From 24fc02ff1f1358d7b6ad46cb5406832b929e7565 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Sat, 3 Jan 2026 21:45:29 -0300
Subject: [PATCH] portal: enforce Keycloak required actions
---
 backend/atlas_portal/provisioning.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/backend/atlas_portal/provisioning.py b/backend/atlas_portal/provisioning.py
index f42018a..b231a07 100644
--- a/backend/atlas_portal/provisioning.py
+++ b/backend/atlas_portal/provisioning.py
@@ -181,12 +181,16 @@ def provision_access_request(request_code: str) -> ProvisionResult:
 email = contact_email.strip()
 if not email:
 raise RuntimeError("missing verified email address")
+ email_is_verified = bool(email_verified_at)
+ required_actions = ["UPDATE_PASSWORD", "CONFIGURE_TOTP"]
+ if not email_is_verified:
+ required_actions.append("VERIFY_EMAIL")
 payload = {
 "username": username,
 "enabled": True,
 "email": email,
- "emailVerified": bool(email_verified_at),
- "requiredActions": ["CONFIGURE_TOTP"],
+ "emailVerified": email_is_verified,
+ "requiredActions": required_actions,
 "attributes": {MAILU_EMAIL_ATTR: [mailu_email]},
 }
 created_id = admin_client().create_user(payload)
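Review bot: The guard just above the added lines still raises `"missing verified email address"`, yet the new branch explicitly accepts an unverified address and creates the account with `"enabled": True`, so email verification now rests entirely on Keycloak honouring `VERIFY_EMAIL` at first login. If the portal is meant to verify the address before provisioning, fail closed with `if not email_is_verified: raise RuntimeError("email address not verified")`; otherwise change the message to `"missing email address"` and add a comment such as `# Unverified addresses are allowed here; Keycloak must enforce VERIFY_EMAIL`. As far as I know a required action that is disabled in the realm is skipped silently, so it is worth confirming that all three aliases are enabled in the target realm. `email_verified_at` is set outside the hunk and the function body continues past it, so I cannot confirm which case applies.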