Compare commits

..

1 Commits

Author SHA1 Message Date
RaymondVerhoef
2628041c12 fix: make team_members→auth migration boot reliably (#16)
The deployed migration crash-looped PocketBase (502 on every /api call)
for two reasons, both verified against a production-like DB locally:

1. team_members is referenced by relation fields (team_member_id) in
   micro_learning_completions and theme_session_completions, so
   app.delete(team_members) was blocked — and the swallowed error left
   the create to fail with "Collection name must be unique". Fix: before
   dropping team_members, convert those relation fields to plain text
   (consistent with how user_id is stored elsewhere) and rebuild the
   theme_session_completions unique index on the text column.

2. An enabled OAuth2 provider with empty clientId/clientSecret fails
   validation and aborts the migration. Fix: attach the OIDC provider
   only when ENTRA_CLIENT_ID and ENTRA_CLIENT_SECRET are present;
   otherwise create the auth collection without a provider.

Verified locally with the muchobien/pocketbase image: boots clean both
without Entra env (provider-less) and with env (auth-methods returns the
Microsoft OIDC provider).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 18:59:47 +02:00
3 changed files with 56 additions and 66 deletions

View File

@@ -46,13 +46,6 @@
} }
handle_errors { handle_errors {
# Don't mask API errors with the SPA shell — return a proper
# JSON error so the frontend can display a meaningful message.
@api path /api/*
respond @api `{"code":{err.status_code},"message":"Backend unavailable"}` {err.status_code} {
Content-Type application/json
}
rewrite * /index.html rewrite * /index.html
file_server file_server
} }

View File

@@ -12,11 +12,7 @@ services:
container_name: pocketbase-learning container_name: pocketbase-learning
restart: unless-stopped restart: unless-stopped
working_dir: /pb working_dir: /pb
env_file:
- .env.local
command: ["serve", "--http=0.0.0.0:8090", "--dir=/pb/pb_data", "--migrationsDir=/pb/pb_migrations"] command: ["serve", "--http=0.0.0.0:8090", "--dir=/pb/pb_data", "--migrationsDir=/pb/pb_migrations"]
ports:
- "8090:8090"
volumes: volumes:
- pb_data:/pb/pb_data - pb_data:/pb/pb_data
- ./pb_migrations:/pb/pb_migrations - ./pb_migrations:/pb/pb_migrations

