ronnibaslund/dezky
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6370e392cc8dd44cf1850e8328a3df74ad53702b
dezky/apps/portal/nuxt.config.ts
T
Ronni Baslund 0bd4e5498e feat: portal redesign, pricing catalog, partner-staff invites 
- portal: new admin/ and partner/ surfaces with full component library
  (AppLauncher, Avatar, Badge, Card, Modal, Tabs, etc.), composables,
  layouts, partner-routing middleware, and supporting server APIs
- pricing: Price schema/module with operator CRUD, pricing.vue catalog UI,
  Subscription extended with cycle/currency/perSeatAmount/seats snapshots
  for stable MRR aggregation
- partner staff: User.partnerId, invite-partner-user DTO and flow,
  /partners/:slug/users endpoints, InvitePartnerUserModal, shared
  dezky-partner-staff Authentik group
- /me: partner-aware endpoint returning user + partner context so portal
  can route between end-user and partner-admin surfaces
- tenant: seats field for portfolio displays and future MRR calculations
- operator: pricing page, signed-out page, useMe/useToast composables,
  ToastStack
2026-05-28 20:00:33 +02:00

129 lines
5.3 KiB
TypeScript
Raw Blame History

// Nuxt 3 configuration for Dezky portal
// https://nuxt.com/docs/api/configuration/nuxt-config
export default defineNuxtConfig({
compatibilityDate: '2026-01-01',
devtools: { enabled: true },
modules: ['nuxt-oidc-auth'],
css: ['~/assets/styles/tokens.css', '~/assets/styles/base.css'],
// Auto-import from the shared packages/ui workspace in addition to the
// app's own components/. /shared-packages is bind-mounted in
// docker-compose.yml — outside containers the same files live at
// <repo>/packages/ui/components/. The local dir keeps the default
// directory-based prefix (so components/partner/InviteTeammateModal.vue
// stays <PartnerInviteTeammateModal>); the shared dir uses no prefix so
// CountrySelect.vue is just <CountrySelect>.
components: [
'~/components',
{ path: '/shared-packages/ui/components', pathPrefix: false },
],
app: {
head: {
link: [
{ rel: 'preconnect', href: 'https://fonts.googleapis.com' },
{ rel: 'preconnect', href: 'https://fonts.gstatic.com', crossorigin: '' },
{
rel: 'stylesheet',
href: 'https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Inter+Tight:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;600;700&display=swap',
},
],
},
},
runtimeConfig: {
mongodbUri: process.env.MONGODB_URI,
apiBase: process.env.NUXT_API_BASE,
public: {
authUrl: process.env.NUXT_PUBLIC_AUTH_URL,
portalUrl: process.env.NUXT_PUBLIC_PORTAL_URL,
},
},
oidc: {
defaultProvider: 'oidc',
session: {
expirationCheck: true,
automaticRefresh: true,
},
middleware: {
globalMiddlewareEnabled: true,
// Unauthenticated users land directly on the Authentik login flow.
// Authentik is Dezky-branded and serves as the single sign-on entry
// point for every Dezky app (portal, OCIS files, mail, chat). Direct
// navigation to auth.dezky.local or the post-login dashboard
// (/if/user/) is short-circuited by a Traefik middleware on the
// authentik service that redirects to app.dezky.local — see
// infrastructure/docker-compose/docker-compose.yml.
customLoginPage: false,
},
providers: {
// Generic OIDC against our Authentik instance (provider preset key MUST be one of
// apple, auth0, cognito, entra, github, keycloak, logto, microsoft, oidc, paypal, zitadel).
oidc: {
// The root .env uses PORTAL_OIDC_* (operator uses OPERATOR_OIDC_*) so
// both apps can share one .env. docker-compose remaps these to
// NUXT_OIDC_* per-container; locally we just read them directly.
clientId: process.env.PORTAL_OIDC_CLIENT_ID || process.env.NUXT_OIDC_CLIENT_ID || '',
clientSecret: process.env.PORTAL_OIDC_CLIENT_SECRET || process.env.NUXT_OIDC_CLIENT_SECRET || '',
redirectUri: process.env.NUXT_OIDC_REDIRECT_URI || 'https://app.dezky.local/auth/oidc/callback',
authorizationUrl: 'https://auth.dezky.local/application/o/authorize/',
tokenUrl: 'https://auth.dezky.local/application/o/token/',
userInfoUrl: 'https://auth.dezky.local/application/o/userinfo/',
// Logout is handled by our custom /api/auth/sign-out endpoint, not the
// module's RP-initiated chain. Authentik 2025.10 doesn't reliably
// honor `post_logout_redirect_uri` from the provider invalidation
// flow, so we end the local session ourselves and bounce to a
// Dezky-branded /signed-out page that fires Authentik's end-session
// in a hidden iframe for a clean IdP logout in the background.
logoutUrl: '',
// Discovery URL — used by id_token validation to fetch JWKS + issuer
openIdConfiguration:
'https://auth.dezky.local/application/o/dezky-portal/.well-known/openid-configuration',
scope: ['openid', 'profile', 'email', 'groups'],
userNameClaim: 'preferred_username',
responseType: 'code',
grantType: 'authorization_code',
pkce: true,
// Authentik's access tokens aren't always parseable as JWT — skip strict parsing
skipAccessTokenParsing: true,
// Expose access token in the server-side session so Nitro route handlers can
// forward it to platform-api. Token never reaches the browser.
exposeAccessToken: true,
// ALSO expose the id_token — needed so the logout handler can populate
// `id_token_hint` on the RP-initiated logout URL. Without it Authentik
// can't verify the request comes from a known session and falls back
// to its "You've logged out" confirmation page.
exposeIdToken: true,
},
},
},
vite: {
server: {
hmr: {
protocol: 'wss',
clientPort: 443,
},
// Vite 7's strict allowedHosts blocks anything not in this list with a
// plaintext 403. We serve the portal behind Traefik on app.dezky.local.
allowedHosts: ['app.dezky.local'],
},
},
nitro: {
routeRules: {
'/api/**': { cors: true },
},
// Persist nuxt-oidc-auth's session store on disk so HMR / restarts don't
// sign out everyone in dev. Memory driver (the default) is fine in prod
// when there's one long-running container per instance.
storage: {
oidc: { driver: 'fs', base: '.nuxt/oidc-store' },
},
},
})
Reference in New Issue View Git Blame Copy Permalink