[Bug] New misconfigured Api User is created when a user changes their own email
Description
When a user edits their own email to change it, the app creates a new Api User with their old email address. This Api User does not have a corresponding Okta user. This can be problematic if someone wants to add a user with the old email address because they'll get an error that the user already exists. This caused a support request that required manual intervention from engineering to "create" the new user. It also means we're storing invalid users.
Steps to reproduce
How I reproduced in dev4
- Used a temp email tool to generate a new email [email protected].
- Logged in as myself to create a new user with admin permissions with the temp email.
- Used the temp email to log in and activate an account.
- Verified I could see this email in the ApiUser table and that we had an Okta account with the email.
- As the new admin, updated my email to be [email protected].
- Saw an error toast (I think this may only happen if the oktaMigrationEnabled flag is true).
- Verified the existing Api User was updated in the table with the new email and the Okta account also had the new email.
- Saw in Metabase a new Api User was created with the old email (see screenshot with created and updated timestamps).
Expected behavior
When a user updates their email, we shouldn't create any additional Api Users.
Additional context
Reviewing logs for the support issue shows that we are hitting this line: https://github.com/CDCgov/prime-simplereport/blob/95185496cc9aea242fa28a5920d8ae619a2a080f/backend/src/main/java/gov/cdc/usds/simplereport/service/ApiUserService.java#L553 My guess is that when the user updates their email, some cached context with their identity also needs to be updated; otherwise the app will create a new user for the old email still stored in the context.
Additional context for prioritization: This bug was discovered as a part of investigating an issue raised by support and is something that causes a headache when it happens.