fix legacy email identity backfill grants

backend/internal/service/auth_service.go

@@ -796,7 +796,7 @@ func (s *AuthService) backfillEmailIdentityOnSuccessfulLogin(ctx context.Context
 	if s == nil || user == nil || user.ID <= 0 {
 		return
 	}
-	identity, created := s.ensureEmailAuthIdentity(ctx, user)
+	identity, created := s.ensureEmailAuthIdentity(ctx, user, "auth_service_login_backfill")
 	if s.shouldApplyEmailFirstBindDefaults(ctx, user.ID, identity, created) {
 		if err := s.ApplyProviderDefaultSettingsOnFirstBind(ctx, user.ID, "email"); err != nil {
 			logger.LegacyPrintf("service.auth", "[Auth] Failed to apply email first bind defaults: user_id=%d err=%v", user.ID, err)
@@ -810,13 +810,17 @@ func (s *AuthService) shouldApplyEmailFirstBindDefaults(
 	identity *dbent.AuthIdentity,
 	created bool,
 ) bool {
+	source := emailAuthIdentitySource(identity.Metadata)
+	if source == "auth_service_login_backfill" {
+		return false
+	}
 	if created {
 		return true
 	}
 	if s == nil || s.entClient == nil || userID <= 0 || identity == nil || identity.UserID != userID {
 		return false
 	}
-	if emailAuthIdentitySource(identity.Metadata) != "auth_service_dual_write" {
+	if source != "auth_service_dual_write" {
 		return false
 	}
 
@@ -863,7 +867,7 @@ func (s *AuthService) hasProviderGrantRecord(
 	return rows.Next(), rows.Err()
 }
 
-func (s *AuthService) ensureEmailAuthIdentity(ctx context.Context, user *User) (*dbent.AuthIdentity, bool) {
+func (s *AuthService) ensureEmailAuthIdentity(ctx context.Context, user *User, source string) (*dbent.AuthIdentity, bool) {
 	if s == nil || s.entClient == nil || user == nil || user.ID <= 0 {
 		return nil, false
 	}
@@ -872,6 +876,9 @@ func (s *AuthService) ensureEmailAuthIdentity(ctx context.Context, user *User) (
 	if email == "" || isReservedEmail(email) {
 		return nil, false
 	}
+	if strings.TrimSpace(source) == "" {
+		source = "auth_service_dual_write"
+	}
 
 	client := s.entClient
 	if tx := dbent.TxFromContext(ctx); tx != nil {
@@ -900,7 +907,7 @@ func (s *AuthService) ensureEmailAuthIdentity(ctx context.Context, user *User) (
 			SetProviderSubject(email).
 			SetVerifiedAt(time.Now().UTC()).
 			SetMetadata(map[string]any{
-				"source": "auth_service_dual_write",
+				"source": strings.TrimSpace(source),
 			}).
 			OnConflictColumns(
 				authidentity.FieldProviderType,