View File

@@ -19,26 +19,42 @@
// re-configure the provider from the PocketBase admin UI (Settings → Auth // re-configure the provider from the PocketBase admin UI (Settings → Auth
// providers) or ship a follow-up migration. // providers) or ship a follow-up migration.
migrate((app) => { migrate((app) => {
// 1. Drop the old PIN-based collection (takes the PIN records with it). // 1. Detach relation fields that point at team_members. PocketBase refuses to
// Other collections (micro_learning_completions, theme_session_completions) // delete a collection that other collections relate to, so before we can
// have relation fields pointing to the old team_members — PocketBase refuses // drop the old PIN-based team_members we convert those relations into plain
// to delete a referenced collection. Remove those relation fields first, // text fields (the id is stored as text — consistent with how user_id is
// delete the old collection, create the new auth collection, then re-add // stored in test_results / on_demand_attempts). Per-user progress is reset
// the relation fields pointing to the new collection. // anyway, so dropping the FK constraint here is acceptable.
const relDeps = [ const deps = [
{ collection: "micro_learning_completions", fieldId: "rel_team_member_id", fieldName: "team_member_id" }, { name: "micro_learning_completions", relId: "rel_team_member_id", textId: "txt_mlc_team_member" },
{ collection: "theme_session_completions", fieldId: "rel_tsc_team_member", fieldName: "team_member_id" }, { name: "theme_session_completions", relId: "rel_tsc_team_member", textId: "txt_tsc_team_member" },
]; ];
for (const dep of deps) {
// Remove blocking relation fields so the old collection can be deleted. let c;
for (const dep of relDeps) { try { c = app.findCollectionByNameOrId(dep.name); } catch (_) { continue; }
try { // Drop any index that references the team_member_id column.
const col = app.findCollectionByNameOrId(dep.collection); c.indexes = (c.indexes || []).filter((idx) => idx.indexOf("team_member_id") === -1);
col.fields.removeById(dep.fieldId); // Replace the relation field with a text field of the same name.
app.save(col); c.fields.removeById(dep.relId);
} catch (_) { /* collection doesn't exist yet — skip */ } c.fields.add(new Field({
type: "text",
id: dep.textId,
name: "team_member_id",
required: false,
min: 0,
max: 0,
}));
app.save(c);
} }
// Recreate the unique (team_member_id, session_week) guard on the text column.
try {
const tsc = app.findCollectionByNameOrId("theme_session_completions");
tsc.indexes.push("CREATE UNIQUE INDEX `idx_theme_session_completions_user_week` ON `theme_session_completions` (`team_member_id`, `session_week`)");
app.save(tsc);
} catch (_) { /* collection missing — skip */ }
// 2. Drop the old PIN-based team_members (now unreferenced).
try { try {
const old = app.findCollectionByNameOrId("team_members"); const old = app.findCollectionByNameOrId("team_members");
app.delete(old); app.delete(old);
@@ -46,15 +62,29 @@ migrate((app) => {
// Collection did not exist — nothing to drop. // Collection did not exist — nothing to drop.
} }
const tenant = $os.getenv("ENTRA_TENANT_ID") || "common"; const tenant = $os.getenv("ENTRA_TENANT_ID") || "common";
const clientId = $os.getenv("ENTRA_CLIENT_ID"); const clientId = $os.getenv("ENTRA_CLIENT_ID");
const clientSecret = $os.getenv("ENTRA_CLIENT_SECRET"); const clientSecret = $os.getenv("ENTRA_CLIENT_SECRET");
const hasOidc = !!(clientId && clientSecret); // Only configure the OIDC provider when credentials are actually present.
if (!hasOidc) { // PocketBase rejects an enabled OAuth2 provider with an empty clientId /
console.log("WARN: ENTRA_CLIENT_ID / ENTRA_CLIENT_SECRET not set — OIDC provider will not be configured. " + // clientSecret, which would abort this migration and prevent PocketBase from
"Set the env vars and re-apply the migration to enable Azure login."); // starting at all (502 on every /api call). When the secrets are absent the
} // collection is created without a provider; once the ENTRA_* secrets are set,
// configure the provider via the PocketBase admin UI
// (Settings → Auth providers → OIDC) or re-apply this migration.
const oidcProviders = (clientId && clientSecret) ? [
{
name: "oidc",
clientId: clientId,
clientSecret: clientSecret,
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
displayName: "Microsoft",
pkce: true,
},
] : [];
// 2. Recreate `team_members` as an auth collection (same name → all existing // 2. Recreate `team_members` as an auth collection (same name → all existing
// `user_id` references in test_results, on_demand_attempts, // `user_id` references in test_results, on_demand_attempts,
@@ -83,7 +113,7 @@ migrate((app) => {
mfa: { enabled: false, duration: 600, rule: "" }, mfa: { enabled: false, duration: 600, rule: "" },
oauth2: { oauth2: {
enabled: hasOidc, enabled: oidcProviders.length > 0,
// Map the OIDC userinfo claims onto our fields. // Map the OIDC userinfo claims onto our fields.
mappedFields: { mappedFields: {
id: "", id: "",
@@ -91,18 +121,7 @@ migrate((app) => {
username: "", username: "",
avatarURL: "", avatarURL: "",
}, },
providers: hasOidc ? [ providers: oidcProviders,
{
name: "oidc",
clientId: clientId,
clientSecret: clientSecret,
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
displayName: "Microsoft",
pkce: true,
},
] : [],
}, },
fields: [ fields: [
@@ -258,24 +277,6 @@ migrate((app) => {
}); });
app.save(collection); app.save(collection);
// 3. Re-add the relation fields pointing to the new auth collection.
for (const dep of relDeps) {
try {
const col = app.findCollectionByNameOrId(dep.collection);
const newField = new Field({
id: dep.fieldId,
name: dep.fieldName,
type: "relation",
required: true,
collectionId: collection.id,
cascadeDelete: true,
maxSelect: 1,
});
col.fields.add(newField);
app.save(col);
} catch (_) { /* collection doesn't exist — skip */ }
}
}, (app) => { }, (app) => {
// Down: drop the auth collection and recreate the original PIN-based base // Down: drop the auth collection and recreate the original PIN-based base
// collection (without data — the original records are gone). // collection (without data — the original records are gone).