From b2de05e0a4286bf8a52f8152a42c1ba77e71c5c9 Mon Sep 17 00:00:00 2001
From: Gani Georgiev
Date: Mon, 27 Apr 2026 08:02:07 +0300
Subject: [PATCH] backport sync with v0.37.4

---
 CHANGELOG.md | 5 +++--
 tools/auth/gitlab.go | 20 +++++++++++++-------
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 657dcc88..48148931 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,8 @@
 ## v0.22.42
 
-- (_Backported from v0.37.4_) Adjusted Bitbucket, GitHub and Gitea/Forgejo OAuth2 providers to better reflect recent API updates and doc references.
- _The providers also now always send a sepatate emails list internal request since it contains more information about the fetched email than the userinfo endpoint in order to minimize eventual linking security issues caused by custom onpremise setups (e.g. Gitea/Forgejo allows skipping the emails verification if an ENV variable is configured)._
+- (_Backported from v0.37.4_) Adjusted Bitbucket, GitHub, GitLab and Gitea/Forgejo OAuth2 providers to better reflect recent API updates and doc references.
+ _In case the userinfo data is not sufficient, some of the providers now send a sepatate list emails request in order to minimize eventual linking security issues caused by custom onpremise setups (e.g. Gitea/Forgejo allows skipping the email verification if an ENV variable is configured)._
+
 - (_Backported from v0.37.4_) ⚠️ Fixed a pre-hijacking OAuth2 linking vulnerability ([#7662](https://github.com/pocketbase/pocketbase/discussions/7662)).
 
 
diff --git a/tools/auth/gitlab.go b/tools/auth/gitlab.go
index 09d04b1a..6ed89d3e 100644
--- a/tools/auth/gitlab.go
+++ b/tools/auth/gitlab.go
@@ -4,6 +4,7 @@ import (
 "context"
 "encoding/json"
 "strconv"
+ "time"
 
 "github.com/pocketbase/pocketbase/tools/types"
 "golang.org/x/oauth2"
@@ -34,7 +35,7 @@ func NewGitlabProvider() *Gitlab {
 
 // FetchAuthUser returns an AuthUser instance based the Gitlab's user api.
 //
-// API reference: https://docs.gitlab.com/ee/api/users.html#for-admin
+// API reference: https://docs.gitlab.com/api/users/#retrieve-the-current-user
 func (p *Gitlab) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
 data, err := p.FetchRawUserData(token)
 if err != nil {
@@ -47,11 +48,12 @@ func (p *Gitlab) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
 }
 
 extracted := struct {
- Id int `json:"id"`
- Name string `json:"name"`
- Username string `json:"username"`
- Email string `json:"email"`
- AvatarUrl string `json:"avatar_url"`
+ Id int `json:"id"`
+ Name string `json:"name"`
+ Username string `json:"username"`
+ Email string `json:"email"`
+ AvatarUrl string `json:"avatar_url"`
+ ConfirmedAt string `json:"confirmed_at"`
 }{}
 if err := json.Unmarshal(data, &extracted); err != nil {
 return nil, err
@@ -61,7 +63,6 @@ func (p *Gitlab) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
 Id: strconv.Itoa(extracted.Id),
 Name: extracted.Name,
 Username: extracted.Username,
- Email: extracted.Email,
 AvatarUrl: extracted.AvatarUrl,
 RawUser: rawUser,
 AccessToken: token.AccessToken,
@@ -70,5 +71,10 @@ func (p *Gitlab) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
 
 user.Expiry, _ = types.ParseDateTime(token.Expiry)
 
+ confirmedAt, err := time.Parse(time.RFC3339, extracted.ConfirmedAt)
+ if err == nil && !confirmedAt.IsZero() {
+ user.Email = extracted.Email
+ }
+
 return user, nil
 }
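Review bot: The fail-closed intent of the new email gate in the last hunk is not written down, so a reader of `user.Email = extracted.Email` has to work out that a missing, null or unparsable `confirmed_at` deliberately leaves Email empty; add a comment above the `time.Parse` call such as `// only trust the GitLab email when the account reports a parsable confirmed_at; otherwise Email stays empty so an unconfirmed address cannot be used for linking`. On the same lines, `confirmedAt, err := time.Parse(...)` reuses the function-scoped err from the earlier FetchRawUserData call and leaves it non-nil on the success path; scoping it to the statement, `if confirmedAt, err := time.Parse(time.RFC3339, extracted.ConfirmedAt); err == nil && !confirmedAt.IsZero() {`, keeps the outer err clean. The ConfirmedAt field added in the struct hunk above would benefit from a one-line comment naming the same purpose. FetchAuthUser's body begins outside this hunk.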