Compare commits
1 Commits
fix-sso
...
fix/issue-
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
2628041c12 |
15
.github/workflows/deploy-dev.yml
vendored
15
.github/workflows/deploy-dev.yml
vendored
@@ -33,18 +33,3 @@ jobs:
|
||||
-e "entra_client_secret=${{ secrets.ENTRA_CLIENT_SECRET }}" \
|
||||
-e "entra_admin_emails=${{ secrets.ENTRA_ADMIN_EMAILS }}" \
|
||||
infra/development/site/deploy-playbook.yml
|
||||
|
||||
# TEMP DIAGNOSTIC — investigating a 502 from pocketbase-learning on this
|
||||
# environment. Remove this step once resolved.
|
||||
- name: TEMP DIAGNOSTIC - pocketbase-learning status and logs
|
||||
if: always()
|
||||
run: |
|
||||
ssh -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key -p 4484 root@46.224.220.37 "
|
||||
cd /opt/learning-platform &&
|
||||
echo '--- docker compose ps ---' &&
|
||||
docker compose ps &&
|
||||
echo '--- pocketbase-learning logs (last 200 lines) ---' &&
|
||||
docker compose logs --tail=200 pocketbase-learning &&
|
||||
echo '--- learning-platform (caddy) logs (last 50 lines) ---' &&
|
||||
docker compose logs --tail=50 learning-platform
|
||||
"
|
||||
|
||||
@@ -12,11 +12,7 @@ services:
|
||||
container_name: pocketbase-learning
|
||||
restart: unless-stopped
|
||||
working_dir: /pb
|
||||
env_file:
|
||||
- .env.local
|
||||
command: ["serve", "--http=0.0.0.0:8090", "--dir=/pb/pb_data", "--migrationsDir=/pb/pb_migrations"]
|
||||
ports:
|
||||
- "8090:8090"
|
||||
volumes:
|
||||
- pb_data:/pb/pb_data
|
||||
- ./pb_migrations:/pb/pb_migrations
|
||||
|
||||
@@ -17,15 +17,15 @@
|
||||
//
|
||||
// Keep this logic in sync with src/lib/azureAuth.js (resolveRole / parseAdminEmails),
|
||||
// which carries the canonical, unit-tested version for the frontend/tests.
|
||||
//
|
||||
// resolveRole itself lives in pb_hooks/utils.js and is pulled in per-callback
|
||||
// via require() — PocketBase's JSVM runs each hook callback below as its own
|
||||
// isolated program, so a shared top-level function here would not be in
|
||||
// scope at call time. See pb_hooks/utils.js for details.
|
||||
|
||||
function resolveRole(email) {
|
||||
const raw = ($os.getenv("ENTRA_ADMIN_EMAILS") || "").toLowerCase();
|
||||
const allow = raw.split(",").map(function (s) { return s.trim(); }).filter(Boolean);
|
||||
return allow.indexOf((email || "").toLowerCase()) !== -1 ? "admin" : "user";
|
||||
}
|
||||
|
||||
// On creation (first login): set defaults before the record is persisted.
|
||||
onRecordCreate(function (e) {
|
||||
const { resolveRole } = require(`${__hooks}/utils.js`);
|
||||
const email = e.record.get("email") || "";
|
||||
|
||||
e.record.set("role", resolveRole(email));
|
||||
@@ -45,7 +45,6 @@ onRecordCreate(function (e) {
|
||||
// On every successful auth (incl. OIDC): keep the admin role in sync with the
|
||||
// allow-list, so promoting/demoting an admin only requires an env change.
|
||||
onRecordAuthRequest(function (e) {
|
||||
const { resolveRole } = require(`${__hooks}/utils.js`);
|
||||
const email = e.record.get("email") || "";
|
||||
const want = resolveRole(email);
|
||||
if (e.record.get("role") !== want) {
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
/// <reference path="../pb_data/types.d.ts" />
|
||||
//
|
||||
// Shared helpers for pb_hooks/*.pb.js callbacks.
