viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

t3code: dispatch — strip @domain from X-authentik-username (Authentik injects email)

Browse source 
Authentik injects the full email (e.g. vbarzin@gmail.com), but /etc/ttyd-user-map
and dispatch.json key on the local part (vbarzin), so every real login hit
403 'no instance provisioned'. Strip @domain before lookup, matching the
terminal stack's tmux-attach.sh. Verified: vbarzin@gmail.com / emil.barzin@gmail.com
-> 302 (own instance); unmapped/no-header -> 403.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-02 08:15:24 +00:00
parent b651f137b9
commit d27df1f321
1 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
scripts/t3-dispatch/main.go
View file

@ -16,6 +16,7 @@ import (
"net/url"
"os"
"os/exec"
"strings"
"sync"
"time"
)
@ -99,6 +100,12 @@ func autoPair(e entry, w http.ResponseWriter, r *http.Request) {
func handler(w http.ResponseWriter, r *http.Request) {
ak := r.Header.Get("X-authentik-username")
// Authentik injects the full email (e.g. vbarzin@gmail.com); /etc/ttyd-user-map
// (and thus dispatch.json) keys on the local part. Strip @domain, matching the
// terminal stack's tmux-attach.sh (`${auth_user%%@*}`).
if i := strings.IndexByte(ak, '@'); i >= 0 {
ak = ak[:i]
}
e, ok := lookup(ak)
if !ok {
http.Error(w, "no t3 instance provisioned for this user", http.StatusForbidden)