Every first Microsoft login failed with 403 "Only superusers can perform this action": PocketBase applies the collection createRule to the automatic record creation during OAuth2 sign-up, and team_members was created with createRule null (superuser-only) on the wrong assumption that the OAuth2 flow bypasses it. Since the pre-Azure records were deliberately dropped, every user was a first login and nobody could get in. Reproduced locally against a mock OIDC provider (PocketBase v0.30.4). createRule becomes '@request.context = "oauth2"': record creation is allowed exclusively from within the OAuth2 flow. Anonymous REST creates (which could otherwise pre-seed rogue admin profiles) remain rejected — covered by an explicit test. - pb_migrations/1781000002_allow_oauth2_signup.js: applies the rule on already-migrated environments (Labs); idempotent, guarded, with down - pb_migrations/1781000000_team_members_to_auth.js: same rule for fresh environments (filename unchanged — ledger-safe) - scripts/setup-pb-collections.mjs: fallback entry mirrored - docs/auth-spec.md: ADR 009 + files table Verified with a mock-OIDC matrix (9/9): baseline reproduces the 403 on the old rule; upgrade path heals (first login 200, role/enrollment/name defaults, second login no duplicate, anonymous create still rejected); fresh chain + admin allow-list mapping OK. DoD harness regression 15/15, npm test 112/112. Closes #22 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
250 lines
8.5 KiB
JavaScript
250 lines
8.5 KiB
JavaScript
/**
|
|
* Creates all PocketBase collections for the learning platform.
|
|
* Usage: node scripts/setup-pb-collections.mjs [PB_URL] [ADMIN_EMAIL] [ADMIN_PASSWORD]
|
|
* Defaults: http://localhost:8090, prompted if not provided
|
|
*/
|
|
|
|
const PB_URL = process.argv[2] || 'http://localhost:8090';
|
|
const ADMIN_EMAIL = process.argv[3];
|
|
const ADMIN_PASSWORD = process.argv[4];
|
|
|
|
if (!ADMIN_EMAIL || !ADMIN_PASSWORD) {
|
|
console.error('Usage: node scripts/setup-pb-collections.mjs <PB_URL> <admin_email> <admin_password>');
|
|
process.exit(1);
|
|
}
|
|
|
|
const OPEN_RULES = { listRule: '', viewRule: '', createRule: '', updateRule: '', deleteRule: '' };
|
|
|
|
// PocketBase v0.23: created/updated must be explicitly defined as autodate fields
|
|
const AUTODATE_FIELDS = [
|
|
{ name: 'created', type: 'autodate', onCreate: true, onUpdate: false },
|
|
{ name: 'updated', type: 'autodate', onCreate: true, onUpdate: true },
|
|
];
|
|
|
|
const COLLECTIONS = [
|
|
{
|
|
name: 'topics',
|
|
type: 'base',
|
|
...OPEN_RULES,
|
|
fields: [
|
|
{ name: 'id', type: 'text', primaryKey: true, system: true, min: 1, max: 255, pattern: '^[a-zA-Z0-9_-]+$' },
|
|
{ name: 'label', type: 'text', required: true },
|
|
{ name: 'type', type: 'text', required: false },
|
|
{ name: 'description', type: 'text', required: false },
|
|
...AUTODATE_FIELDS,
|
|
],
|
|
},
|
|
{
|
|
name: 'relations',
|
|
type: 'base',
|
|
...OPEN_RULES,
|
|
fields: [
|
|
{ name: 'source', type: 'text', required: true },
|
|
{ name: 'target', type: 'text', required: true },
|
|
{ name: 'type', type: 'text', required: false },
|
|
...AUTODATE_FIELDS,
|
|
],
|
|
},
|
|
{
|
|
name: 'content',
|
|
type: 'base',
|
|
...OPEN_RULES,
|
|
fields: [
|
|
{ name: 'topic_id', type: 'text', required: true },
|
|
{ name: 'data', type: 'json', required: false },
|
|
...AUTODATE_FIELDS,
|
|
],
|
|
},
|
|
{
|
|
// Question bank: one record per topic with a `questions` JSON array.
