feat(auth): Redis-backed OIDC sessions for portal + operator
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 19s
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 22s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 28s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 23s
ci / test (push) Successful in 31s
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 43s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 5s
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 51s
ci / deploy (push) Failing after 3m42s
nuxt-oidc-auth persists sessions via useStorage('oidc'), whose default
mount is per-pod memory — broken at >1 replica (random 401s) and every
deploy logged all users out. A nitro plugin now mounts 'oidc' on the
dezky-data Redis (db 1, app-prefixed keys, 14d TTL) when SESSION_REDIS_URL
is set; dev keeps the memory driver with no Redis required. Replicas back
to 2 for both apps.
@@ -0,0 +1,26 @@
|
||||
// Mount the nuxt-oidc-auth session store on Redis when configured.
|
||||
//
|
||||
// The module persists sessions via useStorage('oidc'); the default mount is
|
||||
// per-pod memory, which 401s every request that lands on a replica that
|
||||
// didn't mint the session AND drops all sessions on each deploy. Mounting at
|
||||
// runtime (instead of nitro.storage in nuxt.config) keeps the Redis URL out
|
||||
// of the build — same reason the OIDC provider config is env-driven.
|
||||
//
|
||||
// SESSION_REDIS_URL is set in production (fleet/apps/operator.yaml, value in
|
||||
// operator-secrets). Unset in dev → in-memory mount stays, no Redis needed.
|
||||
import redisDriver from 'unstorage/drivers/redis'
|
||||
|
||||
export default defineNitroPlugin(() => {
|
||||
const url = process.env.SESSION_REDIS_URL
|
||||
if (!url) return
|
||||
useStorage().mount(
|
||||
'oidc',
|
||||
redisDriver({
|
||||
url,
|
||||
base: 'oidc:operator',
|
||||
// Safety net against orphaned sessions accumulating forever; well above
|
||||
// any real session lifetime.
|
||||
ttl: 60 * 60 * 24 * 14,
|
||||
}),
|
||||
)
|
||||
})
|
||||
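Review bot: `if (!url) return` makes a missing SESSION_REDIS_URL indistinguishable from dev, so a production pod whose secret is absent or misnamed silently keeps the per-pod memory mount, which is the exact failure the header comment describes (401s on replicas that did not mint the session, all sessions dropped on deploy). Suggest logging a warning on the early return, or refusing to start when `process.env.NODE_ENV === 'production'` and the variable is unset. Two smaller points: `url` is handed to `redisDriver` unchecked, so whether session data reaches Redis over TLS depends entirely on the secret's value, and a comment naming the expected scheme would make that reviewable; and the `ttl` comment says 14 days is well above any real session lifetime without naming the setting that bounds it, so a later change to the session lifetime could exceed the TTL unnoticed.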