Commit Graph

2 Commits

Author SHA1 Message Date
RaymondVerhoef
ed1b1eb80f fix: don't crash PocketBase when Entra secrets are absent (#16)
Configuring an enabled OAuth2 provider with empty clientId/clientSecret
fails collection validation, aborting the migration and preventing
PocketBase from starting (502 on every /api call). Attach the OIDC
provider only when ENTRA_CLIENT_ID and ENTRA_CLIENT_SECRET are present;
otherwise create the auth collection without a provider.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 18:23:48 +02:00
RaymondVerhoef
3af105bccd feat: Azure (Entra ID) login as user login (#16)
Replaces the client-side PIN login with real authentication against Azure
Entra ID via PocketBase's built-in OAuth2 (OIDC) flow. Every Azure user is
auto-provisioned as a team_member on first login.

- pb_migrations: team_members becomes a PocketBase auth collection (OIDC
  provider configured from env); all collections require @request.auth.id
- pb_hooks: provisioning of role (ENTRA_ADMIN_EMAILS allow-list) and
  enrollment_status, with admin-role re-sync on every login
- frontend: "Sign in with Microsoft" login, pb.authStore-based session,
  TeamManager manages roster/roles (no PIN/manual create)
- infra: Entra env wiring + pb_hooks mount for dev (Labs) and prod
- src/lib/azureAuth.js + tests for the canonical role/allow-list logic
- docs/auth-spec.md

Knowledge base, generated tests and micro-learnings are left untouched.
Existing PIN users are dropped (no migration required, per sign-off).

Closes #16

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:41:08 +02:00