Code-review follow-ups: policy, docs, seed_admin behaviour

- Use OidcRoleSyncContext for set_role_from_oidc_sync; document JWT peek risk. - seed_admin without password sets Admin role on existing user (OIDC-only); update docs and test. - Fix DE translation for 'access this page'; add get? true comment in User.
2026-02-04 19:44:43 +01:00 · 2026-02-04 19:44:43 +01:00 · c5f1fdce0a
commit c5f1fdce0a
parent d573a22769
7 changed files with 51 additions and 19 deletions
--- a/lib/mv/authorization/checks/oidc_role_sync_context.ex
+++ b/lib/mv/authorization/checks/oidc_role_sync_context.ex
@ -1,9 +1,9 @@
 defmodule Mv.Authorization.Checks.OidcRoleSyncContext do
  @moduledoc """
-  Policy check: true when the action is being run from OIDC role sync (context.private.oidc_role_sync).
+  Policy check: true when the action is run from OIDC role sync (context.private.oidc_role_sync).

-  Used to allow the internal set_role_from_oidc_sync action when called by Mv.OidcRoleSync
-  without an actor.
+  Used to allow the internal set_role_from_oidc_sync action only when called by Mv.OidcRoleSync,
+  which sets context.private.oidc_role_sync when performing the update.
  """
  use Ash.Policy.SimpleCheck

@ -12,11 +12,7 @@ defmodule Mv.Authorization.Checks.OidcRoleSyncContext do

  @impl true
  def match?(_actor, authorizer, _opts) do
-    # Context from opts (e.g. Ash.update!(..., context: %{private: %{oidc_role_sync: true}}))
    context = Map.get(authorizer, :context) || %{}
-    from_context = get_in(context, [:private, :oidc_role_sync]) == true
-    # When update runs inside create's after_action, context may not be passed; use process dict.
-    from_process = Process.get(:oidc_role_sync) == true
-    from_context or from_process
+    get_in(context, [:private, :oidc_role_sync]) == true
  end
 end
--- a/lib/mv/oidc_role_sync.ex
+++ b/lib/mv/oidc_role_sync.ex
@ -10,6 +10,16 @@ defmodule Mv.OidcRoleSync do
  the access_token from oauth_tokens is decoded as JWT and the groups claim is
  read from there (e.g. Rauthy puts groups in the access token when scope
  includes "groups").
+
+  ## JWT access token (security)
+
+  The access_token payload is read without signature verification (peek only).
+  We rely on the fact that `oauth_tokens` is only ever passed from the
+  verified OIDC callback (Assent/AshAuthentication after provider token
+  exchange). If callers passed untrusted or tampered tokens, group claims
+  could be forged and a user could be assigned the Admin role. Therefore:
+  do not call this module with user-supplied tokens; it is intended only
+  for the internal flow from the OIDC callback.
  """
  alias Mv.Accounts.User
  alias Mv.Authorization.Role
--- a/lib/mv/release.ex
+++ b/lib/mv/release.ex
@ -52,14 +52,37 @@ defmodule Mv.Release do
        :ok

      is_nil(admin_password) or admin_password == "" ->
-        # Do not create or update any user without a password (no fallback in production)
-        :ok
+        ensure_admin_role_only(admin_email)

      true ->
        ensure_admin_user(admin_email, admin_password)
    end
  end

+  defp ensure_admin_role_only(email) do
+    case Role.get_admin_role() do
+      {:ok, nil} ->
+        :ok
+
+      {:ok, %Role{} = admin_role} ->
+        case get_user_by_email(email) do
+          {:ok, %User{} = user} ->
+            user
+            |> Ash.Changeset.for_update(:update, %{})
+            |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
+            |> Ash.update!(authorize?: false)
+
+            :ok
+
+          _ ->
+            :ok
+        end
+
+      {:error, _} ->
+        :ok
+    end
+  end
+
  defp ensure_admin_user(email, password) do
    if is_nil(password) or password == "" do
      :ok