Commit Graph

2 Commits

Author SHA1 Message Date
RaymondVerhoef
2628041c12 fix: make team_members→auth migration boot reliably (#16)
The deployed migration crash-looped PocketBase (502 on every /api call)
for two reasons, both verified against a production-like DB locally:

1. team_members is referenced by relation fields (team_member_id) in
   micro_learning_completions and theme_session_completions, so
   app.delete(team_members) was blocked — and the swallowed error left
   the create to fail with "Collection name must be unique". Fix: before
   dropping team_members, convert those relation fields to plain text
   (consistent with how user_id is stored elsewhere) and rebuild the
   theme_session_completions unique index on the text column.

2. An enabled OAuth2 provider with empty clientId/clientSecret fails
   validation and aborts the migration. Fix: attach the OIDC provider
   only when ENTRA_CLIENT_ID and ENTRA_CLIENT_SECRET are present;
   otherwise create the auth collection without a provider.

Verified locally with the muchobien/pocketbase image: boots clean both
without Entra env (provider-less) and with env (auth-methods returns the
Microsoft OIDC provider).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 18:59:47 +02:00
RaymondVerhoef
3af105bccd feat: Azure (Entra ID) login as user login (#16)
Replaces the client-side PIN login with real authentication against Azure
Entra ID via PocketBase's built-in OAuth2 (OIDC) flow. Every Azure user is
auto-provisioned as a team_member on first login.

- pb_migrations: team_members becomes a PocketBase auth collection (OIDC
  provider configured from env); all collections require @request.auth.id
- pb_hooks: provisioning of role (ENTRA_ADMIN_EMAILS allow-list) and
  enrollment_status, with admin-role re-sync on every login
- frontend: "Sign in with Microsoft" login, pb.authStore-based session,
  TeamManager manages roster/roles (no PIN/manual create)
- infra: Entra env wiring + pb_hooks mount for dev (Labs) and prod
- src/lib/azureAuth.js + tests for the canonical role/allow-list logic
- docs/auth-spec.md

Knowledge base, generated tests and micro-learnings are left untouched.
Existing PIN users are dropped (no migration required, per sign-off).

Closes #16

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:41:08 +02:00