feat(portal): real Security & audit page (+ bundled Storage / per-tenant-roles WIP)
Security & audit (admin)

- Audit log: real, tenant-scoped — widened GET /tenants/:slug/audit with q/action/outcome/actorEmail/since/before; UI gains search, outcome + time filters, action chips, cursor pagination, and client-side CSV export.
- Security policy: new tenant.securityPolicy (mfaMode, session idle/absolute, allowedCountries, ipAllowlist) + PATCH /tenants/:slug/security-policy (membership-gated, audited). Editable, labelled by enforcement status.
- MFA: live enrollment overview via GET /tenants/:slug/mfa-status (Authentik countAuthenticators per member).
- SSO apps (Dezky as IdP): real Authentik OIDC provider + application CRUD, scoped to the tenant group. New AuthentikClient methods (provider/app/binding + flow/key/scope discovery), TenantSsoApp schema, TenantSsoService (rollback on partial failure; client secret never stored), GET/POST/DELETE /tenants/:slug/sso-apps. Validated end-to-end against live Authentik.
- Deferred: shared-flow MFA/geo/session enforcement (global auth-flow blast radius) — to be done as its own reviewed change.

Bundled in-progress work that shares the same files (kept together so the tree stays green):

- Storage page: StorageService + GET /tenants/:slug/storage (OCIS-backed), storage.get proxy, storage.vue.
- Per-tenant roles: User.tenantRoles + MeProfile.tenantRoles plumbing.
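The tenant-scoped audit query and client-side CSV export named in the commit message, as an added illustration that is not the project's code: an in-memory filter that applies the tenant scope before any caller-supplied filter, pages by id cursor, and writes CSV cells so that a logged value beginning with `=` (for example a rejected login identifier) cannot become a spreadsheet formula when the export is opened. The query field names follow the commit message; the AuditEvent shape, the constructed SAMPLE_LOG, the clamp on limit and the cursor semantics (id descending, cursor = last id seen) are assumptions.

```typescript
// Added illustration, not the project's code: tenant-scoped audit-log query
// with cursor pagination, plus a CSV export that neutralises spreadsheet
// formula injection. Query field names follow the commit message; the event
// shape, the sample data and the cursor semantics are assumptions.

export interface AuditEvent {
  id: number;                      // monotonically increasing; doubles as the cursor
  tenant: string;
  at: string;                      // ISO-8601 timestamp
  actorEmail: string;
  action: string;
  outcome: "success" | "failure";
  detail: string;
}

export interface AuditQuery {
  q?: string;                      // free-text search over action, actor and detail
  action?: string;
  outcome?: "success" | "failure";
  actorEmail?: string;
  since?: string;                  // inclusive lower bound, ISO-8601
  before?: string;                 // exclusive upper bound, ISO-8601
  cursor?: number;                 // last id seen; only events with a smaller id are returned
  limit?: number;
}

export interface AuditPage {
  items: AuditEvent[];
  nextCursor: number | null;       // null when no further page exists
}

// Constructed sample log covering two tenants. Event 4 records a failed login
// whose submitted identifier begins with "=", the shape of a CSV formula payload.
export const SAMPLE_LOG: AuditEvent[] = [
  { id: 1, tenant: "acme", at: "2024-05-01T09:00:00Z", actorEmail: "ann@acme.example", action: "login", outcome: "success", detail: "ip=203.0.113.5" },
  { id: 2, tenant: "acme", at: "2024-05-01T09:05:00Z", actorEmail: "ann@acme.example", action: "security-policy.update", outcome: "success", detail: "mfaMode=required" },
  { id: 3, tenant: "globex", at: "2024-05-01T09:06:00Z", actorEmail: "bob@globex.example", action: "login", outcome: "failure", detail: "bad password" },
  { id: 4, tenant: "acme", at: "2024-05-02T10:00:00Z", actorEmail: "=cmd|' /C calc'!A0", action: "login", outcome: "failure", detail: "unknown user" },
  { id: 5, tenant: "acme", at: "2024-05-03T11:00:00Z", actorEmail: "ann@acme.example", action: "sso-app.create", outcome: "success", detail: "slug=\"wiki\"" },
];

export function queryAudit(log: AuditEvent[], tenant: string, query: AuditQuery): AuditPage {
  const limit = Math.min(Math.max(query.limit ?? 50, 1), 500);   // clamp: a client cannot dump the whole log
  const since = query.since === undefined ? Number.NEGATIVE_INFINITY : Date.parse(query.since);
  const before = query.before === undefined ? Number.POSITIVE_INFINITY : Date.parse(query.before);
  if (Number.isNaN(since) || Number.isNaN(before)) {
    throw new RangeError("since/before must be ISO-8601 timestamps");
  }
  const cursor = query.cursor;
  const needle = query.q?.toLowerCase();
  const actor = query.actorEmail?.toLowerCase();
  const matches = log
    .filter((e) => e.tenant === tenant)            // tenant scope first; never a caller-controlled filter
    .filter((e) => cursor === undefined || e.id < cursor)
    .filter((e) => query.action === undefined || e.action === query.action)
    .filter((e) => query.outcome === undefined || e.outcome === query.outcome)
    .filter((e) => actor === undefined || e.actorEmail.toLowerCase() === actor)
    .filter((e) => { const t = Date.parse(e.at); return t >= since && t < before; })
    .filter((e) => needle === undefined || `${e.action} ${e.actorEmail} ${e.detail}`.toLowerCase().includes(needle))
    .sort((a, b) => b.id - a.id);                  // newest first
  const items = matches.slice(0, limit);
  const last = items[items.length - 1];
  const nextCursor = matches.length > limit && last !== undefined ? last.id : null;
  return { items, nextCursor };
}

// CSV cell encoding. Beyond RFC 4180 quoting, a cell that starts with a
// spreadsheet formula trigger (=, +, -, @, tab or CR) is prefixed with an
// apostrophe and quoted, so opening the export in Excel or LibreOffice
// shows the text instead of evaluating it.
export function csvCell(value: string): string {
  let v = value;
  if (/^[=+\-@\t\r]/.test(v)) v = "'" + v;
  if (/[",\r\n]/.test(v) || v !== value) v = `"${v.replace(/"/g, '""')}"`;
  return v;
}

export function exportCsv(items: AuditEvent[]): string {
  const header = ["id", "at", "actorEmail", "action", "outcome", "detail"];
  const rows = items.map((e) =>
    [String(e.id), e.at, e.actorEmail, e.action, e.outcome, e.detail].map(csvCell).join(","),
  );
  return [header.join(","), ...rows].join("\r\n") + "\r\n";
}
```

Walk the log with queryAudit(SAMPLE_LOG, "acme", { limit: 2 }) and pass nextCursor back as cursor until it is null. The tenant argument is meant to come from the authenticated membership, never from the query string; that is what keeps the log tenant-scoped even when every other filter is caller-controlled.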
@@ -555,6 +555,15 @@ services:
# /ingest/stalwart/webhook. Both ends read the same env var.
STALWART_WEBHOOK_SECRET: ${STALWART_WEBHOOK_SECRET}
OCIS_API_URL: https://files.dezky.local
# Service-user auth for libregraph read calls (drive quotas powering the
# customer-admin Storage page). OCIS has no backend service-account grant
# and trusts a single issuer, so we run an OIDC password grant against the
# SAME provider OCIS trusts (client `ocis-web`) as a dedicated service user
# that holds the OCIS admin role. See docs/NEXT-STEPS.md.
OCIS_OIDC_TOKEN_URL: https://auth.dezky.local/application/o/token/
OCIS_OIDC_CLIENT_ID: ocis-web
OCIS_SVC_USERNAME: ${OCIS_SVC_USERNAME}
OCIS_SVC_PASSWORD: ${OCIS_SVC_PASSWORD}
# JWT validation against Authentik for portal-issued access tokens.
# Issuers are comma-separated — each Authentik OAuth provider issues tokens
# with its own per-app issuer URL, so we accept both portal and operator.
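Review bot: the service user configured by `OCIS_SVC_USERNAME` / `OCIS_SVC_PASSWORD` is given the OCIS admin role (per the comment `# that holds the OCIS admin role`) while the stated need is read-only libregraph calls for drive quotas, so a leak of that password, or of the portal's environment, yields full OCIS admin rather than quota reads. If OCIS has no lesser role that can still read every drive's quota, the referenced docs/NEXT-STEPS.md should say so explicitly and record the compensating controls: rotation of the password, who can read these env vars, and that the portal only ever calls read endpoints with it. The grant also rides on `ocis-web`, the client end users sign in with, so the password grant has to be enabled on that shared client rather than on one dedicated to the portal; a sentence on whether a separate client on the same trusted issuer was ruled out, and why, would save the next reviewer re-deriving it.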