feat(auth): Google OAuth, sealed session and default-deny gating (T9)
Gate the app behind Google sign-in restricted to verified @theodo.com identities, and record the real reporter on filed defects (F9). - nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler, mounted at /auth/google/callback to match the registered redirect URI. - isAllowedGoogleUser re-derives the domain from Google's verified email; the spoofable `hd` claim is deliberately ignored (DESIGN T9). - Default-deny: server middleware 401s unauthenticated /api calls (health and the session endpoint excepted); a global route middleware redirects unauthenticated page navigations to /login. - getReporter() now reads the session email instead of the dev stub. - Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD, NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated. Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path matching. Live OAuth round-trip pending manual verification.
This commit is contained in:
@@ -1,6 +1,12 @@
|
||||
<script setup lang="ts">
|
||||
// Single domain (ADR 0004): report at `/`, view all defects at `/defects`,
|
||||
// with a persistent header to move between them.
|
||||
const { loggedIn, user, clear } = useUserSession()
|
||||
|
||||
async function signOut() {
|
||||
await clear()
|
||||
await navigateTo('/login')
|
||||
}
|
||||
</script>
|
||||
|
||||
<template>
|
||||
@@ -25,6 +31,12 @@
|
||||
</NuxtLink>
|
||||
</li>
|
||||
</ul>
|
||||
<div v-if="loggedIn" class="flex items-center gap-3 pl-2">
|
||||
<span class="hidden text-sm opacity-70 sm:inline">{{ user?.email }}</span>
|
||||
<button type="button" class="btn btn-ghost btn-sm" @click="signOut">
|
||||
Sign out
|
||||
</button>
|
||||
</div>
|
||||
</nav>
|
||||
</header>
|
||||
|
||||
|
||||
13
app/middleware/auth.global.ts
Normal file
13
app/middleware/auth.global.ts
Normal file
@@ -0,0 +1,13 @@
|
||||
// Redirect unauthenticated visitors to the login page, and bounce already
|
||||
// logged-in users away from it (F9). Runs on both SSR and client navigations;
|
||||
// the server data API is gated independently in server/middleware/auth.ts.
|
||||
export default defineNuxtRouteMiddleware((to) => {
|
||||
const { loggedIn } = useUserSession()
|
||||
|
||||
if (!loggedIn.value && to.path !== '/login') {
|
||||
return navigateTo('/login')
|
||||
}
|
||||
if (loggedIn.value && to.path === '/login') {
|
||||
return navigateTo('/')
|
||||
}
|
||||
})
|
||||
32
app/pages/login.vue
Normal file
32
app/pages/login.vue
Normal file
@@ -0,0 +1,32 @@
|
||||
<script setup lang="ts">
|
||||
// Login gate (F9). Standalone (no app header — its nav points at gated routes).
|
||||
// The button is a real anchor so it hits the server OAuth route directly.
|
||||
definePageMeta({ layout: false })
|
||||
|
||||
const route = useRoute()
|
||||
const error = computed(() => {
|
||||
if (route.query.error === 'domain') return 'Sign in with your @theodo.com Google account.'
|
||||
if (route.query.error === 'oauth') return 'Sign-in failed — please try again.'
|
||||
return null
|
||||
})
|
||||
</script>
|
||||
|
||||
<template>
|
||||
<main class="flex min-h-screen items-center justify-center p-6">
|
||||
<div class="card bg-base-100 border-base-300 w-full max-w-sm border shadow-sm">
|
||||
<div class="card-body items-center text-center gap-4">
|
||||
<h1 class="flex items-center gap-2 text-2xl font-semibold">
|
||||
<span class="size-2.5 rounded-full bg-[#e11d48]" aria-hidden="true" />
|
||||
Project Board Andon
|
||||
</h1>
|
||||
<p class="opacity-70">Sign in to report and view board defects.</p>
|
||||
|
||||
<p v-if="error" role="alert" class="alert alert-error text-sm">{{ error }}</p>
|
||||
|
||||
<a href="/auth/google/callback" class="btn btn-primary w-full">
|
||||
Sign in with Google
|
||||
</a>
|
||||
</div>
|
||||
</div>
|
||||
</main>
|
||||
</template>
|
||||
Reference in New Issue
Block a user