You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* refactor(store): wave B.8 — identity_provider repo (read side) (#259)
IdentityProviderRepo covers the read side of the identity-providers
projection: Get / GetBySlug / GetBySlugForSCIM / List / Count /
ListEnabled. All 17 handler/scim/idp-internal read sites migrated.
ClientSecretEncrypted stays encrypted at the boundary; the handler
decrypts via internal/crypto when initiating the OIDC dance.
ScimTokenHash is surfaced because the SCIM auth handler validates
incoming bearer tokens against this column.
Field renames at the type boundary follow Go convention:
IssuerUrl → IssuerURL, AuthorizationUrl → AuthorizationURL, etc.
Propagated to all consumers including sso_handler's OIDC provider
config and idpToProto.
Call sites migrated (17):
- internal/api/idp_handler.go (13) + idpToProto signature
- internal/api/sso_handler.go (3) + URL field renames
- internal/scim/auth.go (1)
- internal/idp/linker.go — LinkOrCreate signature shifted to
store.IdentityProvider (callers in api/sso updated accordingly)
- internal/idp/linker_test.go — test fixtures use store.IdentityProvider
Non-goals:
- Write-side projector queries (Insert/Update/SetSCIMEnabled/
RotateSCIMToken) stay on Queries() per the established pattern;
pure projector internals migrate in a later wave.
- SCIM user/group mapping queries — separate SCIM-domain sub-wave.
Closes#259.
* fix(scim): align provider context type with new IdentityProvider repo
The withAuth middleware now stores store.IdentityProvider in context
but providerFromContext was still asserting db.IdentityProvidersProjection,
so every authenticated SCIM request failed the type assertion and the
handlers downstream returned 401.
Swap the context cast and every downstream helper that takes the
provider to use store.IdentityProvider. Field accesses (ID, Slug, Name,
DefaultRoleID, AutoLinkByEmail, ScimTokenHash) are identical between
the two types so no further site changes are needed.
0 commit comments