diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index 1d18f40..cb2b893 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml @@ -33,3 +33,18 @@ jobs: -e "entra_client_secret=${{ secrets.ENTRA_CLIENT_SECRET }}" \ -e "entra_admin_emails=${{ secrets.ENTRA_ADMIN_EMAILS }}" \ infra/development/site/deploy-playbook.yml + + # TEMP DIAGNOSTIC — investigating a 502 from pocketbase-learning on this + # environment. Remove this step once resolved. + - name: TEMP DIAGNOSTIC - pocketbase-learning status and logs + if: always() + run: | + ssh -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key -p 4484 root@46.224.220.37 " + cd /opt/learning-platform && + echo '--- docker compose ps ---' && + docker compose ps && + echo '--- pocketbase-learning logs (last 200 lines) ---' && + docker compose logs --tail=200 pocketbase-learning && + echo '--- learning-platform (caddy) logs (last 50 lines) ---' && + docker compose logs --tail=50 learning-platform + " diff --git a/pb_hooks/team_members.pb.js b/pb_hooks/team_members.pb.js index 4551ddf..48fc958 100644 --- a/pb_hooks/team_members.pb.js +++ b/pb_hooks/team_members.pb.js @@ -17,15 +17,15 @@ // // Keep this logic in sync with src/lib/azureAuth.js (resolveRole / parseAdminEmails), // which carries the canonical, unit-tested version for the frontend/tests. - -function resolveRole(email) { - const raw = ($os.getenv("ENTRA_ADMIN_EMAILS") || "").toLowerCase(); - const allow = raw.split(",").map(function (s) { return s.trim(); }).filter(Boolean); - return allow.indexOf((email || "").toLowerCase()) !== -1 ? "admin" : "user"; -} +// +// resolveRole itself lives in pb_hooks/utils.js and is pulled in per-callback +// via require() — PocketBase's JSVM runs each hook callback below as its own +// isolated program, so a shared top-level function here would not be in +// scope at call time. See pb_hooks/utils.js for details. // On creation (first login): set defaults before the record is persisted. onRecordCreate(function (e) { + const { resolveRole } = require(`${__hooks}/utils.js`); const email = e.record.get("email") || ""; e.record.set("role", resolveRole(email)); @@ -45,6 +45,7 @@ onRecordCreate(function (e) { // On every successful auth (incl. OIDC): keep the admin role in sync with the // allow-list, so promoting/demoting an admin only requires an env change. onRecordAuthRequest(function (e) { + const { resolveRole } = require(`${__hooks}/utils.js`); const email = e.record.get("email") || ""; const want = resolveRole(email); if (e.record.get("role") !== want) { diff --git a/pb_hooks/utils.js b/pb_hooks/utils.js new file mode 100644 index 0000000..f3cba39 --- /dev/null +++ b/pb_hooks/utils.js @@ -0,0 +1,29 @@ +/// +// +// Shared helpers for pb_hooks/*.pb.js callbacks. +// +// PocketBase's JSVM serializes and runs each registered hook callback as its +// own isolated program, so a plain top-level function declared in a *.pb.js +// file is NOT in scope inside a callback at call time. Reusable helpers must +// instead live in a plain (non *.pb.js, so it isn't auto-loaded as a hook) +// module and be pulled in per-callback via require(`${__hooks}/utils.js`). +// See: https://github.com/pocketbase/pocketbase/discussions/3599 +// +// Loaded modules use a shared registry across callback invocations, so keep +// this file stateless. +// +// Keep resolveRole in sync with src/lib/azureAuth.js's resolveRole (the +// canonical, unit-tested version used by the frontend). + +module.exports = { + /** + * Resolve a user's role from their e-mail and the ENTRA_ADMIN_EMAILS allow-list. + * @param {string} email + * @returns {"admin"|"user"} + */ + resolveRole: function (email) { + const raw = ($os.getenv("ENTRA_ADMIN_EMAILS") || "").toLowerCase(); + const allow = raw.split(",").map(function (s) { return s.trim(); }).filter(Boolean); + return allow.indexOf(String(email || "").toLowerCase()) !== -1 ? "admin" : "user"; + }, +};