fix(auth): source AuthUser.id from Kratos external_id, add identityId

AuthUser.id is now always public.users.id (the Kratos identity's
external_id) rather than the Kratos identity id, and a new identityId
field carries the Kratos id for admin/Kratos operations. This fixes
PostHog identify, tRPC telemetry, and team resolution, which all expect
public.users.id.

- identity.ts mappers require external_id (no silent fallback to the
  Kratos id) and set identityId.
- getAuthContext refuses a session whose identity has no external_id; the
  edge gate (isKratosSessionActive) rejects it too, so the user is routed
  to /sign-in instead of looping, where a fresh login re-runs bootstrap
  and backfills external_id.
- Drop the updateUser override that re-stamped the Kratos id over id.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Author: ben-fornefeld

src/core/modules/auth/models.ts

@@ -1,5 +1,8 @@
 export type AuthUser = {
+  // public.users.id, sourced from the Kratos identity's external_id.
   id: string
+  // Ory Kratos identity id (the OAuth2 subject); used for Kratos/admin ops.
+  identityId: string
   email: string | null
   name: string | null
   avatarUrl: string | null

src/core/server/auth/ory/identity.ts

@@ -5,8 +5,18 @@ import { z } from 'zod'
 import { l } from '@/core/shared/clients/logger/logger'
 import type { AuthUser } from '../types'
 
-type FromOryIdentityOptions = {
-  userId?: string
+// AuthUser.id is always public.users.id (the identity's external_id), never the
+// Kratos identity id. A provisioned user always has one; getAuthContext refuses
+// sessions without it, so reaching here without an external_id is an invariant
+// violation we fail loudly on rather than mislabel the user.
+function requireExternalId(identity: {
+  id: string
+  external_id?: string | null
+}): string {
+  if (!identity.external_id) {
+    throw new Error(`Ory identity ${identity.id} has no external_id`)
+  }
+  return identity.external_id
 }
 
 export const oryIdentityTraitsSchema = z
@@ -58,6 +68,7 @@ function readPublicPicture(metadataPublic: unknown): string | null {
 // with an admin lookup when those are needed (e.g. the profile query).
 export function fromKratosSessionIdentity(identity: {
   id: string
+  external_id?: string | null
   traits?: unknown
   metadata_public?: unknown
 }): AuthUser {
@@ -66,7 +77,8 @@ export function fromKratosSessionIdentity(identity: {
     source: 'kratos_session',
   })
   return {
-    id: identity.id,
+    id: requireExternalId(identity),
+    identityId: identity.id,
     email: readString(traits, 'email'),
     name: readString(traits, 'name'),
     avatarUrl: readPublicPicture(identity.metadata_public),
@@ -79,10 +91,7 @@ export function fromKratosSessionIdentity(identity: {
 // Rich path: build the user from a full Kratos Identity (traits + credentials).
 // Used wherever we've fetched the identity via the admin API — admin lookups and
 // the live profile query.
-export function fromOryIdentity(
-  identity: Identity,
-  options: FromOryIdentityOptions = {}
-): AuthUser {
+export function fromOryIdentity(identity: Identity): AuthUser {
   const traits = parseOryTraits(identity.traits, {
     identityId: identity.id,
     source: 'admin_identity',
@@ -98,7 +107,8 @@ export function fromOryIdentity(
   const canChangePassword = hasPasswordCredential && !hasOidcCredential
 
   return {
-    id: options.userId ?? identity.id,
+    id: requireExternalId(identity),
+    identityId: identity.id,
     email,
     name,
     avatarUrl,

src/core/server/auth/ory/kratos-session-edge.ts

@@ -5,6 +5,10 @@ import { APP_OWNED_COOKIES } from './session-cookie'
 // reads next/headers and can't run in the edge runtime, so we hit Kratos
 // directly with the request's cookies. This gates redirects only —
 // authoritative enforcement happens server-side in getAuthContext.
+//
+// external_id is required so this gate agrees with getAuthContext: a session
+// without it is half-provisioned and getAuthContext rejects it, so we must too,
+// otherwise the user loops between /sign-in and /dashboard.
 export async function isKratosSessionActive(
   request: NextRequest
 ): Promise<boolean> {
@@ -22,8 +26,11 @@ export async function isKratosSessionActive(
       { headers: { cookie, accept: 'application/json' } }
     )
     if (!response.ok) return false
-    const session = (await response.json()) as { active?: boolean }
-    return session.active === true
+    const session = (await response.json()) as {
+      active?: boolean
+      identity?: { external_id?: string | null }
+    }
+    return session.active === true && !!session.identity?.external_id
   } catch {
     return false
   }

src/core/server/auth/ory/session.ts

@@ -46,6 +46,22 @@ export async function getAuthContext(): Promise<AuthContext | null> {
   const kratos = await readKratosSession()
   if (!kratos?.active || !kratos.identity) return null
 
