From a8d9fe61210242c35310554678b5c4dd31f3f252 Mon Sep 17 00:00:00 2001 From: Simon Date: Mon, 16 Mar 2026 14:37:09 +0100 Subject: [PATCH 1/5] feat: improve oidc only mode --- docs/feature-roadmap.md | 5 + test/accounts/user_authentication_test.exs | 27 +++++ .../controllers/auth_controller_test.exs | 101 ++++++++++++++++++ .../mv_web/live/global_settings_live_test.exs | 65 +++++++++++ 4 files changed, 198 insertions(+) diff --git a/docs/feature-roadmap.md b/docs/feature-roadmap.md index 6383660..2ec15a5 100644 --- a/docs/feature-roadmap.md +++ b/docs/feature-roadmap.md @@ -49,6 +49,11 @@ - ✅ **Page-level authorization** - LiveView page access control - ✅ **System role protection** - Critical roles cannot be deleted +**Planned: OIDC-only mode (TDD, tests first):** +- Admin Settings: When OIDC-only is enabled, disable "Allow direct registration" toggle and show hint (tests in `GlobalSettingsLiveTest`). +- Backend: Reject password sign-in and `register_with_password` when OIDC-only (tests in `AuthControllerTest`, `Accounts`). +- GET `/sign-in` redirect to OIDC when OIDC-only and OIDC configured (tests in `AuthControllerTest`). Implementation to follow after tests. + **Missing Features:** - ❌ Password reset flow - ❌ Email verification diff --git a/test/accounts/user_authentication_test.exs b/test/accounts/user_authentication_test.exs index 1b47165..b759e8a 100644 --- a/test/accounts/user_authentication_test.exs +++ b/test/accounts/user_authentication_test.exs @@ -288,4 +288,31 @@ defmodule Mv.Accounts.UserAuthenticationTest do end end end + + describe "register_with_password when OIDC-only is enabled" do + alias Mv.Membership + + test "returns error when OIDC-only is enabled" do + {:ok, settings} = Membership.get_settings() + original_oidc_only = Map.get(settings, :oidc_only, false) + {:ok, _} = Membership.update_settings(settings, %{oidc_only: true}) + + try do + attrs = %{ + email: "newuser#{System.unique_integer([:positive])}@example.com", + password: "SecurePassword123" + } + + result = + Mv.Accounts.User + |> Ash.Changeset.for_create(:register_with_password, attrs) + |> Ash.create() + + assert {:error, _} = result + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, %{oidc_only: original_oidc_only}) + end + end + end end diff --git a/test/mv_web/controllers/auth_controller_test.exs b/test/mv_web/controllers/auth_controller_test.exs index e449284..cc090a9 100644 --- a/test/mv_web/controllers/auth_controller_test.exs +++ b/test/mv_web/controllers/auth_controller_test.exs @@ -283,6 +283,107 @@ defmodule MvWeb.AuthControllerTest do assert to =~ "/auth/user/password/sign_in_with_token" end + describe "when OIDC-only is enabled" do + setup %{conn: authenticated_conn} do + {:ok, settings} = Membership.get_settings() + original_oidc_only = Map.get(settings, :oidc_only, false) + {:ok, _} = Membership.update_settings(settings, %{oidc_only: true}) + + conn = build_unauthenticated_conn(authenticated_conn) + {:ok, conn: conn, original_oidc_only: original_oidc_only} + end + + test "password sign-in is rejected and redirects to sign-in with error", %{ + conn: conn, + original_oidc_only: original + } do + try do + _user = + create_test_user(%{ + email: "password@example.com", + password: "secret123", + oidc_id: nil + }) + + {:ok, view, _html} = live(conn, "/sign-in") + + result = + view + |> form("#user-password-sign-in-with-password", + user: %{email: "password@example.com", password: "secret123"} + ) + |> render_submit() + + # When OIDC-only is enabled, password sign-in must not succeed (no redirect to sign_in_with_token). + case result do + {:error, {:redirect, %{to: to}}} -> + refute to =~ "sign_in_with_token", + "Expected password sign-in to be rejected when OIDC-only, got redirect to: #{to}" + + _ -> + # LiveView re-rendered (e.g. with flash error) instead of redirecting to success + :ok + end + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, %{oidc_only: original}) + end + end + end + + describe "GET /sign-in when OIDC-only" do + test "redirects to OIDC flow when OIDC-only and OIDC are configured", %{ + conn: authenticated_conn + } do + {:ok, settings} = Membership.get_settings() + prev = %{ + oidc_only: settings.oidc_only, + oidc_client_id: settings.oidc_client_id, + oidc_base_url: settings.oidc_base_url, + oidc_redirect_uri: settings.oidc_redirect_uri + } + + {:ok, _} = + Membership.update_settings(settings, %{ + oidc_only: true, + oidc_client_id: "test-client", + oidc_base_url: "https://idp.example.com", + oidc_redirect_uri: "http://localhost:4000/auth/user/oidc/callback", + oidc_client_secret: "test-secret" + }) + + try do + conn = build_unauthenticated_conn(authenticated_conn) + conn = get(conn, ~p"/sign-in") + assert redirected_to(conn) =~ "/auth/user/oidc" + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, prev) + end + end + + test "returns 200 when OIDC-only but OIDC not configured", %{conn: authenticated_conn} do + {:ok, settings} = Membership.get_settings() + original_oidc_only = Map.get(settings, :oidc_only, false) + {:ok, _} = Membership.update_settings(settings, %{oidc_only: true}) + + try do + conn = build_unauthenticated_conn(authenticated_conn) + conn = get(conn, ~p"/sign-in") + assert conn.status == 200 + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, %{oidc_only: original_oidc_only}) + end + end + + test "returns 200 when OIDC-only is disabled", %{conn: authenticated_conn} do + conn = build_unauthenticated_conn(authenticated_conn) + conn = get(conn, ~p"/sign-in") + assert conn.status == 200 + end + end + # OIDC/Rauthy error handling tests describe "handle_oidc_failure/2" do test "Assent.ServerUnreachableError redirects to sign-in with error flash", %{ diff --git a/test/mv_web/live/global_settings_live_test.exs b/test/mv_web/live/global_settings_live_test.exs index e48c44b..92da11b 100644 --- a/test/mv_web/live/global_settings_live_test.exs +++ b/test/mv_web/live/global_settings_live_test.exs @@ -110,4 +110,69 @@ defmodule MvWeb.GlobalSettingsLiveTest do assert html =~ "SMTP" or html =~ "E-Mail" or html =~ "Settings" end end + + describe "Authentication section when OIDC-only is enabled" do + setup %{conn: conn} do + user = create_test_user(%{email: "admin@example.com"}) + conn = conn_with_oidc_user(conn, user) + {:ok, settings} = Membership.get_settings() + original_oidc_only = Map.get(settings, :oidc_only, false) + {:ok, _} = Membership.update_settings(settings, %{oidc_only: true}) + {:ok, conn: conn, original_oidc_only: original_oidc_only} + end + + @describetag :ui + test "registration checkbox is disabled when OIDC-only is enabled", %{ + conn: conn, + original_oidc_only: original + } do + try do + {:ok, view, _html} = live(conn, ~p"/settings") + assert has_element?