OIDC sign-in: robust after_action for get? result, non-bang role sync

- sign_in_with_rauthy after_action normalizes result (nil/struct/list) to list before Enum.each. - OidcRoleSync.do_set_role uses Ash.update and swallows errors so auth is not blocked; skip update if role already correct.
2026-02-04 20:25:54 +01:00 · 2026-02-04 20:25:54 +01:00 · ad42a53919
commit ad42a53919
parent c5f1fdce0a
2 changed files with 24 additions and 9 deletions
--- a/lib/accounts/user.ex
+++ b/lib/accounts/user.ex
@ -271,15 +271,24 @@ defmodule Mv.Accounts.User do
      filter expr(oidc_id == get_path(^arg(:user_info), [:sub]))
      # Sync role from OIDC groups after sign-in (e.g. admin group → Admin role)
-      prepare Ash.Resource.Preparation.Builtins.after_action(fn query, records, _context ->
+      # get? true can return nil, a single %User{}, or a list; normalize to list for Enum.each
      prepare Ash.Resource.Preparation.Builtins.after_action(fn query, result, _context ->
                user_info = Ash.Query.get_argument(query, :user_info) || %{}
                oauth_tokens = Ash.Query.get_argument(query, :oauth_tokens) || %{}
-                Enum.each(records, fn user ->
+                users =
                  case result do
                    nil -> []
                    u when is_struct(u, User) -> [u]
                    list when is_list(list) -> list
                    _ -> []
                  end
                Enum.each(users, fn user ->
                  Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info, oauth_tokens)
                end)
-                {:ok, records}
+                {:ok, result}
              end)
    end
--- a/lib/mv/oidc_role_sync.ex
+++ b/lib/mv/oidc_role_sync.ex
@ -132,11 +132,17 @@ defmodule Mv.OidcRoleSync do
  end
  defp do_set_role(user, role) do
    if user.role_id == role.id do
      :ok
    else
      user
      |> Ash.Changeset.for_update(:set_role_from_oidc_sync, %{role_id: role.id})
      |> Ash.Changeset.set_context(%{private: %{oidc_role_sync: true}})
-    |> Ash.update!(domain: Mv.Accounts, context: %{private: %{oidc_role_sync: true}})
+      |> Ash.update(domain: Mv.Accounts, context: %{private: %{oidc_role_sync: true}})
-
+      |> case do
-    :ok
+        {:ok, _} -> :ok
        {:error, _} -> :ok
      end
    end
  end
 end