fix: allow OAuth2 sign-up on team_members via @request.context rule (#22)
Every first Microsoft login failed with 403 "Only superusers can perform this action": PocketBase applies the collection createRule to the automatic record creation during OAuth2 sign-up, and team_members was created with createRule null (superuser-only) on the wrong assumption that the OAuth2 flow bypasses it. Since the pre-Azure records were deliberately dropped, every user was a first login and nobody could get in. Reproduced locally against a mock OIDC provider (PocketBase v0.30.4). createRule becomes '@request.context = "oauth2"': record creation is allowed exclusively from within the OAuth2 flow. Anonymous REST creates (which could otherwise pre-seed rogue admin profiles) remain rejected — covered by an explicit test. - pb_migrations/1781000002_allow_oauth2_signup.js: applies the rule on already-migrated environments (Labs); idempotent, guarded, with down - pb_migrations/1781000000_team_members_to_auth.js: same rule for fresh environments (filename unchanged — ledger-safe) - scripts/setup-pb-collections.mjs: fallback entry mirrored - docs/auth-spec.md: ADR 009 + files table Verified with a mock-OIDC matrix (9/9): baseline reproduces the 403 on the old rule; upgrade path heals (first login 200, role/enrollment/name defaults, second login no duplicate, anonymous create still rejected); fresh chain + admin allow-list mapping OK. DoD harness regression 15/15, npm test 112/112. Closes #22 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -44,6 +44,7 @@ Browser (SPA) PocketBase (auth) Entra ID
|
||||
| 006 | Baseline-ledger-sync migratie voor out-of-band geprovisionede DB's | Labs/prod draaide historisch zonder `--migrationsDir`; replay van de historie crashte PB (issue #18). De vroegst-sorterende migratie markeert de historie als applied wanneer schema bestaat maar de ledger leeg is |
|
||||
| 007 | Migratie = structuur, hook = configuratie | De OIDC-provider wordt bij elke start (en per cron-minuut) gereconcilieerd vanuit `ENTRA_*` env door `pb_hooks/entra_oidc.pb.js`; een one-shot migratie die van deploy-time env afhangt kan OAuth2 anders permanent uitschakelen |
|
||||
| 008 | Hook-helpers via `require(`${__hooks}/utils.js`)` | De JSVM draait elke hook-callback als geïsoleerd programma; top-level functies zijn níet in scope op call-time |
|
||||
| 009 | `createRule: '@request.context = "oauth2"'` op `team_members` | PocketBase past de createRule toe op de OAuth2-sign-up (eerste login maakt het record aan); `null` blokkeerde élke eerste login met 403 (issue #22). De context-rule staat alléén de OAuth2-flow toe — anonieme REST-creates blijven geweigerd |
|
||||
|
||||
## Bestanden
|
||||
|
||||
@@ -52,6 +53,7 @@ Browser (SPA) PocketBase (auth) Entra ID
|
||||
| `pb_migrations/1000000000_baseline_ledger_sync.js` | Detecteert een out-of-band geprovisionede DB (schema bestaat, `_migrations`-ledger leeg) en markeert de historische migraties als applied, zodat de replay niet crasht (issue #18). |
|
||||
| `pb_migrations/1781000000_team_members_to_auth.js` | Converteert relation-velden naar text (data blijft behouden), dropt de oude PIN-collection en maakt `team_members` als auth-collection. Idempotent; provider wordt alleen als fast-path meegenomen als de env al aanwezig is. |
|
||||
| `pb_migrations/1781000001_tighten_api_rules.js` | Zet alle niet-systeem-collecties op `@request.auth.id != ""`. |
|
||||
| `pb_migrations/1781000002_allow_oauth2_signup.js` | Zet `createRule = '@request.context = "oauth2"'` op reeds-gemigreerde omgevingen (issue #22). |
|
||||
| `pb_hooks/entra_oidc.pb.js` | Reconcilieert de OIDC-provider vanuit `ENTRA_*` env bij elke start + cron-tick (compare-before-save). |
|
||||
| `pb_hooks/utils.js` | Gedeelde helpers (`resolveRole`, `reconcileEntraOidc`) — per callback binnenhalen via `require()`. |
|
||||
| `pb_hooks/team_members.pb.js` | Auto-provisioning (`role`, `enrollment_status`, naam-fallback) + admin-rol re-sync. |
|
||||
|
||||
Reference in New Issue
Block a user