ronnibaslund/dezky
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(operator): scaffold apps/operator Nuxt app + multi-issuer JWT (O.3)

Browse Source 
New Nuxt 3 app at apps/operator/ — internal admin portal on its own domain
(operator.dezky.local), own OAuth client (dezky-operator), own session
secrets, own cookies. Customer and operator surfaces can't decrypt each
other's session state.

OAuth flow verified end-to-end:
  - GET / → middleware redirect to /auth/login
  - User clicks Sign in → /auth/oidc/login → bounces to Authentik with
    client_id=dezky-operator, scope includes 'groups'
  - Authentik checks dezky-platform-admins group binding (added in O.1),
    silent-reauths via the existing auth.dezky.local session
  - Returns to /auth/oidc/callback with code, exchanges for token,
    creates session cookie on operator.dezky.local
  - Lands on pages/index.vue placeholder dashboard

Smoke test 'Create partner "test-partner"' button on the placeholder home
exercises the full operator-only authorization chain:
  - 1st call: 200, partner created in Mongo
  - 2nd call: 409 'already exists' (idempotency holds, token still valid)
  - Same call from the customer portal: 403 'requires operator-scoped
    token' (audience guard rejects dezky-portal aud)

JwtAuthGuard now multi-issuer in addition to multi-audience. Each
Authentik OAuth provider mints tokens with its own per-app iss URL
(.../application/o/<slug>/), so the guard accepts a comma-separated
AUTHENTIK_ISSUER. The audience-only fix from O.2 wasn't sufficient —
issuer is validated separately by jose.jwtVerify and was still pinned
to dezky-portal alone, yielding 'unexpected iss claim value' rejections.

Compose changes: new 'operator' service (Node 20 alpine, pnpm install +
nuxt dev, mkcert CA mount, traefik labels for operator.dezky.local +
TLS); new operator_node_modules volume; operator.dezky.local added to
traefik's Docker network aliases. Distinct OPERATOR_NUXT_OIDC_* session
secrets pulled from .env (gitignored, generated via openssl).

Real operator screens (sidebar, topbar, tenants, partners, etc.) come
in O.4. This commit is pure scaffolding + the security boundary proof.
This commit is contained in:
Ronni Baslund
2026-05-24 07:20:16 +02:00
parent 2db41fec5e
commit 55b1c133e3
12 changed files with 8764 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/operator/pages/index.vue
+251
View File
@@ -0,0 +1,251 @@
<script setup lang="ts">
// O.3 scaffolding home. Confirms login round-trips and exposes a smoke-test
// button that exercises the operator-only audience gating against
// platform-api. Real operator UI lands in O.4+.
const { user, logout } = useOidcAuth()
const smokeResult = ref<string | null>(null)
const smokeBusy = ref(false)
async function createTestPartner() {
smokeBusy.value = true
smokeResult.value = null
try {
const res = await $fetch('/api/operator-smoke-test', { method: 'POST' })
smokeResult.value = `${JSON.stringify(res).slice(0, 200)}`
} catch (err: unknown) {
const e = err as { data?: { message?: string }; statusCode?: number }
smokeResult.value = `${e.statusCode}: ${e.data?.message ?? String(err)}`
} finally {
smokeBusy.value = false
}
}
</script>
<template>
<div class="page">
<header class="bar">
<div class="brand">
<span class="dot" />
<span class="name">dezky · ops</span>
</div>
<div class="me">
<span class="email">{{ user?.userInfo?.email || user?.userName }}</span>
<button class="logout" @click="logout()">sign out</button>
</div>
</header>
<main class="stage">
<p class="eyebrow">O.3 scaffolding</p>
<h1>Operator portal · placeholder</h1>
<p class="lead">
You're signed in via the <code>dezky-operator</code> Authentik client. Real screens
(Overview, Tenants, Partners, Infrastructure, etc.) land in O.4 once the design system
is ported. This page exists to prove the OAuth round-trip works and to smoke-test the
operator-only endpoints on platform-api.
</p>
<section class="card">
<h2>Smoke test · POST /partners</h2>
<p>
Calls <code>https://api.dezky.local/partners</code> through a server-side proxy that
forwards your access token. With an operator-scoped token this should return 200 +
the created partner; with a customer-portal token (try in the other app) it returns 403.
</p>
<button :disabled="smokeBusy" class="primary" @click="createTestPartner">
{{ smokeBusy ? 'Calling' : 'Create partner "test-partner"' }}
</button>
<pre v-if="smokeResult" class="result">{{ smokeResult }}</pre>
</section>
<section class="meta">
<div class="row"><span class="k">subject</span><span class="v">{{ user?.userName }}</span></div>
<div class="row"><span class="k">email</span><span class="v">{{ user?.userInfo?.email }}</span></div>
<div class="row"><span class="k">groups</span><span class="v">{{ (user?.userInfo as { groups?: string[] } | undefined)?.groups?.join(', ') || '' }}</span></div>
<div class="row"><span class="k">aud</span><span class="v">dezky-operator (expected)</span></div>
</section>
</main>
</div>
</template>
<style scoped>
.page {
min-height: 100vh;
display: flex;
flex-direction: column;
}
.bar {
padding: 14px 24px;
display: flex;
justify-content: space-between;
align-items: center;
border-bottom: 1px solid var(--border);
}
.brand {
display: flex;
align-items: center;
gap: 10px;
font-family: var(--font-mono);
font-size: 12px;
font-weight: 600;
}
.dot {
width: 10px;
height: 10px;
border-radius: 999px;
background: var(--accent);
box-shadow: 0 0 0 3px rgba(212, 255, 58, 0.15);
}
.me {
display: flex;
align-items: center;
gap: 12px;
}
.email {
font-family: var(--font-mono);
font-size: 12px;
color: var(--text-dim);
}
.logout {
background: transparent;
border: 1px solid var(--border);
border-radius: 6px;
padding: 6px 12px;
font-family: var(--font-mono);
font-size: 11px;
color: var(--text);
}
.logout:hover {
background: rgba(244, 243, 238, 0.04);
}
.stage {
flex: 1;
padding: 48px 32px;
max-width: 760px;
width: 100%;
margin: 0 auto;
}
.eyebrow {
font-family: var(--font-mono);
font-size: 10px;
letter-spacing: 0.18em;
text-transform: uppercase;
color: var(--text-mute);
margin: 0 0 12px 0;
}
h1 {
margin: 0 0 16px 0;
font-family: var(--font-display);
font-weight: 600;
font-size: 32px;
letter-spacing: -0.025em;
line-height: 1.1;
}
.lead {
color: var(--text-dim);
font-size: 14px;
line-height: 1.6;
margin: 0 0 32px 0;
}
code {
font-family: var(--font-mono);
font-size: 12px;
background: rgba(244, 243, 238, 0.06);
padding: 1px 6px;
border-radius: 3px;
}
.card {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 10px;
padding: 20px 22px;
margin-bottom: 24px;
}
.card h2 {
font-family: var(--font-display);
font-weight: 600;
font-size: 16px;
letter-spacing: -0.01em;
margin: 0 0 8px 0;
}
.card p {
font-size: 13px;
color: var(--text-dim);
line-height: 1.55;
margin: 0 0 14px 0;
}
.primary {
height: 36px;
padding: 0 16px;
background: var(--accent);
color: var(--accent-fg);
border: none;
border-radius: 6px;
font-weight: 600;
font-size: 12.5px;
font-family: inherit;
cursor: pointer;
}
.primary[disabled] {
opacity: 0.55;
cursor: not-allowed;
}
.result {
margin: 14px 0 0 0;
padding: 12px;
background: var(--bg);
border: 1px solid var(--border);
border-radius: 6px;
font-family: var(--font-mono);
font-size: 11.5px;
color: var(--text-dim);
white-space: pre-wrap;
word-break: break-all;
}
.meta {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 10px;
padding: 14px 18px;
}
.row {
display: flex;
gap: 12px;
padding: 5px 0;
font-family: var(--font-mono);
font-size: 11px;
}
.k {
color: var(--text-mute);
letter-spacing: 0.06em;
text-transform: uppercase;
width: 70px;
flex-shrink: 0;
}
.v {
color: var(--text-dim);
word-break: break-all;
}
</style>