MasterMito
d1e80e39a7
Merge pull request 'fix: Add fallback values for Keycloak environment variables to fix Docker build' ( #7 ) from epic/admin_rework_second_try into main
...
CI Pipeline / Backend Build & Test (push) Successful in 51s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 30s
CI Pipeline / Infrastructure Validation (push) Successful in 3s
Reviewed-on: #7
2026-03-20 12:17:44 +01:00
28284d7edc
fix: Add fallback values for Keycloak environment variables to fix Docker build
...
CI Pipeline / Backend Build & Test (pull_request) Successful in 52s
CI Pipeline / Frontend Lint, Test & Build (pull_request) Successful in 35s
CI Pipeline / Infrastructure Validation (pull_request) Successful in 3s
The build was failing because KEYCLOAK_ISSUER and KEYCLOAK_CLIENT_ID
were undefined during the static generation phase. Added default values
that match the development configuration.
- Added fallback for KEYCLOAK_ISSUER
- Added fallback for KEYCLOAK_CLIENT_ID
2026-03-20 12:11:22 +01:00
MasterMito
66719d9787
Merge pull request 'Rework Admin UI' ( #6 ) from epic/admin_rework_second_try into main
...
CI Pipeline / Backend Build & Test (push) Successful in 49s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 32s
CI Pipeline / Infrastructure Validation (push) Successful in 3s
Reviewed-on: #6
2026-03-20 11:55:38 +01:00
MasterMito
984ab77137
Merge pull request 'Fix RLS permissions and JWT validation for admin club creation' ( #5 ) from fix/rls-permission-test-failure into epic/admin_rework_second_try
...
CI Pipeline / Backend Build & Test (pull_request) Successful in 53s
CI Pipeline / Frontend Lint, Test & Build (pull_request) Successful in 38s
CI Pipeline / Infrastructure Validation (pull_request) Successful in 3s
Reviewed-on: #5
2026-03-20 11:42:05 +01:00
0f036a2ef6
Fix test: Update GetClubsCurrent_NoTenantContext_ReturnsForbidden to reflect actual behavior
...
The test was expecting Forbidden when no tenant context is provided,
but the middleware actually returns BadRequest when X-Tenant-Id header
is missing. Updated the test and added GetClubsCurrent_InvalidTenant_ReturnsForbidden
to properly test the Forbidden case.
2026-03-20 11:36:52 +01:00
fdc1f415b7
Add test endpoint for middleware validation tests
2026-03-20 11:21:02 +01:00
13f9e7be7f
Fix JWT validation by configuring custom signing key resolver
...
- Added IssuerSigningKeyResolver to fetch JWKS directly from internal Keycloak URL
- This bypasses the localhost:8080 URLs in Keycloak's discovery document
- Ensures JWT tokens are validated against correct signing keys
2026-03-20 11:01:56 +01:00
87c315c6fd
Fix Keycloak hostname configuration for Docker internal communication
...
- Add MetadataAddress configuration to JWT middleware for internal Docker URLs
- Add KC_HOSTNAME_ADMIN and KC_SPI_HOSTNAME_DEFAULT_ADMIN to Keycloak env
- This ensures API can fetch JWKS from Keycloak via internal Docker network
- Tests passing: 63/63
2026-03-20 10:49:55 +01:00
26d7d83811
Fix middleware order - place Authentication before TenantValidation
...
The JWT middleware needs to fetch signing keys from Keycloak before
tenant validation runs. The previous order caused signature validation
to fail because the middleware was blocking the JWKS endpoint requests.
- Moved Authentication before TenantValidationMiddleware
- Removed realm endpoint from exemption list (not needed with correct order)
- This allows JWT middleware to fetch signing keys and validate tokens
2026-03-20 10:42:31 +01:00
4ba76288b5
Add JWT debugging and fix Keycloak networking
...
- Added JWT authentication event logging to diagnose validation failures
- Fixed docker-compose networking for API to reach Keycloak via hostname
- Debug endpoint now accessible without auth for troubleshooting
- Still investigating why claims are not populated despite token being present
2026-03-20 10:30:10 +01:00
97baf266a8
WIP: Fix Keycloak networking for API container
2026-03-20 10:15:50 +01:00
0f9a7aba5c
Make debug endpoint anonymous for troubleshooting
2026-03-20 09:56:24 +01:00
a3ca12da26
Add CORS configuration and exempt debug endpoint from tenant validation
...
