feat(operator): scaffold apps/operator Nuxt app + multi-issuer JWT (O.3)
New Nuxt 3 app at apps/operator/ — internal admin portal on its own domain
(operator.dezky.local), own OAuth client (dezky-operator), own session
secrets, own cookies. Customer and operator surfaces can't decrypt each
other's session state.
OAuth flow verified end-to-end:
- GET / → middleware redirect to /auth/login
- User clicks Sign in → /auth/oidc/login → bounces to Authentik with
client_id=dezky-operator, scope includes 'groups'
- Authentik checks dezky-platform-admins group binding (added in O.1),
silent-reauths via the existing auth.dezky.local session
- Returns to /auth/oidc/callback with code, exchanges for token,
creates session cookie on operator.dezky.local
- Lands on pages/index.vue placeholder dashboard
Smoke test 'Create partner "test-partner"' button on the placeholder home
exercises the full operator-only authorization chain:
- 1st call: 200, partner created in Mongo
- 2nd call: 409 'already exists' (idempotency holds, token still valid)
- Same call from the customer portal: 403 'requires operator-scoped
token' (audience guard rejects dezky-portal aud)
JwtAuthGuard now multi-issuer in addition to multi-audience. Each
Authentik OAuth provider mints tokens with its own per-app iss URL
(.../application/o/<slug>/), so the guard accepts a comma-separated
AUTHENTIK_ISSUER. The audience-only fix from O.2 wasn't sufficient —
issuer is validated separately by jose.jwtVerify and was still pinned
to dezky-portal alone, yielding 'unexpected iss claim value' rejections.
Compose changes: new 'operator' service (Node 20 alpine, pnpm install +
nuxt dev, mkcert CA mount, traefik labels for operator.dezky.local +
TLS); new operator_node_modules volume; operator.dezky.local added to
traefik's Docker network aliases. Distinct OPERATOR_NUXT_OIDC_* session
secrets pulled from .env (gitignored, generated via openssl).
Real operator screens (sidebar, topbar, tenants, partners, etc.) come
in O.4. This commit is pure scaffolding + the security boundary proof.
This commit is contained in:
+21
-14
@@ -314,21 +314,28 @@ done in order — earlier ones unblock later ones.
(operator token → 200) deferred until O.3 when the operator app
exists to mint that token
### O.3 · Scaffold `apps/operator/`
### O.3 · Scaffold `apps/operator/` ✓
- [ ] `apps/operator/package.json` (Nuxt 3, `nuxt-oidc-auth` beta.11, same
deps as portal)
- [ ] `nuxt.config.ts` with `oidc` block pointing at `dezky-operator`
- [ ] Docker compose service `operator`, with Traefik labels for
`operator.dezky.local`, `node_modules` volume, same `NODE_EXTRA_CA_CERTS`
mount for mkcert
- [ ] Network alias on Traefik: `operator.dezky.local`
- [ ] User task: add `operator.dezky.local` to `/etc/hosts`
- [ ] Session secrets in `.env`: `NUXT_OIDC_TOKEN_KEY` (base64-32),
`NUXT_OIDC_SESSION_SECRET`, `NUXT_OIDC_AUTH_SESSION_SECRET` —
**distinct from** the customer portal's secrets
- [ ] Verify login: visit `https://operator.dezky.local`, bounce to Authentik,
sign in as akadmin, land on a placeholder index page
- [x] `apps/operator/package.json` (Nuxt 3, `nuxt-oidc-auth` 1.0.0-beta.11)
- [x] `nuxt.config.ts` wired against the `dezky-operator` Authentik provider:
`client_id=dezky-operator`, audience claim becomes `dezky-operator`,
scope includes `groups`, `exposeAccessToken: true` so the Nitro proxy
can forward it
- [x] Docker compose service `operator` running on the dezky network, mkcert
root CA mounted, Traefik route at `operator.dezky.local`
- [x] Network alias on Traefik: `operator.dezky.local`
- [x] `operator.dezky.local` added to `/etc/hosts`
- [x] Distinct session secrets in `.env` (`OPERATOR_NUXT_OIDC_*`) — the two
apps can't decrypt each other's session cookies
- [x] Verified login: signing in lands on the placeholder index showing
`Operator portal · placeholder` with the user's identity
- [x] Smoke test `POST /partners`: operator session returns 200 (partner
created in Mongo), idempotent re-call returns 409 (already exists),
customer-portal session returns 403 ("requires operator-scoped token")
- [x] `JwtAuthGuard` extended to accept **multi-issuer** as well as
multi-audience (each Authentik OAuth provider has its own per-app
`iss` URL); `AUTHENTIK_ISSUER` env is now comma-separated. The audience
change in O.2 wasn't enough on its own — issuer matching is separate
### O.4 · Design system + app shell
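Review bot: the `JwtAuthGuard` checklist item ("extended to accept multi-issuer as well as multi-audience ... `AUTHENTIK_ISSUER` env is now comma-separated") does not record whether issuer and audience are validated as a matched pair or as two independent allow-lists; with both lists now widened, an independent check would accept any trusted issuer combined with any trusted audience, so state in the item that each issuer is bound to the one audience it may mint, and extend the `POST /partners` smoke test (currently 200 / 409 / 403) with the crossed issuer/audience case so the boundary proof covers it. Two smaller points in the same hunk: the `nuxt.config.ts` item enables `exposeAccessToken: true` "so the Nitro proxy can forward it", which is worth a sentence on what that exposes to the browser side versus a server-only session, and the old "sign in as akadmin" detail from the verify item was dropped in the rewrite, so the checklist no longer names which group-bound account the login was verified with.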