dezky/apps/operator/server/utils/platform-api.ts
Ronni Baslund 8e81730372 feat(operator): tenant list + 7-tab detail with real lifecycle (O.5)
Operator can now manage tenants end-to-end from the UI:

  - pages/tenants/index.vue — list with status/plan/domains/created/
    provisioning-state columns, search by slug or name, status chips
    with live counts (all/active/pending/suspended), click-through
    to detail
  - pages/tenants/[slug].vue — 7-tab detail (Overview, Users, Resources,
    Billing, Audit, Support, Danger zone)
  - 3 tabs hit real backends: Overview (identity + billing fields),
    Users (lazy-loaded via new GET /tenants/:slug/users endpoint),
    Resources (live provisioning state per integration + Reconcile button)
  - 3 tabs render mock fixtures with warn-tone "mock" badges: Billing
    (Stripe placeholder), Audit (sample log lines), Support (placeholder
    pending the ticket queue work)
  - Danger zone: 3 real-backend cards (Suspend / Resume / Soft-delete),
    each gated by a ConfirmDialog modal. Verified live — clicked
    Suspend on acme, status flipped to 'suspended' in Mongo, then
    Resumed back to 'active'

platform-api additions:
  - GET /tenants/:slug/users returns users with this tenant in their
    tenantIds, sorted by last login. Same authorization rule as the
    existing /tenants/:slug — platform admins always pass,
    non-admins must be a member of the tenant
  - tenants.module imports User schema for the new lookup

New components (apps/operator/components/):
  - Tabs.vue — horizontal strip with optional per-tab counts, v-model
  - ConfirmDialog.vue — Teleport-to-body modal, Escape/backdrop close,
    danger/primary tone for the confirm button

Server proxy infrastructure (apps/operator/server/):
  - utils/platform-api.ts — single helper encapsulating
    access-token-from-session + bearer-forward + error normalization.
    Every operator proxy route is now a one-liner against this helper
  - api/tenants/index.get.ts, [slug]/{index.get,index.patch,index.delete,
    users.get,suspend.post,resume.post,reconcile.post}.ts

Two real bugs found and fixed during the smoke test:

  - Mongoose subdocument `_id` leaks into JSON when iterating
    tenant.provisioningStatus. Switched to an explicit
    `['authentik', 'stalwart', 'ocis']` whitelist in both v-fors
  - Documents created before provisioningErrors was added (like the
    acme tenant) don't have the field at all in JSON. Use optional
    chaining (`tenant.provisioningErrors?.[k]`) instead of bracket
    access. Without it: 'Cannot read properties of undefined (reading
    "authentik")' during the Resources tab render
2026-05-24 07:44:23 +02:00

33 lines
1.2 KiB
TypeScript

// Helper: forward a request to platform-api using the signed-in operator's
// access token. Every operator proxy route uses this — it's the only place
// we touch the encrypted session.
// `createError` and `$fetch` are Nitro auto-imports, so they need no import here.
import type { H3Event } from 'h3'
import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'

const BASE = process.env.PLATFORM_API_INTERNAL_URL ?? 'http://platform-api:3001'

export async function platformApi<T = unknown>(
  event: H3Event,
  path: string,
  init: { method?: string; body?: unknown; query?: Record<string, string | number | undefined> } = {},
): Promise<T> {
  // No session or no access token: fail closed with 401 before contacting platform-api.
  const session = await getUserSession(event).catch(() => null)
  const accessToken = (session as { accessToken?: string } | null)?.accessToken
  if (!accessToken) {
    throw createError({ statusCode: 401, statusMessage: 'Not signed in' })
  }

  try {
    // `path` is appended to BASE unchanged; callers must validate any route
    // parameter they interpolate into it.
    return (await $fetch(`${BASE}${path}`, {
      method: (init.method as 'GET' | 'POST' | 'PATCH' | 'DELETE') ?? 'GET',
      headers: { Authorization: `Bearer ${accessToken}` },
      body: init.body,
      query: init.query,
    })) as T
  } catch (err: unknown) {
    // Error normalization: the upstream status code and error body are passed
    // through to the caller; anything without a status becomes a 500.
    const e = err as { statusCode?: number; data?: unknown }
    throw createError({ statusCode: e.statusCode ?? 500, data: e.data })
  }
}
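
`platformApi` appends the `path` it is given to `BASE` as-is, so a proxy route that interpolates the `:slug` route parameter decides which platform-api endpoint receives the operator's bearer token. The block below is an added example, not code from this repository, that builds the path from a validated slug; the slug pattern, the action list and the names `tenantPath` and `BadSlugError` are assumptions.

```typescript
// Added example (not repository code): build the upstream path for
// platformApi() from a route parameter without letting the parameter
// change which platform-api endpoint is reached.

// Assumption: tenant slugs are lowercase letters, digits and hyphens, 1-63 chars.
const SLUG_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/

// Assumption: the per-tenant sub-resources listed in the commit message.
const TENANT_ACTIONS = ['', 'users', 'suspend', 'resume', 'reconcile'] as const
type TenantAction = (typeof TENANT_ACTIONS)[number]

// Hypothetical error type; a route would map it to createError({ statusCode: 400 }).
class BadSlugError extends Error {
  statusCode = 400
}

function tenantPath(rawSlug: unknown, action: TenantAction = ''): string {
  if (typeof rawSlug !== 'string') throw new BadSlugError('slug must be a string')

  // Route params can arrive percent-encoded. Decode exactly once and validate
  // the decoded form, so an encoded separator cannot pass the check.
  let slug: string
  try {
    slug = decodeURIComponent(rawSlug)
  } catch {
    throw new BadSlugError('slug is not valid percent-encoding')
  }

  // Allowlist: rejects dots, slashes, '?', '#', '%', whitespace and uppercase.
  if (!SLUG_RE.test(slug)) throw new BadSlugError('slug has unexpected characters')

  // Runtime check for callers that bypass the TypeScript type.
  if ((TENANT_ACTIONS as readonly string[]).indexOf(action) === -1) {
    throw new BadSlugError('unknown tenant action')
  }

  return `/tenants/${encodeURIComponent(slug)}${action ? `/${action}` : ''}`
}
```

A route handler would call `platformApi(event, tenantPath(slug, 'suspend'), { method: 'POST' })` and never concatenate the raw parameter itself.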