From 765cfe803f69fb41f3ee47aecc7d209221f401a0 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 12 Jun 2026 21:00:33 +0000
Subject: [PATCH] tripit: tripit-app provider issues sub = user email (hybrid-auth identity fix)

Review of tripit slice #50 caught that the provider's default sub_mode (hashed_user_id) would make Shell JWTs carry a sub that never matches the email-keyed prod user rows - first app login would either 500 in placeholder reconciliation or split the user's identity. sub_mode = user_email makes bearer and forward-auth resolve the same row.

Part of the Android APK work (tripit #50).

Co-Authored-By: Claude Fable 5
---
 stacks/tripit/authentik.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/stacks/tripit/authentik.tf b/stacks/tripit/authentik.tf
index c6aa1a2c..6b2a9921 100644
--- a/stacks/tripit/authentik.tf
+++ b/stacks/tripit/authentik.tf
@@ -51,6 +51,11 @@ resource "authentik_provider_oauth2" "tripit_app" {
 name = "tripit-app"
 client_id = "tripit-app"
 client_type = "public"
+ # sub = the user's EMAIL, not the default hashed_user_id: tripit prod users
+ # are email-keyed (forwardauth provisioned id == email), and the backend's
+ # hybrid bearer arm must resolve the SAME user row, not mint a hash-keyed
+ # twin (review finding, tripit #50).
+ sub_mode = "user_email"
 authorization_flow = data.authentik_flow.default_authorization_implicit_consent.id
 invalidation_flow = data.authentik_flow.default_provider_invalidation.id