ronnibaslund/dezky
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): enforce operator/partner platform isolation

Browse Source 
A partner or tenant admin could complete the dezky-operator OIDC flow and
land on the operator portal. The platform-api OperatorGuard already 403s
their data, but the login/UI layer had no authorization check at all — the
only gate was a manual Authentik UI setting with nothing in git enforcing it.

Close it with defense-in-depth across three independent layers:

1. IdP — operator-application.yaml blueprint binds an
   ak_is_group_member("dezky-platform-admins") policy to the dezky-operator
   app, so Authentik denies the OIDC flow for non-admins. The blueprint also
   provisions the provider + application (state: created, so a fresh env is
   built from code while an existing hand-made provider is left untouched).
   Wire OPERATOR_OIDC_* into both authentik containers and mount the
   blueprints dir on the worker (it applies blueprints, and previously lacked
   the mount).

2. Operator app — require-platform-admin.global.ts requires platformAdmin and
   routes a non-admin to not-authorized.vue, which triggers a full sign-out
   (local + Authentik IdP) for shared-workstation safety. Fails open on a
   transient /api/me error by design, to avoid mass-signout on platform-api
   restarts; layers 1 and 3 contain the exposure.

3. platform-api — OperatorGuard (unchanged) requires dezky-operator audience
   plus platformAdmin resolved from the DB on every request.

Also harden the partner surface: it shares the dezky-portal client with tenant
users so it has no IdP gate, and its /partner/* route middleware now fails
CLOSED when identity can't be confirmed.

Docs (AUTHENTIK-SETUP.md) and .env.example updated; the operator client secret
must be set before first boot since the blueprint now consumes it.
This commit is contained in:
Ronni Baslund
2026-05-30 15:48:01 +02:00
parent da1b77ba5d
commit 0b269e7ea7
7 changed files with 480 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/portal/middleware/partner-routing.global.ts
+19 -2
View File
@@ -7,19 +7,36 @@
// fetched lazily via useMe() and cached in useState — first nav after sign-in
// pays one round-trip, subsequent navs read from cache.
//
// The partner surface shares the dezky-portal OAuth client with ordinary
// tenant users (a tenant admin authenticates here legitimately), so there is
// no IdP-level gate the way the operator app has — this redirect plus the
// platform-api's per-endpoint partnerId checks are the whole defense. Because
// of that, /partner/* must fail CLOSED: if we can't positively confirm the
// caller is partner staff (e.g. /api/me errored transiently, so `me` is null),
// we keep them out rather than letting the page shell render. Data is always
// backend-guarded, but the shell shouldn't show to a non-partner.
//
// Auth pages (/auth/*, /signed-out) are skipped because they're public.
export default defineNuxtRouteMiddleware(async (to) => {
if (to.path.startsWith('/auth/') || to.path === '/signed-out') return
const onPartnerSurface = to.path.startsWith('/partner')
const { fetchMe, isPartnerStaff } = useMe()
const me = await fetchMe()
if (!me) return // Not signed in yet — OIDC middleware handles the bounce
// Couldn't resolve identity. For non-partner routes, defer to the OIDC
// middleware's bounce. For partner routes, fail closed — unconfirmed is
// not-partner.
if (!me) {
return onPartnerSurface ? navigateTo('/') : undefined
}
if (to.path === '/' && isPartnerStaff.value) {
return navigateTo('/partner')
}
if (to.path.startsWith('/partner') && !isPartnerStaff.value) {
if (onPartnerSurface && !isPartnerStaff.value) {
return navigateTo('/')
}
})