(view, "#registration-enabled-checkbox[disabled]") + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, %{oidc_only: original}) + end + end + + @describetag :ui + test "OIDC-only hint is visible when OIDC-only is enabled", %{ + conn: conn, + original_oidc_only: original + } do + try do + {:ok, view, _html} = live(conn, ~p"/settings") + assert has_element?(view, "[data-testid='oidc-only-registration-hint']") + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, %{oidc_only: original}) + end + end + + test "when OIDC-only is disabled, registration checkbox is enabled and can be toggled", %{ + conn: conn, + original_oidc_only: original + } do + try do + {:ok, settings} = Membership.get_settings() + Membership.update_settings(settings, %{oidc_only: false}) + + {:ok, view, _html} = live(conn, ~p"/settings") + refute has_element?(view, "#registration-enabled-checkbox[disabled]") + + initial_checked = + view |> element("#registration-enabled-checkbox") |> render() =~ "checked" + + view + |> element("#registration-enabled-checkbox") + |> render_click() + + new_checked = view |> element("#registration-enabled-checkbox") |> render() =~ "checked" + assert new_checked != initial_checked + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, %{oidc_only: original}) + end + end + end end -- 2.47.2 From 9b4f3b140cdff26c7e3b66e90640483835875138 Mon Sep 17 00:00:00 2001 From: Simon Date: Mon, 16 Mar 2026 17:14:54 +0100 Subject: [PATCH 2/5] feat: improve oidc only mode --- CHANGELOG.md | 7 + assets/js/app.js | 19 +++ lib/accounts/user.ex | 10 ++ .../oidc_only_blocks_password_registration.ex | 27 ++++ .../authorization/checks/oidc_only_active.ex | 16 +++ lib/mv_web/components/core_components.ex | 8 ++ lib/mv_web/components/layouts.ex | 4 +- lib/mv_web/components/layouts/root.html.heex | 2 +- lib/mv_web/controllers/auth_controller.ex | 17 ++- lib/mv_web/live/global_settings_live.ex | 133 +++++++++++++----- lib/mv_web/live_helpers.ex | 9 +- lib/mv_web/plugs/check_page_permission.ex | 9 +- .../plugs/oidc_only_sign_in_redirect.ex | 61 ++++++++ lib/mv_web/router.ex | 1 + priv/gettext/de/LC_MESSAGES/default.po | 17 ++- priv/gettext/default.pot | 10 ++ priv/gettext/en/LC_MESSAGES/default.po | 15 ++ .../controllers/auth_controller_test.exs | 3 +- .../plugs/check_page_permission_test.exs | 5 +- 19 files changed, 330 insertions(+), 43 deletions(-) create mode 100644 lib/accounts/user/validations/oidc_only_blocks_password_registration.ex create mode 100644 lib/mv/authorization/checks/oidc_only_active.ex create mode 100644 lib/mv_web/plugs/oidc_only_sign_in_redirect.ex diff --git a/CHANGELOG.md b/CHANGELOG.md index d39df9b..7cc8ea5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added +- **Improved OIDC-only mode** – Admin can enable “Only OIDC sign-in” in settings; when enabled, direct registration is disabled and sign-in page redirects to OIDC when configured. +- **Success toast auto-dismiss** – Success flash messages (e.g. “Settings saved”) hide automatically after 5 seconds instead of requiring the user to close them. + +### Changed +- **Unauthenticated access** – Users who are not logged in are redirected to sign-in without showing a “no permission” message; the message is only shown to logged-in users who lack access. + ### Fixed - **SMTP configuration** – Repaired so that both port 587 (TLS/STARTTLS) and 465 (SSL) work correctly. diff --git a/assets/js/app.js b/assets/js/app.js index 87f2c25..4c7e3c5 100644 --- a/assets/js/app.js +++ b/assets/js/app.js @@ -113,6 +113,25 @@ Hooks.FocusRestore = { } } +// FlashAutoDismiss: after a delay, clear the flash so the toast hides without user clicking X (e.g. success toasts) +Hooks.FlashAutoDismiss = { + mounted() { + const ms = this.el.dataset.autoClearMs + if (!ms) return + const delay = parseInt(ms, 10) + if (delay > 0) { + this.timer = setTimeout(() => { + const key = this.el.dataset.clearFlashKey || "success" + this.pushEvent("lv:clear-flash", {key}) + }, delay) + } + }, + + destroyed() { + if (this.timer) clearTimeout(this.timer) + } +} + // TabListKeydown hook: WCAG tab pattern — prevent default for ArrowLeft/ArrowRight so the server can handle tab switch (roving tabindex) Hooks.TabListKeydown = { mounted() { diff --git a/lib/accounts/user.ex b/lib/accounts/user.ex index 29a2d4b..0127796 100644 --- a/lib/accounts/user.ex +++ b/lib/accounts/user.ex @@ -362,6 +362,12 @@ defmodule Mv.Accounts.User do # Authorization Policies # Order matters: Most specific policies first, then general permission check policies do + # When OIDC-only is active, password sign-in is forbidden (SSO only). + policy action(:sign_in_with_password) do + forbid_if Mv.Authorization.Checks.OidcOnlyActive + authorize_if always() + end + # AshAuthentication bypass (registration/login without actor) bypass AshAuthentication.Checks.AshAuthenticationInteraction do description "Allow AshAuthentication internal operations (registration, login)" @@ -409,6 +415,10 @@ defmodule Mv.Accounts.User do validate {Mv.Accounts.User.Validations.RegistrationEnabled, []}, where: [action_is(:register_with_password)] + # Block password registration when OIDC-only mode is active + validate {Mv.Accounts.User.Validations.OidcOnlyBlocksPasswordRegistration, []}, + where: [action_is(:register_with_password)] + # Email uniqueness check for all actions that change the email attribute # Validates that user email is not already used by another (unlinked) member validate Mv.Accounts.User.Validations.EmailNotUsedByOtherMember diff --git a/lib/accounts/user/validations/oidc_only_blocks_password_registration.ex b/lib/accounts/user/validations/oidc_only_blocks_password_registration.ex new file mode 100644 index 0000000..e4d9a35 --- /dev/null +++ b/lib/accounts/user/validations/oidc_only_blocks_password_registration.ex @@ -0,0 +1,27 @@ +defmodule Mv.Accounts.User.Validations.OidcOnlyBlocksPasswordRegistration do + @moduledoc """ + Validation that blocks direct registration (register_with_password) when + OIDC-only mode is active. In OIDC-only mode, sign-in and registration are + only allowed via OIDC (SSO). + """ + use Ash.Resource.Validation + + @impl true + def init(opts), do: {:ok, opts} + + @impl true + def validate(_changeset, _opts, _context) do + if Mv.Config.oidc_only?