fix(enterprise): ensure scim usernames are validated (#7925)

2025-07-06 15:41:45 +00:00 · 2023-06-08 17:59:49 -05:00
parent a4cc883be1
commit 30a635aa5f
3 changed files with 53 additions and 4 deletions
--- a/enterprise/coderd/scim.go
+++ b/enterprise/coderd/scim.go
@ -71,10 +71,6 @@ func (api *API) scimGetUsers(rw http.ResponseWriter, r *http.Request) {
 // This is done to always force Okta to try and create the user, this way we
 // don't need to implement fetching users twice.
 //
-// scimGetUsers intentionally always returns no users. This is done to always force
-// Okta to try and create each user individually, this way we don't need to
-// implement fetching users twice.
-//
 // @Summary SCIM 2.0: Get user by ID
 // @ID scim-get-user-by-id
 // @Security CoderSessionToken
@ -156,6 +152,20 @@ func (api *API) scimPostUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// The username is a required property in Coder. We make a best-effort
+	// attempt at using what the claims provide, but if that fails we will
+	// generate a random username.
+	usernameValid := httpapi.NameValid(sUser.UserName)
+	if usernameValid != nil {
+		// If no username is provided, we can default to use the email address.
+		// This will be converted in the from function below, so it's safe
+		// to keep the domain.
+		if sUser.UserName == "" {
+			sUser.UserName = email
+		}
+		sUser.UserName = httpapi.UsernameFrom(sUser.UserName)
+	}
+
 	var organizationID uuid.UUID
 	//nolint:gocritic
 	organizations, err := api.Database.GetOrganizations(dbauthz.AsSystemRestricted(ctx))