Improve oidc only mode #474

Merged
simon merged 5 commits from feature/improve_oidc_only into main 2026-03-16 19:09:09 +01:00

Description of the implemented changes

The changes were:

  • [x] Bugfixing
  • [x] New Feature
  • [ ] Breaking Change
  • [x] Refactoring

OIDC-only mode improvements and UX tweaks (success toasts, unauthenticated redirect).

What has been changed?

OIDC-only mode (new feature)

  • Admin settings: "Only OIDC sign-in" is an immediate toggle at the top of the OIDC section (no save button). Enabling it also turns off "Allow direct registration". When OIDC-only is on, the registration checkbox is disabled and shows a tooltip (DaisyUI <.tooltip>).
  • Backend: Password sign-in is forbidden via Ash policy (OidcOnlyActive check). Password registration is blocked via validation OidcOnlyBlocksPasswordRegistration. New plug OidcOnlySignInRedirect: when OIDC-only and OIDC are configured, GET /sign-in redirects to the OIDC flow; GET /auth/user/password/sign_in_with_token is rejected with redirect + flash. AuthController.success/4 also rejects password sign-in when OIDC-only.
  • Tests: GlobalSettingsLive (OIDC-only UI), AuthController (redirect and password sign-in rejection), User authentication (register_with_password blocked when OIDC-only).

UX / behaviour (no new feature flag)

  • Success toasts: Success flash messages auto-dismiss after 5 seconds via JS hook FlashAutoDismiss and optional auto_clear_ms on <.flash> (used for success in root layout and flash_group).
  • Unauthenticated users: Redirect to sign-in without the "You don't have permission to access this page" flash; that message is only shown to logged-in users who lack access. Logic in LiveHelpers and CheckPagePermission plug; test updated accordingly.

Other

  • Layouts: comment about unprocessed join-request count no longer uses "TODO" (Credo).
  • Gettext: German translation for "Home" (Startseite); POT/PO kept in sync.
  • CHANGELOG: Unreleased section updated with the above.

Definition of Done

Code Quality

  • [x] No new technical debt
  • [x] Linting passed
  • [x] Documentation is added where needed (module docs, comments where non-obvious)

Accessibility

  • [x] New elements are properly defined with html-tags (labels, aria-label on checkboxes)
  • [x] Colour contrast follows WCAG criteria (unchanged)
  • [x] Aria labels are added when needed (e.g. oidc-only and registration checkboxes)
  • [x] Everything is accessible by keyboard (toggles and buttons unchanged)
  • [x] Tab-Order is comprehensible
  • [x] All interactive elements have a visible focus (existing patterns)

Testing

  • [x] Tests for new code are written (OIDC-only UI, auth controller, user auth; SMTP config builder and mailer)
  • [x] All tests pass
  • [ ] axe-core dev tools show no critical or major issues (not re-run for this PR; suggest spot-check on settings and sign-in)

Additional Notes

  • OIDC-only: When the OIDC_ONLY env var is set, the toggle is read-only and shows "(From OIDC_ONLY)". When OIDC is not configured, the toggle is disabled.
  • Invalidation: Enabling OIDC-only sets registration_enabled: false in one update; disabling OIDC-only only updates oidc_only (registration left as-is).
  • Review focus: Plug order in router (OidcOnlySignInRedirect), policy/validation order in User, and that all OIDC-only paths (form, plug, controller) stay consistent.
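As an added illustration, not code from this PR or project, this is one way the OidcOnlySignInRedirect plug described above could be written with Plug and Phoenix.Controller: it redirects GET /sign-in to the OIDC flow and rejects the password token callback only while OIDC-only is on and a provider is configured. The module name, the `settings_fun` option, the Application env key, the OIDC start path and the redirect target for the rejected request are assumptions.

```elixir
defmodule MyAppWeb.Plugs.OidcOnlySignInRedirect do
  @moduledoc """
  Illustrative edge enforcement of OIDC-only mode (not the project's code).
  With "Only OIDC sign-in" on and a provider configured, GET /sign-in goes to
  the OIDC flow and the password token callback is rejected with a flash.
  """
  import Plug.Conn
  import Phoenix.Controller, only: [redirect: 2, put_flash: 3]
  @behaviour Plug

  # Assumed OIDC start path; adjust to the route the application uses.
  @oidc_path "/auth/user/oidc"
  @password_token_path "/auth/user/password/sign_in_with_token"

  @impl true
  def init(opts), do: Keyword.put_new(opts, :settings_fun, &default_settings/0)

  @impl true
  def call(%Plug.Conn{method: "GET"} = conn, opts) do
    settings = Keyword.fetch!(opts, :settings_fun).()

    cond do
      not (settings.oidc_only and settings.oidc_configured) ->
        # Mode off, or no provider to send users to: password flows stay reachable.
        conn

      conn.request_path == "/sign-in" ->
        conn |> redirect(to: @oidc_path) |> halt()

      conn.request_path == @password_token_path ->
        # put_flash needs :fetch_flash earlier in the pipeline, so this plug
        # must be placed after it in the router (see "Review focus" above).
        conn
        |> put_flash(:error, "Password sign-in is disabled; use single sign-on.")
        |> redirect(to: "/")
        |> halt()

      true ->
        conn
    end
  end

  # Non-GET requests pass through; the Ash policy and validation remain the
  # server-side backstop for password sign-in and registration.
  def call(conn, _opts), do: conn

  # Hypothetical settings source: a real app would read the persisted admin
  # settings and the OIDC_ONLY env var. Here a map from the Application env.
  defp default_settings do
    Application.get_env(:my_app, :oidc_only, %{oidc_only: false, oidc_configured: false})
  end
end
```

Place the plug in the `:browser` pipeline after `:fetch_session` and `:fetch_flash`; in tests, pass `settings_fun: fn -> %{oidc_only: true, oidc_configured: true} end` to `init/1` to exercise both branches without touching global state.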
simon added 3 commits 2026-03-16 17:37:13 +01:00
feat: improve oidc only mode
Some checks failed
continuous-integration/drone/push Build is failing
a8d9fe6121
feat: improve oidc only mode
Some checks failed
continuous-integration/drone/push Build is failing
9b4f3b140c
style: fix formatting
All checks were successful
continuous-integration/drone/push Build is passing
a049ccb8e3
simon added this to the Sprint 14: 26.02 - 05.03 project 2026-03-16 17:37:14 +01:00
simon added 1 commit 2026-03-16 17:55:46 +01:00
Merge branch 'main' into feature/improve_oidc_only
All checks were successful
continuous-integration/drone/push Build is passing
92e6f07572
simon added 1 commit 2026-03-16 19:00:45 +01:00
feat: add oidc cycle breaker
Some checks reported errors
continuous-integration/drone/push Build was killed
continuous-integration/drone/promote/production Build is passing
25f3b19f50
simon merged commit c381b86b5e into main 2026-03-16 19:09:09 +01:00
simon referenced this pull request from a commit 2026-03-16 19:09:09 +01:00
simon deleted branch feature/improve_oidc_only 2026-03-16 19:09:12 +01:00