|
|
// Shared across all users; admin-curated; powers on-demand topic tests.
|
|
name: 'question_bank',
|
|
type: 'base',
|
|
...OPEN_RULES,
|
|
fields: [
|
|
{ name: 'topic_id', type: 'text', required: true },
|
|
{ name: 'questions', type: 'json', required: false },
|
|
...AUTODATE_FIELDS,
|
|
],
|
|
},
|
|
{
|
|
// On-demand attempts log: one record per completed topic test.
|
|
// Powers the weekly-cap aggregation and the Contributions feed.
|
|
name: 'on_demand_attempts',
|
|
type: 'base',
|
|
...OPEN_RULES,
|
|
fields: [
|
|
{ name: 'user_id', type: 'text', required: true },
|
|
{ name: 'topic_id', type: 'text', required: true },
|
|
{ name: 'topic_label', type: 'text', required: false },
|
|
{ name: 'question_ids', type: 'json', required: false },
|
|
{ name: 'score', type: 'number', required: false },
|
|
{ name: 'total', type: 'number', required: false },
|
|
{ name: 'percentage', type: 'number', required: false },
|
|
{ name: 'time_used', type: 'number', required: false },
|
|
{ name: 'unseen_correct', type: 'number', required: false },
|
|
{ name: 'points_earned', type: 'number', required: false },
|
|
{ name: 'capped', type: 'bool', required: false },
|
|
{ name: 'iso_week', type: 'text', required: false },
|
|
{ name: 'completed_at', type: 'text', required: false },
|
|
{ name: 'breakdown', type: 'json', required: false },
|
|
...AUTODATE_FIELDS,
|
|
],
|
|
},
|
|
{
|
|
name: 'sources',
|
|
type: 'base',
|
|
...OPEN_RULES,
|
|
fields: [
|
|
{ name: 'name', type: 'text', required: true },
|
|
{ name: 'status', type: 'text', required: false },
|
|
{ name: 'error', type: 'text', required: false },
|
|
...AUTODATE_FIELDS,
|
|
],
|
|
},
|
|
// NOTE: `team_members` is an AUTH collection owned by the migration
|
|
// pb_migrations/1781000000_team_members_to_auth.js (Azure/Entra ID login).
|
|
// Migrations run on PocketBase start — before this script — so the entry
|
|
// below is only a fallback for environments where migrations have not run;
|
|
// when the auth collection already exists, this create is skipped.
|
|
{
|
|
name: 'team_members',
|
|
type: 'auth',
|
|
...OPEN_RULES,
|
|
// Mirror of pb_migrations/1781000002: creation only via the OAuth2
|
|
// sign-up flow (issue #22).
|
|
createRule: '@request.context = "oauth2"',
|
|
passwordAuth: { enabled: false, identityFields: ['email'] },
|
|
fields: [
|
|
{ name: 'name', type: 'text', required: false },
|
|
{ name: 'role', type: 'text', required: false },
|
|
{ name: 'curriculum_started_at', type: 'date', required: false },
|
|
{ name: 'enrollment_status', type: 'text', required: false },
|
|
],
|
|
},
|
|
{
|
|
name: 'quiz_results',
|
|
type: 'base',
|
|
...OPEN_RULES,
|
|
fields: [
|
|
{ name: 'user_id', type: 'text', required: true },
|
|
{ name: 'week_number', type: 'number', required: true },
|
|
{ name: 'score', type: 'number', required: false },
|
|
{ name: 'total', type: 'number', required: false },
|
|
{ name: 'percentage', type: 'number', required: false },
|
|
{ name: 'time_used', type: 'number', required: false },
|
|
{ name: 'completed_at', type: 'text', required: false },
|
|
{ name: 'breakdown', type: 'json', required: false },
|
|
{ name: 'points_earned',type: 'number', required: false },
|
|
...AUTODATE_FIELDS,
