feat(operator): scaffold apps/operator Nuxt app + multi-issuer JWT (O.3)
New Nuxt 3 app at apps/operator/ — internal admin portal on its own domain
(operator.dezky.local), own OAuth client (dezky-operator), own session
secrets, own cookies. Customer and operator surfaces can't decrypt each
other's session state.
OAuth flow verified end-to-end:
- GET / → middleware redirect to /auth/login
- User clicks Sign in → /auth/oidc/login → bounces to Authentik with
client_id=dezky-operator, scope includes 'groups'
- Authentik checks dezky-platform-admins group binding (added in O.1),
silent-reauths via the existing auth.dezky.local session
- Returns to /auth/oidc/callback with code, exchanges for token,
creates session cookie on operator.dezky.local
- Lands on pages/index.vue placeholder dashboard
Smoke test 'Create partner "test-partner"' button on the placeholder home
exercises the full operator-only authorization chain:
- 1st call: 200, partner created in Mongo
- 2nd call: 409 'already exists' (idempotency holds, token still valid)
- Same call from the customer portal: 403 'requires operator-scoped
token' (audience guard rejects dezky-portal aud)
JwtAuthGuard now multi-issuer in addition to multi-audience. Each
Authentik OAuth provider mints tokens with its own per-app iss URL
(.../application/o/<slug>/), so the guard accepts a comma-separated
AUTHENTIK_ISSUER. The audience-only fix from O.2 wasn't sufficient —
issuer is validated separately by jose.jwtVerify and was still pinned
to dezky-portal alone, yielding 'unexpected iss claim value' rejections.
Compose changes: new 'operator' service (Node 20 alpine, pnpm install +
nuxt dev, mkcert CA mount, traefik labels for operator.dezky.local +
TLS); new operator_node_modules volume; operator.dezky.local added to
traefik's Docker network aliases. Distinct OPERATOR_NUXT_OIDC_* session
secrets pulled from .env (gitignored, generated via openssl).
Real operator screens (sidebar, topbar, tenants, partners, etc.) come
in O.4. This commit is pure scaffolding + the security boundary proof.
This commit is contained in:
Ronni Baslund
@@ -13,15 +13,21 @@ import type { AuthentikJwtPayload } from './jwt-payload.interface.js'
|
||||
export class JwtAuthGuard implements CanActivate {
|
||||
private readonly logger = new Logger(JwtAuthGuard.name)
|
||||
private jwks: ReturnType<typeof createRemoteJWKSet> | null = null
|
||||
private readonly issuer: string
|
||||
// AUTHENTIK_AUDIENCE is comma-separated to accept tokens from multiple
|
||||
// OAuth clients (customer portal + operator portal + future surfaces).
|
||||
// jose.jwtVerify with an array succeeds if the token's aud matches any.
|
||||
// AUTHENTIK_ISSUER and AUTHENTIK_AUDIENCE are both comma-separated to accept
|
||||
// tokens from multiple OAuth clients (customer portal + operator portal +
|
||||
// future surfaces). Each Authentik provider issues tokens with its own
|
||||
// per-app issuer URL (`.../application/o/<slug>/`) — we accept any match.
|
||||
// jose.jwtVerify with arrays succeeds when the token's iss/aud match any.
|
||||
private readonly issuers: string[]
|
||||
private readonly audiences: string[]
|
||||
private readonly jwksUri: string
|
||||
|
||||
constructor(config: ConfigService) {
|
||||
this.issuer = config.getOrThrow<string>('AUTHENTIK_ISSUER')
|
||||
this.issuers = config
|
||||
.getOrThrow<string>('AUTHENTIK_ISSUER')
|
||||
.split(',')
|
||||
.map((s) => s.trim())
|
||||
.filter(Boolean)
|
||||
this.audiences = config
|
||||
.getOrThrow<string>('AUTHENTIK_AUDIENCE')
|
||||
.split(',')
|
||||
@@ -58,7 +64,7 @@ export class JwtAuthGuard implements CanActivate {
|
||||
|
||||
try {
|
||||
const { payload } = await jwtVerify(token, this.getJwks(), {
|
||||
issuer: this.issuer,
|
||||
issuer: this.issuers,
|
||||
audience: this.audiences,
|
||||
})
|
||||
req.user = payload as unknown as AuthentikJwtPayload
|
||||
|
||||
Reference in New Issue
Block a user