Gate the app behind Google sign-in restricted to verified @theodo.com identities, and record the real reporter on filed defects (F9). - nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler, mounted at /auth/google/callback to match the registered redirect URI. - isAllowedGoogleUser re-derives the domain from Google's verified email; the spoofable `hd` claim is deliberately ignored (DESIGN T9). - Default-deny: server middleware 401s unauthenticated /api calls (health and the session endpoint excepted); a global route middleware redirects unauthenticated page navigations to /login. - getReporter() now reads the session email instead of the dev stub. - Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD, NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated. Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path matching. Live OAuth round-trip pending manual verification.
26 lines
1.0 KiB
TypeScript
26 lines
1.0 KiB
TypeScript
import { isAllowedGoogleUser, type GoogleUserInfo } from '../../../utils/allowedGoogleUser'
|
|
|
|
// Google OAuth entry + callback (F9). nuxt-auth-utils uses one handler for
|
|
// both legs: with no `?code` it redirects to Google; on return it exchanges the
|
|
// code and hands us the verified userinfo. We then re-check the email domain
|
|
// server-side (the `hd` claim is not trusted) before minting a session.
|
|
export default defineOAuthGoogleEventHandler({
|
|
config: {},
|
|
async onSuccess(event, { user }) {
|
|
const info = user as GoogleUserInfo
|
|
if (!isAllowedGoogleUser(info)) {
|
|
await clearUserSession(event)
|
|
return sendRedirect(event, '/login?error=domain')
|
|
}
|
|
await setUserSession(event, {
|
|
// isAllowedGoogleUser guarantees a present email; narrow for the compiler.
|
|
user: { email: info.email!, name: user.name, picture: user.picture },
|
|
})
|
|
return sendRedirect(event, '/')
|
|
},
|
|
onError(event, error) {
|
|
console.error('Google OAuth error:', error)
|
|
return sendRedirect(event, '/login?error=oauth')
|
|
},
|
|
})
|