refactor(store): wave B.8 — identity_provider repo (read side) (#259)#260
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (7)
📝 WalkthroughWalkthroughMigrates identity-provider read access to a new store.Repos().IdentityProvider: adds domain types and repo interface, implements a Postgres repo, wires it into Repos, and updates handler, SSO, SCIM, and linker call sites to use the new repo and struct types. ChangesIdentity Provider Repository Migration
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@internal/scim/auth.go`:
- Line 59: The code stores a store.IdentityProvider into context but later
asserts it as db.IdentityProvidersProjection, causing the retrieval to fail;
update the type assertions where the context value is read (references around
the IdentityProvider storage and retrieval, e.g., the code that calls
GetBySlugForSCIM and the context get at lines noted) to use the
store.IdentityProvider type instead of db.IdentityProvidersProjection so the
authenticated provider is correctly read from context (ensure both the store
assignment and the subsequent assertions use the same store.IdentityProvider
type).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 4ed6254e-7c64-4fe8-a91e-2dc3f883ade6
📒 Files selected for processing (9)
internal/api/idp_handler.gointernal/api/sso_handler.gointernal/idp/linker.gointernal/idp/linker_test.gointernal/scim/auth.gointernal/store/identity_provider.gointernal/store/postgres/identity_provider.gointernal/store/postgres/wire.gointernal/store/repos.go
IdentityProviderRepo covers the read side of the identity-providers projection: Get / GetBySlug / GetBySlugForSCIM / List / Count / ListEnabled. All 17 handler/scim/idp-internal read sites migrated. ClientSecretEncrypted stays encrypted at the boundary; the handler decrypts via internal/crypto when initiating the OIDC dance. ScimTokenHash is surfaced because the SCIM auth handler validates incoming bearer tokens against this column. Field renames at the type boundary follow Go convention: IssuerUrl → IssuerURL, AuthorizationUrl → AuthorizationURL, etc. Propagated to all consumers including sso_handler's OIDC provider config and idpToProto. Call sites migrated (17): - internal/api/idp_handler.go (13) + idpToProto signature - internal/api/sso_handler.go (3) + URL field renames - internal/scim/auth.go (1) - internal/idp/linker.go — LinkOrCreate signature shifted to store.IdentityProvider (callers in api/sso updated accordingly) - internal/idp/linker_test.go — test fixtures use store.IdentityProvider Non-goals: - Write-side projector queries (Insert/Update/SetSCIMEnabled/ RotateSCIMToken) stay on Queries() per the established pattern; pure projector internals migrate in a later wave. - SCIM user/group mapping queries — separate SCIM-domain sub-wave. Closes #259.
aadbede to
0903950
Compare
The withAuth middleware now stores store.IdentityProvider in context but providerFromContext was still asserting db.IdentityProvidersProjection, so every authenticated SCIM request failed the type assertion and the handlers downstream returned 401. Swap the context cast and every downstream helper that takes the provider to use store.IdentityProvider. Field accesses (ID, Slug, Name, DefaultRoleID, AutoLinkByEmail, ScimTokenHash) are identical between the two types so no further site changes are needed.
Summary
`IdentityProviderRepo` — read side of the identity-providers projection. All 17 handler/scim/idp-internal read sites migrated.
Branches off main directly.
Methods
`Get`, `GetBySlug`, `GetBySlugForSCIM`, `List(filter)`, `Count`, `ListEnabled`.
`ClientSecretEncrypted` stays encrypted at the boundary — handler decrypts via `internal/crypto` when initiating the OIDC dance. `ScimTokenHash` surfaced because the SCIM auth handler validates incoming bearer tokens against this column.
Field renames follow Go convention: `IssuerUrl` → `IssuerURL` etc.
Call sites migrated (17)
Non-goals
Acceptance
Part of #242. Closes #259.
Summary by CodeRabbit