|
|
|
|
@@ -19,42 +19,26 @@
|
|
|
|
|
// re-configure the provider from the PocketBase admin UI (Settings → Auth
|
|
|
|
|
// providers) or ship a follow-up migration.
|
|
|
|
|
migrate((app) => {
|
|
|
|
|
// 1. Detach relation fields that point at team_members. PocketBase refuses to
|
|
|
|
|
// delete a collection that other collections relate to, so before we can
|
|
|
|
|
// drop the old PIN-based team_members we convert those relations into plain
|
|
|
|
|
// text fields (the id is stored as text — consistent with how user_id is
|
|
|
|
|
// stored in test_results / on_demand_attempts). Per-user progress is reset
|
|
|
|
|
// anyway, so dropping the FK constraint here is acceptable.
|
|
|
|
|
const deps = [
|
|
|
|
|
{ name: "micro_learning_completions", relId: "rel_team_member_id", textId: "txt_mlc_team_member" },
|
|
|
|
|
{ name: "theme_session_completions", relId: "rel_tsc_team_member", textId: "txt_tsc_team_member" },
|
|
|
|
|
// 1. Drop the old PIN-based collection (takes the PIN records with it).
|
|
|
|
|
// Other collections (micro_learning_completions, theme_session_completions)
|
|
|
|
|
// have relation fields pointing to the old team_members — PocketBase refuses
|
|
|
|
|
// to delete a referenced collection. Remove those relation fields first,
|
|
|
|
|
// delete the old collection, create the new auth collection, then re-add
|
|
|
|
|
// the relation fields pointing to the new collection.
|
|
|
|
|
const relDeps = [
|
|
|
|
|
{ collection: "micro_learning_completions", fieldId: "rel_team_member_id", fieldName: "team_member_id" },
|
|
|
|
|
{ collection: "theme_session_completions", fieldId: "rel_tsc_team_member", fieldName: "team_member_id" },
|
|
|
|
|
];
|
|
|
|
|
for (const dep of deps) {
|
|
|
|
|
let c;
|
|
|
|
|
try { c = app.findCollectionByNameOrId(dep.name); } catch (_) { continue; }
|
|
|
|
|
// Drop any index that references the team_member_id column.
|
|
|
|
|
c.indexes = (c.indexes || []).filter((idx) => idx.indexOf("team_member_id") === -1);
|
|
|
|
|
// Replace the relation field with a text field of the same name.
|
|
|
|
|
c.fields.removeById(dep.relId);
|
|
|
|
|
c.fields.add(new Field({
|
|
|
|
|
type: "text",
|
|
|
|
|
id: dep.textId,
|
|
|
|
|
name: "team_member_id",
|
|
|
|
|
required: false,
|
|
|
|
|
min: 0,
|
|
|
|
|
max: 0,
|
|
|
|
|
}));
|
|
|
|
|
app.save(c);
|
|
|
|
|
|
|
|
|
|
// Remove blocking relation fields so the old collection can be deleted.
|
|
|
|
|
for (const dep of relDeps) {
|
|
|
|
|
try {
|
|
|
|
|
const col = app.findCollectionByNameOrId(dep.collection);
|
|
|
|
|
col.fields.removeById(dep.fieldId);
|
|
|
|
|
app.save(col);
|
|
|
|
|
} catch (_) { /* collection doesn't exist yet — skip */ }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Recreate the unique (team_member_id, session_week) guard on the text column.
|
|
|
|
|
try {
|
|
|
|
|
const tsc = app.findCollectionByNameOrId("theme_session_completions");
|
|
|
|
|
tsc.indexes.push("CREATE UNIQUE INDEX `idx_theme_session_completions_user_week` ON `theme_session_completions` (`team_member_id`, `session_week`)");
|
|
|
|
|
app.save(tsc);
|
|
|
|
|
} catch (_) { /* collection missing — skip */ }
|
|
|
|
|
|
|
|
|
|
// 2. Drop the old PIN-based team_members (now unreferenced).
|
|
|
|
|
try {
|
|
|
|
|
const old = app.findCollectionByNameOrId("team_members");
|
|
|
|
|
app.delete(old);
|
|
|
|
|
@@ -62,29 +46,15 @@ migrate((app) => {
|
|
|
|
|
// Collection did not exist — nothing to drop.
