feat: Azure (Entra ID) login as user login (#16)
Replaces the client-side PIN login with real authentication against Azure Entra ID via PocketBase's built-in OAuth2 (OIDC) flow. Every Azure user is auto-provisioned as a team_member on first login. - pb_migrations: team_members becomes a PocketBase auth collection (OIDC provider configured from env); all collections require @request.auth.id - pb_hooks: provisioning of role (ENTRA_ADMIN_EMAILS allow-list) and enrollment_status, with admin-role re-sync on every login - frontend: "Sign in with Microsoft" login, pb.authStore-based session, TeamManager manages roster/roles (no PIN/manual create) - infra: Entra env wiring + pb_hooks mount for dev (Labs) and prod - src/lib/azureAuth.js + tests for the canonical role/allow-list logic - docs/auth-spec.md Knowledge base, generated tests and micro-learnings are left untouched. Existing PIN users are dropped (no migration required, per sign-off). Closes #16 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
57
pb_migrations/1781000001_tighten_api_rules.js
Normal file
57
pb_migrations/1781000001_tighten_api_rules.js
Normal file
@@ -0,0 +1,57 @@
|
||||
/// <reference path="../pb_data/types.d.ts" />
|
||||
//
|
||||
// Issue #16 — Lock down API rules now that authentication is real.
|
||||
//
|
||||
// Before Azure login the app had no real auth, so every collection rule was
|
||||
// "" (public). With mandatory Entra OIDC login, every legitimate caller is
|
||||
// authenticated, so we require `@request.auth.id != ""` on all non-system,
|
||||
// non-`team_members` collections.
|
||||
//
|
||||
// This intentionally does NOT delete or restructure any data — it only changes
|
||||
// access rules. The knowledge base, generated tests and micro-learnings stay
|
||||
// exactly as they are; they simply become unreadable to anonymous callers.
|
||||
//
|
||||
// `team_members` is configured by its own migration (1781000000) and skipped
|
||||
// here. System collections (`_superusers`, `_mfas`, `_otps`, …) are skipped.
|
||||
//
|
||||
// NOTE (follow-up): for least-privilege we could further restrict write/delete
|
||||
// on the knowledge-authoring collections (topics, relations, content, sources,
|
||||
// question_bank, curriculum_versions) to `@request.auth.role = "admin"`. That
|
||||
// is deferred because micro_learnings / theme_sessions are written by regular
|
||||
// users (generate-then-cache) and the full matrix needs runtime verification.
|
||||
// The trust boundary today is: perimeter Azure gate + authenticated employees.
|
||||
const AUTHED = '@request.auth.id != ""';
|
||||
|
||||
migrate((app) => {
|
||||
const collections = app.findAllCollections();
|
||||
for (const c of collections) {
|
||||
if (c.system) continue;
|
||||
if (c.name === "team_members") continue;
|
||||
|
||||
c.viewRule = AUTHED;
|
||||
c.listRule = AUTHED;
|
||||
// View collections only support list/view rules.
|
||||
if (c.type !== "view") {
|
||||
c.createRule = AUTHED;
|
||||
c.updateRule = AUTHED;
|
||||
c.deleteRule = AUTHED;
|
||||
}
|
||||
app.save(c);
|
||||
}
|
||||
}, (app) => {
|
||||
// Down: restore fully public rules (the pre-Azure baseline).
|
||||
const collections = app.findAllCollections();
|
||||
for (const c of collections) {
|
||||
if (c.system) continue;
|
||||
if (c.name === "team_members") continue;
|
||||
|
||||
c.viewRule = "";
|
||||
c.listRule = "";
|
||||
if (c.type !== "view") {
|
||||
c.createRule = "";
|
||||
c.updateRule = "";
|
||||
c.deleteRule = "";
|
||||
}
|
||||
app.save(c);
|
||||
}
|
||||
});
|
||||
Reference in New Issue
Block a user