Init an admin user in prod closes #381

moritz commented

2026-02-04 18:13:01 +01:00

Owner

Description of the implemented changes

The changes were:

Bugfixing
New Feature
Breaking Change
Refactoring

What has been changed?

Definition of Done

Code Quality

No new technical depths
Linting passed
Documentation is added were needed

Accessibility

New elements are properly defined with html-tags
Colour contrast follows WCAG criteria
Aria labels are added when needed
Everything is accessible by keyboard
Tab-Order is comprehensible
All interactive elements have a visible focus

Testing

Tests for new code are written
All tests pass
axe-core dev tools show no critical or major issues

Additional Notes

## Description of the implemented changes The changes were: - [ ] Bugfixing - [x] New Feature - [ ] Breaking Change - [ ] Refactoring  ## What has been changed?  ## Definition of Done ### Code Quality - [x] No new technical depths - [x] Linting passed - [x] Documentation is added were needed ### Accessibility - [ ] New elements are properly defined with html-tags - [ ] Colour contrast follows WCAG criteria - [ ] Aria labels are added when needed - [ ] Everything is accessible by keyboard - [ ] Tab-Order is comprehensible - [ ] All interactive elements have a visible focus ### Testing - [x] Tests for new code are written - [x] All tests pass - [ ] axe-core dev tools show no critical or major issues ## Additional Notes

moritz added this to the Accounts & Logins milestone 2026-02-04 18:13:01 +01:00

moritz self-assigned this 2026-02-04 18:13:01 +01:00

moritz added 12 commits 2026-02-04 18:13:03 +01:00

Call seed_admin in docker entrypoint after migrate 65a6a568b5

Ensures admin user is created/updated from ENV on every container start.

Seeds: use ADMIN_PASSWORD/ADMIN_PASSWORD_FILE; fallback only in dev/test 2f821a7cce

No fallback in production; prod uses Release.seed_admin in entrypoint.

Add Role.get_admin_role for Release.seed_admin 556c11e08c

Used by Mv.Release to resolve Admin role when creating/updating admin user from ENV.

Add Mv.Release.seed_admin for admin bootstrap from ENV 24b17b8448

Creates/updates admin user from ADMIN_EMAIL and ADMIN_PASSWORD or ADMIN_PASSWORD_FILE.
Idempotent; no fallback password in production. Called from docker entrypoint and seeds.

Seeds: call Mv.Release.seed_admin to avoid duplication df12f802c3

Replaces inline admin creation with seed_admin(); exercises same path as entrypoint.
Dev/test: set ADMIN_EMAIL default and ADMIN_PASSWORD fallback before calling.

Add OIDC role sync config (OIDC_ADMIN_GROUP_NAME, OIDC_GROUPS_CLAIM) a527ef980c

Mv.OidcRoleSyncConfig reads from config; runtime.exs overrides from ENV in prod.

Add OidcRoleSync: apply Admin/Mitglied from OIDC groups cae814b967

Register and sign-in call apply_admin_role_from_user_info; users in configured
admin group get Admin role, others get Mitglied. Internal User action + bypass policy.

Docs and .env.example for admin bootstrap and OIDC role sync 5b3eab4d5d

Documents ADMIN_EMAIL/PASSWORD, seed_admin, entrypoint; OIDC_ADMIN_GROUP_NAME,
OIDC_GROUPS_CLAIM and role sync on register/sign-in.

Fix: load OIDC role sync config from ENV in all environments a3c4bb5615

OIDC_ADMIN_GROUP_NAME and OIDC_GROUPS_CLAIM were only set in prod block;
in dev admin_group was nil so role sync never ran. Move config outside
prod block so dev/test get ENV values.

Refactor: remove debug instrumentation from OidcRoleSync cd6db4ae28

Drop temporary logging used to diagnose OIDC groups sync in dev.

OIDC: pass oauth_tokens to role sync; get? true for sign_in; return record in register b215282609

- sign_in_with_rauthy: get? true so Ash returns single user; pass oauth_tokens to OidcRoleSync.
- register_with_rauthy: pass oauth_tokens to OidcRoleSync; return {:ok, record} to preserve token.

Tests: accept single user or list from read_sign_in_with_rauthy (get? true)

continuous-integration/drone/push Build was killed

Details

f59ed30d48

Handle {:ok, user}, {:ok, nil} in addition to {:ok, [user]}, {:ok, []}.

moritz force-pushed feature/381_init_admin from f59ed30d48 to d573a22769

2026-02-04 18:13:37 +01:00

Compare

moritz added 1 commit 2026-02-04 19:48:53 +01:00

Code-review follow-ups: policy, docs, seed_admin behaviour

continuous-integration/drone/push Build is passing

Details

c5f1fdce0a

- Use OidcRoleSyncContext for set_role_from_oidc_sync; document JWT peek risk.
- seed_admin without password sets Admin role on existing user (OIDC-only); update docs and test.
- Fix DE translation for 'access this page'; add get? true comment in User.

moritz changed title from ~~WIP: Init an admin user in prod closes #381~~ to Init an admin user in prod closes #381

2026-02-04 19:49:30 +01:00

moritz added 1 commit 2026-02-04 20:34:13 +01:00

OIDC sign-in: robust after_action for get? result, non-bang role sync

continuous-integration/drone/push Build is passing

Details

continuous-integration/drone/promote/production Build is passing

Details

ad42a53919

- sign_in_with_rauthy after_action normalizes result (nil/struct/list) to list before Enum.each.
- OidcRoleSync.do_set_role uses Ash.update and swallows errors so auth is not blocked; skip update if role already correct.

moritz merged commit 6ab0365a8c into main

2026-02-04 20:53:02 +01:00

moritz deleted branch feature/381_init_admin

2026-02-04 20:53:03 +01:00

moritz referenced this pull request from a commit

2026-02-04 20:53:04 +01:00

Merge pull request 'Init an admin user in prod closes #381' (#409) from feature/381_init_admin into main

Rows
Columns

Init an admin user in prod closes #381 #409

Description of the implemented changes

What has been changed?

Definition of Done

Code Quality

Accessibility

Testing

Additional Notes