Files
andon/server/middleware/auth.ts
Julien Calixte 82ac540909 feat(auth): Google OAuth, sealed session and default-deny gating (T9)
Gate the app behind Google sign-in restricted to verified @theodo.com
identities, and record the real reporter on filed defects (F9).

- nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler,
  mounted at /auth/google/callback to match the registered redirect URI.
- isAllowedGoogleUser re-derives the domain from Google's verified email;
  the spoofable `hd` claim is deliberately ignored (DESIGN T9).
- Default-deny: server middleware 401s unauthenticated /api calls (health
  and the session endpoint excepted); a global route middleware redirects
  unauthenticated page navigations to /login.
- getReporter() now reads the session email instead of the dev stub.
- Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD,
  NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated.

Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path
matching. Live OAuth round-trip pending manual verification.
2026-05-28 01:09:48 +02:00

16 lines
662 B
TypeScript

import { isPublicApiPath } from '../utils/authPaths'
// Default-deny gate for the data API (F9). Every `/api` route requires an
// authenticated session except the explicitly public ones (health probe, the
// session endpoint). Pages are guarded separately by app/middleware/auth.global
// so static assets and the OAuth route stay reachable while unauthenticated.
export default defineEventHandler(async (event) => {
if (!event.path.startsWith('/api/')) return
if (isPublicApiPath(event.path)) return
const { user } = await getUserSession(event)
if (!user) {
throw createError({ statusCode: 401, statusMessage: 'Authentication required' })
}
})