+  // public.users.id lives only on the Kratos identity's external_id. Without it
+  // the dashboard can't key the user to its own records (PostHog, telemetry,
+  // team membership), so we refuse the half-provisioned session. The edge gate
+  // (isKratosSessionActive) rejects it too, so the user is routed to /sign-in
+  // where a fresh login re-runs bootstrap and backfills external_id.
+  if (!kratos.identity.external_id) {
+    l.error(
+      {
+        key: 'auth_provider:identity_missing_external_id',
+        context: { identity_id: kratos.identity.id },
+      },
+      'Kratos identity has no external_id; treating the session as unauthenticated'
+    )
+    return null
+  }
+
   const tokens = await readOrySessionTokens()
   if (!tokens?.accessToken) return null
 
@@ -65,7 +81,7 @@ export async function getUserProfile(): Promise<AuthUser | null> {
     includeCredential: ACCOUNT_IDENTITY_CREDENTIALS,
   })
 
-  return identity ? fromOryIdentity(identity, { userId: identityId }) : null
+  return identity ? fromOryIdentity(identity) : null
 }
 
 export async function signOut(
@@ -114,9 +130,7 @@ export async function updateUser(
     password: input.password,
   })
 
-  if (!result.ok) return result
-
-  return { ...result, user: { ...result.user, id: identityId } }
+  return result
 }
 
 export async function startReauthForAccountSettings(): Promise<ReauthDispatch> {

tests/integration/auth-ory-account-security.test.ts

@@ -87,6 +87,7 @@ function kratosSession({
     authenticated_at: authenticatedAt,
     identity: {
       id: identityId,
+      external_id: 'e2b-user-id',
       traits: { email: 'ada@example.test', name: 'Ada' },
     },
   }
@@ -119,7 +120,8 @@ describe('Ory account security (Kratos session + e2b_session)', () => {
 
     expect(await getAuthContext()).toEqual({
       user: expect.objectContaining({
-        id: 'kratos-uuid',
+        id: 'e2b-user-id',
+        identityId: 'kratos-uuid',
         email: 'ada@example.test',
         name: 'Ada',
       }),
@@ -133,6 +135,17 @@ describe('Ory account security (Kratos session + e2b_session)', () => {
     expect(await getAuthContext()).toBeNull()
   })
 
+  it('returns null when the Kratos identity has no external_id', async () => {
+    getServerSessionMock.mockResolvedValue({
+      id: 'kratos-session-id',
+      active: true,
+      authenticated_at: new Date(),
+      identity: { id: 'kratos-uuid', traits: { email: 'ada@example.test' } },
+    })
+
+    expect(await getAuthContext()).toBeNull()
+  })
+
   it('returns null when the Kratos session is active but no token is present', async () => {
     getServerSessionMock.mockResolvedValue(kratosSession())
     openOrySessionMock.mockResolvedValue(null)
@@ -168,7 +181,10 @@ describe('Ory account security (Kratos session + e2b_session)', () => {
         credentials: { password: { config: { password: 'new-secret' } } },
       }),
     })
-    expect(result).toMatchObject({ ok: true, user: { id: 'kratos-uuid' } })
+    expect(result).toMatchObject({
+      ok: true,
+      user: { id: 'e2b-user-id', identityId: 'kratos-uuid' },
+    })
   })
 
   it('revokes Ory + Kratos sessions and clears e2b_session after a credential change', async () => {

tests/unit/identity-traits.test.ts

@@ -32,16 +32,51 @@ function sessionIdentity(overrides: {
   traits?: unknown
   metadata_public?: unknown
 }) {
-  return { id: 'identity-1', ...overrides }
+  return { id: 'identity-1', external_id: 'e2b-user-1', ...overrides }
 }
 
 function adminIdentity(overrides: {
   traits?: unknown
   metadata_public?: unknown
 }): Identity {
-  return { id: 'identity-1', ...overrides } as Identity
+  return {
+    id: 'identity-1',
+    external_id: 'e2b-user-1',
+    ...overrides,
+  } as Identity
 }
 
+describe('AuthUser id sourcing', () => {
+  it('sets id from external_id and identityId from the Kratos id', () => {
+    const fromSession = fromKratosSessionIdentity(
+      sessionIdentity({ traits: { email: 'jane@e2b.dev' } })
+    )
+    const fromAdmin = fromOryIdentity(
+      adminIdentity({ traits: { email: 'jane@e2b.dev' } })
+    )
+
+    for (const user of [fromSession, fromAdmin]) {
+      expect(user.id).toBe('e2b-user-1')
+      expect(user.identityId).toBe('identity-1')
+    }
+  })
+
+  it('throws when the identity has no external_id', () => {
+    expect(() =>
+      fromKratosSessionIdentity({
+        id: 'identity-1',
+        traits: { email: 'jane@e2b.dev' },
+      })
+    ).toThrow(/external_id/)
+    expect(() =>
+      fromOryIdentity({
+        id: 'identity-1',
+        traits: { email: 'jane@e2b.dev' },
+      } as Identity)
+    ).toThrow(/external_id/)
+  })
+})
+
 describe('parseOryTraits via identity mappers', () => {
   it('accepts valid traits without logging drift', () => {
     const user = fromKratosSessionIdentity(

tests/unit/user-router.test.ts

@@ -26,6 +26,7 @@ const createCaller = createCallerFactory(userRouter)
 
 const authUser = {
   id: 'user-1',
+  identityId: 'identity-1',
   email: 'old@example.test',
   name: 'Ada',
   avatarUrl: null,