() do + {:error, + field: :base, + message: + Gettext.dgettext( + MvWeb.Gettext, + "default", + "Registration with password is disabled when only OIDC sign-in is active." + )} + else + :ok + end + end +end diff --git a/lib/mv/authorization/checks/oidc_only_active.ex b/lib/mv/authorization/checks/oidc_only_active.ex new file mode 100644 index 0000000..8d56ca1 --- /dev/null +++ b/lib/mv/authorization/checks/oidc_only_active.ex @@ -0,0 +1,16 @@ +defmodule Mv.Authorization.Checks.OidcOnlyActive do + @moduledoc """ + Policy check: true when OIDC-only mode is active (Config.oidc_only?()). + + Used to forbid password sign-in when only OIDC (SSO) sign-in is allowed. + """ + use Ash.Policy.SimpleCheck + + alias Mv.Config + + @impl true + def describe(_opts), do: "OIDC-only mode is active" + + @impl true + def match?(_actor, _context, _opts), do: Config.oidc_only?() +end diff --git a/lib/mv_web/components/core_components.ex b/lib/mv_web/components/core_components.ex index 8c58c32..b5bd763 100644 --- a/lib/mv_web/components/core_components.ex +++ b/lib/mv_web/components/core_components.ex @@ -63,6 +63,11 @@ defmodule MvWeb.CoreComponents do values: [:info, :error, :success, :warning], doc: "used for styling and flash lookup" + attr :auto_clear_ms, :integer, + default: nil, + doc: + "when set, flash is auto-dismissed after this many milliseconds (e.g. 5000 for success toasts)" + attr :rest, :global, doc: "the arbitrary HTML attributes to add to the flash container" slot :inner_block, doc: "the optional inner block that renders the flash message" @@ -74,6 +79,9 @@ defmodule MvWeb.CoreComponents do
hide("##{@id}")} role="alert" class="pointer-events-auto" diff --git a/lib/mv_web/components/layouts.ex b/lib/mv_web/components/layouts.ex index 5a96001..835d859 100644 --- a/lib/mv_web/components/layouts.ex +++ b/lib/mv_web/components/layouts.ex @@ -171,7 +171,7 @@ defmodule MvWeb.Layouts do {@club_name} - +
@@ -265,7 +265,7 @@ defmodule MvWeb.Layouts do aria-live="polite" class="z-50 toast toast-bottom toast-end flex flex-col gap-2 pointer-events-none" > - <.flash kind={:success} flash={@flash} /> + <.flash kind={:success} flash={@flash} auto_clear_ms={5000} /> <.flash kind={:warning} flash={@flash} /> <.flash kind={:info} flash={@flash} /> <.flash kind={:error} flash={@flash} /> diff --git a/lib/mv_web/components/layouts/root.html.heex b/lib/mv_web/components/layouts/root.html.heex index 5419b73..bb900aa 100644 --- a/lib/mv_web/components/layouts/root.html.heex +++ b/lib/mv_web/components/layouts/root.html.heex @@ -74,7 +74,7 @@ aria-live="polite" class="z-50 flex flex-col gap-2 toast toast-bottom toast-end" > - <.flash id="flash-success-root" kind={:success} flash={@flash} /> + <.flash id="flash-success-root" kind={:success} flash={@flash} auto_clear_ms={5000} /> <.flash id="flash-warning-root" kind={:warning} flash={@flash} /> <.flash id="flash-info-root" kind={:info} flash={@flash} /> <.flash id="flash-error-root" kind={:error} flash={@flash} /> diff --git a/lib/mv_web/controllers/auth_controller.ex b/lib/mv_web/controllers/auth_controller.ex index 20a76f5..d279163 100644 --- a/lib/mv_web/controllers/auth_controller.ex +++ b/lib/mv_web/controllers/auth_controller.ex @@ -15,8 +15,23 @@ defmodule MvWeb.AuthController do use AshAuthentication.Phoenix.Controller alias Mv.Accounts.User.Errors.PasswordVerificationRequired + alias Mv.Config - def success(conn, activity, user, _token) do + def success(conn, {:password, :sign_in} = _activity, user, token) do + if Config.oidc_only?() do + conn + |> put_flash(:error, gettext("Only sign-in via Single Sign-On (SSO) is allowed.")) + |> redirect(to: ~p"/sign-in") + else + success_continue(conn, {:password, :sign_in}, user, token) + end + end + + def success(conn, activity, user, token) do + success_continue(conn, activity, user, token) + end + + defp success_continue(conn, activity, user, _token) do return_to = get_session(conn, :return_to) || ~p"/" message = diff --git a/lib/mv_web/live/global_settings_live.ex b/lib/mv_web/live/global_settings_live.ex index f69b947..25a8942 100644 --- a/lib/mv_web/live/global_settings_live.ex +++ b/lib/mv_web/live/global_settings_live.ex @@ -19,6 +19,7 @@ defmodule MvWeb.GlobalSettingsLive do ## Events - `validate` / `save` - Club settings form - `toggle_registration_enabled` - Enable/disable direct registration (/register) + - `toggle_oidc_only` - Enable/disable OIDC-only sign-in (immediate, outside OIDC form) - `toggle_join_form_enabled` - Enable/disable the join form - `add_join_form_field` / `remove_join_form_field` - Manage join form fields - `toggle_join_form_field_required` - Toggle required flag per field @@ -80,6 +81,7 @@ defmodule MvWeb.GlobalSettingsLive do |> assign(:oidc_admin_group_name_env_set, Mv.Config.oidc_admin_group_name_env_set?()) |> assign(:oidc_groups_claim_env_set, Mv.Config.oidc_groups_claim_env_set?()) |> assign(:oidc_only_env_set, Mv.Config.oidc_only_env_set?()) + |> assign(:oidc_only, Mv.Config.oidc_only?()) |> assign(:oidc_configured, Mv.Config.oidc_configured?()) |> assign(:oidc_client_secret_set, Mv.Config.oidc_client_secret_set?()) |> assign(:registration_enabled, settings.registration_enabled != false) @@ -625,11 +627,30 @@ defmodule MvWeb.GlobalSettingsLive do class="checkbox checkbox-sm" checked={@registration_enabled} phx-click="toggle_registration_enabled" + disabled={@oidc_only} aria-label={gettext("Allow direct registration (/register)")} /> -

{gettext("OIDC (Single Sign-On)")}

@@ -638,6 +659,38 @@ defmodule MvWeb.GlobalSettingsLive do {gettext("Some values are set via environment variables. Those fields are read-only.")}

<% end %> +
+ + +
+

+ {gettext( + "When enabled and OIDC is configured, the sign-in page shows only the Single Sign-On button." + )} +

<.form for={@form} id="oidc-form" phx-change="validate" phx-submit="save">
<.input @@ -744,27 +797,6 @@ defmodule MvWeb.GlobalSettingsLive do ) } /> -
- <.input - field={@form[:oidc_only]} - type="checkbox" - class="checkbox checkbox-sm" - disabled={@oidc_only_env_set or not @oidc_configured} - label={ - if @oidc_only_env_set do - gettext("Only OIDC sign-in (hide password login)") <> - " (" <> gettext("From OIDC_ONLY") <> ")" - else - gettext("Only OIDC sign-in (hide password login)") - end - } - /> -

- {gettext( - "When enabled and OIDC is configured, the sign-in page shows only the Single Sign-On button." - )} -

-
