Gate the app behind Google sign-in restricted to verified @theodo.com identities, and record the real reporter on filed defects (F9). - nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler, mounted at /auth/google/callback to match the registered redirect URI. - isAllowedGoogleUser re-derives the domain from Google's verified email; the spoofable `hd` claim is deliberately ignored (DESIGN T9). - Default-deny: server middleware 401s unauthenticated /api calls (health and the session endpoint excepted); a global route middleware redirects unauthenticated page navigations to /login. - getReporter() now reads the session email instead of the dev stub. - Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD, NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated. Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path matching. Live OAuth round-trip pending manual verification.
22 lines
860 B
TypeScript
22 lines
860 B
TypeScript
// Authorisation gate for Google identities (F9, DESIGN T9).
|
|
//
|
|
// Access is restricted to the company's verified email domain. We deliberately
|
|
// ignore Google's `hd` (hosted-domain) claim as the source of truth: a personal
|
|
// account can be made to present an `hd`, so we re-derive the domain from the
|
|
// email Google itself reports as verified.
|
|
const ALLOWED_EMAIL_DOMAIN = 'theodo.com'
|
|
|
|
export interface GoogleUserInfo {
|
|
email?: string
|
|
email_verified?: boolean | string
|
|
// `hd` is intentionally not consulted — see the module comment.
|
|
hd?: string
|
|
}
|
|
|
|
export function isAllowedGoogleUser(user: GoogleUserInfo): boolean {
|
|
const verified = user.email_verified === true || user.email_verified === 'true'
|
|
if (!verified || !user.email) return false
|
|
const domain = user.email.split('@')[1]?.toLowerCase()
|
|
return domain === ALLOWED_EMAIL_DOMAIN
|
|
}
|