From 8069fce9e31f22f3921752343d208ff5055de8a5 Mon Sep 17 00:00:00 2001
From: Serreau Jovann
Date: Fri, 10 Apr 2026 11:59:06 +0200
Subject: [PATCH] Rename ecosplay client, fix redirect URIs, set admin user real name

- Rename OIDC client ecosplay-web -> ecosplay_web in the realm import JSON. The client is used by the internal e-cosplay site for OAuth.
- Replace wildcard redirect URIs with the two exact callbacks: https://www.e-cosplay.fr/oauth/keycloak and https://cos.local/oauth/keycloak. webOrigins and post-logout URIs follow the same hosts.
- Add helpers to sync.sh (client_internal_id, rename_client, set_client_uris) and a reconciliation step that renames any legacy ecosplay-web -> ecosplay_web and idempotently re-applies the URIs on every run, so live installs are migrated automatically.
- Set the bootstrap admin user's real first/last name (jovann Serreau) in both the env vars and the realm import JSON.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker-compose.yml | 4 ++--
 init/sync.sh | 40 ++++++++++++++++++++++++++++++++++++++
 realms/ecosplay-realm.json | 16 +++++++--------
 3 files changed, 50 insertions(+), 10 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 5a42127..3ab6c08 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -71,8 +71,8 @@ services:
 ECOSPLAY_GROUPS: "gp_asso gp_contest gp_mail gp_mailling gp_member gp_ndd gp_sign gp_ticket super_admin_asso superadmin"
 ADMIN_USER_USERNAME: jovann@siteconseil.fr
 ADMIN_USER_PASSWORD: Shoko1997@
- ADMIN_USER_FIRSTNAME: Jovann
- ADMIN_USER_LASTNAME: SiteConseil
+ ADMIN_USER_FIRSTNAME: jovann
+ ADMIN_USER_LASTNAME: Serreau
 volumes:
 - ./init/sync.sh:/opt/init/sync.sh:ro
 entrypoint: ["/bin/bash", "/opt/init/sync.sh"]
diff --git a/init/sync.sh b/init/sync.sh
index c435966..5ed804e 100755
--- a/init/sync.sh
+++ b/init/sync.sh
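Review bot: The bootstrap admin password `Shoko1997@` sits in plaintext two lines above the renamed entries, so every clone of this repository, and its history even after a later edit, carries a realm-admin credential; the hunk edits the neighbouring env vars but leaves it in place. Move it out of the compose file, e.g. `ADMIN_USER_PASSWORD: ${ADMIN_USER_PASSWORD:?set in .env}` with the value in an untracked `.env` or a Docker secret, and rotate the current value since it is already committed. The realm import JSON below has a `credentials` block for the same user that presumably carries a copy — verify it is handled the same way. The `environment:` map this hunk edits starts before the hunk.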
@@ -112,6 +112,38 @@ ensure_user_client_role() {
 info " $2 -> client role $3/$4 ($1)"
 }
 
+client_internal_id() {
+ # $1=realm $2=clientId
+ $KC get clients -r "$1" -q clientId="$2" --fields id 2>/dev/null \
+ | sed -n 's/.*"id"[ ]*:[ ]*"\([^"]*\)".*/\1/p' \
+ | head -n1
+}
+
+rename_client() {
+ # $1=realm $2=oldClientId $3=newClientId
+ local cid
+ cid=$(client_internal_id "$1" "$2")
+ if [ -n "$cid" ]; then
+ $KC update "clients/$cid" -r "$1" -s "clientId=$3" >/dev/null
+ info " renamed client $2 -> $3 ($1)"
+ fi
+}
+
+set_client_uris() {
+ # $1=realm $2=clientId $3=redirectUris(json) $4=webOrigins(json) $5=postLogoutUris(##-separated)
+ local cid
+ cid=$(client_internal_id "$1" "$2")
+ if [ -z "$cid" ]; then
+ warn "client $2 not found in $1, skipping URI sync"
+ return
+ fi
+ $KC update "clients/$cid" -r "$1" \
+ -s "redirectUris=$3" \
+ -s "webOrigins=$4" \
+ -s "attributes.\"post.logout.redirect.uris\"=$5" >/dev/null
+ info " client $2 URIs synced ($1)"
+}
+
 # =============================================================
 # Master realm: SMTP, theme, locale
 # =============================================================
@@ -153,6 +185,14 @@ if realm_exists ecosplay; then
 ensure_user_client_role ecosplay "$ADMIN_USER_USERNAME" realm-management realm-admin
 ensure_user_in_group ecosplay "$ADMIN_USER_USERNAME" super_admin_asso
 ensure_user_in_group ecosplay "$ADMIN_USER_USERNAME" superadmin
+
+ log "Reconciling ecosplay_web client"
+ # Legacy rename: dash -> underscore (if migrated from older import)
+ rename_client ecosplay ecosplay-web ecosplay_web
+ set_client_uris ecosplay ecosplay_web \
+ '["https://www.e-cosplay.fr/oauth/keycloak","https://cos.local/oauth/keycloak"]' \
+ '["https://www.e-cosplay.fr","https://cos.local"]' \
+ 'https://www.e-cosplay.fr/*##https://cos.local/*'
 else
 warn "ecosplay realm not found — will be imported on next boot"
 fi
diff --git a/realms/ecosplay-realm.json b/realms/ecosplay-realm.json
index 51608db..0e207c2 100644
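Review bot: `set_client_uris` cannot distinguish "client not found" from "kcadm failed", because `client_internal_id` sends stderr to `/dev/null` and an empty result is treated as absence; an expired admin token or an unreachable Keycloak therefore prints the "not found, skipping" warning and leaves the legacy wildcard redirect URIs in place, which is precisely the state this step exists to remove. `rename_client` has the same blind spot: `$KC update ... >/dev/null` is followed by an unconditional `info " renamed client ..."`, so a 409 (the new clientId already exists) is logged as success. Whether `set -e` is active at the top of sync.sh is outside the hunk; either way the kcadm exit status should be checked and a failed update should fail loudly, along these lines:

```shell
client_internal_id() {
  # $1=realm $2=clientId — prints the internal id (empty if no such client); non-zero if kcadm itself fails
  local out
  out=$($KC get clients -r "$1" -q clientId="$2" --fields id) || return 1
  printf '%s\n' "$out" | sed -n 's/.*"id"[ ]*:[ ]*"\([^"]*\)".*/\1/p' | head -n1
}

rename_client() {
  # … unchanged: argument comment, cid lookup …
  if [ -n "$cid" ]; then
    if $KC update "clients/$cid" -r "$1" -s "clientId=$3" >/dev/null; then
      info " renamed client $2 -> $3 ($1)"
    else
      warn "failed to rename client $2 -> $3 ($1)"
      return 1
    fi
  fi
}

set_client_uris() {
  local cid
  cid=$(client_internal_id "$1" "$2") || { warn "lookup of client $2 in $1 failed"; return 1; }
  # … unchanged: empty-cid warn/return …
  if ! $KC update "clients/$cid" -r "$1" \
    -s "redirectUris=$3" \
    -s "webOrigins=$4" \
    -s "attributes.\"post.logout.redirect.uris\"=$5" >/dev/null; then
    warn "URI sync failed for client $2 ($1) — legacy redirect URIs may still be in effect"
    return 1
  fi
  info " client $2 URIs synced ($1)"
}
```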
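Review bot: The reconcile step registers `https://cos.local` as a redirect URI, CORS origin and post-logout target on the `ecosplay` realm unconditionally, so a production install trusts a `.local` name that is resolved by mDNS on whatever LAN the user's browser happens to be on, and because Keycloak uses `webOrigins` as the CORS allow-list for its token and account endpoints that origin also gets cross-origin access. PKCE S256 and the confidential client (both visible in the realm JSON) limit what a leaked authorization code is worth, but a dev hostname does not belong in the production allow-list. Gate the dev entries behind an environment variable, e.g. only append the `cos.local` URIs when `ECOSPLAY_DEV_HOST` is set, so the default run applies just `https://www.e-cosplay.fr/oauth/keycloak`. The same three literals are duplicated in `realms/ecosplay-realm.json`; since this step is meant to win on every run, consider deriving both from one variable so they cannot drift. `log` is not defined in the hunk while the surrounding code uses `info`/`warn` — confirm it exists earlier in the file.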
--- a/realms/ecosplay-realm.json
+++ b/realms/ecosplay-realm.json
@@ -71,8 +71,8 @@
 {
 "username": "jovann@siteconseil.fr",
 "email": "jovann@siteconseil.fr",
- "firstName": "Jovann",
- "lastName": "SiteConseil",
+ "firstName": "jovann",
+ "lastName": "Serreau",
 "enabled": true,
 "emailVerified": true,
 "credentials": [
@@ -92,19 +92,19 @@
 
 "clients": [
 {
- "clientId": "ecosplay-web",
+ "clientId": "ecosplay_web",
 "name": "E-Cosplay Web",
- "description": "Application web principale e-cosplay.fr",
+ "description": "Application web principale e-cosplay.fr (login site interne)",
 "enabled": true,
 "publicClient": false,
 "secret": "change-me-in-admin-console",
 "redirectUris": [
- "https://www.e-cosplay.fr/*",
- "https://e-cosplay.fr/*"
+ "https://www.e-cosplay.fr/oauth/keycloak",
+ "https://cos.local/oauth/keycloak"
 ],
 "webOrigins": [
 "https://www.e-cosplay.fr",
- "https://e-cosplay.fr"
+ "https://cos.local"
 ],
 "protocol": "openid-connect",
 "standardFlowEnabled": true,
@@ -113,7 +113,7 @@
 "serviceAccountsEnabled": false,
 "frontchannelLogout": true,
 "attributes": {
- "post.logout.redirect.uris": "https://www.e-cosplay.fr/*##https://e-cosplay.fr/*",
+ "post.logout.redirect.uris": "https://www.e-cosplay.fr/*##https://cos.local/*",
 "pkce.code.challenge.method": "S256"
 }
 }
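Review bot: The confidential client is imported with `"secret": "change-me-in-admin-console"`, a fixed and public placeholder, and nothing in this commit's reconcile step rotates it, so any install that skips the manual console step runs an OIDC client whose secret is in the repository. Since `init/sync.sh` now owns this client, have it regenerate the secret on first run (`$KC create clients/$cid/client-secret -r ecosplay`) or set it from an environment variable the web site reads as well, and drop the literal from the import. The `cos.local` entries in `redirectUris` and `webOrigins` put a dev hostname into the production import, mirroring the same concern on the script side. The `clients` array continues past the hunk.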
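Review bot: The commit message says the wildcard URIs were replaced with exact callbacks, but `post.logout.redirect.uris` keeps `/*` for both hosts, so any path under those hosts is accepted as `post_logout_redirect_uri`; that is a path-level open redirect after logout rather than a code leak, but it is cheap to close. Pin it to the real landing page, e.g. `"post.logout.redirect.uris": "https://www.e-cosplay.fr/##https://cos.local/"`, and change the fifth argument of `set_client_uris` in `init/sync.sh` to match, since that call overwrites this value on every run. If the site sends users to a specific route after logout, use that path instead of `/`.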