Compare commits

..

3 Commits

Author SHA1 Message Date
ad88f06462 small change and temp logging 2026-07-02 15:52:47 +02:00
RaymondVerhoef
d5191073f0 feat: migrate team_members to OIDC-based auth collection and update docker-compose environment configuration
All checks were successful
On Push to Main / test (push) Successful in 57s
On Push to Main / publish (push) Successful in 1m16s
On Push to Main / deploy-dev (push) Successful in 3m0s
2026-06-25 18:05:39 +02:00
fab7a12f7b Merge pull request 'fix/issue-16-azure-login' (#17) from fix/issue-16-azure-login into main
All checks were successful
On Push to Main / test (push) Successful in 30s
On Push to Main / publish (push) Successful in 1m15s
On Push to Main / deploy-dev (push) Successful in 2m54s
Reviewed-on: #17
2026-06-24 14:00:40 +00:00
5 changed files with 92 additions and 6 deletions

View File

@@ -33,3 +33,18 @@ jobs:
-e "entra_client_secret=${{ secrets.ENTRA_CLIENT_SECRET }}" \
-e "entra_admin_emails=${{ secrets.ENTRA_ADMIN_EMAILS }}" \
infra/development/site/deploy-playbook.yml
# TEMP DIAGNOSTIC — investigating a 502 from pocketbase-learning on this
# environment. Remove this step once resolved.
- name: TEMP DIAGNOSTIC - pocketbase-learning status and logs
if: always()
run: |
ssh -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key -p 4484 root@46.224.220.37 "
cd /opt/learning-platform &&
echo '--- docker compose ps ---' &&
docker compose ps &&
echo '--- pocketbase-learning logs (last 200 lines) ---' &&
docker compose logs --tail=200 pocketbase-learning &&
echo '--- learning-platform (caddy) logs (last 50 lines) ---' &&
docker compose logs --tail=50 learning-platform
"

View File

@@ -12,7 +12,11 @@ services:
container_name: pocketbase-learning
restart: unless-stopped
working_dir: /pb
env_file:
- .env.local
command: ["serve", "--http=0.0.0.0:8090", "--dir=/pb/pb_data", "--migrationsDir=/pb/pb_migrations"]
ports:
- "8090:8090"
volumes:
- pb_data:/pb/pb_data
- ./pb_migrations:/pb/pb_migrations

View File

@@ -17,15 +17,15 @@
//
// Keep this logic in sync with src/lib/azureAuth.js (resolveRole / parseAdminEmails),
// which carries the canonical, unit-tested version for the frontend/tests.
function resolveRole(email) {
const raw = ($os.getenv("ENTRA_ADMIN_EMAILS") || "").toLowerCase();
const allow = raw.split(",").map(function (s) { return s.trim(); }).filter(Boolean);
return allow.indexOf((email || "").toLowerCase()) !== -1 ? "admin" : "user";
}
//
// resolveRole itself lives in pb_hooks/utils.js and is pulled in per-callback
// via require() — PocketBase's JSVM runs each hook callback below as its own
// isolated program, so a shared top-level function here would not be in
// scope at call time. See pb_hooks/utils.js for details.
// On creation (first login): set defaults before the record is persisted.
onRecordCreate(function (e) {
const { resolveRole } = require(`${__hooks}/utils.js`);
const email = e.record.get("email") || "";
e.record.set("role", resolveRole(email));
@@ -45,6 +45,7 @@ onRecordCreate(function (e) {
// On every successful auth (incl. OIDC): keep the admin role in sync with the
// allow-list, so promoting/demoting an admin only requires an env change.
onRecordAuthRequest(function (e) {
const { resolveRole } = require(`${__hooks}/utils.js`);
const email = e.record.get("email") || "";
const want = resolveRole(email);
if (e.record.get("role") !== want) {

29
pb_hooks/utils.js Normal file
View File

@@ -0,0 +1,29 @@
/// <reference path="../pb_data/types.d.ts" />
//
// Shared helpers for pb_hooks/*.pb.js callbacks.
//
// PocketBase's JSVM serializes and runs each registered hook callback as its
// own isolated program, so a plain top-level function declared in a *.pb.js
// file is NOT in scope inside a callback at call time. Reusable helpers must
// instead live in a plain (non *.pb.js, so it isn't auto-loaded as a hook)
// module and be pulled in per-callback via require(`${__hooks}/utils.js`).
// See: https://github.com/pocketbase/pocketbase/discussions/3599
//
// Loaded modules use a shared registry across callback invocations, so keep
// this file stateless.
//
// Keep resolveRole in sync with src/lib/azureAuth.js's resolveRole (the
// canonical, unit-tested version used by the frontend).
module.exports = {
/**
* Resolve a user's role from their e-mail and the ENTRA_ADMIN_EMAILS allow-list.
* @param {string} email
* @returns {"admin"|"user"}
*/
resolveRole: function (email) {
const raw = ($os.getenv("ENTRA_ADMIN_EMAILS") || "").toLowerCase();
const allow = raw.split(",").map(function (s) { return s.trim(); }).filter(Boolean);
return allow.indexOf(String(email || "").toLowerCase()) !== -1 ? "admin" : "user";
},
};

View File

@@ -20,6 +20,25 @@
// providers) or ship a follow-up migration.
migrate((app) => {
// 1. Drop the old PIN-based collection (takes the PIN records with it).
// Other collections (micro_learning_completions, theme_session_completions)
// have relation fields pointing to the old team_members — PocketBase refuses
// to delete a referenced collection. Remove those relation fields first,
// delete the old collection, create the new auth collection, then re-add
// the relation fields pointing to the new collection.
const relDeps = [
{ collection: "micro_learning_completions", fieldId: "rel_team_member_id", fieldName: "team_member_id" },
{ collection: "theme_session_completions", fieldId: "rel_tsc_team_member", fieldName: "team_member_id" },
];
// Remove blocking relation fields so the old collection can be deleted.
for (const dep of relDeps) {
try {
const col = app.findCollectionByNameOrId(dep.collection);
col.fields.removeById(dep.fieldId);
app.save(col);
} catch (_) { /* collection doesn't exist yet — skip */ }
}
try {
const old = app.findCollectionByNameOrId("team_members");
app.delete(old);
@@ -231,6 +250,24 @@ migrate((app) => {
});
app.save(collection);
// 3. Re-add the relation fields pointing to the new auth collection.
for (const dep of relDeps) {
try {
const col = app.findCollectionByNameOrId(dep.collection);
const newField = new Field({
id: dep.fieldId,
name: dep.fieldName,
type: "relation",
required: true,
collectionId: collection.id,
cascadeDelete: true,
maxSelect: 1,
});
col.fields.add(newField);
app.save(col);
} catch (_) { /* collection doesn't exist — skip */ }
}
}, (app) => {
// Down: drop the auth collection and recreate the original PIN-based base
// collection (without data — the original records are gone).