dezky

ronnibaslund/dezky

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ronni Baslund	901cc69ba3	fix(auth): silent session renewal + 401 auto-recovery ci / changes (push) Successful in 4s Details ci / tc_booking (push) Has been skipped Details ci / tc_operator (push) Successful in 20s Details ci / tc_website (push) Has been skipped Details ci / tc_platform_api (push) Has been skipped Details ci / test_platform_api (push) Has been skipped Details ci / build_booking (push) Has been skipped Details ci / tc_portal (push) Successful in 26s Details ci / build_platform_api (push) Has been skipped Details ci / build_operator (push) Successful in 31s Details ci / build_portal (push) Successful in 39s Details ci / deploy (push) Successful in 41s Details Idle sessions died and left a broken page: when the access token expired, nuxt-oidc-auth's automatic refresh had no refresh token to use — neither Authentik provider carried the offline_access scope mapping (and the operator never requested the scope), so the module cleared the session and every /api call 401'd until a manual F5 happened to re-auth through Authentik's still-alive SSO session. Fix 1: offline_access end to end — scope mapping attached to both live providers (and blueprints, prod + dev), operator now requests the scope. Sessions renew server-side for up to 30 days of activity (Redis store + pinned token key from earlier make the refresh tokens durable). Fix 2: client plugin in both apps — a 401 from /api sends the browser through /auth/oidc/login instead of leaving dead buttons; invisible when Authentik's session is alive, a clean sign-in screen when it isn't. Loop-guarded. Full sign-out behavior unchanged.	2026-06-11 09:21:15 +02:00
Ronni Baslund	0b269e7ea7	feat(auth): enforce operator/partner platform isolation A partner or tenant admin could complete the dezky-operator OIDC flow and land on the operator portal. The platform-api OperatorGuard already 403s their data, but the login/UI layer had no authorization check at all — the only gate was a manual Authentik UI setting with nothing in git enforcing it. Close it with defense-in-depth across three independent layers: 1. IdP — operator-application.yaml blueprint binds an ak_is_group_member("dezky-platform-admins") policy to the dezky-operator app, so Authentik denies the OIDC flow for non-admins. The blueprint also provisions the provider + application (state: created, so a fresh env is built from code while an existing hand-made provider is left untouched). Wire OPERATOR_OIDC_* into both authentik containers and mount the blueprints dir on the worker (it applies blueprints, and previously lacked the mount). 2. Operator app — require-platform-admin.global.ts requires platformAdmin and routes a non-admin to not-authorized.vue, which triggers a full sign-out (local + Authentik IdP) for shared-workstation safety. Fails open on a transient /api/me error by design, to avoid mass-signout on platform-api restarts; layers 1 and 3 contain the exposure. 3. platform-api — OperatorGuard (unchanged) requires dezky-operator audience plus platformAdmin resolved from the DB on every request. Also harden the partner surface: it shares the dezky-portal client with tenant users so it has no IdP gate, and its /partner/* route middleware now fails CLOSED when identity can't be confirmed. Docs (AUTHENTIK-SETUP.md) and .env.example updated; the operator client secret must be set before first boot since the blueprint now consumes it.	2026-05-30 15:48:01 +02:00

Author

SHA1

Message

Date

Ronni Baslund

901cc69ba3

fix(auth): silent session renewal + 401 auto-recovery

ci / changes (push) Successful in 4s

Details

ci / tc_booking (push) Has been skipped

Details

ci / tc_operator (push) Successful in 20s

Details

ci / tc_website (push) Has been skipped

Details

ci / tc_platform_api (push) Has been skipped

Details

ci / test_platform_api (push) Has been skipped

Details

ci / build_booking (push) Has been skipped

Details

ci / tc_portal (push) Successful in 26s

Details

ci / build_platform_api (push) Has been skipped

Details

ci / build_operator (push) Successful in 31s

Details

ci / build_portal (push) Successful in 39s

Details

ci / deploy (push) Successful in 41s

Details

Idle sessions died and left a broken page: when the access token expired,
nuxt-oidc-auth's automatic refresh had no refresh token to use — neither
Authentik provider carried the offline_access scope mapping (and the
operator never requested the scope), so the module cleared the session
and every /api call 401'd until a manual F5 happened to re-auth through
Authentik's still-alive SSO session.

Fix 1: offline_access end to end — scope mapping attached to both live
providers (and blueprints, prod + dev), operator now requests the scope.
Sessions renew server-side for up to 30 days of activity (Redis store +
pinned token key from earlier make the refresh tokens durable).

Fix 2: client plugin in both apps — a 401 from /api sends the browser
through /auth/oidc/login instead of leaving dead buttons; invisible when
Authentik's session is alive, a clean sign-in screen when it isn't.
Loop-guarded. Full sign-out behavior unchanged.

2026-06-11 09:21:15 +02:00

Ronni Baslund

0b269e7ea7

feat(auth): enforce operator/partner platform isolation

A partner or tenant admin could complete the dezky-operator OIDC flow and
land on the operator portal. The platform-api OperatorGuard already 403s
their data, but the login/UI layer had no authorization check at all — the
only gate was a manual Authentik UI setting with nothing in git enforcing it.

Close it with defense-in-depth across three independent layers:

1. IdP — operator-application.yaml blueprint binds an
   ak_is_group_member("dezky-platform-admins") policy to the dezky-operator
   app, so Authentik denies the OIDC flow for non-admins. The blueprint also
   provisions the provider + application (state: created, so a fresh env is
   built from code while an existing hand-made provider is left untouched).
   Wire OPERATOR_OIDC_* into both authentik containers and mount the
   blueprints dir on the worker (it applies blueprints, and previously lacked
   the mount).

2. Operator app — require-platform-admin.global.ts requires platformAdmin and
   routes a non-admin to not-authorized.vue, which triggers a full sign-out
   (local + Authentik IdP) for shared-workstation safety. Fails open on a
   transient /api/me error by design, to avoid mass-signout on platform-api
   restarts; layers 1 and 3 contain the exposure.

3. platform-api — OperatorGuard (unchanged) requires dezky-operator audience
   plus platformAdmin resolved from the DB on every request.

Also harden the partner surface: it shares the dezky-portal client with tenant
users so it has no IdP gate, and its /partner/* route middleware now fails
CLOSED when identity can't be confirmed.

Docs (AUTHENTIK-SETUP.md) and .env.example updated; the operator client secret
must be set before first boot since the blueprint now consumes it.

2026-05-30 15:48:01 +02:00

2 Commits