<.button :if={ @@ -880,6 +912,7 @@ defmodule MvWeb.GlobalSettingsLive do |> assign(:registration_enabled, fresh_settings.registration_enabled != false) |> assign(:vereinfacht_api_key_set, present?(fresh_settings.vereinfacht_api_key)) |> assign(:oidc_client_secret_set, Mv.Config.oidc_client_secret_set?()) + |> assign(:oidc_only, Mv.Config.oidc_only?()) |> assign(:oidc_configured, Mv.Config.oidc_configured?()) |> assign(:smtp_configured, Mv.Config.smtp_configured?()) |> assign(:smtp_password_set, present?(Mv.Config.smtp_password())) @@ -916,19 +949,53 @@ defmodule MvWeb.GlobalSettingsLive do @impl true def handle_event("toggle_registration_enabled", _params, socket) do - settings = socket.assigns.settings - new_value = not socket.assigns.registration_enabled + if Mv.Config.oidc_only?() do + {:noreply, socket} + else + settings = socket.assigns.settings + new_value = not socket.assigns.registration_enabled - case Membership.update_settings(settings, %{registration_enabled: new_value}) do - {:ok, updated_settings} -> - {:noreply, - socket - |> assign(:settings, updated_settings) - |> assign(:registration_enabled, updated_settings.registration_enabled != false) - |> assign_form()} + case Membership.update_settings(settings, %{registration_enabled: new_value}) do + {:ok, updated_settings} -> + {:noreply, + socket + |> assign(:settings, updated_settings) + |> assign(:registration_enabled, updated_settings.registration_enabled != false) + |> assign_form()} - {:error, _} -> - {:noreply, put_flash(socket, :error, gettext("Failed to update setting."))} + {:error, _} -> + {:noreply, put_flash(socket, :error, gettext("Failed to update setting."))} + end + end + end + + @impl true + def handle_event("toggle_oidc_only", _params, socket) do + if socket.assigns.oidc_only_env_set do + {:noreply, socket} + else + settings = socket.assigns.settings + new_value = not socket.assigns.oidc_only + + # When enabling OIDC-only, also disable direct registration; when disabling, only change oidc_only. + params = + if new_value, + do: %{oidc_only: true, registration_enabled: false}, + else: %{oidc_only: false} + + case Membership.update_settings(settings, params) do + {:ok, updated_settings} -> + {:noreply, + socket + |> assign(:settings, updated_settings) + |> assign(:oidc_only, updated_settings.oidc_only == true) + |> assign(:registration_enabled, updated_settings.registration_enabled != false) + |> assign_form() + |> put_flash(:success, gettext("Settings updated successfully"))} + + {:error, _} -> + {:noreply, put_flash(socket, :error, gettext("Failed to update setting."))} + end end end diff --git a/lib/mv_web/live_helpers.ex b/lib/mv_web/live_helpers.ex index 38a0157..4206aa6 100644 --- a/lib/mv_web/live_helpers.ex +++ b/lib/mv_web/live_helpers.ex @@ -74,7 +74,7 @@ defmodule MvWeb.LiveHelpers do socket = socket - |> Phoenix.LiveView.put_flash(:error, "You don't have permission to access this page.") + |> maybe_put_access_denied_flash(user) |> Phoenix.LiveView.push_navigate(to: redirect_to) {:halt, socket} @@ -82,6 +82,13 @@ defmodule MvWeb.LiveHelpers do end end + # Only show "no permission" when user is logged in; unauthenticated users are redirected to sign-in without flash. + defp maybe_put_access_denied_flash(socket, nil), do: socket + + defp maybe_put_access_denied_flash(socket, _user) do + Phoenix.LiveView.put_flash(socket, :error, "You don't have permission to access this page.") + end + defp ensure_user_role_loaded(socket) do user = socket.assigns[:current_user] diff --git a/lib/mv_web/plugs/check_page_permission.ex b/lib/mv_web/plugs/check_page_permission.ex index ff6d47d..b2f37ec 100644 --- a/lib/mv_web/plugs/check_page_permission.ex +++ b/lib/mv_web/plugs/check_page_permission.ex @@ -54,7 +54,7 @@ defmodule MvWeb.Plugs.CheckPagePermission do conn |> fetch_session() |> fetch_flash() - |> put_flash(:error, "You don't have permission to access this page.") + |> maybe_put_access_denied_flash(user) |> redirect(to: redirect_to) |> halt() end @@ -75,6 +75,13 @@ defmodule MvWeb.Plugs.CheckPagePermission do defp redirect_target(user), do: redirect_target_for_user(user) + # Only set "no permission" flash when user is logged in; unauthenticated users get redirect only, no flash. + defp maybe_put_access_denied_flash(conn, nil), do: conn + + defp maybe_put_access_denied_flash(conn, _user) do + put_flash(conn, :error, "You don't have permission to access this page.") + end + @doc """ Returns true if the path is public (no auth/permission check). Used by LiveView hook to skip redirect on sign-in etc. diff --git a/lib/mv_web/plugs/oidc_only_sign_in_redirect.ex b/lib/mv_web/plugs/oidc_only_sign_in_redirect.ex new file mode 100644 index 0000000..81a81b1 --- /dev/null +++ b/lib/mv_web/plugs/oidc_only_sign_in_redirect.ex @@ -0,0 +1,61 @@ +defmodule MvWeb.Plugs.OidcOnlySignInRedirect do + @moduledoc """ + When OIDC-only mode is active: + - GET /sign-in redirects to the OIDC flow when OIDC is configured (sign-in page skipped). + - GET /auth/user/password/sign_in_with_token is rejected (redirect to /sign-in with error) + so password sign-in cannot complete. + """ + import Plug.Conn + import Phoenix.Controller + + alias Mv.Config + + def init(opts), do: opts + + def call(conn, _opts) do + conn + |> maybe_redirect_sign_in_to_oidc() + |> maybe_reject_password_token_sign_in() + end + + defp maybe_redirect_sign_in_to_oidc(conn) do + if conn.request_path == "/sign-in" and conn.method == "GET" do + if Config.oidc_only?() and Config.oidc_configured?() do + conn + |> redirect(to: "/auth/user/oidc") + |> halt() + else + conn + end + else + conn + end + end + + defp maybe_reject_password_token_sign_in(conn) do + if conn.halted, do: conn, else: reject_password_token_sign_in_if_applicable(conn) + end + + defp reject_password_token_sign_in_if_applicable(conn) do + path = conn.request_path + + password_token_path? = + path =~ ~r|/auth/user/password/sign_in_with_token| and conn.method == "GET" + + if password_token_path? and Config.oidc_only?