Compare commits
1 Commits
fix-sso
...
89d3395a62
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
89d3395a62 |
15
.github/workflows/deploy-dev.yml
vendored
15
.github/workflows/deploy-dev.yml
vendored
@@ -33,18 +33,3 @@ jobs:
|
|||||||
-e "entra_client_secret=${{ secrets.ENTRA_CLIENT_SECRET }}" \
|
-e "entra_client_secret=${{ secrets.ENTRA_CLIENT_SECRET }}" \
|
||||||
-e "entra_admin_emails=${{ secrets.ENTRA_ADMIN_EMAILS }}" \
|
-e "entra_admin_emails=${{ secrets.ENTRA_ADMIN_EMAILS }}" \
|
||||||
infra/development/site/deploy-playbook.yml
|
infra/development/site/deploy-playbook.yml
|
||||||
|
|
||||||
# TEMP DIAGNOSTIC — investigating a 502 from pocketbase-learning on this
|
|
||||||
# environment. Remove this step once resolved.
|
|
||||||
- name: TEMP DIAGNOSTIC - pocketbase-learning status and logs
|
|
||||||
if: always()
|
|
||||||
run: |
|
|
||||||
ssh -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key -p 4484 root@46.224.220.37 "
|
|
||||||
cd /opt/learning-platform &&
|
|
||||||
echo '--- docker compose ps ---' &&
|
|
||||||
docker compose ps &&
|
|
||||||
echo '--- pocketbase-learning logs (last 200 lines) ---' &&
|
|
||||||
docker compose logs --tail=200 pocketbase-learning &&
|
|
||||||
echo '--- learning-platform (caddy) logs (last 50 lines) ---' &&
|
|
||||||
docker compose logs --tail=50 learning-platform
|
|
||||||
"
|
|
||||||
|
|||||||
@@ -46,6 +46,13 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
handle_errors {
|
handle_errors {
|
||||||
|
# Don't mask API errors with the SPA shell — return a proper
|
||||||
|
# JSON error so the frontend can display a meaningful message.
|
||||||
|
@api path /api/*
|
||||||
|
respond @api `{"code":{err.status_code},"message":"Backend unavailable"}` {err.status_code} {
|
||||||
|
Content-Type application/json
|
||||||
|
}
|
||||||
|
|
||||||
rewrite * /index.html
|
rewrite * /index.html
|
||||||
file_server
|
file_server
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -17,15 +17,15 @@
|
|||||||
//
|
//
|
||||||
// Keep this logic in sync with src/lib/azureAuth.js (resolveRole / parseAdminEmails),
|
// Keep this logic in sync with src/lib/azureAuth.js (resolveRole / parseAdminEmails),
|
||||||
// which carries the canonical, unit-tested version for the frontend/tests.
|
// which carries the canonical, unit-tested version for the frontend/tests.
|
||||||
//
|
|
||||||
// resolveRole itself lives in pb_hooks/utils.js and is pulled in per-callback
|
function resolveRole(email) {
|
||||||
// via require() — PocketBase's JSVM runs each hook callback below as its own
|
const raw = ($os.getenv("ENTRA_ADMIN_EMAILS") || "").toLowerCase();
|
||||||
// isolated program, so a shared top-level function here would not be in
|
const allow = raw.split(",").map(function (s) { return s.trim(); }).filter(Boolean);
|
||||||
// scope at call time. See pb_hooks/utils.js for details.
|
return allow.indexOf((email || "").toLowerCase()) !== -1 ? "admin" : "user";
|
||||||
|
}
|
||||||
|
|
||||||
// On creation (first login): set defaults before the record is persisted.
|
// On creation (first login): set defaults before the record is persisted.
|
||||||
onRecordCreate(function (e) {
|
onRecordCreate(function (e) {
|
||||||
const { resolveRole } = require(`${__hooks}/utils.js`);
|
|
||||||
const email = e.record.get("email") || "";
|
const email = e.record.get("email") || "";
|
||||||
|
|
||||||
e.record.set("role", resolveRole(email));
|
e.record.set("role", resolveRole(email));
|
||||||
@@ -45,7 +45,6 @@ onRecordCreate(function (e) {
|
|||||||
// On every successful auth (incl. OIDC): keep the admin role in sync with the
|
// On every successful auth (incl. OIDC): keep the admin role in sync with the
|
||||||
// allow-list, so promoting/demoting an admin only requires an env change.
|
// allow-list, so promoting/demoting an admin only requires an env change.
|
||||||
onRecordAuthRequest(function (e) {
|
onRecordAuthRequest(function (e) {
|
||||||
const { resolveRole } = require(`${__hooks}/utils.js`);
|
|
||||||
const email = e.record.get("email") || "";
|
const email = e.record.get("email") || "";
|
||||||
const want = resolveRole(email);
|
const want = resolveRole(email);
|
||||||
if (e.record.get("role") !== want) {
|
if (e.record.get("role") !== want) {
|
||||||
|
|||||||
@@ -1,29 +0,0 @@
|
|||||||
/// <reference path="../pb_data/types.d.ts" />
|
|
||||||
//
|
|
||||||
// Shared helpers for pb_hooks/*.pb.js callbacks.
