The deployed migration crash-looped PocketBase (502 on every /api call)
for two reasons, both verified against a production-like DB locally:
1. team_members is referenced by relation fields (team_member_id) in
micro_learning_completions and theme_session_completions, so
app.delete(team_members) was blocked — and the swallowed error left
the create to fail with "Collection name must be unique". Fix: before
dropping team_members, convert those relation fields to plain text
(consistent with how user_id is stored elsewhere) and rebuild the
theme_session_completions unique index on the text column.
2. An enabled OAuth2 provider with empty clientId/clientSecret fails
validation and aborts the migration. Fix: attach the OIDC provider
only when ENTRA_CLIENT_ID and ENTRA_CLIENT_SECRET are present;
otherwise create the auth collection without a provider.
Verified locally with the muchobien/pocketbase image: boots clean both
without Entra env (provider-less) and with env (auth-methods returns the
Microsoft OIDC provider).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Replaces the client-side PIN login with real authentication against Azure
Entra ID via PocketBase's built-in OAuth2 (OIDC) flow. Every Azure user is
auto-provisioned as a team_member on first login.
- pb_migrations: team_members becomes a PocketBase auth collection (OIDC
provider configured from env); all collections require @request.auth.id
- pb_hooks: provisioning of role (ENTRA_ADMIN_EMAILS allow-list) and
enrollment_status, with admin-role re-sync on every login
- frontend: "Sign in with Microsoft" login, pb.authStore-based session,
TeamManager manages roster/roles (no PIN/manual create)
- infra: Entra env wiring + pb_hooks mount for dev (Labs) and prod
- src/lib/azureAuth.js + tests for the canonical role/allow-list logic
- docs/auth-spec.md
Knowledge base, generated tests and micro-learnings are left untouched.
Existing PIN users are dropped (no migration required, per sign-off).
Closes#16
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>