Files
andon/tasks/todo.md
Julien Calixte 82ac540909 feat(auth): Google OAuth, sealed session and default-deny gating (T9)
Gate the app behind Google sign-in restricted to verified @theodo.com
identities, and record the real reporter on filed defects (F9).

- nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler,
  mounted at /auth/google/callback to match the registered redirect URI.
- isAllowedGoogleUser re-derives the domain from Google's verified email;
  the spoofable `hd` claim is deliberately ignored (DESIGN T9).
- Default-deny: server middleware 401s unauthenticated /api calls (health
  and the session endpoint excepted); a global route middleware redirects
  unauthenticated page navigations to /login.
- getReporter() now reads the session email instead of the dev stub.
- Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD,
  NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated.

Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path
matching. Live OAuth round-trip pending manual verification.
2026-05-28 01:09:48 +02:00

2.2 KiB
Raw Blame History

Andon — Task Checklist

Derived from plan.md. Build order follows the House of Quality weights (DESIGN.md §4). Check off as tasks complete; stop at each checkpoint for review.

Phase 1 — Foundation & board spine

  • T1 Scaffold Nuxt 4 + tooling + Dockerised dev (M) — deps: none
  • T2 Board-definition module (C1) + BoardView (C2) — F1 (M) — deps: T1
  • Checkpoint: build + tests pass, board interactive, human review

Phase 2 — File a defect (G1)

  • T3 Postgres schema + migrations (C8) (S) — deps: T1
  • T4 Projects API + ProjectAutocomplete (C4) — F3 (M) — deps: T3
  • T5 File a defect: POST /api/defects + DefectForm (C3) — F2 (M) — deps: T2, T3, T4
  • Checkpoint: defect files end-to-end (dev auth), tests pass, human review

Phase 3 — See weak points (G2)

  • T6 Defects read API: feed + per-section counts (C7) — F6 (M) — deps: T3
  • T7 Dashboard DotMap (C5) — F4 (M) — deps: T2, T6
  • T8 VerbatimModal + Feed (C6) — F5 (M) — deps: T6, T7
  • Checkpoint: dashboard dot map + feed + modal work, ≤350ms @2k, human review

Phase 4 — Authentication (G4)

  • T9 Google OAuth + session + domain-check middleware (C9) — F9 (M) — deps: T1, retrofits T5
  • Checkpoint: both views gated to @theodo.com, reporters real, human review

Phase 5 — Notifications (G3)

  • T10 Web Push subscribe + service worker (C10) — F8 (M) — deps: T3, T9
  • T11 Send push on defect filed (fire-and-forget) — F7 (S) — deps: T5, T10
  • Checkpoint: file → push arrives ≤10s, filing latency unaffected, human review

Phase 6 — Ship (F10)

  • T12 Prod image + Coolify managed Postgres (backups) & domains (C11) (M) — deps: T1T11
  • Checkpoint: data survives redeploy, both subdomains live, ready for review

Blocked on open questions (see plan.md)

  • Google OAuth client provisioning (blocks T9) — client provided; redirect URI …/auth/google/callback
  • Confirm pnpm + Vitest + Playwright vs Theodo template (affects T1)
  • Coolify two-domain routing model (affects T12)
  • "Owner only" vs any subscribed user for push (affects T10/T11)