featuer change for calendar

backend/src/controllers/auth.controller.ts

@@ -91,6 +91,14 @@ class AuthController {
         await userService.updateLastLogin(user.id);
         await userService.updateGroups(user.id, groups);
 
+        // Refresh profile fields from Authentik on every login
+        await userService.updateUser(user.id, {
+          name:               userInfo.name,
+          given_name:         userInfo.given_name,
+          family_name:        userInfo.family_name,
+          preferred_username: userInfo.preferred_username,
+        });
+
         // Audit: returning user login
         auditService.logAudit({
           user_id:       user.id,
@@ -160,10 +168,10 @@ class AuthController {
           user: {
             id:                user.id,
             email:             user.email,
-            name:              user.name,
-            preferredUsername: user.preferred_username,
-            givenName:         user.given_name,
-            familyName:        user.family_name,
+            name:              userInfo.name              || user.name,
+            preferredUsername: userInfo.preferred_username || user.preferred_username,
+            givenName:         userInfo.given_name         || user.given_name,
+            familyName:        userInfo.family_name        || user.family_name,
             profilePictureUrl: user.profile_picture_url,
             isActive:          user.is_active,
             groups,

backend/src/services/events.service.ts

@@ -437,15 +437,6 @@ class EventsService {
   /**
    * Generates an iCal feed for a given token.
    *
-   * NOTE — Group visibility limitation:
-   *   Groups are issued by Authentik and embedded only in the short-lived JWT.
-   *   They are NOT persisted in the database.  For token-based iCal access we
-   *   therefore cannot look up which Authentik groups a user belongs to.
-   *   As a safe fallback this export includes only events where alle_gruppen=TRUE
-   *   (i.e. events intended for everyone).  Authenticated users who request the
-   *   .ics directly via Bearer token already get group-filtered results through
-   *   the normal API endpoints.
-   *
    * Returns null if the token is invalid.
    */
   async getIcalExport(token: string): Promise<string | null> {
@@ -460,14 +451,24 @@ class EventsService {
 
     if (tokenResult.rows.length === 0) return null;
 
-    // Fetch public events: all future events + those that ended in the last 30 days
-    // Only alle_gruppen=TRUE events — see NOTE above about group limitation
+    const userId = tokenResult.rows[0].user_id;
+
+    // Look up user's Authentik groups from DB for group-filtered event visibility
+    const userResult = await pool.query(
+      `SELECT authentik_groups FROM users WHERE id = $1`,
+      [userId]
+    );
+    const userGroups: string[] = userResult.rows[0]?.authentik_groups ?? [];
+
+    // Fetch events visible to this user: public events (alle_gruppen=TRUE) or events
+    // targeting the user's Authentik groups. Includes upcoming events + last 30 days.
     const eventsResult = await pool.query(
       `SELECT v.id, v.titel, v.beschreibung, v.ort, v.datum_von, v.datum_bis, v.ganztaegig, v.abgesagt
        FROM veranstaltungen v
-       WHERE v.alle_gruppen = TRUE
+       WHERE (v.alle_gruppen = TRUE OR v.zielgruppen && $1::text[])
          AND v.datum_bis >= NOW() - INTERVAL '30 days'
-       ORDER BY v.datum_von ASC`
+       ORDER BY v.datum_von ASC`,
+      [userGroups]
     );
 
     const now = new Date();