|
||||
//
|
||||
// PocketBase's JSVM serializes and runs each registered hook callback as its
|
||||
// own isolated program, so a plain top-level function declared in a *.pb.js
|
||||
// file is NOT in scope inside a callback at call time. Reusable helpers must
|
||||
// instead live in a plain (non *.pb.js, so it isn't auto-loaded as a hook)
|
||||
// module and be pulled in per-callback via require(`${__hooks}/utils.js`).
|
||||
// See: https://github.com/pocketbase/pocketbase/discussions/3599
|
||||
//
|
||||
// Loaded modules use a shared registry across callback invocations, so keep
|
||||
// this file stateless.
|
||||
//
|
||||
// Keep resolveRole in sync with src/lib/azureAuth.js's resolveRole (the
|
||||
// canonical, unit-tested version used by the frontend).
|
||||
|
||||
module.exports = {
|
||||
/**
|
||||
* Resolve a user's role from their e-mail and the ENTRA_ADMIN_EMAILS allow-list.
|
||||
* @param {string} email
|
||||
* @returns {"admin"|"user"}
|
||||
*/
|
||||
resolveRole: function (email) {
|
||||
const raw = ($os.getenv("ENTRA_ADMIN_EMAILS") || "").toLowerCase();
|
||||
const allow = raw.split(",").map(function (s) { return s.trim(); }).filter(Boolean);
|
||||
return allow.indexOf(String(email || "").toLowerCase()) !== -1 ? "admin" : "user";
|
||||
},
|
||||
};
|
||||
@@ -19,26 +19,42 @@
|
||||
// re-configure the provider from the PocketBase admin UI (Settings → Auth
|
||||
// providers) or ship a follow-up migration.
|
||||
migrate((app) => {
|
||||
// 1. Drop the old PIN-based collection (takes the PIN records with it).
|
||||
// Other collections (micro_learning_completions, theme_session_completions)
|
||||
// have relation fields pointing to the old team_members — PocketBase refuses
|
||||
// to delete a referenced collection. Remove those relation fields first,
|
||||
// delete the old collection, create the new auth collection, then re-add
|
||||
// the relation fields pointing to the new collection.
|
||||
const relDeps = [
|
||||
{ collection: "micro_learning_completions", fieldId: "rel_team_member_id", fieldName: "team_member_id" },
|
||||
{ collection: "theme_session_completions", fieldId: "rel_tsc_team_member", fieldName: "team_member_id" },
|
||||
// 1. Detach relation fields that point at team_members. PocketBase refuses to
|
||||
// delete a collection that other collections relate to, so before we can
|
||||
// drop the old PIN-based team_members we convert those relations into plain
|
||||
// text fields (the id is stored as text — consistent with how user_id is
|
||||
// stored in test_results / on_demand_attempts). Per-user progress is reset
|
||||
// anyway, so dropping the FK constraint here is acceptable.
|
||||
const deps = [
|
||||
{ name: "micro_learning_completions", relId: "rel_team_member_id", textId: "txt_mlc_team_member" },
|
||||
{ name: "theme_session_completions", relId: "rel_tsc_team_member", textId: "txt_tsc_team_member" },
|
||||
];
|
||||
|
||||
// Remove blocking relation fields so the old collection can be deleted.
|
||||
for (const dep of relDeps) {
|
||||
try {
|
||||
const col = app.findCollectionByNameOrId(dep.collection);
|
||||
col.fields.removeById(dep.fieldId);
|
||||
app.save(col);
|
||||
} catch (_) { /* collection doesn't exist yet — skip */ }
|
||||
for (const dep of deps) {
|
||||
let c;
|
||||
try { c = app.findCollectionByNameOrId(dep.name); } catch (_) { continue; }
|
||||
// Drop any index that references the team_member_id column.
|
||||
c.indexes = (c.indexes || []).filter((idx) => idx.indexOf("team_member_id") === -1);
|
||||
// Replace the relation field with a text field of the same name.
|
||||
c.fields.removeById(dep.relId);
|
||||
c.fields.add(new Field({
|
||||
type: "text",
|
||||
id: dep.textId,
|
||||
name: "team_member_id",
|
||||
required: false,
|
||||
min: 0,
|
||||
max: 0,
|
||||
}));
|
||||
app.save(c);
|
||||
}
|
||||
|
||||
// Recreate the unique (team_member_id, session_week) guard on the text column.