() do + message = + Gettext.dgettext( + MvWeb.Gettext, + "default", + "Only sign-in via Single Sign-On (SSO) is allowed." + ) + + conn + |> put_flash(:error, message) + |> redirect(to: "/sign-in") + |> halt() + else + conn + end + end +end diff --git a/lib/mv_web/router.ex b/lib/mv_web/router.ex index f115535..591dead 100644 --- a/lib/mv_web/router.ex +++ b/lib/mv_web/router.ex @@ -18,6 +18,7 @@ defmodule MvWeb.Router do plug MvWeb.Plugs.CheckPagePermission plug MvWeb.Plugs.JoinFormEnabled plug MvWeb.Plugs.RegistrationEnabled + plug MvWeb.Plugs.OidcOnlySignInRedirect end pipeline :api do diff --git a/priv/gettext/de/LC_MESSAGES/default.po b/priv/gettext/de/LC_MESSAGES/default.po index 078ef19..3d4ce2d 100644 --- a/priv/gettext/de/LC_MESSAGES/default.po +++ b/priv/gettext/de/LC_MESSAGES/default.po @@ -3854,7 +3854,7 @@ msgstr "Wenn deaktiviert, können sich Nutzer*innen nicht über /register anmeld #: lib/mv_web/controllers/page_controller.ex #, elixir-autogen, elixir-format msgid "Home" -msgstr "" +msgstr "Startseite" #: lib/mv_web/controllers/join_confirm_controller.ex #, elixir-autogen, elixir-format, fuzzy @@ -3895,3 +3895,18 @@ msgstr "Rolle %{name}" #, elixir-autogen, elixir-format msgid "User %{email}" msgstr "Benutzer*in %{email}" + +#: lib/mv_web/live/global_settings_live.ex +#, elixir-autogen, elixir-format +msgid "Only OIDC sign-in is active. This option is disabled." +msgstr "Nur OIDC-Anmeldung ist aktiv. Diese Option ist deaktiviert." + +#: lib/mv_web/controllers/auth_controller.ex +#, elixir-autogen, elixir-format +msgid "Only sign-in via Single Sign-On (SSO) is allowed." +msgstr "Nur Anmeldung per Single Sign-On (SSO) ist erlaubt." + +#~ #: lib/accounts/user/validations/oidc_only_blocks_password_registration.ex +#~ #, elixir-autogen, elixir-format +#~ msgid "Registration with password is disabled when only OIDC sign-in is active." +#~ msgstr "Registrierung mit Passwort ist deaktiviert, wenn nur OIDC-Anmeldung aktiv ist." diff --git a/priv/gettext/default.pot b/priv/gettext/default.pot index a845e1e..3e2eb5d 100644 --- a/priv/gettext/default.pot +++ b/priv/gettext/default.pot @@ -3895,3 +3895,13 @@ msgstr "" #, elixir-autogen, elixir-format msgid "User %{email}" msgstr "" + +#: lib/mv_web/live/global_settings_live.ex +#, elixir-autogen, elixir-format +msgid "Only OIDC sign-in is active. This option is disabled." +msgstr "" + +#: lib/mv_web/controllers/auth_controller.ex +#, elixir-autogen, elixir-format +msgid "Only sign-in via Single Sign-On (SSO) is allowed." +msgstr "" diff --git a/priv/gettext/en/LC_MESSAGES/default.po b/priv/gettext/en/LC_MESSAGES/default.po index d01da60..8b6da9c 100644 --- a/priv/gettext/en/LC_MESSAGES/default.po +++ b/priv/gettext/en/LC_MESSAGES/default.po @@ -3895,3 +3895,18 @@ msgstr "Role %{name}" #, elixir-autogen, elixir-format msgid "User %{email}" msgstr "User %{email}" + +#: lib/mv_web/live/global_settings_live.ex +#, elixir-autogen, elixir-format +msgid "Only OIDC sign-in is active. This option is disabled." +msgstr "" + +#: lib/mv_web/controllers/auth_controller.ex +#, elixir-autogen, elixir-format +msgid "Only sign-in via Single Sign-On (SSO) is allowed." +msgstr "" + +#~ #: lib/accounts/user/validations/oidc_only_blocks_password_registration.ex +#~ #, elixir-autogen, elixir-format +#~ msgid "Registration with password is disabled when only OIDC sign-in is active." +#~ msgstr "Registration with password is disabled when only OIDC sign-in is active." diff --git a/test/mv_web/controllers/auth_controller_test.exs b/test/mv_web/controllers/auth_controller_test.exs index cc090a9..ffab450 100644 --- a/test/mv_web/controllers/auth_controller_test.exs +++ b/test/mv_web/controllers/auth_controller_test.exs @@ -318,7 +318,7 @@ defmodule MvWeb.AuthControllerTest do case result do {:error, {:redirect, %{to: to}}} -> refute to =~ "sign_in_with_token", - "Expected password sign-in to be rejected when OIDC-only, got redirect to: #{to}" + "Expected password sign-in to be rejected when OIDC-only, got redirect to: #{to}" _ -> # LiveView re-rendered (e.g. with flash error) instead of redirecting to success @@ -336,6 +336,7 @@ defmodule MvWeb.AuthControllerTest do conn: authenticated_conn } do {:ok, settings} = Membership.get_settings() + prev = %{ oidc_only: settings.oidc_only, oidc_client_id: settings.oidc_client_id, diff --git a/test/mv_web/plugs/check_page_permission_test.exs b/test/mv_web/plugs/check_page_permission_test.exs index 2798161..76bed74 100644 --- a/test/mv_web/plugs/check_page_permission_test.exs +++ b/test/mv_web/plugs/check_page_permission_test.exs @@ -181,13 +181,14 @@ defmodule MvWeb.Plugs.CheckPagePermissionTest do end describe "unauthenticated user" do - test "nil current_user is denied and redirected to \"/sign-in\"" do + test "nil current_user is denied and redirected to \"/sign-in\" without access-denied flash" do conn = conn_without_user("/members") |> CheckPagePermission.call([]) assert conn.halted assert redirected_to(conn) == "/sign-in" - assert Phoenix.Flash.get(conn.assigns[:flash] || %{}, :error) == + # Unauthenticated users are redirected to sign-in only; no "no permission" message. + refute Phoenix.Flash.get(conn.assigns[:flash] || %{}, :error) == "You don't have permission to access this page." end end -- 2.47.2 From a049ccb8e3472cc8e9164c158ff0c98346ec8c09 Mon Sep 17 00:00:00 2001 From: Simon Date: Mon, 16 Mar 2026 17:33:03 +0100 Subject: [PATCH 3/5] style: fix formatting --- lib/mv_web/components/layouts.ex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/mv_web/components/layouts.ex b/lib/mv_web/components/layouts.ex index 835d859..54f589d 100644 --- a/lib/mv_web/components/layouts.ex +++ b/lib/mv_web/components/layouts.ex @@ -171,7 +171,7 @@ defmodule MvWeb.Layouts do {@club_name} - +
-- 2.47.2 From c40f3135a1ae413d16da1677d51bb66c1a4dd3b6 Mon Sep 17 00:00:00 2001 From: Simon Date: Mon, 16 Mar 2026 17:52:59 +0100 Subject: [PATCH 4/5] feat: only run all seeds on first startup --- CHANGELOG.md | 1 + CODE_GUIDELINES.md | 6 +-- docs/admin-bootstrap-and-oidc-role-sync.md | 4 +- lib/mv/release.ex | 62 +++++++++++++++------- priv/repo/seeds.exs | 33 +++++++----- 5 files changed, 70 insertions(+), 36 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7cc8ea5..e54d132 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **Success toast auto-dismiss** – Success flash messages (e.g. “Settings saved”) hide automatically after 5 seconds instead of requiring the user to close them. ### Changed +- **Seeds run only when needed** – Bootstrap and dev seeds are skipped on application start when the admin user already exists (`Mv.Release.bootstrap_seeds_applied?