Gate the app behind Google sign-in restricted to verified @theodo.com identities, and record the real reporter on filed defects (F9). - nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler, mounted at /auth/google/callback to match the registered redirect URI. - isAllowedGoogleUser re-derives the domain from Google's verified email; the spoofable `hd` claim is deliberately ignored (DESIGN T9). - Default-deny: server middleware 401s unauthenticated /api calls (health and the session endpoint excepted); a global route middleware redirects unauthenticated page navigations to /login. - getReporter() now reads the session email instead of the dev stub. - Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD, NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated. Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path matching. Live OAuth round-trip pending manual verification.
13 lines
576 B
TypeScript
13 lines
576 B
TypeScript
// Which `/api` routes bypass the default-deny auth middleware (F9).
|
|
//
|
|
// `/api/health` must answer for the orchestrator's liveness probe before any
|
|
// session exists; `/api/_auth/*` is nuxt-auth-utils' own session endpoint that
|
|
// the client uses to read/clear the session. Everything else under `/api`
|
|
// requires an authenticated session.
|
|
const PUBLIC_API_PREFIXES = ['/api/health', '/api/_auth/']
|
|
|
|
export function isPublicApiPath(path: string): boolean {
|
|
const pathname = path.split('?')[0]!
|
|
return PUBLIC_API_PREFIXES.some((prefix) => pathname.startsWith(prefix))
|
|
}
|