feat(portal): real OCIS storage data via refresh-token service auth
The Storage page + endpoint landed earlier but had no working OCIS backend credential. OCIS has no service-account/client-credentials grant and trusts a single issuer, and basic auth resolves no user in our external-IdP setup — so authenticate OcisClient via an OIDC refresh-token bootstrap instead:

- One-time headless login of svc-platform-api against the ocis provider (public client ocis-web, issuer .../o/ocis/) yields a refresh token, persisted in Mongo (ocis_credentials) and rotated on every use.
- OcisClient mints access tokens with the refresh_token grant; the service user holds the OCIS admin role (OCIS_ADMIN_USER_ID) so libregraph ListAllDrives works.
- scripts/bootstrap-ocis.mjs re-runs the bootstrap if the token lapses.
- Dashboard Plan card gains a storage capacity bar beside seats; hidden when storage is unavailable.
- compose + .env.example: OCIS service OIDC env and admin user id.
- docs/NEXT-STEPS: document the mechanism and the dead-end alternatives.
@@ -58,6 +58,11 @@ OCIS_ADMIN_PASSWORD=changeme_use_openssl_rand
# (required to list all drives). See docs/NEXT-STEPS.md.
OCIS_SVC_USERNAME=svc-platform-api
OCIS_SVC_PASSWORD=changeme_use_openssl_rand
# OCIS account UUID of the service user, used to grant it the OCIS admin role at
# startup (required for libregraph ListAllDrives). Populate after the OCIS
# bootstrap autoprovisions the account (see docs/NEXT-STEPS.md). Leave empty
# until then.
OCIS_ADMIN_USER_ID=
# ────────────────────────────────────────
# Collabora
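Review bot: the four comment lines added above `OCIS_ADMIN_USER_ID=` say the admin role is granted at startup and to "Leave empty until then", but not what startup does while the value is empty; state whether the role grant is skipped and the Storage page degrades, or whether startup fails, so an operator following the comment knows what to expect. Since this role makes the svc-platform-api account an OCIS admin and, per the commit message, its refresh token is persisted in Mongo and rotated, it is also worth one more comment line noting that `OCIS_SVC_USERNAME` / `OCIS_SVC_PASSWORD` are then admin-equivalent credentials and must be generated per environment rather than left at `changeme_use_openssl_rand`.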