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const tenant = $os.getenv("ENTRA_TENANT_ID") || "common";
|
|
|
|
|
const clientId = $os.getenv("ENTRA_CLIENT_ID");
|
|
|
|
|
const tenant = $os.getenv("ENTRA_TENANT_ID") || "common";
|
|
|
|
|
const clientId = $os.getenv("ENTRA_CLIENT_ID");
|
|
|
|
|
const clientSecret = $os.getenv("ENTRA_CLIENT_SECRET");
|
|
|
|
|
|
|
|
|
|
// Only configure the OIDC provider when credentials are actually present.
|
|
|
|
|
// PocketBase rejects an enabled OAuth2 provider with an empty clientId /
|
|
|
|
|
// clientSecret, which would abort this migration and prevent PocketBase from
|
|
|
|
|
// starting at all (502 on every /api call). When the secrets are absent the
|
|
|
|
|
// collection is created without a provider; once the ENTRA_* secrets are set,
|
|
|
|
|
// configure the provider via the PocketBase admin UI
|
|
|
|
|
// (Settings → Auth providers → OIDC) or re-apply this migration.
|
|
|
|
|
const oidcProviders = (clientId && clientSecret) ? [
|
|
|
|
|
{
|
|
|
|
|
name: "oidc",
|
|
|
|
|
clientId: clientId,
|
|
|
|
|
clientSecret: clientSecret,
|
|
|
|
|
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
|
|
|
|
|
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
|
|
|
|
|
userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
|
|
|
|
|
displayName: "Microsoft",
|
|
|
|
|
pkce: true,
|
|
|
|
|
},
|
|
|
|
|
] : [];
|
|
|
|
|
const hasOidc = !!(clientId && clientSecret);
|
|
|
|
|
if (!hasOidc) {
|
|
|
|
|
console.log("WARN: ENTRA_CLIENT_ID / ENTRA_CLIENT_SECRET not set — OIDC provider will not be configured. " +
|
|
|
|
|
"Set the env vars and re-apply the migration to enable Azure login.");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// 2. Recreate `team_members` as an auth collection (same name → all existing
|
|
|
|
|
// `user_id` references in test_results, on_demand_attempts,
|
|
|
|
|
@@ -113,7 +83,7 @@ migrate((app) => {
|
|
|
|
|
mfa: { enabled: false, duration: 600, rule: "" },
|
|
|
|
|
|
|
|
|
|
oauth2: {
|
|
|
|
|
enabled: oidcProviders.length > 0,
|
|
|
|
|
enabled: hasOidc,
|
|
|
|
|
// Map the OIDC userinfo claims onto our fields.
|
|
|
|
|
mappedFields: {
|
|
|
|
|
id: "",
|
|
|
|
|
@@ -121,7 +91,18 @@ migrate((app) => {
|
|
|
|
|
username: "",
|
|
|
|
|
avatarURL: "",
|
|
|
|
|
},
|
|
|
|
|
providers: oidcProviders,
|
|
|
|
|
providers: hasOidc ? [
|
|
|
|
|
{
|
|
|
|
|
name: "oidc",
|
|
|
|
|
clientId: clientId,
|
|
|
|
|
clientSecret: clientSecret,
|
|
|
|
|
authURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
|
|
|
|
|
tokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
|
|
|
|
|
userInfoURL: "https://graph.microsoft.com/oidc/userinfo",
|
|
|
|
|
displayName: "Microsoft",
|
|
|
|
|
pkce: true,
|
|
|
|
|
},
|
|
|
|
|
] : [],
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
fields: [
|
|
|
|
|
@@ -277,6 +258,24 @@ migrate((app) => {
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
app.save(collection);
|
|
|
|
|
|
|
|
|
|
// 3. Re-add the relation fields pointing to the new auth collection.
|
|
|
|
|
for (const dep of relDeps) {
|
|
|
|
|
try {
|
|
|
|
|
const col = app.findCollectionByNameOrId(dep.collection);
|
|
|
|
|
const newField = new Field({
|
|
|
|
|
id: dep.fieldId,
|
|
|
|
|
name: dep.fieldName,
|
|
|
|
|
type: "relation",
|
|
|
|
|
required: true,
|
|
|
|
|
collectionId: collection.id,
|
|
|
|
|
cascadeDelete: true,
|
|
|
|
|
maxSelect: 1,
|
|
|
|
|
});
|
|
|
|
|
col.fields.add(newField);
|
|
|
|
|
app.save(col);
|
|
|
|
|
} catch (_) { /* collection doesn't exist — skip */ }
|
|
|
|
|
}
|
|
|
|
|
}, (app) => {
|
|
|
|
|
// Down: drop the auth collection and recreate the original PIN-based base
|
|
|
|
|
// collection (without data — the original records are gone).
|
|
|
|
|
|