Compare commits

..

1 Commits

Author SHA1 Message Date
RaymondVerhoef
89d3395a62 feat: enhance OIDC configuration for Azure login and improve error handling in API responses
All checks were successful
On Push to Main / test (push) Successful in 56s
On Push to Main / publish (push) Successful in 1m24s
On Push to Main / deploy-dev (push) Successful in 2m58s
2026-07-11 10:19:54 +02:00
5 changed files with 27 additions and 57 deletions

View File

@@ -33,18 +33,3 @@ jobs:
-e "entra_client_secret=${{ secrets.ENTRA_CLIENT_SECRET }}" \ -e "entra_client_secret=${{ secrets.ENTRA_CLIENT_SECRET }}" \
-e "entra_admin_emails=${{ secrets.ENTRA_ADMIN_EMAILS }}" \ -e "entra_admin_emails=${{ secrets.ENTRA_ADMIN_EMAILS }}" \
infra/development/site/deploy-playbook.yml infra/development/site/deploy-playbook.yml
# TEMP DIAGNOSTIC — investigating a 502 from pocketbase-learning on this
# environment. Remove this step once resolved.
- name: TEMP DIAGNOSTIC - pocketbase-learning status and logs
if: always()
run: |
ssh -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key -p 4484 root@46.224.220.37 "
cd /opt/learning-platform &&
echo '--- docker compose ps ---' &&
docker compose ps &&
echo '--- pocketbase-learning logs (last 200 lines) ---' &&
docker compose logs --tail=200 pocketbase-learning &&
echo '--- learning-platform (caddy) logs (last 50 lines) ---' &&
docker compose logs --tail=50 learning-platform
"

View File

@@ -46,6 +46,13 @@
} }
handle_errors { handle_errors {
# Don't mask API errors with the SPA shell — return a proper
# JSON error so the frontend can display a meaningful message.
@api path /api/*
respond @api `{"code":{err.status_code},"message":"Backend unavailable"}` {err.status_code} {
Content-Type application/json
}
rewrite * /index.html rewrite * /index.html
file_server file_server
} }

View File

@@ -17,15 +17,15 @@
// //
// Keep this logic in sync with src/lib/azureAuth.js (resolveRole / parseAdminEmails), // Keep this logic in sync with src/lib/azureAuth.js (resolveRole / parseAdminEmails),
// which carries the canonical, unit-tested version for the frontend/tests. // which carries the canonical, unit-tested version for the frontend/tests.
//
// resolveRole itself lives in pb_hooks/utils.js and is pulled in per-callback function resolveRole(email) {
// via require() — PocketBase's JSVM runs each hook callback below as its own const raw = ($os.getenv("ENTRA_ADMIN_EMAILS") || "").toLowerCase();
// isolated program, so a shared top-level function here would not be in const allow = raw.split(",").map(function (s) { return s.trim(); }).filter(Boolean);
// scope at call time. See pb_hooks/utils.js for details. return allow.indexOf((email || "").toLowerCase()) !== -1 ? "admin" : "user";
}
// On creation (first login): set defaults before the record is persisted. // On creation (first login): set defaults before the record is persisted.
onRecordCreate(function (e) { onRecordCreate(function (e) {
const { resolveRole } = require(`${__hooks}/utils.js`);
const email = e.record.get("email") || ""; const email = e.record.get("email") || "";
e.record.set("role", resolveRole(email)); e.record.set("role", resolveRole(email));
@@ -45,7 +45,6 @@ onRecordCreate(function (e) {
// On every successful auth (incl. OIDC): keep the admin role in sync with the // On every successful auth (incl. OIDC): keep the admin role in sync with the
// allow-list, so promoting/demoting an admin only requires an env change. // allow-list, so promoting/demoting an admin only requires an env change.
onRecordAuthRequest(function (e) { onRecordAuthRequest(function (e) {
const { resolveRole } = require(`${__hooks}/utils.js`);
const email = e.record.get("email") || ""; const email = e.record.get("email") || "";
const want = resolveRole(email); const want = resolveRole(email);
if (e.record.get("role") !== want) { if (e.record.get("role") !== want) {

View File

@@ -1,29 +0,0 @@
/// <reference path="../pb_data/types.d.ts" />
//
// Shared helpers for pb_hooks/*.pb.js callbacks.
//
// PocketBase's JSVM serializes and runs each registered hook callback as its
// own isolated program, so a plain top-level function declared in a *.pb.js
// file is NOT in scope inside a callback at call time. Reusable helpers must
// instead live in a plain (non *.pb.js, so it isn't auto-loaded as a hook)
// module and be pulled in per-callback via require(`${__hooks}/utils.js`).
// See: https://github.com/pocketbase/pocketbase/discussions/3599
//
// Loaded modules use a shared registry across callback invocations, so keep
// this file stateless.
//
// Keep resolveRole in sync with src/lib/azureAuth.js's resolveRole (the
// canonical, unit-tested version used by the frontend).
module.exports = {
/**
* Resolve a user's role from their e-mail and the ENTRA_ADMIN_EMAILS allow-list.
* @param {string} email
* @returns {"admin"|"user"}
*/
resolveRole: function (email) {
const raw = ($os.getenv("ENTRA_ADMIN_EMAILS") || "").toLowerCase();
const allow = raw.split(",").map(function (s) { return s.trim(); }).filter(Boolean);
return allow.indexOf(String(email || "").toLowerCase()) !== -1 ? "admin" : "user";
},
};

View File

@@ -47,6 +47,14 @@ migrate((app) => {
} }
const tenant = $os.getenv("ENTRA_TENANT_ID") || "common"; const tenant = $os.getenv("ENTRA_TENANT_ID") || "common";
const clientId = $os.getenv("ENTRA_CLIENT_ID");
const clientSecret = $os.getenv("ENTRA_CLIENT_SECRET");
const hasOidc = !!(clientId && clientSecret);
if (!hasOidc) {
console.log("WARN: ENTRA_CLIENT_ID / ENTRA_CLIENT_SECRET not set — OIDC provider will not be configured. " +
"Set the env vars and re-apply the migration to enable Azure login.");
}
// 2. Recreate `team_members` as an auth collection (same name → all existing // 2. Recreate `team_members` as an auth collection (same name → all existing
// `user_id` references in test_results, on_demand_attempts, // `user_id` references in test_results, on_demand_attempts,
@@ -75,7 +83,7 @@ migrate((app) => {
mfa: { enabled: false, duration: 600, rule: "" }, mfa: { enabled: false, duration: 600, rule: "" },
oauth2: { oauth2: {
enabled: true, enabled: hasOidc,
// Map the OIDC userinfo claims onto our fields. // Map the OIDC userinfo claims onto our fields.
mappedFields: { mappedFields: {
id: "", id: "",
@@ -83,18 +91,18 @@ migrate((app) => {
username: "", username: "",
avatarURL: "", avatarURL: "",
}, },
providers: [ providers: hasOidc ? [
{ {
name: "oidc", name: "oidc",
clientId: $os.getenv("ENTRA_CLIENT_ID"), clientId: clientId,
clientSecret: $os.getenv("ENTRA_CLIENT_SECRET"), clientSecret: clientSecret,
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize", authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token", tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
userInfoURL: "https://graph.microsoft.com/oidc/userinfo", userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
displayName: "Microsoft", displayName: "Microsoft",
pkce: true, pkce: true,
}, },
], ] : [],
}, },
fields: [ fields: [