ordinarthur/rubis
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rubis/apps/api/start/env.ts
ordinarthur 7521e1fff6 feat(auth): Microsoft 365 SSO + factorisation helper SSO partagé 
Backend
- Custom Ally driver Microsoft (Oauth2Driver) — Microsoft n'est pas dans
  les providers built-in, mais le driver dérive de Oauth2Driver en quelques
  lignes. Endpoints v2.0 (Microsoft Identity Platform), Graph /me pour le
  profil, fallback userPrincipalName si mail null (comptes perso).
- Tenant configurable via MICROSOFT_TENANT (défaut 'common' — accepte
  work/school + perso ; 'organizations' pour M365 strict).
- Migration 1400 : ajout microsoft_id nullable unique sur users.
- AuthMicrosoftController : redirect + callback (même pattern que Google).
- Refacto : extraction d'un service sso_session.ts (findOrCreateUserFromSso,
  nextRouteAfterSso, emitSsoSessionAndRedirect) → AuthGoogle + AuthMicrosoft
  partagent la logique.
- Routes /api/v1/auth/microsoft/{redirect,callback}.

Frontend
- Composant SsoButton générique (provider="google"|"microsoft") avec logo
  officiel inline pour chaque. Remplace l'ancien GoogleButton.
- Login + signup : pile verticale "Continuer avec Google" + "Continuer
  avec Microsoft", puis séparateur "ou", puis form email/password.
- Route SPA renommée /auth/google/complete → /auth/sso/complete (partagée
  entre les deux providers, la callback API redirige toujours dessus).
- Erreurs SSO sur /login : ?google=... ET ?microsoft=... → toast contextuel.

K3s
- ConfigMap rubis-api-config : ajout MICROSOFT_TENANT + MICROSOFT_CALLBACK_URL.
- Secret rubis-app-secrets : ajout MICROSOFT_CLIENT_ID + MICROSOFT_CLIENT_SECRET.

Doc
- .claude/deploy-memory.md : procédure Azure / Entra ID app registration.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 09:38:38 +02:00

89 lines
3.2 KiB
TypeScript
Raw Blame History

/*
|--------------------------------------------------------------------------
| Environment variables service
|--------------------------------------------------------------------------
|
| The `Env.create` method creates an instance of the Env service. The
| service validates the environment variables and also cast values
| to JavaScript data types.
|
*/
import { Env } from '@adonisjs/core/env'
export default await Env.create(new URL('../', import.meta.url), {
// Node
NODE_ENV: Env.schema.enum(['development', 'production', 'test'] as const),
PORT: Env.schema.number(),
HOST: Env.schema.string({ format: 'host' }),
LOG_LEVEL: Env.schema.string(),
// App
APP_KEY: Env.schema.secret(),
APP_URL: Env.schema.string({ format: 'url', tld: false }),
// Session
SESSION_DRIVER: Env.schema.enum(['cookie', 'memory', 'database'] as const),
// Database
DB_CONNECTION: Env.schema.enum.optional(['postgres', 'sqlite'] as const),
PG_HOST: Env.schema.string.optional({ format: 'host' }),
PG_PORT: Env.schema.number.optional(),
PG_USER: Env.schema.string.optional(),
PG_PASSWORD: Env.schema.string.optional(),
PG_DB_NAME: Env.schema.string.optional(),
// Redis (BullMQ + cache)
REDIS_HOST: Env.schema.string.optional({ format: 'host' }),
REDIS_PORT: Env.schema.number.optional(),
REDIS_PASSWORD: Env.schema.string.optional(),
// Storage (MinIO via S3 driver)
DRIVE_DISK: Env.schema.enum.optional(['s3', 'fs'] as const),
S3_ENDPOINT: Env.schema.string.optional({ format: 'url', tld: false }),
S3_REGION: Env.schema.string.optional(),
S3_BUCKET: Env.schema.string.optional(),
S3_ACCESS_KEY: Env.schema.string.optional(),
S3_SECRET_KEY: Env.schema.string.optional(),
S3_FORCE_PATH_STYLE: Env.schema.boolean.optional(),
// Mail
MAIL_FROM_ADDRESS: Env.schema.string.optional(),
MAIL_FROM_NAME: Env.schema.string.optional(),
MAIL_DRIVER: Env.schema.enum.optional(['smtp', 'resend'] as const),
SMTP_HOST: Env.schema.string.optional({ format: 'host' }),
SMTP_PORT: Env.schema.number.optional(),
RESEND_API_KEY: Env.schema.string.optional(),
// OCR
OCR_PROVIDER: Env.schema.enum.optional(['mock', 'mistral'] as const),
MISTRAL_API_KEY: Env.schema.string.optional(),
// Web (URL du SPA pour redirects post-checkin)
WEB_URL: Env.schema.string.optional({ format: 'url', tld: false }),
// Auth
ACCESS_TOKEN_TTL_MINUTES: Env.schema.number.optional(),
REFRESH_TOKEN_TTL_DAYS: Env.schema.number.optional(),
COOKIE_DOMAIN: Env.schema.string.optional(),
COOKIE_SECURE: Env.schema.boolean.optional(),
// Google SSO (Ally)
GOOGLE_CLIENT_ID: Env.schema.string.optional(),
GOOGLE_CLIENT_SECRET: Env.schema.string.optional(),
GOOGLE_CALLBACK_URL: Env.schema.string.optional({ format: 'url', tld: false }),
// Microsoft SSO (Ally)
MICROSOFT_CLIENT_ID: Env.schema.string.optional(),
MICROSOFT_CLIENT_SECRET: Env.schema.string.optional(),
MICROSOFT_TENANT: Env.schema.string.optional(),
MICROSOFT_CALLBACK_URL: Env.schema.string.optional({ format: 'url', tld: false }),
/*
|----------------------------------------------------------
| Variables for configuring the limiter package
|----------------------------------------------------------
*/
LIMITER_STORE: Env.schema.enum(['redis', 'memory'] as const)
})
Reference in New Issue View Git Blame Copy Permalink