fix: Hex encode uid in CSV import

src/main.rs

@@ -20,7 +20,7 @@ async fn main() -> ExitCode {
 #[allow(clippy::print_stderr)]
 async fn run_sync() -> Result<()> {
 	let config = {
-		let config_path = std::env::var("FAMEDLY_LDAP_SYNC_CONFIG").unwrap_or("config.yaml".into());
+		let config_path = std::env::var("FAMEDLY_SYNC_CONFIG").unwrap_or("config.yaml".into());
 		let config_path = Path::new(&config_path);
 		match Config::new(config_path) {
 			Ok(config) => config,

src/sources/csv.rs

@@ -79,7 +79,7 @@ impl CsvData {
 			last_name: csv_data.last_name,
 			phone: if csv_data.phone.is_empty() { None } else { Some(csv_data.phone) },
 			preferred_username: Some(csv_data.email.clone()),
-			external_user_id: csv_data.email,
+			external_user_id: hex::encode(csv_data.email),
 			enabled: true,
 		}
 	}

src/user.rs

@@ -1,6 +1,5 @@
 //! User data helpers
 use anyhow::{anyhow, Context, Result};
-use base64::prelude::{Engine, BASE64_STANDARD};
 use uuid::{uuid, Uuid};
 use zitadel_rust_client::v2::users::HumanUser;
 
@@ -79,25 +78,6 @@ impl User {
 	pub fn get_famedly_uuid(&self) -> Result<String> {
 		Ok(Uuid::new_v5(&FAMEDLY_NAMESPACE, self.get_external_id_bytes()?.as_slice()).to_string())
 	}
-
-	/// Get a base64-encoded external user ID, if the ID is raw bytes,
-	/// or a UTF-8 string if not.
-	///
-	/// Note: This encoding scheme is inherently broken, because it is
-	/// impossible to tell apart base64 encoded strings from
-	/// non-base64 encoded strings. We can therefore never know if the
-	/// ID should be decoded or not when re-parsing it, and it may
-	/// create collisions (although this is unlikely).
-	///
-	/// Only use this for Zitadel support.
-	pub fn get_string_id(&self) -> Result<String> {
-		let id = self.get_external_id_bytes()?;
-		Ok(if let Ok(encoded_id) = String::from_utf8(id.clone()) {
-			encoded_id
-		} else {
-			BASE64_STANDARD.encode(id)
-		})
-	}
 }
 
 impl PartialEq for User {

src/zitadel.rs

@@ -2,6 +2,7 @@
 use std::path::PathBuf;
 
 use anyhow::{anyhow, Context, Result};
+use base64::prelude::{Engine, BASE64_STANDARD};
 use futures::{Stream, StreamExt};
 use serde::Deserialize;
 use url::Url;
@@ -162,7 +163,10 @@ impl Zitadel {
 
 		if self.feature_flags.is_enabled(FeatureFlag::SsoLogin) {
 			user.set_idp_links(vec![IdpLink::new()
-				.with_user_id(imported_user.get_string_id().context("Failed to set IDP user ID")?)
+				.with_user_id(
+					get_string_id(imported_user.get_external_id_bytes()?)
+						.context("Failed to set IDP user ID")?,
+				)
 				.with_idp_id(self.zitadel_config.idp_id.clone())
 				// TODO: Figure out if this is the correct value; empty is not permitted
 				.with_user_name(imported_user.email.clone())]);
@@ -306,6 +310,24 @@ fn search_result_to_user(user: ZitadelUser) -> Result<User> {
 	Ok(user)
 }
 
+/// Get a base64-encoded external user ID, if the ID is raw bytes,
+/// or a UTF-8 string if not.
+///
+/// Note: This encoding scheme is inherently broken, because it is
+/// impossible to tell apart base64 encoded strings from
+/// non-base64 encoded strings. We can therefore never know if the
+/// ID should be decoded or not when re-parsing it, and it may
+/// create collisions (although this is unlikely).
+///
+/// Only use this for Zitadel support.
+pub fn get_string_id(external_id_bytes: Vec<u8>) -> Result<String> {
+	Ok(if let Ok(encoded_id) = String::from_utf8(external_id_bytes.clone()) {
+		encoded_id
+	} else {
+		BASE64_STANDARD.encode(external_id_bytes)
+	})
+}
+
 /// Configuration related to Famedly Zitadel
 #[derive(Debug, Clone, Deserialize, PartialEq)]
 pub struct ZitadelConfig {