dezky

ronnibaslund/dezky

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ronni Baslund	91134c94f5	feat(auth): Redis-backed OIDC sessions for portal + operator ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 19s Details ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 22s Details ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s Details ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 28s Details ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 23s Details ci / test (push) Successful in 31s Details ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s Details ci / build (map[dir:apps/operator name:operator]) (push) Successful in 43s Details ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 5s Details ci / build (map[dir:apps/portal name:portal]) (push) Successful in 51s Details ci / deploy (push) Failing after 3m42s Details nuxt-oidc-auth persists sessions via useStorage('oidc'), whose default mount is per-pod memory — broken at >1 replica (random 401s) and every deploy logged all users out. A nitro plugin now mounts 'oidc' on the dezky-data Redis (db 1, app-prefixed keys, 14d TTL) when SESSION_REDIS_URL is set; dev keeps the memory driver with no Redis required. Replicas back to 2 for both apps.	2026-06-10 18:48:16 +02:00
Ronni Baslund	17ffd95a70	chore(portal,operator): upgrade to Nuxt 4 Upgrade both Nuxt apps to Nuxt 4.4.6 (vue-tsc 3, TypeScript 5.6, undici 7) and add a root tsconfig.json to each app. Fix the strict-null / noUncheckedIndexedAccess errors surfaced by Nuxt 4's stricter generated tsconfig and vue-tsc 3. Drop the nuxt-oidc-auth pnpm patch (Nuxt 4 fixes the prepare:types crash natively).	2026-05-30 08:02:43 +02:00
Ronni Baslund	adfd9baafe	chore: initial scaffold with running local stack and portal auth Brings up Dezky's local development environment end-to-end: Infrastructure (docker-compose): - Traefik v3.7 reverse proxy with mkcert TLS (v3.2 couldn't speak Docker API 1.54) - Postgres + Mongo + Redis with healthchecks and init script for per-service users - Authentik 2025.10 (server + worker) as OIDC IdP - Stalwart v0.16 mail server (image renamed from stalwartlabs/mail-server) - OCIS 7.0 with PROXY_TLS=false and OCIS_CONFIG_DIR=/etc/ocis so init writes where the server reads - Collabora office, plus the portal + provisioning service stubs - Docker network aliases on Traefik so containers resolve auth.dezky.local etc. through the network (not host /etc/hosts) - Docker socket mount parameterized for macOS Docker Desktop symlink path Authentik provisioning (done via API after stack boot): - ocis-provider (public client) + OCIS Files application - dezky-portal provider (confidential) + Dezky Portal application - Admin API token bound to akadmin manually since 2025.10's AUTHENTIK_BOOTSTRAP_TOKEN env var doesn't auto-materialize a token row Portal (apps/portal): - Nuxt 3 with nuxt-oidc-auth 1.0.0-beta.11 against generic 'oidc' preset - Global auth middleware; login at /auth/oidc/login redirects to Authentik - Visual implementation of Claude Design 'Auth' canvas: AuthShell, NodeMark, Auth* sub-components, design tokens as CSS custom properties - Pages: auth/login, auth/expired, auth/disabled, index (post-login landing) - mkcert root CA mounted into the portal so Node fetch trusts Authentik's self-signed cert (NODE_EXTRA_CA_CERTS) — dev only Docs: - AUTHENTIK-SETUP.md updated with manual token bind + portal provider scripted alternative - NEXT-STEPS.md: Phase 1 and Phase 2 marked done with file locations and dev-mode caveats Dev-mode shortcuts that need to be revisited before prod: - skipAccessTokenParsing on the OIDC config - NODE_EXTRA_CA_CERTS mkcert mount - Bootstrap password still the generated value in .env - Authentik admin token (dezky-bootstrap-token) is non-expiring	2026-05-23 21:25:11 +02:00

