nextcloud-mail-sync: harden keycloak fetch

services/nextcloud-mail-sync/cronjob.yaml

@@ -57,7 +57,7 @@ spec:
                 - -c
               env:
                 - name: KC_BASE
-                  value: https://sso.bstein.dev
+                  value: http://keycloak.sso.svc.cluster.local
                 - name: KC_REALM
                   value: atlas
                 - name: MAILU_DOMAIN

services/nextcloud-mail-sync/scripts/nextcloud-mail-sync.sh

@@ -81,7 +81,7 @@ list_mail_accounts() {
 }
 
 token=$(
-  curl -s -d "grant_type=password" \
+  curl -fsS -d "grant_type=password" \
     -d "client_id=admin-cli" \
     -d "username=${KC_ADMIN_USER}" \
     -d "password=${KC_ADMIN_PASS}" \
@@ -95,13 +95,17 @@ fi
 
 cd /var/www/html
 
-kc_users_url="${KC_BASE}/admin/realms/${KC_REALM}/users?max=2000"
+kc_users_url="${KC_BASE}/admin/realms/${KC_REALM}/users?max=2000&briefRepresentation=false"
 if [[ -n "${ONLY_USERNAME}" ]]; then
   username_q=$(jq -nr --arg v "${ONLY_USERNAME}" '$v|@uri')
-  kc_users_url="${KC_BASE}/admin/realms/${KC_REALM}/users?username=${username_q}&exact=true&max=1"
+  kc_users_url="${KC_BASE}/admin/realms/${KC_REALM}/users?username=${username_q}&exact=true&max=1&briefRepresentation=false"
 fi
 
-users=$(curl -s -H "Authorization: Bearer ${token}" "${kc_users_url}")
+users=$(curl -fsS -H "Authorization: Bearer ${token}" "${kc_users_url}")
+if ! jq -e 'type == "array"' >/dev/null 2>&1 <<<"${users}"; then
+  echo "ERROR: Keycloak user list is not an array; aborting sync" >&2
+  exit 1
+fi
 
 kc_set_user_mail_meta() {
   local user_id="${1}"