From 5662e0821887c3b3858bc02bf0ff2380fd32d91b Mon Sep 17 00:00:00 2001
From: VMIS Developer <vmis-dev@porscheworld.tw>
Date: Mon, 16 Mar 2026 12:50:33 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20Traefik=20=E8=B7=AF=E7=94=B1=E7=AF=84?=
 =?UTF-8?q?=E6=9C=AC=E5=8A=A0=E5=85=A5=20/login=20OIDC=20redirect?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- manager 和一般租戶都加入 {code}-login 路由 (priority 300)
- 加入 {code}-oidc-redirect middleware 自動導向 user_oidc/login/1
- 修正 NC 無法透過 /login 觸發 SSO 的問題

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../app/services/scheduler/schedule_tenant.py | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/backend/app/services/scheduler/schedule_tenant.py b/backend/app/services/scheduler/schedule_tenant.py
index d7bfd85..1534f48 100644
--- a/backend/app/services/scheduler/schedule_tenant.py
+++ b/backend/app/services/scheduler/schedule_tenant.py
@@ -209,10 +209,24 @@ def _generate_tenant_route_yaml(tenant, is_active: bool) -> str:
             "    vmis-strip-admin:",
             "      stripPrefix:",
             '        prefixes: ["/admin"]',
+            f"    {code}-oidc-redirect:",
+            "      redirectRegex:",
+            '        regex: ".*"',
+            f'        replacement: "https://{domain}/apps/user_oidc/login/1"',
+            "        permanent: false",
             "",
         ]
         lines += [
             "  routers:",
+            f"    {code}-login:",
+            f'      rule: "Host(`{domain}`) && Path(`/login`)"',
+            f"      service: {code}-drive",
+            "      entryPoints: [websecure]",
+            f"      middlewares: [{code}-oidc-redirect]",
+            "      tls:",
+            "        certResolver: letsencrypt",
+            "      priority: 300",
+            "",
             f"    {code}-admin:",
             f'      rule: "Host(`{domain}`) && PathPrefix(`/admin`)"',
             f"      service: {code}-vmis",
@@ -255,7 +269,23 @@ def _generate_tenant_route_yaml(tenant, is_active: bool) -> str:
         ]
     else:
         lines += [
+            "  middlewares:",
+            f"    {code}-oidc-redirect:",
+            "      redirectRegex:",
+            '        regex: ".*"',
+            f'        replacement: "https://{domain}/apps/user_oidc/login/1"',
+            "        permanent: false",
+            "",
             "  routers:",
+            f"    {code}-login:",
+            f'      rule: "Host(`{domain}`) && Path(`/login`)"',
+            f"      service: {code}-drive",
+            "      entryPoints: [websecure]",
+            f"      middlewares: [{code}-oidc-redirect]",
+            "      tls:",
+            "        certResolver: letsencrypt",
+            "      priority: 300",
+            "",
             f"    {code}-drive:",
             f'      rule: "Host(`{domain}`)"',
             f"      service: {code}-drive",