PocketBase on Labs crash-looped since the SSO deploy (PR #17): mounting --migrationsDir for the first time replayed the entire migration history against a database that was provisioned out-of-band (empty _migrations ledger) and died on 1778948471_created_content.js. On top of that the team_members->auth migration had its own crash paths and trapped OAuth2 config inside a one-shot, env-dependent migration. - pb_migrations/1000000000_baseline_ledger_sync.js: detects an out-of-band provisioned DB (schema exists, ledger empty) and marks the 79 historical migrations as applied; no-op on fresh or already-synced DBs - pb_migrations/1781000000_team_members_to_auth.js: idempotency guard, relation->text conversion WITH data preservation (PocketBase diffs fields by id, so the column is backed up and restored via SQL), unique index rebuild, no silent catches, env only as fast-path - pb_hooks/entra_oidc.pb.js + pb_hooks/utils.js: reconcile the Entra OIDC provider from ENTRA_* env on every bootstrap + cron tick (compare-before-save, warn-once); heals environments that migrated without secrets and supports secret rotation without re-apply - pb_hooks/team_members.pb.js: require() pattern — JSVM runs callbacks as isolated programs, top-level helpers are not in scope (adopts Leroy's fix from the fix-sso branch) - infra/*/site/deploy-playbook.yml: health-gate after compose up — the deploy fails loudly with container logs when PocketBase does not become healthy (runs #83-#88 were green while PB crash-looped) - docker-compose.yml: .env.local is optional again - docs/auth-spec.md + AI_AGENT.md: ledger/reconciler documentation, ADRs 006-008, never-rename-applied-migrations warning Verified locally against PocketBase v0.30.4 with a 7-scenario DoD matrix (fresh DB +/- env, out-of-band DB with data incl. data preservation, populated-ledger upgrade, late-secrets healing, re-run guard, hook provisioning): 15/15 pass. npm test 112/112. Closes #18 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
56 lines
2.2 KiB
JavaScript
56 lines
2.2 KiB
JavaScript
/// <reference path="../pb_data/types.d.ts" />
|
|
//
|
|
// Issue #16 — Auto-provisioning & role assignment for Azure (Entra ID) users.
|
|
//
|
|
// PocketBase auto-creates a `team_members` auth record on the first OIDC login
|
|
// (name is filled from the OIDC `name` claim via the collection's mappedFields).
|
|
// These hooks add the application-specific bits:
|
|
//
|
|
// * default `role` from an admin allow-list (env ENTRA_ADMIN_EMAILS),
|
|
// * default `enrollment_status = "not_started"` so new users go through the
|
|
// existing onboarding screen,
|
|
// * re-sync the admin role on every login so allow-list changes take effect
|
|
// without manual edits.
|
|
//
|
|
// The allow-list is a comma-separated list of e-mail addresses, e.g.:
|
|
// ENTRA_ADMIN_EMAILS=rve@respellion.nl,admin@respellion.nl
|
|
//
|
|
// resolveRole itself lives in pb_hooks/utils.js and is pulled in per-callback
|
|
// via require() — PocketBase's JSVM runs each hook callback below as its own
|
|
// isolated program, so a shared top-level function here would not be in scope
|
|
// at call time. See pb_hooks/utils.js for details. Keep the logic in sync with
|
|
// src/lib/azureAuth.js (resolveRole / parseAdminEmails), which carries the
|
|
// canonical, unit-tested version for the frontend/tests.
|
|
|
|
// On creation (first login): set defaults before the record is persisted.
|
|
onRecordCreate(function (e) {
|
|
const { resolveRole } = require(`${__hooks}/utils.js`);
|
|
const email = e.record.get("email") || "";
|
|
|
|
e.record.set("role", resolveRole(email));
|
|
|
|
if (!e.record.get("enrollment_status")) {
|
|
e.record.set("enrollment_status", "not_started");
|
|
}
|
|
|
|
// Fallback name when the IdP supplied no `name` claim.
|
|
if (!e.record.get("name")) {
|
|
e.record.set("name", email ? email.split("@")[0] : "Onbekend");
|
|
}
|
|
|
|
e.next();
|
|
}, "team_members");
|
|
|
|
// On every successful auth (incl. OIDC): keep the admin role in sync with the
|
|
// allow-list, so promoting/demoting an admin only requires an env change.
|
|
onRecordAuthRequest(function (e) {
|
|
const { resolveRole } = require(`${__hooks}/utils.js`);
|
|
const email = e.record.get("email") || "";
|
|
const want = resolveRole(email);
|
|
if (e.record.get("role") !== want) {
|
|
e.record.set("role", want);
|
|
e.app.save(e.record);
|
|
}
|
|
e.next();
|
|
}, "team_members");
|