- Add CORS policy to allow frontend requests from localhost:3000
- Exempt /api/debug endpoints from tenant validation
- Fix JSON parsing in realm_access claim checks
2026-03-20 09:42:16 +01:00
b52d75591b
Add debug endpoint to inspect JWT claims
2026-03-20 09:34:29 +01:00
bb373a6b8e
Fix admin authorization check - properly parse realm_access claim
...
The realm_access claim in JWT is a JSON object, not a simple string.
Previous string contains check was looking for escaped quotes in wrong format.
- Parse realm_access as JSON to extract roles array
- Check if 'admin' exists in roles array
- Fallback to string contains check if JSON parsing fails
- Applied fix in RequireGlobalAdmin policy, TenantValidationMiddleware,
and ClubRoleClaimsTransformation
Fixes: Admin users getting 401 when trying to create clubs
2026-03-19 22:13:40 +01:00
ade9444682
Fix RLS permission issue in integration tests
...
- Add BYPASSRLS privilege to app_admin role
- Grant full schema and table access to app_admin
- Allow rls_test_user to assume app_admin role
- Fixes: permission denied for table clubs (42501)
2026-03-19 21:40:38 +01:00
112b299b8e
WIP: AdminClubService DI fix and RLS-related changes
2026-03-19 21:36:06 +01:00
04641319ce
feat: Add global administrator role support with integration tests for admin-only club endpoints.
2026-03-18 15:11:42 +01:00
d295c9123e
feat: Configure Keycloak to use internal port 8081, explicitly define OIDC endpoints in NextAuth, and update API service Keycloak authority.
2026-03-18 14:47:57 +01:00
da70cf4b13
feat: Enrich DTOs and UI to display member names instead of UUIDs for task assignees, creators, and shift signups.
2026-03-18 14:15:33 +01:00
65fea5d48b
Introduced Openspec to project
2026-03-18 12:07:34 +01:00
MasterMito
3cf7c3a221
Merge pull request 'feat: restrict admin access to club operations and rollout test environment' ( #4 ) from epic/admin_rework_second_try into main
...
CI Pipeline / Backend Build & Test (push) Successful in 48s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 32s
CI Pipeline / Infrastructure Validation (push) Successful in 3s
Reviewed-on: #4
2026-03-18 09:16:58 +01:00
d30895c94a
fix: resolve frontend lint errors and cleanup types
CI Pipeline / Backend Build & Test (pull_request) Successful in 53s
CI Pipeline / Frontend Lint, Test & Build (pull_request) Successful in 36s
CI Pipeline / Infrastructure Validation (pull_request) Successful in 4s
2026-03-18 09:15:02 +01:00
821459966c
feat: restrict admin access to club operations and rollout test environment
CI Pipeline / Backend Build & Test (pull_request) Successful in 53s
CI Pipeline / Frontend Lint, Test & Build (pull_request) Failing after 16s
CI Pipeline / Infrastructure Validation (pull_request) Successful in 3s
2026-03-18 09:08:45 +01:00
9cb80e4517
fix(auth): restore keycloak sign-in for NodePort access
...
CI Pipeline / Backend Build & Test (push) Successful in 58s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 28s
CI Pipeline / Infrastructure Validation (push) Successful in 4s
Trust external host for Auth.js, provide missing frontend auth env/secrets, and submit a proper CSRF-backed sign-in POST so browser login reaches Keycloak reliably.
2026-03-13 06:52:18 +01:00
d4f09295be
feat(k8s): expose workclub services via LAN NodePorts
...
Expose frontend, API, and Keycloak on stable NodePorts and align app/keycloak external URLs for local-network browser access.
2026-03-13 06:33:50 +01:00
eaa163afa4
fix(k8s): stabilize keycloak rollout and align CD deploy manifests
...
Update Keycloak probe/realm import behavior and authority config so auth services start reliably on the dev cluster, while keeping CD deployment steps aligned with the actual Kubernetes overlay behavior.
