
fix(oidc): report provider initialization status to prevent auto-redirect failure#1475

Open
wucm667 wants to merge 3 commits into
sysadminsmedia:mainfrom
wucm667:fix/oidc-provider-not-available

Conversation

@wucm667

@wucm667 wucm667 commented May 1, 2026

What type of PR is this?

  • bug

What this PR does / why we need it:

When the OIDC issuer (e.g. Authentik) is not reachable at startup, the provider initialization fails silently and ctrl.oidcProvider remains nil. However, the status endpoint still reports oidc.enabled=true, causing the frontend to auto-redirect to a broken /api/v1/users/login/oidc endpoint which returns HTTP 500 "OIDC provider not available".

Changes:

  • Add Initialized field to OIDCStatus struct that reflects whether the provider was actually created (ctrl.oidcProvider != nil)
  • Frontend auto-redirect now checks status?.oidc?.initialized before redirecting
  • OIDC login button is only shown when provider is initialized

Which issue(s) this PR fixes:

Fixes #1471

Special notes for your reviewer:

The fix is minimal and targeted — only 3 files changed with 5 insertions and 2 deletions. No behavioral change when OIDC initializes successfully.

Testing

Verified that:

  • When OIDC provider initializes successfully, initialized is true and auto-redirect works as before
  • When OIDC provider fails to initialize, initialized is false, preventing auto-redirect to a broken endpoint
  • The OIDC login button is hidden when provider is not initialized

Summary by CodeRabbit

  • New Features

    • OIDC sign-in button and automatic redirect now only activate once the authentication provider is fully initialized.
    • Status API now includes an explicit "initialized" flag for the OIDC provider so UI and integrations can detect readiness.
  • Chores

    • CI lint workflow now provisions Node.js LTS before installing dependencies and running checks.
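To make the gate concrete, here is an added Go sketch (not the project's code) of the two halves this fix relies on: a status payload whose initialized flag is derived from the provider pointer at request time, and a login handler that refuses to start the flow when that pointer is nil, so the frontend check stays defense in depth rather than the only guard. OIDCProvider, the Controller field names and the 503 response are assumptions for the example; the real endpoint returns 500 as described above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// OIDCProvider stands in for the project's provider type (assumed; not on the page).
type OIDCProvider struct{ Issuer string }

// OIDCStatus mirrors the PR's payload: Enabled comes from config, Initialized from the provider pointer.
type OIDCStatus struct {
	Enabled      bool `json:"enabled"`
	AutoRedirect bool `json:"autoRedirect"`
	Initialized  bool `json:"initialized"`
}

// Controller keeps the provider pointer, which stays nil when the issuer was unreachable at startup.
type Controller struct {
	oidcEnabled, oidcAutoRedirect bool
	oidcProvider                  *OIDCProvider
}

// Status computes readiness at request time rather than caching a startup result.
func (c *Controller) Status() OIDCStatus {
	return OIDCStatus{Enabled: c.oidcEnabled, AutoRedirect: c.oidcAutoRedirect,
		Initialized: c.oidcProvider != nil}
}

// LoginHandler is the enforcement point: it refuses to start the flow when the provider is missing, whatever the UI decided (503 chosen here; the real endpoint returns 500).
func (c *Controller) LoginHandler(w http.ResponseWriter, r *http.Request) {
	if c.oidcProvider == nil {
		http.Error(w, "OIDC provider not available", http.StatusServiceUnavailable)
		return
	}
	http.Redirect(w, r, c.oidcProvider.Issuer+"/authorize", http.StatusFound)
}

// LoginStatusFor drives LoginHandler in-process and returns the HTTP status code it produced.
func LoginStatusFor(c *Controller) int {
	rec := httptest.NewRecorder()
	c.LoginHandler(rec, httptest.NewRequest(http.MethodGet, "/api/v1/users/login/oidc", nil))
	return rec.Code
}

func main() {
	down := &Controller{oidcEnabled: true, oidcAutoRedirect: true} // constructed: issuer unreachable
	fmt.Printf("%+v -> login HTTP %d\n", down.Status(), LoginStatusFor(down))
}
```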

@coderabbitai
Contributor

coderabbitai Bot commented May 1, 2026

Walkthrough

Adds an initialized boolean to the backend OIDC status and requires it in frontend checks to prevent OIDC auto-redirects and hide the OIDC sign-in button when the server-side OIDC provider is not initialized.

Changes

  • Backend Status Response (backend/app/api/handlers/v1/controller.go): Added Initialized bool (json:"initialized") to OIDCStatus; the value is computed from ctrl.oidcProvider != nil at request time.
  • Frontend Type Definitions (frontend/lib/api/types/data-contracts.ts): Extended the OIDCStatus interface with initialized: boolean to match the backend contract.
  • Frontend UI Logic (frontend/pages/index.vue): Updated runtime conditionals to require status.oidc.initialized (in addition to enabled/autoRedirect) before performing the auto-redirect and before rendering the "Sign in with OIDC" button.
  • CI Workflow (.github/workflows/partial-frontend.yaml): Added Node.js setup (actions/setup-node with node-version: lts/*) to the lint job prior to the pnpm install / lint / typecheck steps.

Sequence Diagram(s)

sequenceDiagram
    participant User as User
    participant Frontend as Frontend (Browser)
    participant Backend as Backend (API)
    participant OIDC as OIDC Provider

    User->>Frontend: Open page
    Frontend->>Backend: GET /v1/status
    Backend->>Backend: check ctrl.oidcProvider != nil
    Backend-->>Frontend: respond with status.oidc { enabled, autoRedirect, initialized, ... }
    alt initialized && enabled && autoRedirect && no oidcError
        Frontend->>User: perform OIDC redirect to provider
        User->>OIDC: OIDC auth flow
    else not initialized or other block
        Frontend->>User: show local UI (hide/disable OIDC button)
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Security Recommendations

  • Treat initialized as authoritative server state; do not allow client-side overrides.
  • Log backend OIDC initialization state and failures (with timestamps and context) for diagnostics.
  • Add backoff/rate-limiting for frontend auto-redirect attempts to prevent redirect storms when provider is repeatedly uninitialized.
  • Avoid logging or exposing sensitive OIDC data (client secrets, tokens, internal endpoints) in errors or responses.

Poem

🌤️ A little flag now guards the gate,
If OIDC sleeps, we patiently wait.
No sudden redirect, no puzzled frown,
The sign-in button stays tucked down,
Users greeted calmly, no chaos around.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

  • Title check: Passed. The title clearly and specifically describes the main change: adding OIDC initialization status reporting to prevent auto-redirect failures.
  • Description check: Passed. The description includes all required sections: PR type (bug), what it does with file-level changes, the issue it fixes (#1471), and testing verification.
  • Linked Issues check: Passed. The code changes fully address the objectives from #1471: preventing auto-redirect when the OIDC provider is uninitialized, hiding the OIDC button, and handling unreachable issuers gracefully.
  • Out of Scope Changes check: Passed. All changes are directly related to the OIDC initialization fix. The Node.js setup addition in the workflow is a supporting change required for the frontend build process.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


…rect failure

When the OIDC issuer (e.g. Authentik) is not reachable at startup, the
provider initialization fails silently and ctrl.oidcProvider remains nil.
However, the status endpoint still reports oidc.enabled=true, causing the
frontend to auto-redirect to a broken /api/v1/users/login/oidc endpoint
which returns HTTP 500 "OIDC provider not available".

Add an "initialized" field to OIDCStatus that reflects whether the provider
was actually created successfully. The frontend now checks this field before
auto-redirecting or showing the OIDC login button.

Fixes sysadminsmedia#1471

Signed-off-by: wucm667 <stevenwucongmin@gmail.com>
@wucm667 wucm667 force-pushed the fix/oidc-provider-not-available branch from a012b1d to d540412 Compare May 1, 2026 04:03
@wucm667
Author

wucm667 commented May 1, 2026

Fixed a prettier formatting warning on line 76. Lint now passes on our modified files.

Note: The remaining CI warnings (unused vars in location pages, tailwind issues) are pre-existing on main and not introduced by this PR.

Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
frontend/lib/api/types/data-contracts.ts (1)

1216-1222: OIDCStatus.initialized addition looks correct and well-scoped.

This contract update matches the backend status payload change and enables safer frontend gating of OIDC redirect/login UI.
Security recommendation: keep backend availability checks on /users/login/oidc as the enforcement point; UI checks should stay defense-in-depth only.

As per coding guidelines, "Never edit generated types in lib/api/types/ - run task generate after backend API changes".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@frontend/lib/api/types/data-contracts.ts` around lines 1216 - 1222, You
manually edited the generated OIDCStatus interface (symbol OIDCStatus) in
frontend/lib/api/types/data-contracts.ts; revert this edit and instead
regenerate the types so the change comes from the API spec: undo the manual
change to OIDCStatus, run the repository codegen task (run "task generate" or
the project's equivalent) to produce updated types, verify the generated
OIDCStatus includes initialized, and commit the regenerated file rather than
editing lib/api/types by hand.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 91d372d2-bb19-481d-8efa-34f11a9cf47f

📥 Commits

Reviewing files that changed from the base of the PR and between a012b1d and d540412.

📒 Files selected for processing (3)
  • backend/app/api/handlers/v1/controller.go
  • frontend/lib/api/types/data-contracts.ts
  • frontend/pages/index.vue
🚧 Files skipped from review as they are similar to previous changes (2)
  • backend/app/api/handlers/v1/controller.go
  • frontend/pages/index.vue

wucm667 and others added 2 commits May 1, 2026 13:08
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/partial-frontend.yaml (1)

22-24: Pin Node to a stable major version (e.g., 24) instead of lts/* for better reproducibility and security.

The lts/* specifier rolls to a new major version annually, risking unexpected CI failures and dependency-resolution drift. Pinning to a stable major—such as Node 24, already used in copilot-setup-steps.yml—ensures consistent runtime behavior across builds and strengthens the supply chain.

Other workflows in this repository (upgrade-test.yaml, e2e-partial.yaml) use the same lts/* pattern and would also benefit from pinning.

Suggested change
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
-        with:
-          node-version: lts/*
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: "24"
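Review bot: `node-version: "24"` narrows the drift but still floats across every 24.x release at each run, so it does not by itself deliver the reproducibility the comment promises, and the author's later note says the lint job currently runs on Node 22 under `lts/*`, so this suggestion also changes the runtime the PR was actually tested against. If the aim is for CI to match what developers run, `node-version-file` pointing at the repository's own version file (`.nvmrc` or `package.json` engines) keeps the two in lockstep with one source of truth; the `@49933ea...` commit pin on the action itself is already the supply-chain control that matters most here and should stay.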
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/partial-frontend.yaml around lines 22 - 24, Replace the
floating node-version specifier with a pinned major version: change the
actions/setup-node step
(actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020) to use
node-version: "24" (or "24.x") instead of "lts/*" to ensure reproducible builds;
apply the same change to other workflows that use lts/* (e.g.,
upgrade-test.yaml, e2e-partial.yaml) so all CI jobs target the same Node 24
major runtime.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 6c55c758-1616-445b-8928-7a157fc7eded

📥 Commits

Reviewing files that changed from the base of the PR and between f07088d and 42e7314.

📒 Files selected for processing (1)
  • .github/workflows/partial-frontend.yaml

@wucm667
Author

wucm667 commented May 1, 2026

The Lint CI is now running with Node.js 22 LTS (the setup-node fix worked), but it's still failing due to 26 pre-existing lint issues on main:

  • 10 errors: unused vars, duplicate imports, import ordering in components/Location/CreateModal.vue, pages/collection/index/entity-types.vue, pages/location/[id]/index.vue, etc.
  • 16 warnings: prettier formatting, tailwind class ordering

None of these are from this PR's changes. The modified files (index.vue, data-contracts.ts, controller.go) pass lint cleanly.

The --max-warnings 1 threshold is being exceeded by main's existing issues. This appears to be a recent regression on main (possibly from dependency updates or new eslint rules).

Development

Successfully merging this pull request may close these issues.

OIDC provider not available

1 participant