ahmido
c5fbcaa692
Key changes Adds Entra OIDC redirect + callback endpoints under /auth/entra/* (token exchange only there). Upserts tenant users keyed by (entra_tenant_id = tid, entra_object_id = oid); regenerates session; never stores tokens. Blocks disabled / soft-deleted users with a generic error and safe logging. Membership-based post-login routing: 0 memberships → /admin/no-access 1 membership → tenant dashboard (via Filament URL helpers) >1 memberships → /admin/choose-tenant Adds Filament pages: /admin/choose-tenant (tenant selection + redirect) /admin/no-access (tenantless-safe) Both use simple layout to avoid tenant-required UI. Guards / tests Adds DbOnlyPagesDoNotMakeHttpRequestsTest to enforce DB-only render/hydration for: /admin/login, /admin/no-access, /admin/choose-tenant with Http::preventStrayRequests() Adds session separation smoke coverage to ensure tenant session doesn’t access system and vice versa. Runs: vendor/bin/sail artisan test --compact tests/Feature/Auth Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #76
22 lines
743 B
Markdown
22 lines
743 B
Markdown
# Data Model: 063 — Entra Sign-in
|
|
|
|
This feature reuses the existing `users` table and does not introduce new tables.
|
|
|
|
## `users` table
|
|
|
|
The following columns are used for Entra ID integration. The spec confirms these columns and their types are authoritative for v1 and should not be changed.
|
|
|
|
- `entra_tenant_id`
|
|
- **Type**: `varchar(255)`
|
|
- **Nullable**: Yes
|
|
- **Description**: Stores the Entra ID tenant identifier (`tid` claim).
|
|
|
|
- `entra_object_id`
|
|
- **Type**: `varchar(255)`
|
|
- **Nullable**: Yes
|
|
- **Description**: Stores the Entra ID user object identifier (`oid` claim).
|
|
|
|
### Indexes
|
|
|
|
A unique composite index on `(entra_tenant_id, entra_object_id)` already exists and will be used to enforce uniqueness for user upserts.
|