From 71678a4819509adf0e212aed748b452d1416052b Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Sat, 3 Jan 2026 03:11:52 -0300
Subject: [PATCH] fix(portal): persist mailu attributes

---
 backend/atlas_portal/keycloak.py     |  5 +++--
 backend/atlas_portal/provisioning.py | 17 ++++++++++++-----
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/backend/atlas_portal/keycloak.py b/backend/atlas_portal/keycloak.py
index 31a8015..394f81a 100644
--- a/backend/atlas_portal/keycloak.py
+++ b/backend/atlas_portal/keycloak.py
@@ -155,8 +155,9 @@ class KeycloakAdminClient:
         if not isinstance(attrs, dict):
             attrs = {}
         attrs[key] = [value]
-        full["attributes"] = attrs
-        self.update_user(user_id, full)
+        # Keycloak rejects PUTs that include read-only fields from the GET payload (400 Bad Request).
+        # Update only the attributes we intend to change.
+        self.update_user(user_id, {"attributes": attrs})
 
     def get_group_id(self, group_name: str) -> str | None:
         cached = self._group_id_cache.get(group_name)
diff --git a/backend/atlas_portal/provisioning.py b/backend/atlas_portal/provisioning.py
index c44ac3c..5bdfcfa 100644
--- a/backend/atlas_portal/provisioning.py
+++ b/backend/atlas_portal/provisioning.py
@@ -129,13 +129,20 @@ def provision_access_request(request_code: str) -> ProvisionResult:
             try:
                 full = admin_client().get_user(user_id)
                 attrs = full.get("attributes") or {}
+                mailu_from_attr: str | None = None
                 if isinstance(attrs, dict):
                     raw_mailu = attrs.get(MAILU_EMAIL_ATTR)
-                    if isinstance(raw_mailu, list) and raw_mailu and isinstance(raw_mailu[0], str):
-                        mailu_email = raw_mailu[0]
-                    elif isinstance(raw_mailu, str) and raw_mailu:
-                        mailu_email = raw_mailu
-                if not mailu_email:
+                    if isinstance(raw_mailu, list):
+                        for item in raw_mailu:
+                            if isinstance(item, str) and item.strip():
+                                mailu_from_attr = item.strip()
+                                break
+                    elif isinstance(raw_mailu, str) and raw_mailu.strip():
+                        mailu_from_attr = raw_mailu.strip()
+
+                if mailu_from_attr:
+                    mailu_email = mailu_from_attr
+                else:
                     mailu_email = f"{username}@{settings.MAILU_DOMAIN}"
                     admin_client().set_user_attribute(username, MAILU_EMAIL_ATTR, mailu_email)
             except Exception: