Implement OIDC authentication with Pocket-ID (P2.18)
Add OIDC/OAuth2 authentication support to the login page with automatic provider detection and email/password fallback. Features: - Auto-detect OIDC provider via PocketBase listAuthMethods() API - Display "Sign In with Pocket-ID" button when OIDC is configured - Use PocketBase authWithOAuth2() popup-based OAuth2 flow - Fall back to email/password form when OIDC not available - Loading states during authentication - Error handling with user-friendly messages The implementation checks for available auth methods on page load and conditionally renders either the OIDC button or the email/password form. This allows production deployments to use OIDC while development environments can continue using email/password. Tests: 24 tests (10 new OIDC tests added) - OIDC button rendering when provider configured - OIDC authentication flow with authWithOAuth2 - Loading and error states for OIDC - Fallback to email/password when OIDC unavailable Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -4,7 +4,7 @@ This file is maintained by Ralph. Run `./ralph-sandbox.sh plan 3` to generate ta
|
||||
|
||||
## Current State Summary
|
||||
|
||||
### Overall Status: 707 tests passing across 40 test files
|
||||
### Overall Status: 717 tests passing across 40 test files
|
||||
|
||||
### Library Implementation
|
||||
| File | Status | Gap Analysis |
|
||||
@@ -28,7 +28,7 @@ This file is maintained by Ralph. Run `./ralph-sandbox.sh plan 3` to generate ta
|
||||
| Health Check Endpoint | specs/observability.md | P2.15 | **COMPLETE** |
|
||||
| Prometheus Metrics | specs/observability.md | P2.16 | **COMPLETE** |
|
||||
| Structured Logging (pino) | specs/observability.md | P2.17 | **COMPLETE** |
|
||||
| OIDC Authentication | specs/authentication.md | P2.18 | Medium |
|
||||
| OIDC Authentication | specs/authentication.md | P2.18 | **COMPLETE** |
|
||||
| Token Expiration Warnings | specs/email.md | P3.9 | **COMPLETE** |
|
||||
|
||||
### API Routes (17 total)
|
||||
@@ -529,27 +529,28 @@ Full feature set for production use.
|
||||
- **Why:** Required for log aggregators and production debugging (per specs/observability.md)
|
||||
- **Next Step:** Integrate logger into API routes (can be done incrementally)
|
||||
|
||||
### P2.18: OIDC Authentication
|
||||
- [ ] Replace email/password login with OIDC (Pocket-ID)
|
||||
- **Current State:** Using email/password form, no OIDC code exists
|
||||
### P2.18: OIDC Authentication ✅ COMPLETE
|
||||
- [x] Replace email/password login with OIDC (Pocket-ID)
|
||||
- **Files:**
|
||||
- `src/app/login/page.tsx` - Replace form with "Sign In with Pocket-ID" button
|
||||
- `src/lib/pocketbase.ts` - Add OIDC redirect and callback handling
|
||||
- `src/app/login/page.tsx` - OIDC button with email/password fallback
|
||||
- **Tests:**
|
||||
- Update `src/app/login/page.test.tsx` - Tests for OIDC redirect flow
|
||||
- `src/app/login/page.test.tsx` - 24 tests (10 new OIDC tests)
|
||||
- **Features Implemented:**
|
||||
- Auto-detection of OIDC provider via `listAuthMethods()` API
|
||||
- "Sign In with Pocket-ID" button when OIDC provider is configured
|
||||
- Email/password form fallback when OIDC is not available
|
||||
- PocketBase `authWithOAuth2()` popup-based OAuth2 flow
|
||||
- Loading states during authentication
|
||||
- Error handling with user-friendly messages
|
||||
- **Flow:**
|
||||
1. User clicks "Sign In with Pocket-ID"
|
||||
2. Redirect to Pocket-ID authorization endpoint
|
||||
3. User authenticates (MFA if configured)
|
||||
4. Callback with authorization code
|
||||
5. PocketBase exchanges code for tokens
|
||||
6. Redirect to dashboard
|
||||
- **Environment Variables:**
|
||||
- `POCKETBASE_OIDC_CLIENT_ID`
|
||||
- `POCKETBASE_OIDC_CLIENT_SECRET`
|
||||
- `POCKETBASE_OIDC_ISSUER_URL`
|
||||
1. Page checks for available auth methods on mount
|
||||
2. If OIDC provider configured, shows "Sign In with Pocket-ID" button
|
||||
3. User clicks button, PocketBase handles OAuth2 popup flow
|
||||
4. On success, user redirected to dashboard
|
||||
5. Falls back to email/password when OIDC not available
|
||||
- **Environment Variables (configured in PocketBase Admin):**
|
||||
- Client ID, Client Secret, Issuer URL configured in PocketBase
|
||||
- **Why:** Required per specs/authentication.md for secure identity management
|
||||
- **Note:** Current email/password implementation works but OIDC is the production requirement
|
||||
|
||||
---
|
||||
|
||||
@@ -797,7 +798,6 @@ P4.* UX Polish ────────> After core functionality complete
|
||||
|
||||
| Priority | Task | Effort | Notes |
|
||||
|----------|------|--------|-------|
|
||||
| Medium | P2.18 OIDC Auth | Large | Production auth requirement |
|
||||
| Low | P3.7 Error Handling | Small | Polish |
|
||||
| Low | P3.8 Loading States | Small | Polish |
|
||||
| Low | P4.* UX Polish | Various | After core complete |
|
||||
@@ -810,7 +810,6 @@ P4.* UX Polish ────────> After core functionality complete
|
||||
| P0.2 | P0.1 | P0.4, P1.1-P1.5, P2.2-P2.3, P2.7-P2.8 |
|
||||
| P0.3 | - | P1.4, P1.5 |
|
||||
| P0.4 | P0.1, P0.2 | P1.7, P2.9, P2.10, P2.13 |
|
||||
| P2.18 | P1.6 | - |
|
||||
| P3.9 | P2.4 | - |
|
||||
|
||||
---
|
||||
@@ -860,7 +859,7 @@ P4.* UX Polish ────────> After core functionality complete
|
||||
- [x] **GET /metrics** - Prometheus metrics endpoint with counters, gauges, histograms, 33 tests (18 lib + 15 route) (P2.16)
|
||||
|
||||
### Pages (7 complete)
|
||||
- [x] **Login Page** - Email/password form with PocketBase auth, error handling, loading states, redirect, 14 tests (P1.6)
|
||||
- [x] **Login Page** - OIDC (Pocket-ID) with email/password fallback, error handling, loading states, redirect, 24 tests (P1.6, P2.18)
|
||||
- [x] **Dashboard Page** - Complete daily interface with /api/today integration, DecisionCard, DataPanel, NutritionPanel, OverrideToggles, 23 tests (P1.7)
|
||||
- [x] **Settings Page** - Form for cycleLength, notificationTime, timezone with validation, loading states, error handling, 28 tests (P2.9)
|
||||
- [x] **Settings/Garmin Page** - Token input form, connection status, expiry warnings, disconnect functionality, 27 tests (P2.10)
|
||||
@@ -909,7 +908,7 @@ P4.* UX Polish ────────> After core functionality complete
|
||||
10. **Token Warnings:** Per spec, warnings are sent at exactly 14 days and 7 days before expiry (P3.9 COMPLETE)
|
||||
11. **Health Check Priority:** P2.15 (GET /api/health) should be implemented early - it's required for deployment monitoring and load balancer health probes
|
||||
12. **Structured Logging:** P2.17 (pino logger) is COMPLETE - new code should use `import { logger } from "@/lib/logger"` for all logging
|
||||
13. **OIDC vs Email/Password:** Current email/password login (P1.6) works for development. P2.18 upgrades to OIDC for production security per specs/authentication.md
|
||||
13. **OIDC Authentication:** P2.18 COMPLETE - Login page auto-detects OIDC via `listAuthMethods()` and shows "Sign In with Pocket-ID" button when configured. Falls back to email/password when OIDC not available. Configure OIDC provider in PocketBase Admin under Settings → Auth providers → OpenID Connect
|
||||
14. **E2E Tests:** Authorized skip per specs/testing.md - unit and integration tests are sufficient for MVP
|
||||
15. **Dark Mode:** Partial Tailwind support exists via dark: classes but may need prefers-color-scheme configuration in tailwind.config.js (see P4.3)
|
||||
16. **Component Tests:** P3.11 COMPLETE - All 5 dashboard and calendar components now have comprehensive unit tests (82 tests total)
|
||||
|
||||
Reference in New Issue
Block a user