feat: OIDC configuration in global Settings (ENV or DB)

- Add oidc_* attributes to Setting, migration and Config helpers
- Secrets and OidcRoleSyncConfig read from Config (ENV overrides DB)
- GlobalSettingsLive: OIDC section with disabled fields when ENV set
- OIDC role sync tests use DataCase for DB access

lib/mv/secrets.ex

@@ -7,12 +7,12 @@ defmodule Mv.Secrets do
   particularly for OIDC (Rauthy) authentication.
 
   ## Configuration Source
-  Secrets are read from the `:oidc` key in the application configuration,
-  which is typically set in `config/runtime.exs` from environment variables:
-  - `OIDC_CLIENT_ID`
-  - `OIDC_CLIENT_SECRET`
-  - `OIDC_BASE_URL`
-  - `OIDC_REDIRECT_URI`
+  Secrets are read via `Mv.Config` which prefers environment variables and
+  falls back to Settings from the database:
+  - OIDC_CLIENT_ID / settings.oidc_client_id
+  - OIDC_CLIENT_SECRET / settings.oidc_client_secret
+  - OIDC_BASE_URL / settings.oidc_base_url
+  - OIDC_REDIRECT_URI / settings.oidc_redirect_uri
 
   ## Usage
   This module is automatically called by AshAuthentication when resolving
@@ -26,7 +26,7 @@ defmodule Mv.Secrets do
         _opts,
         _meth
       ) do
-    get_config(:client_id)
+    {:ok, Mv.Config.oidc_client_id()}
   end
 
   def secret_for(
@@ -35,7 +35,7 @@ defmodule Mv.Secrets do
         _opts,
         _meth
       ) do
-    get_config(:redirect_uri)
+    {:ok, Mv.Config.oidc_redirect_uri()}
   end
 
   def secret_for(
@@ -44,7 +44,7 @@ defmodule Mv.Secrets do
         _opts,
         _meth
       ) do
-    get_config(:client_secret)
+    {:ok, Mv.Config.oidc_client_secret()}
   end
 
   def secret_for(
@@ -53,13 +53,6 @@ defmodule Mv.Secrets do
         _opts,
         _meth
       ) do
-    get_config(:base_url)
-  end
-
-  defp get_config(key) do
-    :mv
-    |> Application.fetch_env!(:oidc)
-    |> Keyword.fetch!(key)
-    |> then(&{:ok, &1})
+    {:ok, Mv.Config.oidc_base_url()}
   end
 end