Ronni Baslund
0b269e7ea7
A partner or tenant admin could complete the dezky-operator OIDC flow and
land on the operator portal. The platform-api OperatorGuard already 403s
their data, but the login/UI layer had no authorization check at all — the
only gate was a manual Authentik UI setting with nothing in git enforcing it.
Close it with defense-in-depth across three independent layers:
1. IdP — operator-application.yaml blueprint binds an
ak_is_group_member("dezky-platform-admins") policy to the dezky-operator
app, so Authentik denies the OIDC flow for non-admins. The blueprint also
provisions the provider + application (state: created, so a fresh env is
built from code while an existing hand-made provider is left untouched).
Wire OPERATOR_OIDC_* into both authentik containers and mount the
blueprints dir on the worker (it applies blueprints, and previously lacked
the mount).
2. Operator app — require-platform-admin.global.ts requires platformAdmin and
routes a non-admin to not-authorized.vue, which triggers a full sign-out
(local + Authentik IdP) for shared-workstation safety. Fails open on a
transient /api/me error by design, to avoid mass-signout on platform-api
restarts; layers 1 and 3 contain the exposure.
3. platform-api — OperatorGuard (unchanged) requires dezky-operator audience
plus platformAdmin resolved from the DB on every request.
Also harden the partner surface: it shares the dezky-portal client with tenant
users so it has no IdP gate, and its /partner/* route middleware now fails
CLOSED when identity can't be confirmed.
Docs (AUTHENTIK-SETUP.md) and .env.example updated; the operator client secret
must be set before first boot since the blueprint now consumes it.
131 lines
3.2 KiB
Vue
131 lines
3.2 KiB
Vue
<script setup lang="ts">
|
|
// Shown when an authenticated-but-non-operator session reaches the operator
|
|
// portal (see middleware/require-platform-admin.global.ts). The account is
|
|
// valid in Authentik but lacks platformAdmin — e.g. a partner or tenant user
|
|
// who completed the dezky-operator OIDC flow.
|
|
//
|
|
// We do NOT leave them parked here with a live session: that's the
|
|
// shared-workstation risk the full-sign-out rule guards against. We trigger the
|
|
// same full sign-out the UserMenu uses — clearing both the local
|
|
// nuxt-oidc-auth session and the Authentik IdP session (so this also ends their
|
|
// SSO session in any other tab — intended for an elevated context).
|
|
//
|
|
// A short delay lets them actually read why before the redirect through
|
|
// Authentik fires; the button is an immediate-out fallback. The timer is
|
|
// cleared on unmount so a manual click can't double-fire it.
|
|
|
|
definePageMeta({ layout: 'blank', auth: false, oidcAuth: { enabled: false } })
|
|
|
|
const SIGN_OUT_DELAY_MS = 2200
|
|
|
|
function signOut() {
|
|
return navigateTo('/api/auth/sign-out', { external: true })
|
|
}
|
|
|
|
onMounted(() => {
|
|
const timer = setTimeout(signOut, SIGN_OUT_DELAY_MS)
|
|
onBeforeUnmount(() => clearTimeout(timer))
|
|
})
|
|
</script>
|
|
|
|
<template>
|
|
<div class="shell">
|
|
<div class="card">
|
|
<div class="badge">
|
|
<UiIcon name="shield" :size="22" />
|
|
</div>
|
|
<p class="eyebrow">dezky · ops</p>
|
|
<h1>Not an operator account</h1>
|
|
<p class="lead">
|
|
This account doesn't have operator access. For your security we're
|
|
signing you out completely — sign in with an operator account to
|
|
continue.
|
|
</p>
|
|
<button class="primary" type="button" @click="signOut">Sign out now</button>
|
|
<p class="hint">operator.dezky.local</p>
|
|
</div>
|
|
</div>
|
|
</template>
|
|
|
|
<style scoped>
|
|
.shell {
|
|
min-height: 100vh;
|
|
display: flex;
|
|
align-items: center;
|
|
justify-content: center;
|
|
padding: 32px;
|
|
background: var(--bg);
|
|
}
|
|
|
|
.card {
|
|
background: var(--surface);
|
|
border: 1px solid var(--border);
|
|
border-radius: 12px;
|
|
padding: 36px 36px 32px;
|
|
width: 100%;
|
|
max-width: 420px;
|
|
text-align: center;
|
|
box-shadow: 0 24px 60px rgba(0, 0, 0, 0.4);
|
|
}
|
|
|
|
.badge {
|
|
width: 48px;
|
|
height: 48px;
|
|
border-radius: 12px;
|
|
display: inline-flex;
|
|
align-items: center;
|
|
justify-content: center;
|
|
background: rgba(240, 88, 88, 0.12);
|
|
color: var(--bad);
|
|
margin: 0 auto 16px;
|
|
}
|
|
|
|
.eyebrow {
|
|
font-family: var(--font-mono);
|
|
font-size: 11px;
|
|
letter-spacing: 0.18em;
|
|
text-transform: uppercase;
|
|
color: var(--text-mute);
|
|
margin: 0 0 10px 0;
|
|
}
|
|
|
|
h1 {
|
|
font-family: var(--font-display);
|
|
font-weight: 600;
|
|
font-size: 24px;
|
|
letter-spacing: -0.02em;
|
|
line-height: 1.15;
|
|
margin: 0;
|
|
}
|
|
|
|
.lead {
|
|
font-size: 13px;
|
|
color: var(--text-dim);
|
|
line-height: 1.55;
|
|
margin: 14px 0 26px;
|
|
}
|
|
|
|
.primary {
|
|
display: block;
|
|
width: 100%;
|
|
height: 42px;
|
|
background: var(--accent);
|
|
color: var(--accent-fg);
|
|
border: none;
|
|
border-radius: 7px;
|
|
font-weight: 600;
|
|
font-size: 13px;
|
|
font-family: inherit;
|
|
cursor: pointer;
|
|
}
|
|
.primary:hover { filter: brightness(0.96); }
|
|
|
|
.hint {
|
|
font-family: var(--font-mono);
|
|
font-size: 10px;
|
|
letter-spacing: 0.06em;
|
|
color: var(--text-mute);
|
|
margin: 22px 0 0 0;
|
|
}
|
|
</style>
|