ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
e3ce0116743a43facfbe09b403de8e75a16d69d9
dezky/apps/portal/nuxt.config.ts
T
Ronni Baslund 955357a91a
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
Details
ci / test (push) Has been cancelled
Details
feat(apps): make environment URLs prod-ready (env-driven, not hardcoded .local) 
The apps were wired for the dev (.local) environment. Drive the base URLs from
env so one build serves dev and prod (.eu):

- portal nuxt.config: OIDC authorization/token/userinfo/discovery URLs +
  redirectUri now derive from NUXT_PUBLIC_AUTH_URL / NUXT_PUBLIC_PORTAL_URL
  (+ PORTAL_OIDC_APP_SLUG); .local defaults keep dev working with no env.
- portal sign-out handler: end-session + post-logout URLs env-driven.
- portal scheduling page: booking base/host from runtimeConfig.public.bookingUrl
  (NUXT_PUBLIC_BOOKING_URL).
- platform-api: tenant mail domain suffix from PLATFORM_TENANT_DOMAIN (dezky.eu
  in prod), defaulting to dezky.local.

(booking needs no change — its only .local ref is the dev-server allowedHosts.)
2026-06-08 22:18:51 +02:00

143 lines
6.3 KiB
TypeScript
Raw Blame History

// Nuxt 3 configuration for Dezky portal
// https://nuxt.com/docs/api/configuration/nuxt-config
// Base URLs are environment-driven so one build runs in dev (.local) and
// production (.eu). NUXT_PUBLIC_AUTH_URL / NUXT_PUBLIC_PORTAL_URL are set at
// BUILD (CI) and RUNTIME (fleet/apps/portal.yaml + portal-secrets); the .local
// defaults keep local dev working with no env.
const AUTH_URL = (process.env.NUXT_PUBLIC_AUTH_URL || 'https://auth.dezky.local').replace(/\/$/, '')
const PORTAL_URL = (process.env.NUXT_PUBLIC_PORTAL_URL || 'https://app.dezky.local').replace(/\/$/, '')
const PORTAL_OIDC_APP_SLUG = process.env.PORTAL_OIDC_APP_SLUG || 'dezky-portal'
export default defineNuxtConfig({
compatibilityDate: '2026-01-01',
devtools: { enabled: true },
modules: ['nuxt-oidc-auth'],
css: ['~/assets/styles/tokens.css', '~/assets/styles/base.css'],
// Auto-import from the shared packages/ui workspace in addition to the
// app's own components/. /shared-packages is bind-mounted in
// docker-compose.yml — outside containers the same files live at
// <repo>/packages/ui/components/. The local dir keeps the default
// directory-based prefix (so components/partner/InviteTeammateModal.vue
// stays <PartnerInviteTeammateModal>); the shared dir uses no prefix so
// CountrySelect.vue is just <CountrySelect>.
components: [
'~/components',
{ path: '/shared-packages/ui/components', pathPrefix: false },
],
app: {
head: {
link: [
{ rel: 'preconnect', href: 'https://fonts.googleapis.com' },
{ rel: 'preconnect', href: 'https://fonts.gstatic.com', crossorigin: '' },
{
rel: 'stylesheet',
href: 'https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Inter+Tight:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;600;700&display=swap',
},
],
},
},
runtimeConfig: {
mongodbUri: process.env.MONGODB_URI,
apiBase: process.env.NUXT_API_BASE,
public: {
authUrl: process.env.NUXT_PUBLIC_AUTH_URL,
portalUrl: process.env.NUXT_PUBLIC_PORTAL_URL,
bookingUrl: process.env.NUXT_PUBLIC_BOOKING_URL || 'https://booking.dezky.local',
},
},
oidc: {
defaultProvider: 'oidc',
session: {
expirationCheck: true,
automaticRefresh: true,
},
middleware: {
globalMiddlewareEnabled: true,
// Unauthenticated users land directly on the Authentik login flow.
// Authentik is Dezky-branded and serves as the single sign-on entry
// point for every Dezky app (portal, OCIS files, mail, chat). Direct
// navigation to auth.dezky.local or the post-login dashboard
// (/if/user/) is short-circuited by a Traefik middleware on the
// authentik service that redirects to app.dezky.local — see
// infrastructure/docker-compose/docker-compose.yml.
customLoginPage: false,
},
providers: {
// Generic OIDC against our Authentik instance (provider preset key MUST be one of
// apple, auth0, cognito, entra, github, keycloak, logto, microsoft, oidc, paypal, zitadel).
oidc: {
// The root .env uses PORTAL_OIDC_* (operator uses OPERATOR_OIDC_*) so
// both apps can share one .env. docker-compose remaps these to
// NUXT_OIDC_* per-container; locally we just read them directly.
clientId: process.env.PORTAL_OIDC_CLIENT_ID || process.env.NUXT_OIDC_CLIENT_ID || '',
clientSecret: process.env.PORTAL_OIDC_CLIENT_SECRET || process.env.NUXT_OIDC_CLIENT_SECRET || '',
redirectUri: process.env.NUXT_OIDC_REDIRECT_URI || `${PORTAL_URL}/auth/oidc/callback`,
authorizationUrl: `${AUTH_URL}/application/o/authorize/`,
tokenUrl: `${AUTH_URL}/application/o/token/`,
userInfoUrl: `${AUTH_URL}/application/o/userinfo/`,
// Logout is handled by our custom /api/auth/sign-out endpoint, not the
// module's RP-initiated chain. Authentik 2025.10 doesn't reliably
// honor `post_logout_redirect_uri` from the provider invalidation
// flow, so we end the local session ourselves and bounce to a
// Dezky-branded /signed-out page that fires Authentik's end-session
// in a hidden iframe for a clean IdP logout in the background.
logoutUrl: '',
// Discovery URL — used by id_token validation to fetch JWKS + issuer
openIdConfiguration:
`${AUTH_URL}/application/o/${PORTAL_OIDC_APP_SLUG}/.well-known/openid-configuration`,
// offline_access asks Authentik for a refresh token. Without it there's
// nothing to refresh with, so session.automaticRefresh can't run and the
// module's refresh() falls back to a full login() redirect on token
// expiry — yanking the user to the dashboard mid-action and losing their
// input. With it, the access token renews silently in the background.
scope: ['openid', 'profile', 'email', 'groups', 'offline_access'],
userNameClaim: 'preferred_username',
responseType: 'code',
grantType: 'authorization_code',
pkce: true,
// Authentik's access tokens aren't always parseable as JWT — skip strict parsing
skipAccessTokenParsing: true,
// Expose access token in the server-side session so Nitro route handlers can
// forward it to platform-api. Token never reaches the browser.
exposeAccessToken: true,
// ALSO expose the id_token — needed so the logout handler can populate
// `id_token_hint` on the RP-initiated logout URL. Without it Authentik
// can't verify the request comes from a known session and falls back
// to its "You've logged out" confirmation page.
exposeIdToken: true,
},
},
},
vite: {
server: {
hmr: {
protocol: 'wss',
clientPort: 443,
},
// Vite 7's strict allowedHosts blocks anything not in this list with a
// plaintext 403. We serve the portal behind Traefik on app.dezky.local.
allowedHosts: ['app.dezky.local'],
},
},
nitro: {
routeRules: {
'/api/**': { cors: true },
},
// Persist nuxt-oidc-auth's session store on disk so HMR / restarts don't
// sign out everyone in dev. Memory driver (the default) is fine in prod
// when there's one long-running container per instance.
storage: {
oidc: { driver: 'fs', base: '.nuxt/oidc-store' },
},
},
})
Reference in New Issue View Git Blame Copy Permalink