Author

SHA1

Message

Date

Ronni Baslund

91134c94f5

feat(auth): Redis-backed OIDC sessions for portal + operator

ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 19s

Details

ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 22s

Details

ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s

Details

ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 28s

Details

ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 23s

Details

ci / test (push) Successful in 31s

Details

ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s

Details

ci / build (map[dir:apps/operator name:operator]) (push) Successful in 43s

Details

ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 5s

Details

ci / build (map[dir:apps/portal name:portal]) (push) Successful in 51s

Details

ci / deploy (push) Failing after 3m42s

Details

nuxt-oidc-auth persists sessions via useStorage('oidc'), whose default
mount is per-pod memory — broken at >1 replica (random 401s) and every
deploy logged all users out. A nitro plugin now mounts 'oidc' on the
dezky-data Redis (db 1, app-prefixed keys, 14d TTL) when SESSION_REDIS_URL
is set; dev keeps the memory driver with no Redis required. Replicas back
to 2 for both apps.

2026-06-10 18:48:16 +02:00

Ronni Baslund

17ffd95a70

chore(portal,operator): upgrade to Nuxt 4

Upgrade both Nuxt apps to Nuxt 4.4.6 (vue-tsc 3, TypeScript 5.6, undici 7) and add a root tsconfig.json to each app. Fix the strict-null / noUncheckedIndexedAccess errors surfaced by Nuxt 4's stricter generated tsconfig and vue-tsc 3. Drop the nuxt-oidc-auth pnpm patch (Nuxt 4 fixes the prepare:types crash natively).

2026-05-30 08:02:43 +02:00

Ronni Baslund

adfd9baafe

chore: initial scaffold with running local stack and portal auth

Brings up Dezky's local development environment end-to-end:

Infrastructure (docker-compose):
- Traefik v3.7 reverse proxy with mkcert TLS (v3.2 couldn't speak Docker API 1.54)
- Postgres + Mongo + Redis with healthchecks and init script for per-service users
- Authentik 2025.10 (server + worker) as OIDC IdP
- Stalwart v0.16 mail server (image renamed from stalwartlabs/mail-server)
- OCIS 7.0 with PROXY_TLS=false and OCIS_CONFIG_DIR=/etc/ocis so init writes
  where the server reads
- Collabora office, plus the portal + provisioning service stubs
- Docker network aliases on Traefik so containers resolve auth.dezky.local etc.
  through the network (not host /etc/hosts)
- Docker socket mount parameterized for macOS Docker Desktop symlink path

Authentik provisioning (done via API after stack boot):
- ocis-provider (public client) + OCIS Files application
- dezky-portal provider (confidential) + Dezky Portal application
- Admin API token bound to akadmin manually since 2025.10's
  AUTHENTIK_BOOTSTRAP_TOKEN env var doesn't auto-materialize a token row

Portal (apps/portal):
- Nuxt 3 with nuxt-oidc-auth 1.0.0-beta.11 against generic 'oidc' preset
- Global auth middleware; login at /auth/oidc/login redirects to Authentik
- Visual implementation of Claude Design 'Auth' canvas: AuthShell, NodeMark,
  Auth* sub-components, design tokens as CSS custom properties
- Pages: auth/login, auth/expired, auth/disabled, index (post-login landing)
- mkcert root CA mounted into the portal so Node fetch trusts Authentik's
  self-signed cert (NODE_EXTRA_CA_CERTS) — dev only

Docs:
- AUTHENTIK-SETUP.md updated with manual token bind + portal provider scripted
  alternative
- NEXT-STEPS.md: Phase 1 and Phase 2 marked done with file locations and
  dev-mode caveats

Dev-mode shortcuts that need to be revisited before prod:
- skipAccessTokenParsing on the OIDC config
- NODE_EXTRA_CA_CERTS mkcert mount
- Bootstrap password still the generated value in .env
- Authentik admin token (dezky-bootstrap-token) is non-expiring

2026-05-23 21:25:11 +02:00

3 Commits