feat(auth): Google OAuth, sealed session and default-deny gating (T9)

Gate the app behind Google sign-in restricted to verified @theodo.com
identities, and record the real reporter on filed defects (F9).

- nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler,
  mounted at /auth/google/callback to match the registered redirect URI.
- isAllowedGoogleUser re-derives the domain from Google's verified email;
  the spoofable `hd` claim is deliberately ignored (DESIGN T9).
- Default-deny: server middleware 401s unauthenticated /api calls (health
  and the session endpoint excepted); a global route middleware redirects
  unauthenticated page navigations to /login.
- getReporter() now reads the session email instead of the dev stub.
- Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD,
  NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated.

Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path
matching. Live OAuth round-trip pending manual verification.
This commit is contained in:
Julien Calixte
2026-05-28 01:09:48 +02:00
parent 73e4c56a9e
commit 82ac540909
18 changed files with 368 additions and 21 deletions

View File

@@ -0,0 +1,21 @@
// Authorisation gate for Google identities (F9, DESIGN T9).
//
// Access is restricted to the company's verified email domain. We deliberately
// ignore Google's `hd` (hosted-domain) claim as the source of truth: a personal
// account can be made to present an `hd`, so we re-derive the domain from the
// email Google itself reports as verified.
const ALLOWED_EMAIL_DOMAIN = 'theodo.com'
export interface GoogleUserInfo {
email?: string
email_verified?: boolean | string
// `hd` is intentionally not consulted — see the module comment.
hd?: string
}
export function isAllowedGoogleUser(user: GoogleUserInfo): boolean {
const verified = user.email_verified === true || user.email_verified === 'true'
if (!verified || !user.email) return false
const domain = user.email.split('@')[1]?.toLowerCase()
return domain === ALLOWED_EMAIL_DOMAIN
}

12
server/utils/authPaths.ts Normal file
View File

@@ -0,0 +1,12 @@
// Which `/api` routes bypass the default-deny auth middleware (F9).
//
// `/api/health` must answer for the orchestrator's liveness probe before any
// session exists; `/api/_auth/*` is nuxt-auth-utils' own session endpoint that
// the client uses to read/clear the session. Everything else under `/api`
// requires an authenticated session.
const PUBLIC_API_PREFIXES = ['/api/health', '/api/_auth/']
export function isPublicApiPath(path: string): boolean {
const pathname = path.split('?')[0]!
return PUBLIC_API_PREFIXES.some((prefix) => pathname.startsWith(prefix))
}

View File

@@ -2,9 +2,14 @@ import type { H3Event } from 'h3'
/**
* Resolves the reporter's email — the one seam between filing and auth (ADR
* 0002). For now it returns a fixed dev identity so the filing slice works
* before OAuth exists; Task 9 swaps this to read the verified session email.
* 0002). Backed by the authenticated Google session (Task 9) so defects record
* the true reporter. The auth middleware already gates the filing endpoint, so
* a missing session here is an unexpected 401, not a normal path.
*/
export function getReporter(_event: H3Event): string {
return process.env.DEV_REPORTER_EMAIL ?? 'dev@theodo.com'
export async function getReporter(event: H3Event): Promise<string> {
const { user } = await getUserSession(event)
if (!user?.email) {
throw createError({ statusCode: 401, statusMessage: 'Authentication required' })
}
return user.email
}