feat(auth): Google OAuth, sealed session and default-deny gating (T9)

Gate the app behind Google sign-in restricted to verified @theodo.com
identities, and record the real reporter on filed defects (F9).

- nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler,
  mounted at /auth/google/callback to match the registered redirect URI.
- isAllowedGoogleUser re-derives the domain from Google's verified email;
  the spoofable `hd` claim is deliberately ignored (DESIGN T9).
- Default-deny: server middleware 401s unauthenticated /api calls (health
  and the session endpoint excepted); a global route middleware redirects
  unauthenticated page navigations to /login.
- getReporter() now reads the session email instead of the dev stub.
- Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD,
  NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated.

Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path
matching. Live OAuth round-trip pending manual verification.
This commit is contained in:
Julien Calixte
2026-05-28 01:09:48 +02:00
parent 73e4c56a9e
commit 82ac540909
18 changed files with 368 additions and 21 deletions

View File

@@ -0,0 +1,25 @@
import { isAllowedGoogleUser, type GoogleUserInfo } from '../../../utils/allowedGoogleUser'
// Google OAuth entry + callback (F9). nuxt-auth-utils uses one handler for
// both legs: with no `?code` it redirects to Google; on return it exchanges the
// code and hands us the verified userinfo. We then re-check the email domain
// server-side (the `hd` claim is not trusted) before minting a session.
export default defineOAuthGoogleEventHandler({
config: {},
async onSuccess(event, { user }) {
const info = user as GoogleUserInfo
if (!isAllowedGoogleUser(info)) {
await clearUserSession(event)
return sendRedirect(event, '/login?error=domain')
}
await setUserSession(event, {
// isAllowedGoogleUser guarantees a present email; narrow for the compiler.
user: { email: info.email!, name: user.name, picture: user.picture },
})
return sendRedirect(event, '/')
},
onError(event, error) {
console.error('Google OAuth error:', error)
return sendRedirect(event, '/login?error=oauth')
},
})