barbercollie/ReadMeABook
1
0
Fork 1
mirror of https://github.com/kikootwo/ReadMeABook.git synced 2026-06-03 04:40:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add comprehensive OIDC access control and admin role mapping

Browse Source 
Implements full OIDC configuration UI and backend support for access control and admin permissions.

**Access Control Features:**
- Open access (anyone can log in)
- Group/claim based access (require specific group membership)
- Allowed list (whitelist specific emails/usernames)
- Admin approval (manual approval required for new users)

**Admin Role Mapping:**
- Automatic admin role assignment based on OIDC claims
- Configurable claim name and value (default: groups claim)
- First user always becomes admin
- Dynamic role updates on each login

**Setup Wizard:**
- Updated OIDCConfigStep with comprehensive OIDC settings
- Access control method selector with conditional fields
- Admin role mapping configuration with examples
- Improved UX with clear sections and helpful descriptions

**Admin Settings:**
- Expanded OIDC section with all new configuration options
- Proper JSON array handling for allowed emails/usernames
- Visual organization matching setup wizard

**Backend:**
- Updated setup complete API to persist new OIDC fields
- Updated OIDC settings API for all new configuration
- Updated settings GET endpoint to return new fields with defaults
- Proper comma-separated to JSON array conversion

**Documentation:**
- Comprehensive OIDC section in auth.md
- Configuration examples and use cases
- Clear distinction between access control and admin roles
- Default values documented

All changes tested and ready for production use.
This commit is contained in:
Claude
2025-12-21 18:43:39 +00:00
committed by kikootwo
parent a3ba192fbd
commit 5a9b6b4b46
7 changed files with 730 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/app/api/setup/complete/route.ts
+50
View File
@@ -241,6 +241,56 @@ export async function POST(request: NextRequest) {
update: { value: encryptedClientSecret, encrypted: true },
create: { key: 'oidc.client_secret', value: encryptedClientSecret, encrypted: true },
});
// Access control configuration
await prisma.configuration.upsert({
where: { key: 'oidc.access_control_method' },
update: { value: oidc.access_control_method || 'open' },
create: { key: 'oidc.access_control_method', value: oidc.access_control_method || 'open' },
});
await prisma.configuration.upsert({
where: { key: 'oidc.access_group_claim' },
update: { value: oidc.access_group_claim || 'groups' },
create: { key: 'oidc.access_group_claim', value: oidc.access_group_claim || 'groups' },
});
await prisma.configuration.upsert({
where: { key: 'oidc.access_group_value' },
update: { value: oidc.access_group_value || '' },
create: { key: 'oidc.access_group_value', value: oidc.access_group_value || '' },
});
await prisma.configuration.upsert({
where: { key: 'oidc.allowed_emails' },
update: { value: oidc.allowed_emails || '[]' },
create: { key: 'oidc.allowed_emails', value: oidc.allowed_emails || '[]' },
});
await prisma.configuration.upsert({
where: { key: 'oidc.allowed_usernames' },
update: { value: oidc.allowed_usernames || '[]' },
create: { key: 'oidc.allowed_usernames', value: oidc.allowed_usernames || '[]' },
});
// Admin role mapping configuration
await prisma.configuration.upsert({
where: { key: 'oidc.admin_claim_enabled' },
update: { value: oidc.admin_claim_enabled || 'false' },
create: { key: 'oidc.admin_claim_enabled', value: oidc.admin_claim_enabled || 'false' },
});
await prisma.configuration.upsert({
where: { key: 'oidc.admin_claim_name' },
update: { value: oidc.admin_claim_name || 'groups' },
create: { key: 'oidc.admin_claim_name', value: oidc.admin_claim_name || 'groups' },
});
await prisma.configuration.upsert({
where: { key: 'oidc.admin_claim_value' },
update: { value: oidc.admin_claim_value || '' },
create: { key: 'oidc.admin_claim_value', value: oidc.admin_claim_value || '' },
});
}
// Manual registration configuration (if enabled)