local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 66 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

OIDC: pass oauth_tokens to role sync; get? true for sign_in; return record in register

Browse source 
- sign_in_with_rauthy: get? true so Ash returns single user; pass oauth_tokens to OidcRoleSync.
- register_with_rauthy: pass oauth_tokens to OidcRoleSync; return {:ok, record} to preserve token.
This commit is contained in:
Moritz 2026-02-04 18:03:15 +01:00
parent cd6db4ae28
commit b215282609
1 changed files with 7 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

10
lib/accounts/user.ex
View file

@ -258,6 +258,7 @@ defmodule Mv.Accounts.User do
end
read :sign_in_with_rauthy do
get? true
argument :user_info, :map, allow_nil?: false
argument :oauth_tokens, :map, allow_nil?: false
prepare AshAuthentication.Strategy.OAuth2.SignInPreparation
@ -271,9 +272,10 @@ defmodule Mv.Accounts.User do
# Sync role from OIDC groups after sign-in (e.g. admin group → Admin role)
prepare Ash.Resource.Preparation.Builtins.after_action(fn query, records, _context ->
user_info = Ash.Query.get_argument(query, :user_info) || %{}
oauth_tokens = Ash.Query.get_argument(query, :oauth_tokens) || %{}
Enum.each(records, fn user ->
Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info)
Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info, oauth_tokens)
end)
{:ok, records}
@ -319,10 +321,12 @@ defmodule Mv.Accounts.User do
# Sync role from OIDC groups (e.g. admin group → Admin role) after user is created/updated
change fn changeset, _ctx ->
user_info = Ash.Changeset.get_argument(changeset, :user_info)
oauth_tokens = Ash.Changeset.get_argument(changeset, :oauth_tokens) || %{}
Ash.Changeset.after_action(changeset, fn _cs, record ->
Mv.OidcRoleSync.apply_admin_role_from_user_info(record, user_info)
{:ok, Ash.get!(__MODULE__, record.id, authorize?: false, domain: Mv.Accounts)}
Mv.OidcRoleSync.apply_admin_role_from_user_info(record, user_info, oauth_tokens)
# Return original record so __metadata__.token (from GenerateTokenChange) is preserved
{:ok, record}
end)
end
end