feat(auth): Google OAuth, sealed session and default-deny gating (T9)
Gate the app behind Google sign-in restricted to verified @theodo.com identities, and record the real reporter on filed defects (F9). - nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler, mounted at /auth/google/callback to match the registered redirect URI. - isAllowedGoogleUser re-derives the domain from Google's verified email; the spoofable `hd` claim is deliberately ignored (DESIGN T9). - Default-deny: server middleware 401s unauthenticated /api calls (health and the session endpoint excepted); a global route middleware redirects unauthenticated page navigations to /login. - getReporter() now reads the session email instead of the dev stub. - Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD, NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated. Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path matching. Live OAuth round-trip pending manual verification.
This commit is contained in:
@@ -11,5 +11,5 @@ export default defineEventHandler(async (event) => {
|
||||
if (input instanceof type.errors) {
|
||||
throw createError({ statusCode: 400, statusMessage: input.summary })
|
||||
}
|
||||
return createDefect(getDb(), { ...input, reporterEmail: getReporter(event) })
|
||||
return createDefect(getDb(), { ...input, reporterEmail: await getReporter(event) })
|
||||
})
|
||||
|
||||
15
server/middleware/auth.ts
Normal file
15
server/middleware/auth.ts
Normal file
@@ -0,0 +1,15 @@
|
||||
import { isPublicApiPath } from '../utils/authPaths'
|
||||
|
||||
// Default-deny gate for the data API (F9). Every `/api` route requires an
|
||||
// authenticated session except the explicitly public ones (health probe, the
|
||||
// session endpoint). Pages are guarded separately by app/middleware/auth.global
|
||||
// so static assets and the OAuth route stay reachable while unauthenticated.
|
||||
export default defineEventHandler(async (event) => {
|
||||
if (!event.path.startsWith('/api/')) return
|
||||
if (isPublicApiPath(event.path)) return
|
||||
|
||||
const { user } = await getUserSession(event)
|
||||
if (!user) {
|
||||
throw createError({ statusCode: 401, statusMessage: 'Authentication required' })
|
||||
}
|
||||
})
|
||||
25
server/routes/auth/google/callback.get.ts
Normal file
25
server/routes/auth/google/callback.get.ts
Normal file
@@ -0,0 +1,25 @@
|
||||
import { isAllowedGoogleUser, type GoogleUserInfo } from '../../../utils/allowedGoogleUser'
|
||||
|
||||
// Google OAuth entry + callback (F9). nuxt-auth-utils uses one handler for
|
||||
// both legs: with no `?code` it redirects to Google; on return it exchanges the
|
||||
// code and hands us the verified userinfo. We then re-check the email domain
|
||||
// server-side (the `hd` claim is not trusted) before minting a session.
|
||||
export default defineOAuthGoogleEventHandler({
|
||||
config: {},
|
||||
async onSuccess(event, { user }) {
|
||||
const info = user as GoogleUserInfo
|
||||
if (!isAllowedGoogleUser(info)) {
|
||||
await clearUserSession(event)
|
||||
return sendRedirect(event, '/login?error=domain')
|
||||
}
|
||||
await setUserSession(event, {
|
||||
// isAllowedGoogleUser guarantees a present email; narrow for the compiler.
|
||||
user: { email: info.email!, name: user.name, picture: user.picture },
|
||||
})
|
||||
return sendRedirect(event, '/')
|
||||
},
|
||||
onError(event, error) {
|
||||
console.error('Google OAuth error:', error)
|
||||
return sendRedirect(event, '/login?error=oauth')
|
||||
},
|
||||
})
|
||||
21
server/utils/allowedGoogleUser.ts
Normal file
21
server/utils/allowedGoogleUser.ts
Normal file
@@ -0,0 +1,21 @@
|
||||
// Authorisation gate for Google identities (F9, DESIGN T9).
|
||||
//
|
||||
// Access is restricted to the company's verified email domain. We deliberately
|
||||
// ignore Google's `hd` (hosted-domain) claim as the source of truth: a personal
|
||||
// account can be made to present an `hd`, so we re-derive the domain from the
|
||||
// email Google itself reports as verified.
|
||||
const ALLOWED_EMAIL_DOMAIN = 'theodo.com'
|
||||
|
||||
export interface GoogleUserInfo {
|
||||
email?: string
|
||||
email_verified?: boolean | string
|
||||
// `hd` is intentionally not consulted — see the module comment.
|
||||
hd?: string
|
||||
}
|
||||
|
||||
export function isAllowedGoogleUser(user: GoogleUserInfo): boolean {
|
||||
const verified = user.email_verified === true || user.email_verified === 'true'
|
||||
if (!verified || !user.email) return false
|
||||
const domain = user.email.split('@')[1]?.toLowerCase()
|
||||
return domain === ALLOWED_EMAIL_DOMAIN
|
||||
}
|
||||
12
server/utils/authPaths.ts
Normal file
12
server/utils/authPaths.ts
Normal file
@@ -0,0 +1,12 @@
|
||||
// Which `/api` routes bypass the default-deny auth middleware (F9).
|
||||
//
|
||||
// `/api/health` must answer for the orchestrator's liveness probe before any
|
||||
// session exists; `/api/_auth/*` is nuxt-auth-utils' own session endpoint that
|
||||
// the client uses to read/clear the session. Everything else under `/api`
|
||||
// requires an authenticated session.
|
||||
const PUBLIC_API_PREFIXES = ['/api/health', '/api/_auth/']
|
||||
|
||||
export function isPublicApiPath(path: string): boolean {
|
||||
const pathname = path.split('?')[0]!
|
||||
return PUBLIC_API_PREFIXES.some((prefix) => pathname.startsWith(prefix))
|
||||
}
|
||||
@@ -2,9 +2,14 @@ import type { H3Event } from 'h3'
|
||||
|
||||
/**
|
||||
* Resolves the reporter's email — the one seam between filing and auth (ADR
|
||||
* 0002). For now it returns a fixed dev identity so the filing slice works
|
||||
* before OAuth exists; Task 9 swaps this to read the verified session email.
|
||||
* 0002). Backed by the authenticated Google session (Task 9) so defects record
|
||||
* the true reporter. The auth middleware already gates the filing endpoint, so
|
||||
* a missing session here is an unexpected 401, not a normal path.
|
||||
*/
|
||||
export function getReporter(_event: H3Event): string {
|
||||
return process.env.DEV_REPORTER_EMAIL ?? 'dev@theodo.com'
|
||||
export async function getReporter(event: H3Event): Promise<string> {
|
||||
const { user } = await getUserSession(event)
|
||||
if (!user?.email) {
|
||||
throw createError({ statusCode: 401, statusMessage: 'Authentication required' })
|
||||
}
|
||||
return user.email
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user