feat(auth): Google OAuth, sealed session and default-deny gating (T9)

Gate the app behind Google sign-in restricted to verified @theodo.com
identities, and record the real reporter on filed defects (F9).

- nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler,
  mounted at /auth/google/callback to match the registered redirect URI.
- isAllowedGoogleUser re-derives the domain from Google's verified email;
  the spoofable `hd` claim is deliberately ignored (DESIGN T9).
- Default-deny: server middleware 401s unauthenticated /api calls (health
  and the session endpoint excepted); a global route middleware redirects
  unauthenticated page navigations to /login.
- getReporter() now reads the session email instead of the dev stub.
- Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD,
  NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated.

Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path
matching. Live OAuth round-trip pending manual verification.
This commit is contained in:
Julien Calixte
2026-05-28 01:09:48 +02:00
parent 73e4c56a9e
commit 82ac540909
18 changed files with 368 additions and 21 deletions

32
app/pages/login.vue Normal file
View File

@@ -0,0 +1,32 @@
<script setup lang="ts">
// Login gate (F9). Standalone (no app header — its nav points at gated routes).
// The button is a real anchor so it hits the server OAuth route directly.
definePageMeta({ layout: false })
const route = useRoute()
const error = computed(() => {
if (route.query.error === 'domain') return 'Sign in with your @theodo.com Google account.'
if (route.query.error === 'oauth') return 'Sign-in failed — please try again.'
return null
})
</script>
<template>
<main class="flex min-h-screen items-center justify-center p-6">
<div class="card bg-base-100 border-base-300 w-full max-w-sm border shadow-sm">
<div class="card-body items-center text-center gap-4">
<h1 class="flex items-center gap-2 text-2xl font-semibold">
<span class="size-2.5 rounded-full bg-[#e11d48]" aria-hidden="true" />
Project Board Andon
</h1>
<p class="opacity-70">Sign in to report and view board defects.</p>
<p v-if="error" role="alert" class="alert alert-error text-sm">{{ error }}</p>
<a href="/auth/google/callback" class="btn btn-primary w-full">
Sign in with Google
</a>
</div>
</div>
</main>
</template>