kawa/SharepointToolbox-Web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
50 Commits 1 Branch 0 Tags
f6a36f3bd9e8406efb9ac0778a641c34f2910f55
Commit Graph

4 Commits

Author SHA1 Message Date
kawa f6a36f3bd9 Use SDK 10.0.203 (10.0.204 has no MCR image) 
The previous pin (sdk:10.0.204) doesn't exist on MCR — only the installer
SDK uses that patch. MCR publishes band-2 images up to 10.0.203. Band 2
publishes blazor.web.js correctly (verified locally on 10.0.204), so pin
to the newest available 2xx image, 10.0.203.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-11 10:37:04 +02:00
kawa c41abc0ea5 Pin build SDK to 10.0.204 to restore blazor.web.js 
SDK 10.0.300 published a static-assets endpoints manifest without
blazor.web.js, so MapStaticAssets returned 404 for the Blazor boot script
in production. With no boot script the interactive circuit never starts
and every page renders static — buttons and dropdowns (e.g. user role
changes) do nothing. SDK 10.0.204 is verified to publish blazor.web.js
(physical file + manifest entry) against the 10.0.8 runtime.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-11 10:34:06 +02:00
kawa ebda614aaa Fix prod auth: persist DataProtection keys; redirect unauth to login 
Two deployment-breaking issues caused 404s on protected pages after a
container recreate:

1. DataProtection keys were stored in the container's ephemeral home dir.
   Every redeploy regenerated them, invalidating all auth cookies (users
   silently logged out) and — worse — making the app-only certs encrypted
   under /data/appcerts undecryptable. Persist keys to /data/dpkeys with a
   stable application name so they survive recreates.

2. DefaultChallengeScheme was OpenIdConnect, so a logged-out request to any
   [Authorize] Blazor page forced an OIDC challenge. When OIDC is
   unconfigured/unreachable the challenge throws and the request 404s, with
   no path to the login page. Challenge the cookie scheme instead, which
   redirects to /account/login (the combined local + Microsoft page). OIDC
   is still triggered explicitly from /account/login/entra.

Also harden the container image:
- Pin base images to exact patch (sdk:10.0.300, aspnet:10.0.8). Floating
  :10.0 tags drift; a stale/pre-GA SDK base silently drops blazor.web.js
  from the publish manifest, 404ing framework assets in production.
- Install curl and switch the compose healthcheck to it (the aspnet image
  ships no wget/curl, so the old healthcheck always reported unhealthy).
  Probe /account/login (anonymous, 200) since / now 302-redirects.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-09 14:34:58 +02:00
kawa d19092c84e Initial commit 2026-06-02 10:56:03 +02:00