Fix Heimdall principal claims pattern for client IDs (LFXV2-922)

README.md

@@ -766,7 +766,7 @@ LOG_LEVEL=debug make run
 - **Heimdall Integration**: All messages validated against JWT service
 - **Multiple Audiences**: Configurable audience validation
 - **Principal Parsing**: Authorization header and X-On-Behalf-Of delegation support
-- **Machine User Detection**: `clients@` prefix identification
+- **Machine User Detection**: `@clients` suffix identification
 
 **Input Validation:**
 

internal/infrastructure/auth/auth_repository.go

@@ -180,12 +180,12 @@ func (r *AuthRepository) ParsePrincipals(ctx context.Context, headers map[string
 			}
 			authorizedPrincipals = append(authorizedPrincipals, principalEntity)
 
-			if strings.HasPrefix(principal, constants.MachineUserPrefix) {
+			if strings.HasSuffix(principal, constants.MachineUserSuffix) {
 				isMachineUser = true
 				r.logger.Info("Machine user detected in authorization header",
 					"auth_id", authID,
 					"principal", r.safePrincipalLog(principal),
-					"machine_user_prefix", constants.MachineUserPrefix)
+					"machine_user_suffix", constants.MachineUserSuffix)
 			}
 
 			r.logger.Debug("Authorization principal parsed successfully",
@@ -486,7 +486,11 @@ func (r *AuthRepository) safePrincipalLog(principal string) string {
 	if principal == "" {
 		return "<empty>"
 	}
-	// Don't log full email addresses for privacy
+	// Machine users are not personal information and should be logged in full for debugging.
+	if r.isMachineUser(principal) {
+		return principal
+	}
+	// Don't log full email addresses for privacy.
 	if strings.Contains(principal, "@") {
 		parts := strings.Split(principal, "@")
 		if len(parts) == 2 {
@@ -498,5 +502,5 @@ func (r *AuthRepository) safePrincipalLog(principal string) string {
 
 // isMachineUser checks if a principal is a machine user
 func (r *AuthRepository) isMachineUser(principal string) bool {
-	return strings.HasPrefix(principal, constants.MachineUserPrefix)
+	return strings.HasSuffix(principal, constants.MachineUserSuffix)
 }

internal/infrastructure/auth/auth_repository_test.go

@@ -452,14 +452,19 @@ func TestAuthRepository_HelperMethods(t *testing.T) {
 		result = repo.safePrincipalLog("user@example.com")
 		assert.Equal(t, "user@***", result)
 
+		// Test machine user principal (should be logged in full)
+		machineUserPrincipal := "test-machine" + constants.MachineUserSuffix
+		result = repo.safePrincipalLog(machineUserPrincipal)
+		assert.Equal(t, machineUserPrincipal, result)
+
 		// Test non-email principal
 		result = repo.safePrincipalLog("machine-user-123")
 		assert.Equal(t, "machine-user-123", result)
 	})
 
 	t.Run("isMachineUser", func(t *testing.T) {
 		// Test machine user
-		result := repo.isMachineUser(constants.MachineUserPrefix + "test-machine")
+		result := repo.isMachineUser("test-machine" + constants.MachineUserSuffix)
 		assert.True(t, result)
 
 		// Test regular user

pkg/constants/auth.go

@@ -14,7 +14,7 @@ const (
 	BearerPrefix = "bearer "
 
 	// Machine user identifier
-	MachineUserPrefix = "clients@"
+	MachineUserSuffix = "@clients"
 
 	// Error messages for authentication
 	ErrInvalidToken          = "invalid token"