feat(auth): Google OAuth, sealed session and default-deny gating (T9)
Gate the app behind Google sign-in restricted to verified @theodo.com identities, and record the real reporter on filed defects (F9). - nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler, mounted at /auth/google/callback to match the registered redirect URI. - isAllowedGoogleUser re-derives the domain from Google's verified email; the spoofable `hd` claim is deliberately ignored (DESIGN T9). - Default-deny: server middleware 401s unauthenticated /api calls (health and the session endpoint excepted); a global route middleware redirects unauthenticated page navigations to /login. - getReporter() now reads the session email instead of the dev stub. - Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD, NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated. Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path matching. Live OAuth round-trip pending manual verification.
This commit is contained in:
@@ -2,9 +2,14 @@ import type { H3Event } from 'h3'
|
||||
|
||||
/**
|
||||
* Resolves the reporter's email — the one seam between filing and auth (ADR
|
||||
* 0002). For now it returns a fixed dev identity so the filing slice works
|
||||
* before OAuth exists; Task 9 swaps this to read the verified session email.
|
||||
* 0002). Backed by the authenticated Google session (Task 9) so defects record
|
||||
* the true reporter. The auth middleware already gates the filing endpoint, so
|
||||
* a missing session here is an unexpected 401, not a normal path.
|
||||
*/
|
||||
export function getReporter(_event: H3Event): string {
|
||||
return process.env.DEV_REPORTER_EMAIL ?? 'dev@theodo.com'
|
||||
export async function getReporter(event: H3Event): Promise<string> {
|
||||
const { user } = await getUserSession(event)
|
||||
if (!user?.email) {
|
||||
throw createError({ statusCode: 401, statusMessage: 'Authentication required' })
|
||||
}
|
||||
return user.email
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user