feat(platform-api): multi-audience JWT + Partner CRUD + tenant lifecycle (O.2)

JwtAuthGuard now accepts a comma-separated AUTHENTIK_AUDIENCE ('dezky-portal,dezky-operator'). jose.jwtVerify takes an array and succeeds on any match — both customer-portal and operator-portal tokens validate against this service. Per-endpoint guards restrict further. New OperatorGuard enforces operator-only mutations: 1. JWT audience claim includes 'dezky-operator' (proof from the token alone that this is a privileged session) 2. ActorService-resolved User has platformAdmin=true (DB check so revocation works without waiting for the token to expire) Both required; either alone is insufficient. Partner module: - Partner schema: slug, name, domain, status, marginPct, contactInfo, billingInfo. marginPct is one number per partner (decided in grilling) - CRUD endpoints under @UseGuards(JwtAuthGuard, OperatorGuard) — every partner mutation requires operator scope - GET /partners returns each row with a computed customers count from aggregating Tenant.partnerId. MRR aggregation deferred until Subscription gains a price column - GET /partners/:slug/tenants for the partner detail view - DELETE soft-terminates (status='terminated') — never hard-delete because tenants may still reference the partner Tenant changes: - partnerId?: Types.ObjectId (ref Partner, indexed sparse) added to Tenant schema - UpdateTenantDto accepts partnerId so PATCH can attach/detach - POST /tenants/:slug/suspend and /resume — operator-only via OperatorGuard. PATCH already covers plan/domains/partnerId changes Smoke test: customer-portal session sends POST /api/partners through the portal proxy → 403 "This endpoint requires an operator-scoped token". The positive test (operator-token → 200) waits for O.3 when there's an operator app to mint the right token. apps/portal/server/api/partners/index.post.ts is a temporary verification proxy — delete once the operator portal exists.
2026-05-24 07:08:59 +02:00
parent 3573188431
commit 2db41fec5e
17 changed files with 474 additions and 24 deletions
@@ -289,23 +289,30 @@ done in order — earlier ones unblock later ones.
  docs is gone in 2025.10. Use `policies/bindings/` with a direct `group`
  reference instead

-### O.2 · platform-api — multi-audience + Partner CRUD
+### O.2 · platform-api — multi-audience + Partner CRUD ✓

- [ ] `JwtAuthGuard`: accept audience list `['dezky-portal', 'dezky-operator']`
- [ ] New decorator/guard `@RequiresOperatorAudience()` enforcing
-      `aud === 'dezky-operator' && actor.platformAdmin`
- [ ] `schemas/partner.schema.ts` — Partner model (slug, name, domain,
-      status, marginPct, contactInfo, billingInfo)
- [ ] `partners/` module: controller + service + DTOs (create / read /
-      update / soft-delete)
- [ ] Add `partnerId?: Types.ObjectId` (ref Partner, index) to Tenant schema
- [ ] Aggregations: `Partner.customers` (count) and `Partner.mrr` (sum)
-      computed at query time
- [ ] Tenant lifecycle endpoints: `POST /tenants/:slug/suspend`,
-      `POST /tenants/:slug/resume`, plan/seat-cap change via existing PATCH
- [ ] All operator-only mutations gated by `@RequiresOperatorAudience()`
- [ ] Smoke test: `curl` create-partner with a `dezky-operator` token works,
-      same call with a `dezky-portal` token gets 403
+- [x] `JwtAuthGuard`: accepts comma-separated `AUTHENTIK_AUDIENCE`
+      (`dezky-portal,dezky-operator`). Both audiences validate; per-endpoint
+      guards further restrict
+- [x] `OperatorGuard` (not a decorator — a regular `CanActivate` guard)
+      enforcing `aud includes 'dezky-operator' && actor.platformAdmin`.
+      Applied via `@UseGuards(JwtAuthGuard, OperatorGuard)`
+- [x] `schemas/partner.schema.ts` — Partner model
+- [x] `partners/` module: controller + service + DTOs (create / read /
+      update / soft-terminate / list tenants under partner)
+- [x] `partnerId?: Types.ObjectId` added to Tenant schema (indexed, sparse).
+      `UpdateTenantDto` accepts `partnerId` to attach/detach
+- [x] `Partner.customers` aggregated at query time (count of Tenants by
+      partnerId). MRR aggregation **deferred** — Tenant has no monthly
+      amount yet and Subscription lacks a price column. Will land when
+      Subscription gains pricing
+- [x] Tenant lifecycle endpoints: `POST /tenants/:slug/suspend`,
+      `POST /tenants/:slug/resume` (operator-only). PATCH already accepts
+      plan/domains/partnerId changes
+- [x] Smoke test: customer-portal token → `POST /partners` returns 403
+      "This endpoint requires an operator-scoped token" ✓. Positive test
+      (operator token → 200) deferred until O.3 when the operator app
+      exists to mint that token

 ### O.3 · Scaffold `apps/operator/`