Gate the app behind Google sign-in restricted to verified @theodo.com identities, and record the real reporter on filed defects (F9). - nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler, mounted at /auth/google/callback to match the registered redirect URI. - isAllowedGoogleUser re-derives the domain from Google's verified email; the spoofable `hd` claim is deliberately ignored (DESIGN T9). - Default-deny: server middleware 401s unauthenticated /api calls (health and the session endpoint excepted); a global route middleware redirects unauthenticated page navigations to /login. - getReporter() now reads the session email instead of the dev stub. - Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD, NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated. Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path matching. Live OAuth round-trip pending manual verification.
44 lines
1.4 KiB
YAML
44 lines
1.4 KiB
YAML
# Production / self-host stack (Coolify-deployable as a Docker Compose resource).
|
|
# For production, prefer a Coolify-managed Postgres (automatic backups — see
|
|
# docs/adr/0003) by setting DATABASE_URL to it; the bundled `db` service is for
|
|
# self-hosting and local production testing.
|
|
# docker compose up --build
|
|
services:
|
|
app:
|
|
build:
|
|
context: .
|
|
dockerfile: Dockerfile
|
|
restart: unless-stopped
|
|
ports:
|
|
- "3000:3000"
|
|
environment:
|
|
DATABASE_URL: ${DATABASE_URL:-postgres://andon:andon@db:5432/andon}
|
|
NUXT_SESSION_PASSWORD: ${NUXT_SESSION_PASSWORD:-}
|
|
NUXT_OAUTH_GOOGLE_CLIENT_ID: ${NUXT_OAUTH_GOOGLE_CLIENT_ID:-}
|
|
NUXT_OAUTH_GOOGLE_CLIENT_SECRET: ${NUXT_OAUTH_GOOGLE_CLIENT_SECRET:-}
|
|
NUXT_OAUTH_GOOGLE_REDIRECT_URL: ${NUXT_OAUTH_GOOGLE_REDIRECT_URL:-}
|
|
VAPID_PUBLIC_KEY: ${VAPID_PUBLIC_KEY:-}
|
|
VAPID_PRIVATE_KEY: ${VAPID_PRIVATE_KEY:-}
|
|
VAPID_SUBJECT: ${VAPID_SUBJECT:-mailto:owner@theodo.com}
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
|
|
db:
|
|
image: postgres:16-alpine
|
|
restart: unless-stopped
|
|
environment:
|
|
POSTGRES_USER: ${POSTGRES_USER:-andon}
|
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-andon}
|
|
POSTGRES_DB: ${POSTGRES_DB:-andon}
|
|
volumes:
|
|
- andon_pgdata:/var/lib/postgresql/data
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-andon}"]
|
|
interval: 5s
|
|
timeout: 5s
|
|
retries: 5
|
|
|
|
volumes:
|
|
andon_pgdata:
|