|
|
],
|
|
},
|
|
{
|
|
name: 'quiz_cache',
|
|
type: 'base',
|
|
...OPEN_RULES,
|
|
fields: [
|
|
{ name: 'user_id', type: 'text', required: true },
|
|
{ name: 'week_number', type: 'number', required: true },
|
|
{ name: 'questions', type: 'json', required: false },
|
|
{ name: 'meta', type: 'json', required: false },
|
|
...AUTODATE_FIELDS,
|
|
],
|
|
},
|
|
{
|
|
name: 'learn_progress',
|
|
type: 'base',
|
|
...OPEN_RULES,
|
|
fields: [
|
|
{ name: 'user_id', type: 'text', required: true },
|
|
{ name: 'week_number', type: 'number', required: true },
|
|
{ name: 'done', type: 'bool', required: false },
|
|
...AUTODATE_FIELDS,
|
|
],
|
|
},
|
|
{
|
|
name: 'leaderboard',
|
|
type: 'base',
|
|
...OPEN_RULES,
|
|
fields: [
|
|
{ name: 'user_id', type: 'text', required: true },
|
|
{ name: 'name', type: 'text', required: false },
|
|
{ name: 'points', type: 'number', required: false },
|
|
{ name: 'tests_completed', type: 'number', required: false },
|
|
{ name: 'learnings_completed', type: 'number', required: false },
|
|
...AUTODATE_FIELDS,
|
|
],
|
|
},
|
|
{
|
|
name: 'curriculum',
|
|
type: 'base',
|
|
...OPEN_RULES,
|
|
fields: [
|
|
{ name: 'year', type: 'number', required: true },
|
|
{ name: 'week_number', type: 'number', required: true },
|
|
{ name: 'topic_id', type: 'text', required: false },
|
|
{ name: 'theme', type: 'text', required: false },
|
|
{ name: 'quarter', type: 'number', required: false },
|
|
{ name: 'is_review_week', type: 'bool', required: false },
|
|
{ name: 'sort_order', type: 'number', required: false },
|
|
...AUTODATE_FIELDS,
|
|
],
|
|
},
|
|
{
|
|
name: 'settings',
|
|
type: 'base',
|
|
...OPEN_RULES,
|
|
fields: [
|
|
{ name: 'key', type: 'text', required: true },
|
|
{ name: 'value', type: 'text', required: false },
|
|
...AUTODATE_FIELDS,
|
|
],
|
|
},
|
|
];
|
|
|
|
async function post(path, body, token) {
|
|
const res = await fetch(`${PB_URL}${path}`, {
|
|
method: 'POST',
|
|
headers: {
|
|
'Content-Type': 'application/json',
|
|
...(token ? { Authorization: token } : {}),
|
|
},
|
|
body: JSON.stringify(body),
|
|
});
|
|
const json = await res.json();
|
|
if (!res.ok) throw Object.assign(new Error(json.message || 'Request failed'), { status: res.status, data: json });
|
|
return json;
|
|
}
|
|
|
|
async function main() {
|
|
console.log(`Connecting to PocketBase at ${PB_URL}...`);
|
|
|
|
// Authenticate as superuser (PocketBase v0.23+)
|
|
const auth = await post('/api/collections/_superusers/auth-with-password', {
|
|
identity: ADMIN_EMAIL,
|
|
password: ADMIN_PASSWORD,
|
|
});
|
|
const token = auth.token;
|
|
console.log('Authenticated as admin.\n');
|
|
|
|
for (const col of COLLECTIONS) {
|
|
try {
|
|
await post('/api/collections', col, token);
|
|
console.log(` ✓ Created: ${col.name}`);
|
|
} catch (err) {
|
|
if (err.status === 400 && err.data?.data?.name?.code === 'validation_not_unique') {
|
|
console.log(` ~ Skipped: ${col.name} (already exists)`);
|
|
} else {
|
|
console.error(` ✗ Failed: ${col.name} — ${err.message}`);
|
|
}
|
|
}
|
|
}
|
|
|
|
console.log('\nDone. All collections are set up with open API rules.');
|
|
}
|
|
|
|
main().catch(err => {
|
|
console.error('\nFatal error:', err.message);
|
|
process.exit(1);
|
|
});
|