# Haumdaucher User Creation

This Google Apps Script automatically provisions local Google Firebase accounts (Email/Password) based on the target emails defined in the Haumdaucher Google Sheet.

It is designed to run silently and declaratively alongside the `mail_forwarding` module.

## Architecture

- **Environment**: Google Apps Script (Standalone).
- **Authentication**: Native Google Cloud Platform (GCP) linking. The script authenticates via `ScriptApp.getOAuthToken()` using the underlying GCP project's identity, avoiding hardcoded API keys.
- **API**: Google Identity Toolkit REST API (`accounts:query`, `accounts`, `accounts:update`, `accounts:sendOobCode`).
- **Triggers**: `onFormSubmit` (for real-time form entries) and `onChange` (for manual sheet edits).

## Declarative Logic

The script compares the desired state (emails in the Sheet) with the current state (users in Firebase Auth):

- **Create**: User in sheet but not in Firebase -> Creates an account with a secure random password.
- **Disable**: User in Firebase but not in sheet -> Soft deletes the account (`disableUser: true`).
- **Re-Enable**: User in sheet and Firebase but disabled -> Re-enables the account.
- **Ignore**: User matches both states and is active -> No action.

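The reconciliation step above, written out as an added example (this is not the project's own code). It is plain JavaScript so it runs in Node as well as in Apps Script; the input shapes are assumptions: `sheetEmails` is an array of strings read from the sheet column, and `firebaseUsers` is an array of `{ localId, email, disabled }` objects as returned by `accounts:query`. Addresses are normalised (trimmed, lower-cased) before comparison so that a differently-cased entry in the sheet does not trigger a spurious create/disable pair.

```javascript
// Added example, not the project's own code. Sample data below is constructed.

// Normalise an address so "Alice@Example.de " and "alice@example.de" compare equal.
function normaliseEmail(email) {
  return String(email || '').trim().toLowerCase();
}

// Compare desired state (sheet) with current state (Firebase Auth) and return the
// actions to take. Nothing is mutated here; the caller applies the plan.
function planActions(sheetEmails, firebaseUsers) {
  const desired = new Set(sheetEmails.map(normaliseEmail).filter(Boolean));
  const current = new Map();
  for (const user of firebaseUsers) {
    const key = normaliseEmail(user.email);
    if (key) current.set(key, user);
  }

  const plan = { create: [], disable: [], reenable: [], ignore: [] };

  for (const email of desired) {
    const user = current.get(email);
    if (!user) {
      plan.create.push(email);            // in sheet, not in Firebase
    } else if (user.disabled) {
      plan.reenable.push(user.localId);   // in both, but disabled
    } else {
      plan.ignore.push(user.localId);     // in both and active
    }
  }

  for (const [email, user] of current) {
    // In Firebase but not in sheet -> soft delete. Already-disabled accounts
    // are left alone so a repeated run stays idempotent.
    if (!desired.has(email) && !user.disabled) {
      plan.disable.push(user.localId);
    }
  }
  return plan;
}

// Constructed sample input (assumed shapes, not real accounts).
const SAMPLE_SHEET_EMAILS = ['Alice@Example.de ', 'bob@example.de', 'carol@example.de', ''];
const SAMPLE_FIREBASE_USERS = [
  { localId: 'u1', email: 'alice@example.de', disabled: false }, // active, in sheet -> ignore
  { localId: 'u2', email: 'bob@example.de', disabled: true },    // disabled, in sheet -> re-enable
  { localId: 'u3', email: 'dave@example.de', disabled: false },  // active, not in sheet -> disable
  { localId: 'u4', email: 'erin@example.de', disabled: true },   // already disabled -> nothing
];

function demoPlan() {
  return planActions(SAMPLE_SHEET_EMAILS, SAMPLE_FIREBASE_USERS);
}
```

Running `demoPlan()` yields one create (`carol@example.de`), one disable (`u3`), one re-enable (`u2`) and one ignore (`u1`); the empty sheet cell and the already-disabled `u4` produce no action.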
## Operational Instructions

### 1. Linking to GCP (Required once)

To allow the script to call Firebase APIs securely without an API key:

1. Open the Apps Script project (`clasp open-script`).
2. Click **Project Settings** (gear icon) on the left.
3. Under **Google Cloud Platform (GCP) Project**, click **Change project**.
4. Enter your GCP Project Number (e.g., `171880300854`; this is the `messagingSenderId` from the Terraform outputs).
5. Click **Set Project**.

### 2. Manual Triggers (setup)

If you modify the code or push a new version, you must reinstall the background triggers:

1. Open the IDE (`clasp open-script`).
2. Select the `setup` function from the dropdown.
3. Click **Run**.

*(Note: `clasp push` only updates the code; it does not reinstall the running triggers.)*

### 3. Dry Run Mode

The code supports a `DRY_RUN` flag in `CONFIG`. When set to `true`, it reads both states and prints its intended actions to the Execution Logs, but does NOT mutate Firebase data.

Currently, this is configured for production (`DRY_RUN: false`).

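As an added example (not the project's own code), here is how the apply step can be gated on `DRY_RUN` while still calling the Identity Toolkit endpoints listed under Architecture with the script's own OAuth token. The Apps Script globals (`UrlFetchApp`, `ScriptApp`, `Logger`) are injected through a `deps` object so the logic can be tested outside Apps Script; the `plan` shape, the `CONFIG.PROJECT_ID` field, the `deps` names and the `randomPassword` helper are assumptions for this example. Endpoint paths follow the Identity Toolkit v1 REST reference.

```javascript
// Added example, not the project's own code. In Apps Script, deps would be:
//   { fetch: (url, o) => UrlFetchApp.fetch(url, o),
//     token: () => ScriptApp.getOAuthToken(),
//     log: Logger.log,
//     randomPassword: <CSPRNG-backed generator, assumed to exist> }

const BASE = 'https://identitytoolkit.googleapis.com/v1/projects/';

// Build one authenticated POST. The Authorization header carries the linked GCP
// project's identity token, so no API key is embedded in the script.
function buildRequest(projectId, endpoint, body, token) {
  return {
    url: BASE + encodeURIComponent(projectId) + '/' + endpoint,
    options: {
      method: 'post',
      contentType: 'application/json',
      headers: { Authorization: 'Bearer ' + token },
      payload: JSON.stringify(body),
      muteHttpExceptions: true, // inspect the status ourselves instead of throwing
    },
  };
}

// Apply a plan { create: [emails], disable: [localIds], reenable: [localIds] }.
// With config.DRY_RUN === true every intended call is logged and nothing is sent.
// Returns the list of actions taken (or that would have been taken).
function applyPlan(plan, config, deps) {
  const calls = [
    ...plan.create.map(email => ['accounts', { email, password: deps.randomPassword() }, 'create ' + email]),
    ...plan.disable.map(id => ['accounts:update', { localId: id, disableUser: true }, 'disable ' + id]),
    ...plan.reenable.map(id => ['accounts:update', { localId: id, disableUser: false }, 're-enable ' + id]),
  ];
  const performed = [];
  for (const [endpoint, body, label] of calls) {
    if (config.DRY_RUN) {
      // Log the intent only; the generated password is never written to the logs.
      deps.log('[DRY_RUN] would ' + label + ' via ' + endpoint);
      performed.push({ label, dryRun: true });
      continue;
    }
    const { url, options } = buildRequest(config.PROJECT_ID, endpoint, body, deps.token());
    const resp = deps.fetch(url, options);
    const code = resp.getResponseCode();
    if (code < 200 || code >= 300) {
      // Fail loudly rather than silently skipping: a partial apply should show up in the admin report.
      throw new Error(label + ' failed with HTTP ' + code + ': ' + resp.getContentText());
    }
    deps.log('done: ' + label);
    performed.push({ label, dryRun: false });
  }
  return performed;
}

// Constructed plan and stub deps so the block runs offline.
const SAMPLE_PLAN = { create: ['carol@example.de'], disable: ['u3'], reenable: ['u2'] };

function demoDryRun() {
  const log = [];
  const deps = {
    fetch: () => { throw new Error('fetch must not be called in DRY_RUN'); },
    token: () => 'stub-token',
    log: m => log.push(m),
    randomPassword: () => 'constructed-password-not-for-use',
  };
  const performed = applyPlan(SAMPLE_PLAN, { DRY_RUN: true, PROJECT_ID: 'demo-project' }, deps);
  return { performed, log };
}
```

`demoDryRun()` returns three dry-run entries and three log lines without touching `fetch`; flipping `DRY_RUN` to `false` with real `UrlFetchApp`/`ScriptApp` bindings sends the same three requests. Checking the HTTP status explicitly matters because `muteHttpExceptions: true` turns 4xx/5xx responses into ordinary return values.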
### 4. Admin Reporting

The script will send an email to `info@haumdaucher.de` **only if** state changes occurred (creating, disabling, or re-enabling a user). If no changes are needed, it remains completely silent.

### 5. Email Templates & Custom Actions

The Identity Platform email templates (Password Reset, etc.) are NOT managed via Terraform due to provider limitations. They are stored in `email_templates.md` and must be manually copy-pasted into the Firebase Console.

The action URL for Password Resets has been customized to point to the main Vue.js frontend (`https://haumdaucher.de/`), which intercepts the `mode=resetPassword` parameter and displays the custom `PasswordReset.vue` component to maintain the club's aesthetic.