Ronni Baslund
0b269e7ea7
A partner or tenant admin could complete the dezky-operator OIDC flow and
land on the operator portal. The platform-api OperatorGuard already 403s
their data, but the login/UI layer had no authorization check at all — the
only gate was a manual Authentik UI setting with nothing in git enforcing it.
Close it with defense-in-depth across three independent layers:
1. IdP — operator-application.yaml blueprint binds an
ak_is_group_member("dezky-platform-admins") policy to the dezky-operator
app, so Authentik denies the OIDC flow for non-admins. The blueprint also
provisions the provider + application (state: created, so a fresh env is
built from code while an existing hand-made provider is left untouched).
Wire OPERATOR_OIDC_* into both authentik containers and mount the
blueprints dir on the worker (it applies blueprints, and previously lacked
the mount).
2. Operator app — require-platform-admin.global.ts requires platformAdmin and
routes a non-admin to not-authorized.vue, which triggers a full sign-out
(local + Authentik IdP) for shared-workstation safety. Fails open on a
transient /api/me error by design, to avoid mass-signout on platform-api
restarts; layers 1 and 3 contain the exposure.
3. platform-api — OperatorGuard (unchanged) requires dezky-operator audience
plus platformAdmin resolved from the DB on every request.
Also harden the partner surface: it shares the dezky-portal client with tenant
users so it has no IdP gate, and its /partner/* route middleware now fails
CLOSED when identity can't be confirmed.
Docs (AUTHENTIK-SETUP.md) and .env.example updated; the operator client secret
must be set before first boot since the blueprint now consumes it.
43 lines
1.8 KiB
TypeScript
43 lines
1.8 KiB
TypeScript
// Routes signed-in users to the surface that matches their role:
|
|
// - partner staff (User.partnerId set) on '/' → /partner
|
|
// - non-partner-staff hitting /partner/* → /
|
|
//
|
|
// Runs after the OIDC global middleware (00.auth.global from nuxt-oidc-auth)
|
|
// so we know the user is authenticated by the time we get here. /me is
|
|
// fetched lazily via useMe() and cached in useState — first nav after sign-in
|
|
// pays one round-trip, subsequent navs read from cache.
|
|
//
|
|
// The partner surface shares the dezky-portal OAuth client with ordinary
|
|
// tenant users (a tenant admin authenticates here legitimately), so there is
|
|
// no IdP-level gate the way the operator app has — this redirect plus the
|
|
// platform-api's per-endpoint partnerId checks are the whole defense. Because
|
|
// of that, /partner/* must fail CLOSED: if we can't positively confirm the
|
|
// caller is partner staff (e.g. /api/me errored transiently, so `me` is null),
|
|
// we keep them out rather than letting the page shell render. Data is always
|
|
// backend-guarded, but the shell shouldn't show to a non-partner.
|
|
//
|
|
// Auth pages (/auth/*, /signed-out) are skipped because they're public.
|
|
|
|
export default defineNuxtRouteMiddleware(async (to) => {
|
|
if (to.path.startsWith('/auth/') || to.path === '/signed-out') return
|
|
|
|
const onPartnerSurface = to.path.startsWith('/partner')
|
|
|
|
const { fetchMe, isPartnerStaff } = useMe()
|
|
const me = await fetchMe()
|
|
|
|
// Couldn't resolve identity. For non-partner routes, defer to the OIDC
|
|
// middleware's bounce. For partner routes, fail closed — unconfirmed is
|
|
// not-partner.
|
|
if (!me) {
|
|
return onPartnerSurface ? navigateTo('/') : undefined
|
|
}
|
|
|
|
if (to.path === '/' && isPartnerStaff.value) {
|
|
return navigateTo('/partner')
|
|
}
|
|
if (onPartnerSurface && !isPartnerStaff.value) {
|
|
return navigateTo('/')
|
|
}
|
|
})
|