From ed1b1eb80fdd3c62728ace875c1af6d188f57d77 Mon Sep 17 00:00:00 2001 From: RaymondVerhoef Date: Wed, 24 Jun 2026 18:23:48 +0200 Subject: [PATCH] fix: don't crash PocketBase when Entra secrets are absent (#16) Configuring an enabled OAuth2 provider with empty clientId/clientSecret fails collection validation, aborting the migration and preventing PocketBase from starting (502 on every /api call). Attach the OIDC provider only when ENTRA_CLIENT_ID and ENTRA_CLIENT_SECRET are present; otherwise create the auth collection without a provider. Co-Authored-By: Claude Opus 4.8 --- .../1781000000_team_members_to_auth.js | 37 ++++++++++++------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/pb_migrations/1781000000_team_members_to_auth.js b/pb_migrations/1781000000_team_members_to_auth.js index 7283571..777d749 100644 --- a/pb_migrations/1781000000_team_members_to_auth.js +++ b/pb_migrations/1781000000_team_members_to_auth.js @@ -28,6 +28,28 @@ migrate((app) => { } const tenant = $os.getenv("ENTRA_TENANT_ID") || "common"; + const clientId = $os.getenv("ENTRA_CLIENT_ID"); + const clientSecret = $os.getenv("ENTRA_CLIENT_SECRET"); + + // Only configure the OIDC provider when credentials are actually present. + // PocketBase rejects an enabled OAuth2 provider with an empty clientId / + // clientSecret, which would abort this migration and prevent PocketBase from + // starting at all (502 on every /api call). When the secrets are absent the + // collection is created without a provider; once the ENTRA_* secrets are set, + // configure the provider via the PocketBase admin UI + // (Settings → Auth providers → OIDC) or re-apply this migration. + const oidcProviders = (clientId && clientSecret) ? [ + { + name: "oidc", + clientId: clientId, + clientSecret: clientSecret, + authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize", + tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token", + userInfoURL: "https://graph.microsoft.com/oidc/userinfo", + displayName: "Microsoft", + pkce: true, + }, + ] : []; // 2. Recreate `team_members` as an auth collection (same name → all existing // `user_id` references in test_results, on_demand_attempts, @@ -56,7 +78,7 @@ migrate((app) => { mfa: { enabled: false, duration: 600, rule: "" }, oauth2: { - enabled: true, + enabled: oidcProviders.length > 0, // Map the OIDC userinfo claims onto our fields. mappedFields: { id: "", @@ -64,18 +86,7 @@ migrate((app) => { username: "", avatarURL: "", }, - providers: [ - { - name: "oidc", - clientId: $os.getenv("ENTRA_CLIENT_ID"), - clientSecret: $os.getenv("ENTRA_CLIENT_SECRET"), - authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize", - tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token", - userInfoURL: "https://graph.microsoft.com/oidc/userinfo", - displayName: "Microsoft", - pkce: true, - }, - ], + providers: oidcProviders, }, fields: [