
@emsearcy

Description

This PR fixes the Heimdall principal claims pattern for client IDs to match the Auth0 convention.

Changes

  • Constants: Renamed MachineUserPrefix to MachineUserSuffix and changed value from "clients@" to "@clients"
  • Machine User Detection: Updated logic to use strings.HasSuffix instead of strings.HasPrefix
  • Authentication Repository: Modified machine user detection in both main logic and helper method
  • Tests: Updated test cases to use the correct suffix pattern ("test-machine@clients")
  • Documentation: Updated README to reflect suffix-based machine user identification

Background

While working on the mock data loader and v1 meetings, it was discovered that the PoC implementation had reversed the {client_id}@clients pattern used by Auth0. This change corrects the pattern to align with Auth0's expected format across the indexer service.

Files Modified

  • pkg/constants/auth.go - Updated constant name and value
  • internal/infrastructure/auth/auth_repository.go - Updated detection logic
  • internal/infrastructure/auth/auth_repository_test.go - Updated test cases
  • README.md - Updated documentation

Testing

All existing tests continue to pass with the updated logic.

Related Issues

  • Related to LFXV2-922: Review & fix local Heimdall principal claims

Change the client ID pattern from 'clients@{client_id}' to '{client_id}@Clients'
to match the Auth0 convention used in the platform.

- Renamed MachineUserPrefix to MachineUserSuffix constant for accuracy
- Updated machine user detection logic to use HasSuffix instead of HasPrefix
- Fixed test cases to use the correct suffix pattern
- Updated README documentation to reflect suffix identification

Related: LFXV2-922

🤖 Generated with [GitHub Copilot](https://github.com/features/copilot) (via Zed)

Signed-off-by: Eric Searcy <[email protected]>
@emsearcy emsearcy requested a review from a team as a code owner December 18, 2025 22:55
Copilot AI review requested due to automatic review settings December 18, 2025 22:55
@coderabbitai

coderabbitai bot commented Dec 18, 2025

Walkthrough

This change switches machine user detection from prefix-based identification (clients@) to suffix-based identification (@clients) across the authentication system. The constant is renamed and all related logic, tests, and documentation are updated to reflect this pattern change.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Constants Update (pkg/constants/auth.go) | Renamed public constant MachineUserPrefix to MachineUserSuffix with value changed from "clients@" to "@clients". |
| Authentication Implementation (internal/infrastructure/auth/auth_repository.go) | Updated machine user detection logic to use HasSuffix with MachineUserSuffix instead of HasPrefix with MachineUserPrefix; updated log field names accordingly. |
| Authentication Tests (internal/infrastructure/auth/auth_repository_test.go) | Updated test case for isMachineUser to construct input using suffix pattern ("test-machine" + MachineUserSuffix) instead of prefix pattern. |
| Documentation (README.md) | Updated description of machine user detection from prefix-based to suffix-based identification. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • The changes are homogeneous across files—consistent application of the same refactoring pattern (prefix → suffix)
  • No complex logic, control flow modifications, or new functionality introduced
  • Straightforward constant rename propagated through implementation and tests

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: fixing the Heimdall principal claims pattern from prefix to suffix format to match Auth0 conventions. |
| Description check | ✅ Passed | The description is comprehensive and directly related to the changeset, explaining the context, changes made, and background for the pattern correction. |
| Linked Issues check | ✅ Passed | The PR fully addresses LFXV2-922 requirements: it identifies and corrects the reversed pattern, updates detection logic to use suffix-based matching, and adjusts constants and tests accordingly. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to fixing the Heimdall principal claims pattern as specified in LFXV2-922; no out-of-scope modifications detected. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

📜 Recent review details


📥 Commits

Reviewing files that changed from the base of the PR and between ace4782 and b12ba86.

📒 Files selected for processing (4)
  • README.md (1 hunks)
  • internal/infrastructure/auth/auth_repository.go (2 hunks)
  • internal/infrastructure/auth/auth_repository_test.go (1 hunks)
  • pkg/constants/auth.go (1 hunks)
🧰 Additional context used
📓 Path-based instructions (3)
**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.go: Run golangci-lint before committing code
Run fmt, vet, lint, and test together before committing

Files:

  • internal/infrastructure/auth/auth_repository_test.go
  • internal/infrastructure/auth/auth_repository.go
  • pkg/constants/auth.go
**/*_test.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*_test.go: Run all tests with race detection and coverage
Mock external dependencies using interfaces in internal/mocks/
Include race detection in all test runs

Files:

  • internal/infrastructure/auth/auth_repository_test.go
internal/infrastructure/auth/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

V2 authentication: JWT tokens via Authorization header validated against Heimdall service

Files:

  • internal/infrastructure/auth/auth_repository_test.go
  • internal/infrastructure/auth/auth_repository.go
🧬 Code graph analysis (2)
internal/infrastructure/auth/auth_repository_test.go (1)
pkg/constants/auth.go (1)
  • MachineUserSuffix (17-17)
internal/infrastructure/auth/auth_repository.go (1)
pkg/constants/auth.go (1)
  • MachineUserSuffix (17-17)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Agent
  • GitHub Check: MegaLinter
🔇 Additional comments (5)
README.md (1)

716-716: LGTM! Documentation accurately reflects the suffix-based pattern.

The documentation update correctly describes the machine user detection pattern change.

internal/infrastructure/auth/auth_repository.go (2)

176-182: LGTM! Machine user detection correctly updated to suffix-based pattern.

The changes properly:

  • Use strings.HasSuffix instead of HasPrefix for suffix detection
  • Reference the updated constants.MachineUserSuffix constant
  • Update the log field name to machine_user_suffix for consistency

493-495: LGTM! Helper function correctly updated for suffix-based detection.

The isMachineUser helper function now correctly uses strings.HasSuffix with constants.MachineUserSuffix to identify machine users with the @clients suffix pattern.

internal/infrastructure/auth/auth_repository_test.go (1)

460-476: LGTM! Test correctly updated for suffix-based machine user detection.

The test now properly constructs the machine user principal using the suffix pattern ("test-machine" + constants.MachineUserSuffix), which correctly produces "test-machine@clients". The test coverage includes:

  • Machine user with suffix (line 462) ✓
  • Regular user without suffix (line 466) ✓
  • Email user (line 470) ✓
  • Empty principal (line 474) ✓

pkg/constants/auth.go (1)

17-17: Constant rename verification complete — no stray references found.

The searches confirm all usages of the old constant name MachineUserPrefix and the old pattern value "clients@" have been properly updated throughout the codebase. The rename from MachineUserPrefix to MachineUserSuffix and value change from "clients@" to "@clients" is correctly implemented across all files.



Copilot AI left a comment


Pull request overview

This PR corrects the Heimdall principal claims pattern for machine users from a prefix-based approach (clients@{client_id}) to a suffix-based approach ({client_id}@clients) to align with Auth0's standard convention.

  • Renamed constant from MachineUserPrefix to MachineUserSuffix with updated value "@clients"
  • Updated detection logic throughout the codebase to use HasSuffix instead of HasPrefix
  • Modified tests to reflect the corrected pattern

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| pkg/constants/auth.go | Renamed constant and changed value from "clients@" to "@clients" |
| internal/infrastructure/auth/auth_repository.go | Updated machine user detection to use suffix-based pattern matching and updated log field names |
| internal/infrastructure/auth/auth_repository_test.go | Updated test case to use correct suffix pattern with the renamed constant |
| README.md | Updated documentation to reflect suffix-based machine user identification |


Comment on lines +176 to +181
if strings.HasSuffix(principal, constants.MachineUserSuffix) {
isMachineUser = true
r.logger.Info("Machine user detected in authorization header",
"auth_id", authID,
"principal", r.safePrincipalLog(principal),
"machine_user_prefix", constants.MachineUserPrefix)
"machine_user_suffix", constants.MachineUserSuffix)
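Review bot: the `strings.HasSuffix(principal, constants.MachineUserSuffix)` check on the first line of the hunk also accepts a principal that is exactly `@clients`, that is, a token whose client ID is empty, and would then log it and set `isMachineUser = true` for a principal that identifies no client at all. Suggest guarding the match with a length check, for example `len(principal) > len(constants.MachineUserSuffix) && strings.HasSuffix(principal, constants.MachineUserSuffix)`, so that only a non-empty `{client_id}` in front of the suffix is treated as a machine user; the same guard belongs in the `isMachineUser` helper this hunk's log line sits next to.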

Copilot AI Dec 18, 2025


With the change to suffix-based machine user detection, machine user principals now follow the pattern {client_id}@clients. However, the safePrincipalLog function treats any string containing @ as an email address and redacts it to {prefix}@***. This means machine user principals will be logged as {client_id}@*** instead of showing the full identifier.

Consider updating the safePrincipalLog function to check if a principal is a machine user (using isMachineUser()) before applying email redaction logic, since machine user identifiers are not personal information and should be logged in full for debugging purposes.

t.Run("isMachineUser", func(t *testing.T) {
// Test machine user
result := repo.isMachineUser(constants.MachineUserPrefix + "test-machine")
result := repo.isMachineUser("test-machine" + constants.MachineUserSuffix)
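Review bot: the updated assertion on the last line of the hunk only exercises the accepted `{client_id}@clients` form, so the test would still pass if someone reverted the detection to the old prefix check and updated the constant alone. Suggest adding a negative case for the reversed form, `repo.isMachineUser("clients@test-machine")` expected `false`, so the regression this PR fixes is pinned down, and a boundary case for a bare `constants.MachineUserSuffix` (empty client ID) whose expected result matches whatever guard the implementation applies.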

Copilot AI Dec 18, 2025


The test updates correctly verify the machine user detection logic, but there's missing test coverage for how safePrincipalLog handles machine user principals with the new @clients suffix pattern.

Since machine users now end with @clients, they will be treated as email addresses by safePrincipalLog and redacted. Consider adding a test case in the safePrincipalLog test suite to verify the expected behavior when logging machine user principals (e.g., whether they should be redacted or logged in full).

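To make the two review points above concrete (suffix-based machine user detection as described in the PR, and the interaction with a log redaction helper that treats anything containing `@` as an email address), here is an added, self-contained Go example. It is not code from the PR or the indexer repository: `IsMachineUser` mirrors the `strings.HasSuffix` check the PR introduces and adds a length guard that the PR does not have, and `SafePrincipalLog` is a hypothetical reconstruction of the behaviour the review comment describes, with machine users exempted from masking. The sample principals are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// MachineUserSuffix mirrors the constant the PR introduces: Auth0 issues
// machine-to-machine principals in the form "{client_id}@clients".
const MachineUserSuffix = "@clients"

// IsMachineUser reports whether a principal is an Auth0 client credential.
// It uses the suffix match from the PR and additionally rejects a principal
// that is nothing but the suffix (an empty client ID). The length guard is
// an addition of this example, not part of the PR.
func IsMachineUser(principal string) bool {
	return len(principal) > len(MachineUserSuffix) &&
		strings.HasSuffix(principal, MachineUserSuffix)
}

// SafePrincipalLog returns a log-safe rendering of a principal. Machine user
// identifiers carry no personal data and are returned unchanged; any other
// principal containing "@" is treated as an email address and its domain
// is replaced by "***", which is the "{prefix}@***" shape the review
// comment describes. This is a hypothetical stand-in for the repository's
// own safePrincipalLog, which is not shown on the PR page.
func SafePrincipalLog(principal string) string {
	if IsMachineUser(principal) {
		return principal
	}
	if at := strings.Index(principal, "@"); at >= 0 {
		return principal[:at] + "@***"
	}
	return principal
}

func main() {
	// Constructed sample principals covering the cases the review raises.
	samples := []string{
		"test-machine@clients", // machine user in the corrected suffix form
		"clients@test-machine", // old reversed prefix form: not a machine user
		"@clients",             // empty client ID: rejected by the length guard
		"alice@example.org",    // human user: domain masked before logging
		"svc-account",          // no "@": logged as-is
	}
	for _, p := range samples {
		fmt.Printf("%-22s machine=%-5t log=%s\n", p, IsMachineUser(p), SafePrincipalLog(p))
	}
}
```

Running the block prints one line per sample; the middle column shows that only `test-machine@clients` is classified as a machine user, and the last column shows it is the only `@`-bearing principal that reaches the log unmasked.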