/0`). This avoids duplicate data and speeds up startup in dev and production after the first run. - **Unauthenticated access** – Users who are not logged in are redirected to sign-in without showing a “no permission” message; the message is only shown to logged-in users who lack access. ### Fixed diff --git a/CODE_GUIDELINES.md b/CODE_GUIDELINES.md index c0cb543..911c8d9 100644 --- a/CODE_GUIDELINES.md +++ b/CODE_GUIDELINES.md @@ -284,13 +284,13 @@ end ### 1.2.1 Database Seeds -Seeds are split into **bootstrap** and **dev**: +Seeds are split into **bootstrap** and **dev**. They run on every start (e.g. `just run`, Docker entrypoint) but **exit early** if already applied so startup stays fast and no duplicate data is created. -- **`priv/repo/seeds.exs`** – Entrypoint. Runs `seeds_bootstrap.exs` always; runs `seeds_dev.exs` only when `Mix.env()` is `:dev` or `:test`. +- **`priv/repo/seeds.exs`** – Entrypoint. If the admin user (ADMIN_EMAIL or default) already exists, skips entirely; otherwise runs `seeds_bootstrap.exs` and, in dev/test, `seeds_dev.exs`. - **`priv/repo/seeds_bootstrap.exs`** – Creates only data required for system startup: membership fee types, custom fields, roles, admin user, system user, global settings (including default membership fee type). No members, no groups. Used in all environments (dev, test, prod). - **`priv/repo/seeds_dev.exs`** – Creates 20 sample members, groups, and optional custom field values. Run only in dev and test. -In production, running `mix run priv/repo/seeds.exs` executes only the bootstrap part (no dev seeds). +In production, running `mix run priv/repo/seeds.exs` (or `Mv.Release.run_seeds/0`) executes only the bootstrap part when not yet applied (no dev seeds unless `RUN_DEV_SEEDS=true`). The “already applied” check uses `Mv.Release.bootstrap_seeds_applied?/0` (admin user exists). ### 1.3 Domain-Driven Design diff --git a/docs/admin-bootstrap-and-oidc-role-sync.md b/docs/admin-bootstrap-and-oidc-role-sync.md index 5e26c85..0998d67 100644 --- a/docs/admin-bootstrap-and-oidc-role-sync.md +++ b/docs/admin-bootstrap-and-oidc-role-sync.md @@ -2,7 +2,7 @@ ## Overview -- **Admin bootstrap:** In production, the Docker entrypoint runs migrate, then `Mv.Release.run_seeds/0` (bootstrap seeds; set `RUN_DEV_SEEDS=true` to also run dev seeds), then `seed_admin/0` from ENV, then the server. Password can be changed without redeploy via `bin/mv eval "Mv.Release.seed_admin()"`. +- **Admin bootstrap:** In production, the Docker entrypoint runs migrate, then `Mv.Release.run_seeds/0` (skips if admin user already exists; otherwise runs bootstrap seeds; set `RUN_DEV_SEEDS=true` to also run dev seeds), then `seed_admin/0` from ENV, then the server. Password can be changed without redeploy via `bin/mv eval "Mv.Release.seed_admin()"`. - **OIDC role sync:** Optional mapping from OIDC groups (e.g. from Authentik profile scope) to the Admin role. Users in the configured admin group get the Admin role on registration and on each sign-in. ## Admin Bootstrap (Part A) @@ -16,7 +16,7 @@ ### Release Tasks -- `Mv.Release.run_seeds/0` – Runs bootstrap seeds (fee types, custom fields, roles, settings). If `RUN_DEV_SEEDS` env is `"true"`, also runs dev seeds (members, groups, sample data). Idempotent. +- `Mv.Release.run_seeds/0` – If the admin user already exists (bootstrap already applied), skips; otherwise runs bootstrap seeds (fee types, custom fields, roles, settings). If `RUN_DEV_SEEDS` env is `"true"`, also runs dev seeds (members, groups, sample data). Safe to call on every start. - `Mv.Release.seed_admin/0` – Reads ADMIN_EMAIL and password from ADMIN_PASSWORD or ADMIN_PASSWORD_FILE. If both email and password are set: creates or updates the user with the Admin role. If only ADMIN_EMAIL is set: sets the Admin role on an existing user with that email (for OIDC-only admins); does not create a user. Idempotent. ### Entrypoint diff --git a/lib/mv/release.ex b/lib/mv/release.ex index 00dcadf..7b30c83 100644 --- a/lib/mv/release.ex +++ b/lib/mv/release.ex @@ -6,8 +6,8 @@ defmodule Mv.Release do ## Tasks - `migrate/0` - Runs all pending Ecto migrations. - - `run_seeds/0` - Runs bootstrap seeds (fee types, custom fields, roles, settings). - In production, set `RUN_DEV_SEEDS=true` to also run dev seeds (members, groups, sample data). + - `bootstrap_seeds_applied?/0` - Returns whether bootstrap was already applied (admin user exists). Used to skip re-running seeds. + - `run_seeds/0` - If bootstrap already applied, skips; otherwise runs bootstrap seeds (fee types, custom fields, roles, settings). In production, set `RUN_DEV_SEEDS=true` to also run dev seeds (members, groups, sample data). - `seed_admin/0` - Ensures an admin user exists from ENV (ADMIN_EMAIL, ADMIN_PASSWORD or ADMIN_PASSWORD_FILE). Idempotent; can be run on every deployment or via shell to update the admin password without redeploying. @@ -28,13 +28,35 @@ defmodule Mv.Release do end end + @doc """ + Returns whether bootstrap seeds have already been applied (admin user exists). + + We check for the admin user (from ADMIN_EMAIL or default), not the Admin role, + because migrations may create the Admin role for the system actor. Only seeds + create the admin (login) user. Used to skip re-running seeds on subsequent starts. + Call only when the application is already started. + """ + def bootstrap_seeds_applied? do + admin_email = get_env("ADMIN_EMAIL", "admin@localhost") + + case User + |> Ash.Query.filter(email == ^admin_email) + |> Ash.read_one(authorize?: false, domain: Mv.Accounts) do + {:ok, %User{}} -> true + _ -> false + end + rescue + _ -> false + end + @doc """ Runs seed scripts so the database has required bootstrap data (and optionally dev data). - - Always runs bootstrap seeds (fee types, custom fields, roles, system user, settings). - - If `RUN_DEV_SEEDS` env is set to `"true"`, also runs dev seeds (members, groups, sample data). + - Skips if bootstrap was already applied (Admin role exists); otherwise runs bootstrap seeds. + - If `RUN_DEV_SEEDS` env is set to `"true"`, also runs dev seeds (members, groups, sample data) + when bootstrap is run. - Uses paths from the application's priv dir so it works in releases (no Mix). Idempotent. + Uses paths from the application's priv dir so it works in releases (no Mix). """ def run_seeds do case Application.ensure_all_started(@app) do @@ -42,23 +64,27 @@ defmodule Mv.Release do {:error, {app, reason}} -> raise "Failed to start #{inspect(app)}: #{inspect(reason)}" end - priv = :code.priv_dir(@app) - bootstrap_path = Path.join(priv, "repo/seeds_bootstrap.exs") - dev_path = Path.join(priv, "repo/seeds_dev.exs") + if bootstrap_seeds_applied?