
Refactor Admin Initialization and Add OIDC Group Mapping #169

@bigtcze

Description


Summary

Refactor the application startup logic to respect the OIDC_ONLY mode regarding admin creation and implement Role-Based Access Control (RBAC) mapping from OIDC groups.

Current Behavior

  1. The system creates a local admin user (with a generated password if not provided) during startup in backend/src/db/index.js, even if OIDC_ONLY=true.
  2. There is no mechanism to map OIDC groups/claims to the internal admin role.

Proposed Changes

1. Disable Local Admin in OIDC Mode

Modify backend/src/db/index.js:

  • In initializeAdminUser(), add a check for process.env.OIDC_ONLY.
  • If OIDC_ONLY is true, skip the creation of the local admin user entirely.

2. Implement OIDC Group Mapping

Modify backend/src/routes/auth.js:

  • Introduce a new environment variable: OIDC_ADMIN_GROUP (e.g., noteer-admins).
  • In the OIDC callback handler:
    • Extract the groups/roles claim from the TokenSet or UserInfo (typically groups, roles, or memberOf).
    • If OIDC_ADMIN_GROUP is defined and the user's claims contain this group, set the user's role to admin in the database.
    • Ensure this works for both new user creation and existing user updates (syncing permissions on login).
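As an added example, not the project's own code, the sketch below shows the OIDC_ONLY startup guard and the claim-to-role mapping described above in JavaScript; the function names, the in-memory Map standing in for the users table, and the sample claims in the comments are assumptions.

```javascript
// Added example, not the project's own code; all function names are hypothetical.

// Claim names the callback inspects, as listed in the proposal.
const GROUP_CLAIMS = ['groups', 'roles', 'memberOf'];

// Normalise one claim to a list of strings. Arrays are taken as-is; a single
// string stays one value (memberOf DNs contain commas, so no splitting).
function claimValues(value) {
  if (value == null) return [];
  if (Array.isArray(value)) return value.map(String);
  return [String(value)];
}

// Union of group-like claims from the ID token and the UserInfo response.
function collectGroups(tokenClaims = {}, userInfo = {}) {
  const groups = new Set();
  for (const source of [tokenClaims, userInfo]) {
    for (const name of GROUP_CLAIMS) {
      for (const g of claimValues(source[name])) groups.add(g);
    }
  }
  return groups;
}

// 'admin' only when OIDC_ADMIN_GROUP is set and a group matches it exactly
// (exact match, never substring, so 'admins' does not match 'noteer-admins').
function resolveRoleFromClaims(tokenClaims, userInfo, adminGroup) {
  if (!adminGroup) return 'user';
  return collectGroups(tokenClaims, userInfo).has(adminGroup) ? 'admin' : 'user';
}

// Startup guard for initializeAdminUser(): no local admin when OIDC_ONLY=true.
function shouldCreateLocalAdmin(env) {
  return String(env.OIDC_ONLY || '').trim().toLowerCase() !== 'true';
}

// Stand-in for the users table (a Map keyed by OIDC subject). The role is
// rewritten on every login, so removal from the group demotes the user next time.
function upsertOidcUser(users, sub, role) {
  const existing = users.get(sub);
  if (existing) {
    existing.role = role;
    return existing;
  }
  const created = { sub, role };
  users.set(sub, created);
  return created;
}
```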

Complexity

4/10

  • Requires modification of the DB initialization logic.
  • Requires parsing OIDC claims and updating the user upsert logic.
  • Testing requires mocking OIDC responses with specific group claims.

Technical Details

  • Files to touch: backend/src/db/index.js, backend/src/routes/auth.js.
  • Env Vars: Add OIDC_ADMIN_GROUP.
