Files
andon/.env.example
Julien Calixte 82ac540909 feat(auth): Google OAuth, sealed session and default-deny gating (T9)
Gate the app behind Google sign-in restricted to verified @theodo.com
identities, and record the real reporter on filed defects (F9).

- nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler,
  mounted at /auth/google/callback to match the registered redirect URI.
- isAllowedGoogleUser re-derives the domain from Google's verified email;
  the spoofable `hd` claim is deliberately ignored (DESIGN T9).
- Default-deny: server middleware 401s unauthenticated /api calls (health
  and the session endpoint excepted); a global route middleware redirects
  unauthenticated page navigations to /login.
- getReporter() now reads the session email instead of the dev stub.
- Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD,
  NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated.

Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path
matching. Live OAuth round-trip pending manual verification.
2026-05-28 01:09:48 +02:00

24 lines
922 B
Plaintext

# App — session sealing key for nuxt-auth-utils (must be ≥32 chars)
NUXT_SESSION_PASSWORD=change-me-to-a-long-random-string-min-32-chars
# Database (Postgres) — Coolify-managed in prod, docker-compose in dev
DATABASE_URL=postgres://andon:andon@localhost:5432/andon
# Credentials for the bundled Postgres service in docker-compose.yml
POSTGRES_USER=andon
POSTGRES_PASSWORD=andon
POSTGRES_DB=andon
# Google OAuth (Task 9) — nuxt-auth-utils reads these exact names. Access is
# restricted server-side to verified @theodo.com emails (the `hd` claim is not
# trusted on its own). REDIRECT_URL must match an Authorized redirect URI in the
# Google Cloud console (defaults to <origin>/auth/google/callback if unset).
NUXT_OAUTH_GOOGLE_CLIENT_ID=
NUXT_OAUTH_GOOGLE_CLIENT_SECRET=
NUXT_OAUTH_GOOGLE_REDIRECT_URL=
# Web Push / VAPID (Task 10)
VAPID_PUBLIC_KEY=
VAPID_PRIVATE_KEY=
VAPID_SUBJECT=mailto:example@theodo.com