() do + IO.puts("Seeds already applied (admin user exists). Skipping.") + else + priv = :code.priv_dir(@app) + bootstrap_path = Path.join(priv, "repo/seeds_bootstrap.exs") + dev_path = Path.join(priv, "repo/seeds_dev.exs") - prev = Code.compiler_options() - Code.compiler_options(ignore_module_conflict: true) + prev = Code.compiler_options() + Code.compiler_options(ignore_module_conflict: true) - try do - Code.eval_file(bootstrap_path) - IO.puts("✅ Bootstrap seeds completed.") + try do + Code.eval_file(bootstrap_path) + IO.puts("✅ Bootstrap seeds completed.") - if System.get_env("RUN_DEV_SEEDS") == "true" do - Code.eval_file(dev_path) - IO.puts("✅ Dev seeds completed.") + if System.get_env("RUN_DEV_SEEDS") == "true" do + Code.eval_file(dev_path) + IO.puts("✅ Dev seeds completed.") + end + after + Code.compiler_options(prev) end - after - Code.compiler_options(prev) end end diff --git a/priv/repo/seeds.exs b/priv/repo/seeds.exs index 7257f8b..fad2982 100644 --- a/priv/repo/seeds.exs +++ b/priv/repo/seeds.exs @@ -3,7 +3,8 @@ # mix run priv/repo/seeds.exs # # Bootstrap runs in all environments. Dev seeds (members, groups, sample data) -# run only in dev and test. +# run only in dev and test. Skips entirely if bootstrap was already applied +# (Admin role exists), so safe to run on every start. # # In production (release): seeds are run via Mv.Release.run_seeds/0 from the # container entrypoint. Set RUN_DEV_SEEDS=true to also run dev seeds there. @@ -12,19 +13,25 @@ # so that eval_file of bootstrap/dev does not emit "redefining module" warnings; # it is always restored in `after` to avoid hiding real conflicts elsewhere. -prev = Code.compiler_options() -Code.compiler_options(ignore_module_conflict: true) +_ = Application.ensure_all_started(:mv) -try do - # Always run bootstrap (fee types, custom fields, roles, admin, system user, settings) - Code.eval_file("priv/repo/seeds_bootstrap.exs") +if Mv.Release.bootstrap_seeds_applied?() do + IO.puts("Seeds already applied (admin user exists). Skipping.") +else + prev = Code.compiler_options() + Code.compiler_options(ignore_module_conflict: true) - # In dev and test only: run dev seeds (20 members, groups, custom field values) - if Mix.env() in [:dev, :test] do - Code.eval_file("priv/repo/seeds_dev.exs") + try do + # Always run bootstrap (fee types, custom fields, roles, admin, system user, settings) + Code.eval_file("priv/repo/seeds_bootstrap.exs") + + # In dev and test only: run dev seeds (20 members, groups, custom field values) + if Mix.env() in [:dev, :test] do + Code.eval_file("priv/repo/seeds_dev.exs") + end + + IO.puts("✅ All seeds completed.") + after + Code.compiler_options(prev) end - - IO.puts("✅ All seeds completed.") -after - Code.compiler_options(prev) end -- 2.47.2 From 77012f10caf185f8aeed5dc0b5028f100842c1a7 Mon Sep 17 00:00:00 2001 From: Simon Date: Mon, 16 Mar 2026 19:20:30 +0100 Subject: [PATCH 5/5] refactor: harden seed only once implementation --- .env.example | 1 + CHANGELOG.md | 3 ++- CODE_GUIDELINES.md | 4 ++-- docs/admin-bootstrap-and-oidc-role-sync.md | 5 +++-- lib/mv/release.ex | 13 ++++++++----- priv/repo/seeds.exs | 7 ++++--- 6 files changed, 20 insertions(+), 13 deletions(-) diff --git a/.env.example b/.env.example index 661593b..d63e019 100644 --- a/.env.example +++ b/.env.example @@ -14,6 +14,7 @@ ASSOCIATION_NAME="Sportsclub XYZ" # Optional: Admin user (created/updated on container start via Release.seed_admin) # In production, set these so the first admin can log in. Change password without redeploy: # bin/mv eval "Mv.Release.seed_admin()" (with new ADMIN_PASSWORD or ADMIN_PASSWORD_FILE) +# FORCE_SEEDS=true re-runs bootstrap seeds even when admin user exists (e.g. after changing roles/custom fields). # ADMIN_EMAIL=admin@example.com # ADMIN_PASSWORD=secure-password # ADMIN_PASSWORD_FILE=/run/secrets/admin_password diff --git a/CHANGELOG.md b/CHANGELOG.md index e54d132..92319c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,11 +8,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] ### Added +- **FORCE_SEEDS** – Environment variable. When set to `"true"`, bootstrap (and optionally dev) seeds are run even when the admin user already exists, so you can re-apply changed seed data (e.g. new roles or custom fields) without deleting the admin user. - **Improved OIDC-only mode** – Admin can enable “Only OIDC sign-in” in settings; when enabled, direct registration is disabled and sign-in page redirects to OIDC when configured. - **Success toast auto-dismiss** – Success flash messages (e.g. “Settings saved”) hide automatically after 5 seconds instead of requiring the user to close them. ### Changed -- **Seeds run only when needed** – Bootstrap and dev seeds are skipped on application start when the admin user already exists (`Mv.Release.bootstrap_seeds_applied?/0`). This avoids duplicate data and speeds up startup in dev and production after the first run. +- **Seeds run only when needed** – Bootstrap and dev seeds are skipped on application start when the admin user already exists (`Mv.Release.bootstrap_seeds_applied?/0`). This avoids duplicate data and speeds up startup in dev and production after the first run. Set `FORCE_SEEDS=true` to override and re-run. - **Unauthenticated access** – Users who are not logged in are redirected to sign-in without showing a “no permission” message; the message is only shown to logged-in users who lack access. ### Fixed diff --git a/CODE_GUIDELINES.md b/CODE_GUIDELINES.md index 911c8d9..f84c5ad 100644 --- a/CODE_GUIDELINES.md +++ b/CODE_GUIDELINES.md @@ -286,11 +286,11 @@ end Seeds are split into **bootstrap** and **dev**. They run on every start (e.g. `just run`, Docker entrypoint) but **exit early** if already applied so startup stays fast and no duplicate data is created. -- **`priv/repo/seeds.exs`** – Entrypoint. If the admin user (ADMIN_EMAIL or default) already exists, skips entirely; otherwise runs `seeds_bootstrap.exs` and, in dev/test, `seeds_dev.exs`. +- **`priv/repo/seeds.exs`** – Entrypoint. If the admin user (ADMIN_EMAIL or default) already exists, skips entirely (unless `FORCE_SEEDS=true`); otherwise runs `seeds_bootstrap.exs` and, in dev/test, `seeds_dev.exs`. - **`priv/repo/seeds_bootstrap.exs`** – Creates only data required for system startup: membership fee types, custom fields, roles, admin user, system user, global settings (including default membership fee type). No members, no groups. Used in all environments (dev, test, prod). - **`priv/repo/seeds_dev.exs`** – Creates 20 sample members, groups, and optional custom field values. Run only in dev and test. -In production, running `mix run priv/repo/seeds.exs` (or `Mv.Release.run_seeds/0`) executes only the bootstrap part when not yet applied (no dev seeds unless `RUN_DEV_SEEDS=true`). The “already applied” check uses `Mv.Release.bootstrap_seeds_applied?/0` (admin user exists). +In production, running `mix run priv/repo/seeds.exs` (or `Mv.Release.run_seeds/0`) executes only the bootstrap part when not yet applied (no dev seeds unless `RUN_DEV_SEEDS=true`). The “already applied” check uses `Mv.Release.bootstrap_seeds_applied?