Show welcome page for any user not yet in customers group

Previously, users already in LDAP but not yet activated (e.g. webhook created the user, or lapsed sub) were redirected to the auth-gated dashboard. Now only active customers (in 'customers' group) skip the welcome page — everyone else sees onboarding with password reset. Made-with: Cursor
2026-03-03 17:20:21 -05:00 · 2026-03-03 17:20:21 -05:00 · aa1201560d
parent c7d19ed20d
commit aa1201560d
1 changed files with 29 additions and 29 deletions
--- a/docker/ss-atlas/internal/handlers/subscription.go
+++ b/docker/ss-atlas/internal/handlers/subscription.go
@ -72,41 +72,41 @@ func (a *App) handleSuccess(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// Check if user is already an active customer (resubscribe case)
 	inGroup, _ := a.ldap.IsInGroup(result.Username, "customers")
-	if inGroup {
+
-		// Returning customer: ensure stack exists, go to dashboard
+	if result.IsNew || !inGroup {
-		stackName := fmt.Sprintf("customer-%s", result.Username)
+		// New or lapsed customer: send password setup email, show onboarding.
-		exists, _ := a.swarm.StackExists(stackName)
+		// Group membership and stack deploy happen on /activate after they log in.
-		if !exists {
+		if err := a.triggerPasswordReset(result.Username); err != nil {
-			if err := a.swarm.DeployStack(stackName, result.Username, a.cfg.TraefikDomain); err != nil {
+			log.Printf("authelia reset trigger failed for %s: %v", username, err)
-				log.Printf("resubscribe: stack deploy failed for %s: %v", result.Username, err)
+		}
-			}
+		data := map[string]any{
 			"Username":     result.Username,
 			"IsNew":        result.IsNew,
 			"Email":        email,
 			"LoginURL":     a.cfg.AutheliaURL,
 			"ResetURL":     a.cfg.AutheliaURL + "/#/reset-password/step1",
 			"ActivateURL":  a.cfg.AppURL + "/activate",
 			"DashboardURL": a.cfg.AppURL + "/dashboard",
 			"InstanceURL":  "https://" + result.Username + "." + a.cfg.CustomerDomain,
 		}
 		if err := a.tmpl.ExecuteTemplate(w, "welcome.html", data); err != nil {
 			log.Printf("template error: %v", err)
 			http.Error(w, "internal error", http.StatusInternalServerError)
 		}
 		log.Printf("resubscribe: %s payment verified, redirecting to dashboard", result.Username)
 		http.Redirect(w, r, a.cfg.AppURL+"/dashboard", http.StatusSeeOther)
 		return
 	}
-	// New or lapsed customer: send password setup email, show onboarding.
+	// Returning active customer: ensure stack exists, go to dashboard
-	// Group membership and stack deploy happen on /activate after they set a password.
+	stackName := fmt.Sprintf("customer-%s", result.Username)
-	if err := a.triggerPasswordReset(result.Username); err != nil {
+	exists, _ := a.swarm.StackExists(stackName)
-		log.Printf("authelia reset trigger failed for %s: %v", username, err)
+	if !exists {
-	}
+		if err := a.swarm.DeployStack(stackName, result.Username, a.cfg.TraefikDomain); err != nil {
-	data := map[string]any{
+			log.Printf("resubscribe: stack deploy failed for %s: %v", result.Username, err)
-		"Username":     result.Username,
+		}
 		"IsNew":        true,
 		"Email":        email,
 		"LoginURL":     a.cfg.AutheliaURL,
 		"ResetURL":     a.cfg.AutheliaURL + "/#/reset-password/step1",
 		"ActivateURL":  a.cfg.AppURL + "/activate",
 		"DashboardURL": a.cfg.AppURL + "/dashboard",
 		"InstanceURL":  "https://" + result.Username + "." + a.cfg.CustomerDomain,
 	}
 	if err := a.tmpl.ExecuteTemplate(w, "welcome.html", data); err != nil {
 		log.Printf("template error: %v", err)
 		http.Error(w, "internal error", http.StatusInternalServerError)
 	}
 	log.Printf("resubscribe: %s payment verified, redirecting to dashboard", result.Username)
 	http.Redirect(w, r, a.cfg.AppURL+"/dashboard", http.StatusSeeOther)
 }
 func (a *App) handlePortal(w http.ResponseWriter, r *http.Request) {