From ace409cf79ca8b96ee07a09863509b83f9b598ba Mon Sep 17 00:00:00 2001
From: Rishab Sidhu <rishab.sidhu@intercom.io>
Date: Mon, 13 Apr 2026 17:12:34 +0100
Subject: [PATCH] Fix script tag validation when both user_id and email are JWT
 signed fields

When both user_id and email are configured as signed_user_fields, they are
deleted from user_details during JWT promotion. The valid? check then finds
neither field and silently suppresses the script tag. Fix by capturing
identity presence before the fields are moved to the JWT payload.

Related to intercom/intercom#430057

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 lib/intercom-rails/script_tag.rb |  4 +++-
 spec/script_tag_spec.rb          | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/lib/intercom-rails/script_tag.rb b/lib/intercom-rails/script_tag.rb
index 3f368af..70fcecd 100644
--- a/lib/intercom-rails/script_tag.rb
+++ b/lib/intercom-rails/script_tag.rb
@@ -54,7 +54,7 @@ def valid?
       return false if user_details[:excluded_user] == true
       valid = user_details[:app_id].present?
       unless @show_everywhere
-        valid = valid && (user_details[:user_id] || user_details[:email]).present?
+        valid = valid && @has_identity
       end
       if nonce
         valid = valid && valid_nonce?
@@ -146,6 +146,8 @@ def user_details=(user_details)
       @user_details = @user_details.with_indifferent_access.tap do |u|
         [:email, :name, :user_id].each { |k| u.delete(k) if u[k].nil? }
 
+        @has_identity = (u[:user_id] || u[:email]).present?
+
         if secret.present?
           if jwt_enabled && u[:user_id].present?
             u[:intercom_user_jwt] ||= generate_jwt
diff --git a/spec/script_tag_spec.rb b/spec/script_tag_spec.rb
index 2f385eb..8287728 100644
--- a/spec/script_tag_spec.rb
+++ b/spec/script_tag_spec.rb
@@ -443,6 +443,22 @@ def user
         expect(decoded_payload['name']).to be_nil
       end
     
+      it 'remains valid when both user_id and email are signed fields' do
+        IntercomRails.config.jwt.signed_user_fields = [:user_id, :email]
+        script_tag = ScriptTag.new(
+          user_details: {
+            user_id: '1234',
+            email: 'test@example.com'
+          },
+          jwt_enabled: true
+        )
+
+        expect(script_tag).to be_valid
+        expect(script_tag.intercom_settings[:intercom_user_jwt]).to be_present
+        expect(script_tag.intercom_settings[:user_id]).to be_nil
+        expect(script_tag.intercom_settings[:email]).to be_nil
+      end
+
       it 'respects empty signed_user_fields configuration' do
         IntercomRails.config.jwt.signed_user_fields = []
         script_tag = ScriptTag.new(