|
|
||||||
//
|
|
||||||
// PocketBase's JSVM serializes and runs each registered hook callback as its
|
|
||||||
// own isolated program, so a plain top-level function declared in a *.pb.js
|
|
||||||
// file is NOT in scope inside a callback at call time. Reusable helpers must
|
|
||||||
// instead live in a plain (non *.pb.js, so it isn't auto-loaded as a hook)
|
|
||||||
// module and be pulled in per-callback via require(`${__hooks}/utils.js`).
|
|
||||||
// See: https://github.com/pocketbase/pocketbase/discussions/3599
|
|
||||||
//
|
|
||||||
// Loaded modules use a shared registry across callback invocations, so keep
|
|
||||||
// this file stateless.
|
|
||||||
//
|
|
||||||
// Keep resolveRole in sync with src/lib/azureAuth.js's resolveRole (the
|
|
||||||
// canonical, unit-tested version used by the frontend).
|
|
||||||
|
|
||||||
module.exports = {
|
|
||||||
/**
|
|
||||||
* Resolve a user's role from their e-mail and the ENTRA_ADMIN_EMAILS allow-list.
|
|
||||||
* @param {string} email
|
|
||||||
* @returns {"admin"|"user"}
|
|
||||||
*/
|
|
||||||
resolveRole: function (email) {
|
|
||||||
const raw = ($os.getenv("ENTRA_ADMIN_EMAILS") || "").toLowerCase();
|
|
||||||
const allow = raw.split(",").map(function (s) { return s.trim(); }).filter(Boolean);
|
|
||||||
return allow.indexOf(String(email || "").toLowerCase()) !== -1 ? "admin" : "user";
|
|
||||||
},
|
|
||||||
};
|
|
||||||
@@ -47,6 +47,14 @@ migrate((app) => {
|
|||||||
}
|
}
|
||||||
|
|
||||||
const tenant = $os.getenv("ENTRA_TENANT_ID") || "common";
|
const tenant = $os.getenv("ENTRA_TENANT_ID") || "common";
|
||||||
|
const clientId = $os.getenv("ENTRA_CLIENT_ID");
|
||||||
|
const clientSecret = $os.getenv("ENTRA_CLIENT_SECRET");
|
||||||
|
|
||||||
|
const hasOidc = !!(clientId && clientSecret);
|
||||||
|
if (!hasOidc) {
|
||||||
|
console.log("WARN: ENTRA_CLIENT_ID / ENTRA_CLIENT_SECRET not set — OIDC provider will not be configured. " +
|
||||||
|
"Set the env vars and re-apply the migration to enable Azure login.");
|
||||||
|
}
|
||||||
|
|
||||||
// 2. Recreate `team_members` as an auth collection (same name → all existing
|
// 2. Recreate `team_members` as an auth collection (same name → all existing
|
||||||
// `user_id` references in test_results, on_demand_attempts,
|
// `user_id` references in test_results, on_demand_attempts,
|
||||||
@@ -75,7 +83,7 @@ migrate((app) => {
|
|||||||
mfa: { enabled: false, duration: 600, rule: "" },
|
mfa: { enabled: false, duration: 600, rule: "" },
|
||||||
|
|
||||||
oauth2: {
|
oauth2: {
|
||||||
enabled: true,
|
enabled: hasOidc,
|
||||||
// Map the OIDC userinfo claims onto our fields.
|
// Map the OIDC userinfo claims onto our fields.
|
||||||
mappedFields: {
|
mappedFields: {
|
||||||
id: "",
|
id: "",
|
||||||
@@ -83,18 +91,18 @@ migrate((app) => {
|
|||||||
username: "",
|
username: "",
|
||||||
avatarURL: "",
|
avatarURL: "",
|
||||||
},
|
},
|
||||||
providers: [
|
providers: hasOidc ? [
|
||||||
{
|
{
|
||||||
name: "oidc",
|
name: "oidc",
|
||||||
clientId: $os.getenv("ENTRA_CLIENT_ID"),
|
clientId: clientId,
|
||||||
clientSecret: $os.getenv("ENTRA_CLIENT_SECRET"),
|
clientSecret: clientSecret,
|
||||||
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
|
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
|
||||||
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
|
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
|
||||||
userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
|
userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
|
||||||
displayName: "Microsoft",
|
displayName: "Microsoft",
|
||||||
pkce: true,
|
pkce: true,
|
||||||
},
|
},
|
||||||
],
|
] : [],
|
||||||
},
|
},
|
||||||
|
|
||||||
fields: [
|
fields: [
|
||||||
|
|||||||
Reference in New Issue
Block a user