/0` (admin user exists). Set `FORCE_SEEDS=true` to re-run seeds even when already applied. ### 1.3 Domain-Driven Design diff --git a/docs/admin-bootstrap-and-oidc-role-sync.md b/docs/admin-bootstrap-and-oidc-role-sync.md index 0998d67..21bf947 100644 --- a/docs/admin-bootstrap-and-oidc-role-sync.md +++ b/docs/admin-bootstrap-and-oidc-role-sync.md @@ -2,7 +2,7 @@ ## Overview -- **Admin bootstrap:** In production, the Docker entrypoint runs migrate, then `Mv.Release.run_seeds/0` (skips if admin user already exists; otherwise runs bootstrap seeds; set `RUN_DEV_SEEDS=true` to also run dev seeds), then `seed_admin/0` from ENV, then the server. Password can be changed without redeploy via `bin/mv eval "Mv.Release.seed_admin()"`. +- **Admin bootstrap:** In production, the Docker entrypoint runs migrate, then `Mv.Release.run_seeds/0` (skips if admin user already exists unless `FORCE_SEEDS=true`; set `RUN_DEV_SEEDS=true` to also run dev seeds), then `seed_admin/0` from ENV, then the server. Password can be changed without redeploy via `bin/mv eval "Mv.Release.seed_admin()"`. - **OIDC role sync:** Optional mapping from OIDC groups (e.g. from Authentik profile scope) to the Admin role. Users in the configured admin group get the Admin role on registration and on each sign-in. ## Admin Bootstrap (Part A) @@ -10,13 +10,14 @@ ### Environment Variables - `RUN_DEV_SEEDS` – If set to `"true"`, `run_seeds/0` also runs dev seeds (members, groups, sample data). Otherwise only bootstrap seeds run. +- `FORCE_SEEDS` – If set to `"true"`, seeds are run even when the admin user already exists (e.g. after changing bootstrap data such as roles or custom fields). Otherwise seeds are skipped when bootstrap was already applied. - `ADMIN_EMAIL` – Email of the admin user to create/update. If unset, seed_admin/0 does nothing. - `ADMIN_PASSWORD` – Password for the admin user. If unset (and no file), no new user is created; if a user with ADMIN_EMAIL already exists (e.g. OIDC-only), their role is set to Admin (no password change). - `ADMIN_PASSWORD_FILE` – Path to a file containing the password (e.g. Docker secret). ### Release Tasks -- `Mv.Release.run_seeds/0` – If the admin user already exists (bootstrap already applied), skips; otherwise runs bootstrap seeds (fee types, custom fields, roles, settings). If `RUN_DEV_SEEDS` env is `"true"`, also runs dev seeds (members, groups, sample data). Safe to call on every start. +- `Mv.Release.run_seeds/0` – If the admin user already exists (bootstrap already applied), skips unless `FORCE_SEEDS=true`; otherwise runs bootstrap seeds (fee types, custom fields, roles, settings). If `RUN_DEV_SEEDS` env is `"true"`, also runs dev seeds (members, groups, sample data). Safe to call on every start. - `Mv.Release.seed_admin/0` – Reads ADMIN_EMAIL and password from ADMIN_PASSWORD or ADMIN_PASSWORD_FILE. If both email and password are set: creates or updates the user with the Admin role. If only ADMIN_EMAIL is set: sets the Admin role on an existing user with that email (for OIDC-only admins); does not create a user. Idempotent. ### Entrypoint diff --git a/lib/mv/release.ex b/lib/mv/release.ex index 7b30c83..116b276 100644 --- a/lib/mv/release.ex +++ b/lib/mv/release.ex @@ -7,7 +7,7 @@ defmodule Mv.Release do - `migrate/0` - Runs all pending Ecto migrations. - `bootstrap_seeds_applied?/0` - Returns whether bootstrap was already applied (admin user exists). Used to skip re-running seeds. - - `run_seeds/0` - If bootstrap already applied, skips; otherwise runs bootstrap seeds (fee types, custom fields, roles, settings). In production, set `RUN_DEV_SEEDS=true` to also run dev seeds (members, groups, sample data). + - `run_seeds/0` - If bootstrap already applied, skips; otherwise runs bootstrap seeds (fee types, custom fields, roles, settings). Set `FORCE_SEEDS=true` to re-run seeds even when already applied. In production, set `RUN_DEV_SEEDS=true` to also run dev seeds (members, groups, sample data). - `seed_admin/0` - Ensures an admin user exists from ENV (ADMIN_EMAIL, ADMIN_PASSWORD or ADMIN_PASSWORD_FILE). Idempotent; can be run on every deployment or via shell to update the admin password without redeploying. @@ -19,6 +19,7 @@ defmodule Mv.Release do alias Mv.Authorization.Role require Ash.Query + require Logger def migrate do load_app() @@ -46,13 +47,15 @@ defmodule Mv.Release do _ -> false end rescue - _ -> false + e -> + Logger.warning("Could not check seed status (#{inspect(e)}), assuming not applied.") + false end @doc """ Runs seed scripts so the database has required bootstrap data (and optionally dev data). - - Skips if bootstrap was already applied (Admin role exists); otherwise runs bootstrap seeds. + - Skips if bootstrap was already applied (admin user exists); set `FORCE_SEEDS=true` to override and re-run. - If `RUN_DEV_SEEDS` env is set to `"true"`, also runs dev seeds (members, groups, sample data) when bootstrap is run. @@ -64,8 +67,8 @@ defmodule Mv.Release do {:error, {app, reason}} -> raise "Failed to start #{inspect(app)}: #{inspect(reason)}" end - if bootstrap_seeds_applied?() do - IO.puts("Seeds already applied (admin user exists). Skipping.") + if bootstrap_seeds_applied?() and System.get_env("FORCE_SEEDS") != "true" do + IO.puts("Seeds already applied. Skipping. (Set FORCE_SEEDS=true to override)") else priv = :code.priv_dir(@app) bootstrap_path = Path.join(priv, "repo/seeds_bootstrap.exs") diff --git a/priv/repo/seeds.exs b/priv/repo/seeds.exs index fad2982..c562a43 100644 --- a/priv/repo/seeds.exs +++ b/priv/repo/seeds.exs @@ -4,7 +4,8 @@ # # Bootstrap runs in all environments. Dev seeds (members, groups, sample data) # run only in dev and test. Skips entirely if bootstrap was already applied -# (Admin role exists), so safe to run on every start. +# (admin user exists), so safe to run on every start. Set FORCE_SEEDS=true to +# re-run seeds even when already applied. # # In production (release): seeds are run via Mv.Release.run_seeds/0 from the # container entrypoint. Set RUN_DEV_SEEDS=true to also run dev seeds there. @@ -15,8 +16,8 @@ _ = Application.ensure_all_started(:mv) -if Mv.Release.bootstrap_seeds_applied?() do - IO.puts("Seeds already applied (admin user exists). Skipping.") +if Mv.Release.bootstrap_seeds_applied?() and System.get_env("FORCE_SEEDS") != "true" do + IO.puts("Seeds already applied. Skipping. (Set FORCE_SEEDS=true to override)") else prev = Code.compiler_options() Code.compiler_options(ignore_module_conflict: true) -- 2.47.2