2026-03-13 06:25:07 +01:00
7272358746
fix(k8s): extreme probe timeouts for RPi and final Keycloak 26 admin fix
CI Pipeline / Backend Build & Test (push) Successful in 51s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 28s
CI Pipeline / Infrastructure Validation (push) Successful in 3s
2026-03-10 22:22:36 +01:00
9b1ceb1fb4
fix(k8s): fix image names, keycloak 26 envs, and bump resource limits for RPi
CI Pipeline / Backend Build & Test (push) Successful in 52s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 42s
CI Pipeline / Infrastructure Validation (push) Successful in 5s
2026-03-10 22:16:31 +01:00
90ae752652
fix(k8s): enable keycloak health endpoints and increase probe delays
CI Pipeline / Backend Build & Test (push) Successful in 1m2s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 29s
CI Pipeline / Infrastructure Validation (push) Successful in 3s
2026-03-10 22:07:02 +01:00
3c41f0e40c
fix(k8s): use args instead of command for keycloak to allow default entrypoint
CI Pipeline / Backend Build & Test (push) Successful in 1m19s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 26s
CI Pipeline / Infrastructure Validation (push) Successful in 4s
2026-03-10 22:02:48 +01:00
fce8b28114
fix(cd): force delete postgres statefulset to allow storage changes
CI Pipeline / Backend Build & Test (push) Successful in 57s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 34s
CI Pipeline / Infrastructure Validation (push) Successful in 5s
2026-03-10 21:54:26 +01:00
b204f6aa32
fix(k8s): register secrets and postgres-patch in dev kustomization
CI Pipeline / Frontend Lint, Test & Build (push) Has been cancelled
CI Pipeline / Infrastructure Validation (push) Has been cancelled
CI Pipeline / Backend Build & Test (push) Has been cancelled
2026-03-10 21:42:31 +01:00
0a4d99b65b
fix(k8s): add dev secrets and use emptyDir for postgres on storage-less cluster
CI Pipeline / Frontend Lint, Test & Build (push) Has been cancelled
CI Pipeline / Infrastructure Validation (push) Has been cancelled
CI Pipeline / Backend Build & Test (push) Has been cancelled
2026-03-10 21:18:19 +01:00
c9841d6cfc
fix(cd): ensure workclub-dev namespace exists before deployment
CI Pipeline / Backend Build & Test (push) Successful in 59s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 26s
CI Pipeline / Infrastructure Validation (push) Successful in 4s
2026-03-10 20:40:29 +01:00
641a6d0af0
fix(cd): use dynamic KUBECONFIG path and enhanced context diagnostics
CI Pipeline / Frontend Lint, Test & Build (push) Has been cancelled
CI Pipeline / Infrastructure Validation (push) Has been cancelled
CI Pipeline / Backend Build & Test (push) Has been cancelled
2026-03-10 20:38:21 +01:00
b1c351e936
fix(cd): use printf for robust KUBECONFIG writing and add diagnostics
CI Pipeline / Frontend Lint, Test & Build (push) Has been cancelled
CI Pipeline / Infrastructure Validation (push) Has been cancelled
CI Pipeline / Backend Build & Test (push) Has been cancelled
2026-03-10 20:35:12 +01:00
df625f3b3a
Next try fixing the deployment pipeline
CI Pipeline / Frontend Lint, Test & Build (push) Has been cancelled
CI Pipeline / Infrastructure Validation (push) Has been cancelled
CI Pipeline / Backend Build & Test (push) Has been cancelled
2026-03-10 20:32:48 +01:00
b028c06636
Fix for Deployment, install kubectl
CI Pipeline / Frontend Lint, Test & Build (push) Has been cancelled
CI Pipeline / Infrastructure Validation (push) Has been cancelled
CI Pipeline / Backend Build & Test (push) Has been cancelled
2026-03-10 20:29:28 +01:00
9f4bea36fe
fix(cd): use robust manual kubectl setup to avoid base64 truncated input error
CI Pipeline / Backend Build & Test (push) Failing after 13s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 27s
CI Pipeline / Infrastructure Validation (push) Successful in 4s
2026-03-10 20:25:10 +01:00
c5b3fbe4cb
Added Kubernetes Cluster Deployment
CI Pipeline / Backend Build & Test (push) Failing after 55s
CI Pipeline / Frontend Lint, Test & Build (push) Failing after 33s
CI Pipeline / Infrastructure Validation (push) Successful in 9s
2026-03-10 19:58:55 +01:00
4f6d0ae6df
chore: remove old screenshot images
CI Pipeline / Backend Build & Test (push) Successful in 1m1s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 29s
CI Pipeline / Infrastructure Validation (push) Successful in 4s
2026-03-09 17:31:51 +01:00
MasterMito
c6981324d6
Merge pull request 'fix(backend): resolve shift signup by looking up Member via ExternalUserId' ( #3 ) from fix/shift-signup-external-user-lookup into main
...
