Merge remote-tracking branch 'origin/main' into bugfix/harden-env-handling

Made-with: Cursor # Conflicts: # test/mv_web/controllers/auth_controller_test.exs
2026-04-07 16:33:24 +02:00 · 2026-04-07 16:33:24 +02:00 · 1d3f973410
commit 1d3f973410
parent d7dd7d1959 bac488b47c
5 changed files with 51 additions and 28 deletions
--- a/test/mv_web/controllers/auth_controller_test.exs
+++ b/test/mv_web/controllers/auth_controller_test.exs
@ -286,16 +286,33 @@ defmodule MvWeb.AuthControllerTest do
  describe "when OIDC-only is enabled" do
    setup %{conn: authenticated_conn} do
      {:ok, settings} = Membership.get_settings()
-      original_oidc_only = Map.get(settings, :oidc_only, false)
-      {:ok, _} = Membership.update_settings(settings, %{oidc_only: true})
+
+      prev = %{
+        oidc_only: settings.oidc_only,
+        oidc_client_id: settings.oidc_client_id,
+        oidc_base_url: settings.oidc_base_url,
+        oidc_redirect_uri: settings.oidc_redirect_uri,
+        oidc_client_secret: settings.oidc_client_secret
+      }
+
+      # OIDC must be cleared so GET /sign-in is not redirected by OidcOnlySignInRedirect
+      # (seeds may leave a full OIDC config). Rejection is enforced in AuthController.success/4.
+      {:ok, _} =
+        Membership.update_settings(settings, %{
+          oidc_only: true,
+          oidc_client_id: nil,
+          oidc_base_url: nil,
+          oidc_redirect_uri: nil,
+          oidc_client_secret: nil
+        })

      conn = build_unauthenticated_conn(authenticated_conn)
-      {:ok, conn: conn, original_oidc_only: original_oidc_only}
+      {:ok, conn: conn, original_sign_in_settings: prev}
    end

    test "password sign-in is rejected and redirects to sign-in with error", %{
      conn: conn,
-      original_oidc_only: original
+      original_sign_in_settings: prev
    } do
      try do
        _user =
@ -328,7 +345,7 @@ defmodule MvWeb.AuthControllerTest do
        end
      after
        {:ok, s} = Membership.get_settings()
-        Membership.update_settings(s, %{oidc_only: original})
+        Membership.update_settings(s, prev)
      end
    end
  end
@ -343,7 +360,8 @@ defmodule MvWeb.AuthControllerTest do
        oidc_only: settings.oidc_only,
        oidc_client_id: settings.oidc_client_id,
        oidc_base_url: settings.oidc_base_url,
-        oidc_redirect_uri: settings.oidc_redirect_uri
+        oidc_redirect_uri: settings.oidc_redirect_uri,
+        oidc_client_secret: settings.oidc_client_secret
      }

      {:ok, _} =
@ -374,7 +392,8 @@ defmodule MvWeb.AuthControllerTest do
        oidc_only: settings.oidc_only,
        oidc_client_id: settings.oidc_client_id,
        oidc_base_url: settings.oidc_base_url,
-        oidc_redirect_uri: settings.oidc_redirect_uri
+        oidc_redirect_uri: settings.oidc_redirect_uri,
+        oidc_client_secret: settings.oidc_client_secret
      }

      {:ok, _} =