From d27df1f321a5012b0cc15216507a93d0bdaff410 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Tue, 2 Jun 2026 08:15:24 +0000 Subject: [PATCH] =?UTF-8?q?t3code:=20dispatch=20=E2=80=94=20strip=20@domai?= =?UTF-8?q?n=20from=20X-authentik-username=20(Authentik=20injects=20email)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Authentik injects the full email (e.g. vbarzin@gmail.com), but /etc/ttyd-user-map and dispatch.json key on the local part (vbarzin), so every real login hit 403 'no instance provisioned'. Strip @domain before lookup, matching the terminal stack's tmux-attach.sh. Verified: vbarzin@gmail.com / emil.barzin@gmail.com -> 302 (own instance); unmapped/no-header -> 403. Co-Authored-By: Claude Opus 4.7 --- scripts/t3-dispatch/main.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/scripts/t3-dispatch/main.go b/scripts/t3-dispatch/main.go index 3a254be4..cebcc119 100644 --- a/scripts/t3-dispatch/main.go +++ b/scripts/t3-dispatch/main.go @@ -16,6 +16,7 @@ import ( "net/url" "os" "os/exec" + "strings" "sync" "time" ) @@ -99,6 +100,12 @@ func autoPair(e entry, w http.ResponseWriter, r *http.Request) { func handler(w http.ResponseWriter, r *http.Request) { ak := r.Header.Get("X-authentik-username") + // Authentik injects the full email (e.g. vbarzin@gmail.com); /etc/ttyd-user-map + // (and thus dispatch.json) keys on the local part. Strip @domain, matching the + // terminal stack's tmux-attach.sh (`${auth_user%%@*}`). + if i := strings.IndexByte(ak, '@'); i >= 0 { + ak = ak[:i] + } e, ok := lookup(ak) if !ok { http.Error(w, "no t3 instance provisioned for this user", http.StatusForbidden)