Ronni Baslund
55b1c133e3
New Nuxt 3 app at apps/operator/ — internal admin portal on its own domain
(operator.dezky.local), own OAuth client (dezky-operator), own session
secrets, own cookies. Customer and operator surfaces can't decrypt each
other's session state.
OAuth flow verified end-to-end:
- GET / → middleware redirect to /auth/login
- User clicks Sign in → /auth/oidc/login → bounces to Authentik with
client_id=dezky-operator, scope includes 'groups'
- Authentik checks dezky-platform-admins group binding (added in O.1),
silent-reauths via the existing auth.dezky.local session
- Returns to /auth/oidc/callback with code, exchanges for token,
creates session cookie on operator.dezky.local
- Lands on pages/index.vue placeholder dashboard
Smoke test 'Create partner "test-partner"' button on the placeholder home
exercises the full operator-only authorization chain:
- 1st call: 200, partner created in Mongo
- 2nd call: 409 'already exists' (idempotency holds, token still valid)
- Same call from the customer portal: 403 'requires operator-scoped
token' (audience guard rejects dezky-portal aud)
JwtAuthGuard now multi-issuer in addition to multi-audience. Each
Authentik OAuth provider mints tokens with its own per-app iss URL
(.../application/o/<slug>/), so the guard accepts a comma-separated
AUTHENTIK_ISSUER. The audience-only fix from O.2 wasn't sufficient —
issuer is validated separately by jose.jwtVerify and was still pinned
to dezky-portal alone, yielding 'unexpected iss claim value' rejections.
Compose changes: new 'operator' service (Node 20 alpine, pnpm install +
nuxt dev, mkcert CA mount, traefik labels for operator.dezky.local +
TLS); new operator_node_modules volume; operator.dezky.local added to
traefik's Docker network aliases. Distinct OPERATOR_NUXT_OIDC_* session
secrets pulled from .env (gitignored, generated via openssl).
Real operator screens (sidebar, topbar, tenants, partners, etc.) come
in O.4. This commit is pure scaffolding + the security boundary proof.
77 lines
2.4 KiB
TypeScript
77 lines
2.4 KiB
TypeScript
// Nuxt 3 configuration for the Dezky operator portal.
|
|
// Separate app from apps/portal — different OAuth client, different cookies,
|
|
// different domain, stricter authorization. See docs/OPERATOR-PLAN.md.
|
|
|
|
export default defineNuxtConfig({
|
|
compatibilityDate: '2026-01-01',
|
|
devtools: { enabled: true },
|
|
|
|
modules: ['nuxt-oidc-auth'],
|
|
|
|
css: ['~/assets/styles/tokens.css', '~/assets/styles/base.css'],
|
|
|
|
app: {
|
|
head: {
|
|
htmlAttrs: { 'data-theme': 'dark' },
|
|
link: [
|
|
{ rel: 'preconnect', href: 'https://fonts.googleapis.com' },
|
|
{ rel: 'preconnect', href: 'https://fonts.gstatic.com', crossorigin: '' },
|
|
{
|
|
rel: 'stylesheet',
|
|
href: 'https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Inter+Tight:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;600;700&display=swap',
|
|
},
|
|
],
|
|
},
|
|
},
|
|
|
|
oidc: {
|
|
defaultProvider: 'oidc',
|
|
session: {
|
|
expirationCheck: true,
|
|
automaticRefresh: true,
|
|
},
|
|
middleware: {
|
|
globalMiddlewareEnabled: true,
|
|
customLoginPage: true,
|
|
},
|
|
providers: {
|
|
// Generic OIDC against the dezky-operator Authentik client. Same shape
|
|
// as the customer portal's config but pointed at a different provider
|
|
// and a different audience.
|
|
oidc: {
|
|
clientId: process.env.NUXT_OIDC_CLIENT_ID || '',
|
|
clientSecret: process.env.NUXT_OIDC_CLIENT_SECRET || '',
|
|
redirectUri: process.env.NUXT_OIDC_REDIRECT_URI || '',
|
|
authorizationUrl: 'https://auth.dezky.local/application/o/authorize/',
|
|
tokenUrl: 'https://auth.dezky.local/application/o/token/',
|
|
userInfoUrl: 'https://auth.dezky.local/application/o/userinfo/',
|
|
logoutUrl: 'https://auth.dezky.local/application/o/dezky-operator/end-session/',
|
|
openIdConfiguration:
|
|
'https://auth.dezky.local/application/o/dezky-operator/.well-known/openid-configuration',
|
|
scope: ['openid', 'profile', 'email', 'groups'],
|
|
userNameClaim: 'preferred_username',
|
|
responseType: 'code',
|
|
grantType: 'authorization_code',
|
|
pkce: true,
|
|
skipAccessTokenParsing: true,
|
|
exposeAccessToken: true,
|
|
},
|
|
},
|
|
},
|
|
|
|
vite: {
|
|
server: {
|
|
hmr: {
|
|
protocol: 'wss',
|
|
clientPort: 443,
|
|
},
|
|
},
|
|
},
|
|
|
|
nitro: {
|
|
routeRules: {
|
|
'/api/**': { cors: true },
|
|
},
|
|
},
|
|
})
|