Key changes

- Adds Entra OIDC redirect + callback endpoints under /auth/entra/* (token exchange only there).
- Upserts tenant users keyed by (entra_tenant_id = tid, entra_object_id = oid); regenerates session; never stores tokens.
- Blocks disabled / soft-deleted users with a generic error and safe logging.
- Membership-based post-login routing:
  - 0 memberships → /admin/no-access
  - 1 membership → tenant dashboard (via Filament URL helpers)
  - >1 memberships → /admin/choose-tenant
- Adds Filament pages:
  - /admin/choose-tenant (tenant selection + redirect)
  - /admin/no-access (tenantless-safe)
  Both use simple layout to avoid tenant-required UI.

Guards / tests

- Adds DbOnlyPagesDoNotMakeHttpRequestsTest to enforce DB-only render/hydration for /admin/login, /admin/no-access, /admin/choose-tenant with Http::preventStrayRequests().
- Adds session separation smoke coverage to ensure tenant session doesn't access system and vice versa.

Runs: vendor/bin/sail artisan test --compact tests/Feature/Auth

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #76
Data Model: 063 — Entra Sign-in
This feature reuses the existing users table and does not introduce new tables.
users table
The following columns are used for Entra ID integration. The spec confirms these columns and their types are authoritative for v1 and should not be changed.
- `entra_tenant_id`
  - Type: varchar(255)
  - Nullable: Yes
  - Description: Stores the Entra ID tenant identifier (`tid` claim).
- `entra_object_id`
  - Type: varchar(255)
  - Nullable: Yes
  - Description: Stores the Entra ID user object identifier (`oid` claim).
Indexes
A unique composite index on (entra_tenant_id, entra_object_id) already exists and is the conflict target for user upserts. Because both columns are nullable, rows for users without an Entra link (both columns NULL) do not collide under this index: MySQL, PostgreSQL and SQLite all treat NULLs as distinct in unique indexes. The flip side is that an upsert keyed on a NULL `tid` or `oid` never matches an existing row, so the callback must reject ID tokens that lack either claim before touching the table.
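The following is an added example, not code from this project: it exercises the data model above and the sign-in decision from the change description (upsert keyed by `tid`/`oid`, block disabled or soft-deleted users, route by membership count) against an in-memory SQLite table so the index semantics can be checked offline. The schema is constructed here; `is_active`, `deleted_at`, `email`, `name` and the `/admin/dashboard` path are assumed placeholders for whatever the real `users` table and Filament URL helpers use, and the claims dict is assumed to come from an ID token already validated (signature, issuer, audience, expiry) by the OIDC callback.

```python
import sqlite3
from typing import Optional

# Constructed schema: the two Entra columns and the composite unique index from
# the spec, plus assumed columns (email, name, is_active, deleted_at) that the
# project's real users table may name differently.
SCHEMA = """
CREATE TABLE users (
    id              INTEGER PRIMARY KEY AUTOINCREMENT,
    email           VARCHAR(255) NOT NULL,
    name            VARCHAR(255),
    entra_tenant_id VARCHAR(255) NULL,
    entra_object_id VARCHAR(255) NULL,
    is_active       INTEGER NOT NULL DEFAULT 1,
    deleted_at      TEXT NULL
);
CREATE UNIQUE INDEX users_entra_unique
    ON users (entra_tenant_id, entra_object_id);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def find_by_entra(conn, tid: str, oid: str) -> Optional[sqlite3.Row]:
    return conn.execute(
        "SELECT * FROM users WHERE entra_tenant_id = ? AND entra_object_id = ?",
        (tid, oid),
    ).fetchone()


def upsert_entra_user(conn, tid: str, oid: str, email: str, name: str) -> int:
    """Insert or refresh the row for one Entra identity and return its id.

    ON CONFLICT targets the composite unique index, so repeated sign-ins for
    the same (tid, oid) update one row instead of inserting duplicates.
    Only profile claims are stored; tokens never reach the database.
    """
    if not tid or not oid:
        # With a NULL key ON CONFLICT would never fire and every sign-in
        # would create a fresh row, so refuse to upsert without both claims.
        raise ValueError("tid and oid claims are required")
    conn.execute(
        """
        INSERT INTO users (email, name, entra_tenant_id, entra_object_id)
        VALUES (?, ?, ?, ?)
        ON CONFLICT (entra_tenant_id, entra_object_id) DO UPDATE SET
            email = excluded.email,
            name  = excluded.name
        """,
        (email, name, tid, oid),
    )
    conn.commit()
    return find_by_entra(conn, tid, oid)["id"]


def insert_local_user(conn, email: str) -> int:
    """A password/local user: both Entra columns stay NULL (assumed scenario)."""
    cur = conn.execute("INSERT INTO users (email) VALUES (?)", (email,))
    conn.commit()
    return cur.lastrowid


def resolve_signin(conn, claims: dict) -> Optional[int]:
    """Map verified ID-token claims to a user id, or None if sign-in is refused.

    Disabled and soft-deleted users get None before any upsert, so a blocked
    account's profile is not refreshed; the caller shows a generic error and
    logs only identifiers, never claims or tokens.
    """
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    existing = find_by_entra(conn, tid, oid)
    if existing is not None and (
        not existing["is_active"] or existing["deleted_at"] is not None
    ):
        return None
    return upsert_entra_user(
        conn, tid, oid,
        claims.get("preferred_username", ""), claims.get("name", ""),
    )


def post_login_route(membership_count: int) -> str:
    """Routing rule from the change: 0 -> no-access, 1 -> dashboard, >1 -> chooser."""
    if membership_count <= 0:
        return "/admin/no-access"
    if membership_count == 1:
        return "/admin/dashboard"  # assumed placeholder for the Filament tenant URL
    return "/admin/choose-tenant"
```

The upsert deliberately keys on both claims: the same `oid` seen from a different `tid` is a different identity and gets its own row, while two local users with NULL Entra columns coexist under the unique index. The same `ON CONFLICT ... DO UPDATE` shape maps to `INSERT ... ON DUPLICATE KEY UPDATE` on MySQL or `updateOrCreate` in Eloquent.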