fix: don't crash PocketBase when Entra secrets are absent (#16)
Configuring an enabled OAuth2 provider with empty clientId/clientSecret fails collection validation, aborting the migration and preventing PocketBase from starting (502 on every /api call). Attach the OIDC provider only when ENTRA_CLIENT_ID and ENTRA_CLIENT_SECRET are present; otherwise create the auth collection without a provider. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -28,6 +28,28 @@ migrate((app) => {
|
|||||||
}
|
}
|
||||||
|
|
||||||
const tenant = $os.getenv("ENTRA_TENANT_ID") || "common";
|
const tenant = $os.getenv("ENTRA_TENANT_ID") || "common";
|
||||||
|
const clientId = $os.getenv("ENTRA_CLIENT_ID");
|
||||||
|
const clientSecret = $os.getenv("ENTRA_CLIENT_SECRET");
|
||||||
|
|
||||||
|
// Only configure the OIDC provider when credentials are actually present.
|
||||||
|
// PocketBase rejects an enabled OAuth2 provider with an empty clientId /
|
||||||
|
// clientSecret, which would abort this migration and prevent PocketBase from
|
||||||
|
// starting at all (502 on every /api call). When the secrets are absent the
|
||||||
|
// collection is created without a provider; once the ENTRA_* secrets are set,
|
||||||
|
// configure the provider via the PocketBase admin UI
|
||||||
|
// (Settings → Auth providers → OIDC) or re-apply this migration.
|
||||||
|
const oidcProviders = (clientId && clientSecret) ? [
|
||||||
|
{
|
||||||
|
name: "oidc",
|
||||||
|
clientId: clientId,
|
||||||
|
clientSecret: clientSecret,
|
||||||
|
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
|
||||||
|
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
|
||||||
|
userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
|
||||||
|
displayName: "Microsoft",
|
||||||
|
pkce: true,
|
||||||
|
},
|
||||||
|
] : [];
|
||||||
|
|
||||||
// 2. Recreate `team_members` as an auth collection (same name → all existing
|
// 2. Recreate `team_members` as an auth collection (same name → all existing
|
||||||
// `user_id` references in test_results, on_demand_attempts,
|
// `user_id` references in test_results, on_demand_attempts,
|
||||||
@@ -56,7 +78,7 @@ migrate((app) => {
|
|||||||
mfa: { enabled: false, duration: 600, rule: "" },
|
mfa: { enabled: false, duration: 600, rule: "" },
|
||||||
|
|
||||||
oauth2: {
|
oauth2: {
|
||||||
enabled: true,
|
enabled: oidcProviders.length > 0,
|
||||||
// Map the OIDC userinfo claims onto our fields.
|
// Map the OIDC userinfo claims onto our fields.
|
||||||
mappedFields: {
|
mappedFields: {
|
||||||
id: "",
|
id: "",
|
||||||
@@ -64,18 +86,7 @@ migrate((app) => {
|
|||||||
username: "",
|
username: "",
|
||||||
avatarURL: "",
|
avatarURL: "",
|
||||||
},
|
},
|
||||||
providers: [
|
providers: oidcProviders,
|
||||||
{
|
|
||||||
name: "oidc",
|
|
||||||
clientId: $os.getenv("ENTRA_CLIENT_ID"),
|
|
||||||
clientSecret: $os.getenv("ENTRA_CLIENT_SECRET"),
|
|
||||||
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
|
|
||||||
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
|
|
||||||
userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
|
|
||||||
displayName: "Microsoft",
|
|
||||||
pkce: true,
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
},
|
||||||
|
|
||||||
fields: [
|
fields: [
|
||||||
|
|||||||
Reference in New Issue
Block a user