ronnibaslund/dezky
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
dezky/apps/operator/middleware/require-platform-admin.global.ts
T
Ronni Baslund 0b269e7ea7 feat(auth): enforce operator/partner platform isolation 
A partner or tenant admin could complete the dezky-operator OIDC flow and
land on the operator portal. The platform-api OperatorGuard already 403s
their data, but the login/UI layer had no authorization check at all — the
only gate was a manual Authentik UI setting with nothing in git enforcing it.

Close it with defense-in-depth across three independent layers:

1. IdP — operator-application.yaml blueprint binds an
   ak_is_group_member("dezky-platform-admins") policy to the dezky-operator
   app, so Authentik denies the OIDC flow for non-admins. The blueprint also
   provisions the provider + application (state: created, so a fresh env is
   built from code while an existing hand-made provider is left untouched).
   Wire OPERATOR_OIDC_* into both authentik containers and mount the
   blueprints dir on the worker (it applies blueprints, and previously lacked
   the mount).

2. Operator app — require-platform-admin.global.ts requires platformAdmin and
   routes a non-admin to not-authorized.vue, which triggers a full sign-out
   (local + Authentik IdP) for shared-workstation safety. Fails open on a
   transient /api/me error by design, to avoid mass-signout on platform-api
   restarts; layers 1 and 3 contain the exposure.

3. platform-api — OperatorGuard (unchanged) requires dezky-operator audience
   plus platformAdmin resolved from the DB on every request.

Also harden the partner surface: it shares the dezky-portal client with tenant
users so it has no IdP gate, and its /partner/* route middleware now fails
CLOSED when identity can't be confirmed.

Docs (AUTHENTIK-SETUP.md) and .env.example updated; the operator client secret
must be set before first boot since the blueprint now consumes it.
2026-05-30 15:48:01 +02:00

53 lines
2.6 KiB
TypeScript
Raw Permalink Blame History

// Authorization gate for the operator portal.
//
// nuxt-oidc-auth's global middleware only proves *authentication* — "does
// this browser hold a valid dezky-operator session?". It says nothing about
// whether the person is actually an operator. Without this middleware, anyone
// who completes the dezky-operator OIDC flow (a partner, a tenant admin, any
// Authentik user) lands on the full operator shell. The platform-api still
// 403s their data calls via OperatorGuard, but *being on the operator app at
// all* is the violation — and it leaves only the Authentik application policy
// standing between a non-admin and the UI. This is the second, in-app layer.
//
// Runs after 00.auth.global (nuxt-oidc-auth), so by the time we get here the
// session exists. We resolve the operator's own profile and require
// platformAdmin=true. A signed-in non-admin is fully signed out (local +
// Authentik IdP) — never silently left with a live operator session on what
// may be a shared workstation — and shown /not-authorized.
//
// /api/me is SSR-safe via useRequestFetch (it forwards the session cookie),
// so there's no flash of operator chrome before the redirect.
export default defineNuxtRouteMiddleware(async (to) => {
// Public surfaces: the login bounce, the sign-out landing, and the
// not-authorized page itself must stay reachable without the check.
if (
to.path.startsWith('/auth/') ||
to.path === '/signed-out' ||
to.path === '/not-authorized'
) {
return
}
const { fetchMe, isPlatformAdmin } = useMe()
const me = await fetchMe()
// fetchMe() collapses every failure to null — both "not signed in" and
// "signed in, but /api/me (→ platform-api) errored transiently". We let BOTH
// through here. The not-signed-in case is handled by the OIDC middleware's
// bounce to login. The API-error case is a DELIBERATE fail-OPEN: failing
// closed would bounce every operator to /not-authorized — and thus fully
// sign them out — on any platform-api restart, a self-inflicted mass-signout
// on routine deploys. The exposure from failing open is contained by the
// other two layers: Authentik's application policy stops a non-admin from
// ever obtaining a session (layer 1), and OperatorGuard 403s every data call
// regardless of what the UI renders (layer 3). See docs/AUTHENTIK-SETUP.md →
// "Operator portal isolation". (The partner middleware fails CLOSED instead
// because the partner surface has no layer-1 IdP gate.)
if (!me) return
if (!isPlatformAdmin.value) {
return navigateTo('/not-authorized')
}
})
Reference in New Issue View Git Blame Copy Permalink