get_by_sub(user_sub)
if user is None:
return PermissionSnapshotResponse(authentik_sub=authentik_sub, permissions=[])
return PermissionSnapshotResponse(user_sub=user_sub, permissions=[])
permissions = perms_repo.list_by_user(user.id, user.authentik_sub)
return PermissionService.build_snapshot(authentik_sub=authentik_sub, permissions=permissions)
permissions = perms_repo.list_by_user(user.id, user.user_sub)
return PermissionService.build_snapshot(user_sub=user_sub, permissions=permissions)
@router.post("/authentik/users/ensure", response_model=AuthentikEnsureUserResponse)
@@ -64,7 +64,7 @@ def ensure_authentik_user(
settings = get_settings()
authentik_service = AuthentikAdminService(settings=settings)
sync_result = authentik_service.ensure_user(
sub=payload.sub,
sub=payload.user_sub,
email=payload.email,
username=payload.username,
display_name=payload.display_name,
@@ -72,17 +72,17 @@ def ensure_authentik_user(
)
users_repo = UsersRepository(db)
resolved_sub = payload.sub or ""
if sync_result.authentik_sub:
resolved_sub = sync_result.authentik_sub
resolved_sub = payload.user_sub or ""
if sync_result.user_sub:
resolved_sub = sync_result.user_sub
if not resolved_sub:
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_missing_sub")
users_repo.upsert_by_sub(
authentik_sub=resolved_sub,
user_sub=resolved_sub,
username=payload.username,
email=payload.email,
display_name=payload.display_name,
is_active=payload.is_active,
authentik_user_id=sync_result.user_id,
idp_user_id=sync_result.user_id,
)
return AuthentikEnsureUserResponse(authentik_user_id=sync_result.user_id, action=sync_result.action)
return AuthentikEnsureUserResponse(idp_user_id=sync_result.user_id, action=sync_result.action)

2
app/api/internal_catalog.py
View File

@@ -100,7 +100,7 @@ def internal_list_members(
"items": [
{
"id": i.id,
"authentik_sub": i.authentik_sub,
"user_sub": i.user_sub,
"username": i.username,
"email": i.email,
"display_name": i.display_name,

12
app/api/me.py
View File

@@ -21,13 +21,13 @@ def get_me(
try:
users_repo = UsersRepository(db)
user = users_repo.upsert_by_sub(
authentik_sub=principal.sub,
user_sub=principal.sub,
username=principal.preferred_username,
email=principal.email,
display_name=principal.name or principal.preferred_username,
is_active=True,
)
return MeSummaryResponse(sub=user.authentik_sub, email=user.email, display_name=user.display_name)
return MeSummaryResponse(sub=user.user_sub, email=user.email, display_name=user.display_name)
except SQLAlchemyError:
# DB schema compatibility fallback for local bring-up.
return MeSummaryResponse(
@@ -47,13 +47,13 @@ def get_my_permission_snapshot(
perms_repo = PermissionsRepository(db)
user = users_repo.upsert_by_sub(
authentik_sub=principal.sub,
user_sub=principal.sub,
username=principal.preferred_username,
email=principal.email,
display_name=principal.name or principal.preferred_username,
is_active=True,
)
permissions = perms_repo.list_by_user(user.id, user.authentik_sub)
return PermissionService.build_snapshot(authentik_sub=principal.sub, permissions=permissions)
permissions = perms_repo.list_by_user(user.id, user.user_sub)
return PermissionService.build_snapshot(user_sub=principal.sub, permissions=permissions)
except SQLAlchemyError:
return PermissionSnapshotResponse(authentik_sub=principal.sub, permissions=[])
return PermissionSnapshotResponse(user_sub=principal.sub, permissions=[])