|
||||
try {
|
||||
const tsc = app.findCollectionByNameOrId("theme_session_completions");
|
||||
tsc.indexes.push("CREATE UNIQUE INDEX `idx_theme_session_completions_user_week` ON `theme_session_completions` (`team_member_id`, `session_week`)");
|
||||
app.save(tsc);
|
||||
} catch (_) { /* collection missing — skip */ }
|
||||
|
||||
// 2. Drop the old PIN-based team_members (now unreferenced).
|
||||
try {
|
||||
const old = app.findCollectionByNameOrId("team_members");
|
||||
app.delete(old);
|
||||
@@ -47,6 +63,28 @@ migrate((app) => {
|
||||
}
|
||||
|
||||
const tenant = $os.getenv("ENTRA_TENANT_ID") || "common";
|
||||
const clientId = $os.getenv("ENTRA_CLIENT_ID");
|
||||
const clientSecret = $os.getenv("ENTRA_CLIENT_SECRET");
|
||||
|
||||
// Only configure the OIDC provider when credentials are actually present.
|
||||
// PocketBase rejects an enabled OAuth2 provider with an empty clientId /
|
||||
// clientSecret, which would abort this migration and prevent PocketBase from
|
||||
// starting at all (502 on every /api call). When the secrets are absent the
|
||||
// collection is created without a provider; once the ENTRA_* secrets are set,
|
||||
// configure the provider via the PocketBase admin UI
|
||||
// (Settings → Auth providers → OIDC) or re-apply this migration.
|
||||
const oidcProviders = (clientId && clientSecret) ? [
|
||||
{
|
||||
name: "oidc",
|
||||
clientId: clientId,
|
||||
clientSecret: clientSecret,
|
||||
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
|
||||
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
|
||||
userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
|
||||
displayName: "Microsoft",
|
||||
pkce: true,
|
||||
},
|
||||
] : [];
|
||||
|
||||
// 2. Recreate `team_members` as an auth collection (same name → all existing
|
||||
// `user_id` references in test_results, on_demand_attempts,
|
||||
@@ -75,7 +113,7 @@ migrate((app) => {
|
||||
mfa: { enabled: false, duration: 600, rule: "" },
|
||||
|
||||
oauth2: {
|
||||
enabled: true,
|
||||
enabled: oidcProviders.length > 0,
|
||||
// Map the OIDC userinfo claims onto our fields.
|
||||
mappedFields: {
|
||||
id: "",
|
||||
@@ -83,18 +121,7 @@ migrate((app) => {
|
||||
username: "",
|
||||
avatarURL: "",
|
||||
},
|
||||
providers: [
|
||||
{
|
||||
name: "oidc",
|
||||
clientId: $os.getenv("ENTRA_CLIENT_ID"),
|
||||
clientSecret: $os.getenv("ENTRA_CLIENT_SECRET"),
|
||||
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
|
||||
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
|
||||
userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
|
||||
displayName: "Microsoft",
|
||||
pkce: true,
|
||||
},
|
||||
],
|
||||
providers: oidcProviders,
|
||||
},
|
||||
|
||||
fields: [
|
||||
@@ -250,24 +277,6 @@ migrate((app) => {
|
||||
});
|
||||
|
||||
app.save(collection);
|
||||
|
||||
// 3. Re-add the relation fields pointing to the new auth collection.
|
||||
for (const dep of relDeps) {
|
||||
try {
|
||||
const col = app.findCollectionByNameOrId(dep.collection);
|
||||
const newField = new Field({
|
||||
id: dep.fieldId,
|
||||
name: dep.fieldName,
|
||||
type: "relation",
|
||||
required: true,
|
||||
collectionId: collection.id,
|
||||
cascadeDelete: true,
|
||||
maxSelect: 1,
|
||||
});
|
||||
col.fields.add(newField);
|
||||
app.save(col);
|
||||
} catch (_) { /* collection doesn't exist — skip */ }
|
||||
}
|
||||
}, (app) => {
|
||||
// Down: drop the auth collection and recreate the original PIN-based base
|
||||
// collection (without data — the original records are gone).
|
||||
|
||||
Reference in New Issue
Block a user