Problem
The authorization check in app.py compares current_user != app_owner using exact string matching. Email addresses are case-insensitive (RFC 5321), but Databricks SSO may return different casing in X-Forwarded-Email than what's stored as the app owner.
For example, RC.Guan@databricks.com from SSO doesn't match rc.guan@databricks.com stored in the app description, causing a 403 for the rightful owner.
Affected code
app.py:check_authorization() — HTTP auth check
app.py:_check_ws_authorization() — WebSocket auth check
app.py:get_token_owner() — owner resolution (all return paths)
app.py:get_request_user() — request user extraction
Fix
Normalize all emails to .lower() at ingestion points.
PR: #114
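Added example (not the project's code) showing the exact-match check the issue describes beside the normalized version: the request user is lower-cased when read from X-Forwarded-Email, and the owner is lower-cased when resolved, so both sides of the comparison agree. The function names follow the issue; the "owner: <email>" line format for the app description and the dict of headers are assumptions.

```python
# Added example, not the project's app.py. Assumed: headers arrive as a dict
# and the owner is stored as an "owner: <email>" line in the app description.

def normalize_email(email):
    """Lower-case (and strip) an address so comparisons ignore SSO casing."""
    if email is None:
        return None
    return email.strip().lower()


def get_request_user(headers):
    """Extract the SSO user from X-Forwarded-Email, normalized at ingestion."""
    return normalize_email(headers.get("X-Forwarded-Email"))


def get_token_owner(app_description):
    """Resolve the app owner from the description, normalized on every return path."""
    for line in app_description.splitlines():
        if line.lower().startswith("owner:"):
            return normalize_email(line.split(":", 1)[1])
    return None  # no owner configured: caller must treat this as deny


def check_authorization_exact(current_user, app_owner):
    """The check as described in the issue: exact, case-sensitive comparison."""
    return current_user == app_owner


def check_authorization(headers, app_description):
    """Fixed check: both sides normalized; a missing user or owner is denied."""
    current_user = get_request_user(headers)
    app_owner = get_token_owner(app_description)
    if current_user is None or app_owner is None:
        return False
    return current_user == app_owner
```

Normalizing at ingestion (get_request_user and get_token_owner) rather than inside each comparison keeps the HTTP and WebSocket checks from drifting apart later.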