CI Pipeline / Backend Build & Test (push) Successful in 49s
CI Pipeline / Frontend Lint, Test & Build (push) Successful in 28s
CI Pipeline / Infrastructure Validation (push) Successful in 5s
Reviewed-on: #3
2026-03-09 15:56:12 +01:00
e0790e9132
Fix TaskListItemDto missing title/status properties
CI Pipeline / Backend Build & Test (pull_request) Successful in 49s
CI Pipeline / Frontend Lint, Test & Build (pull_request) Successful in 30s
CI Pipeline / Infrastructure Validation (pull_request) Successful in 3s
2026-03-09 15:53:38 +01:00
672dec5f21
Fix task and shift self-assignment features
CI Pipeline / Backend Build & Test (pull_request) Successful in 48s
CI Pipeline / Frontend Lint, Test & Build (pull_request) Failing after 28s
CI Pipeline / Infrastructure Validation (pull_request) Successful in 4s
2026-03-09 15:47:57 +01:00
271b3c189c
chore: commit sisyphus evidence and CI/CD artifacts
CI Pipeline / Backend Build & Test (pull_request) Failing after 49s
CI Pipeline / Frontend Lint, Test & Build (pull_request) Successful in 28s
CI Pipeline / Infrastructure Validation (pull_request) Successful in 4s
2026-03-09 15:05:55 +01:00
867dc717cc
fix(shifts): expose ExternalUserId in ShiftSignupDto to fix frontend signup state
CI Pipeline / Backend Build & Test (pull_request) Failing after 49s
CI Pipeline / Frontend Lint, Test & Build (pull_request) Successful in 29s
CI Pipeline / Infrastructure Validation (pull_request) Successful in 3s
2026-03-09 14:46:35 +01:00
6119506bd3
fix(frontend): remove invalid json parsing on shift signup
...
CI Pipeline / Backend Build & Test (pull_request) Successful in 53s
CI Pipeline / Frontend Lint, Test & Build (pull_request) Successful in 27s
CI Pipeline / Infrastructure Validation (pull_request) Successful in 3s
- Backend `/signup` endpoint returns 200 OK with an empty body (`TypedResults.Ok()`), causing `res.json()` to throw 'Unexpected end of JSON input'. Removed the `res.json()` return.
- Added Suspense boundary in login page to fix `useSearchParams` build error.
2026-03-09 14:25:12 +01:00
1322def2ea
fix(auth): resolve Keycloak OIDC issuer mismatch and API proxy routing
...
CI Pipeline / Backend Build & Test (pull_request) Successful in 49s
CI Pipeline / Frontend Lint, Test & Build (pull_request) Failing after 26s
CI Pipeline / Infrastructure Validation (pull_request) Successful in 4s
- Bypass NextAuth OIDC discovery with explicit token/userinfo endpoints using internal Docker DNS, avoiding 'issuer string did not match' errors.
- Fix next.config.ts API route interception that incorrectly forwarded NextAuth routes to backend by using 'fallback' rewrites.
- Add 'Use different credentials' button to login page and AuthGuard for clearing stale sessions.
2026-03-09 14:21:03 +01:00
a8730245b2
fix(backend): resolve shift signup by looking up Member via ExternalUserId
...
CI Pipeline / Backend Build & Test (pull_request) Successful in 52s
CI Pipeline / Frontend Lint, Test & Build (pull_request) Successful in 29s
CI Pipeline / Infrastructure Validation (pull_request) Successful in 5s
The signup/cancel endpoints were passing the Keycloak sub claim (external UUID)
directly as MemberId, but ShiftSignup.MemberId references the internal Member.Id.
Now ShiftService resolves ExternalUserId to the internal Member.Id before creating
the signup record. Integration tests updated to seed proper Member entities.
2026-03-09 13:24:50 +01:00
MasterMito
WorkClub Automation