feat(auth): Google OAuth, sealed session and default-deny gating (T9)
Gate the app behind Google sign-in restricted to verified @theodo.com identities, and record the real reporter on filed defects (F9). - nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler, mounted at /auth/google/callback to match the registered redirect URI. - isAllowedGoogleUser re-derives the domain from Google's verified email; the spoofable `hd` claim is deliberately ignored (DESIGN T9). - Default-deny: server middleware 401s unauthenticated /api calls (health and the session endpoint excepted); a global route middleware redirects unauthenticated page navigations to /login. - getReporter() now reads the session email instead of the dev stub. - Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD, NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated. Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path matching. Live OAuth round-trip pending manual verification.
This commit is contained in:
52
tests/auth.spec.ts
Normal file
52
tests/auth.spec.ts
Normal file
@@ -0,0 +1,52 @@
|
||||
import { describe, it, expect } from 'vitest'
|
||||
import { isAllowedGoogleUser } from '../server/utils/allowedGoogleUser'
|
||||
import { isPublicApiPath } from '../server/utils/authPaths'
|
||||
|
||||
// F9: access is restricted to verified @theodo.com identities. The Google
|
||||
// `hd` (hosted-domain) claim is NOT trusted on its own — we re-derive the
|
||||
// domain from the verified email server-side (DESIGN T9).
|
||||
describe('isAllowedGoogleUser', () => {
|
||||
it('allows a verified @theodo.com email', () => {
|
||||
expect(isAllowedGoogleUser({ email: 'jane@theodo.com', email_verified: true })).toBe(true)
|
||||
})
|
||||
|
||||
it('denies a non-theodo verified email even when hd claims theodo.com', () => {
|
||||
expect(
|
||||
isAllowedGoogleUser({ email: 'attacker@gmail.com', email_verified: true, hd: 'theodo.com' }),
|
||||
).toBe(false)
|
||||
})
|
||||
|
||||
it('denies a theodo email that Google has not verified', () => {
|
||||
expect(isAllowedGoogleUser({ email: 'jane@theodo.com', email_verified: false })).toBe(false)
|
||||
})
|
||||
|
||||
it('matches the domain case-insensitively', () => {
|
||||
expect(isAllowedGoogleUser({ email: 'jane@Theodo.COM', email_verified: true })).toBe(true)
|
||||
})
|
||||
|
||||
it('denies when the email is missing', () => {
|
||||
expect(isAllowedGoogleUser({ email_verified: true, hd: 'theodo.com' })).toBe(false)
|
||||
})
|
||||
|
||||
it('denies a look-alike domain that merely ends in theodo.com', () => {
|
||||
expect(isAllowedGoogleUser({ email: 'eve@nottheodo.com', email_verified: true })).toBe(false)
|
||||
})
|
||||
})
|
||||
|
||||
describe('isPublicApiPath', () => {
|
||||
it('treats the health check as public', () => {
|
||||
expect(isPublicApiPath('/api/health')).toBe(true)
|
||||
})
|
||||
|
||||
it('treats the session endpoint as public', () => {
|
||||
expect(isPublicApiPath('/api/_auth/session')).toBe(true)
|
||||
})
|
||||
|
||||
it('gates the defects API', () => {
|
||||
expect(isPublicApiPath('/api/defects')).toBe(false)
|
||||
})
|
||||
|
||||
it('ignores the query string when matching', () => {
|
||||
expect(isPublicApiPath('/api/health?probe=1')).toBe(true)
|
||||
})
|
||||
})
|
||||
Reference in New Issue
Block a user