feat(portal-admin): spa auth wiring + admin shell skeleton
CI / scan (pull_request) Successful in 3m22s
CI / commits (pull_request) Successful in 3m43s
CI / check (pull_request) Successful in 3m55s
CI / a11y (pull_request) Successful in 2m21s
CI / perf (pull_request) Successful in 7m1s

Phase-3a step per ADR-0020 §"Confirmation" item 4 (entry route +
admin shell). Wires the existing `feature-auth` library against the
distinct admin OIDC routes (`/api/admin/auth/*`) the BFF exposes
since PR #129, ships a lean header/sidebar/footer chrome with an
"Admin" badge so an internal user can never mistake the surface for
portal-shell, and gives the landing page a self-test panel that
confirms the auth chain end-to-end as soon as an `admin` Entra role
gets assigned.

Lib changes (libs/feature/auth)

- New AUTH_PATH_PREFIX injection token. Default factory returns
  `/auth` so portal-shell-shaped hosts keep working without an
  explicit provider. Admin hosts override with `/admin/auth`.
- AuthService composes URLs as `${bffBaseUrl}${pathPrefix}/{me,login,
  logout}`. The interceptors are unchanged — they only care about
  the BFF base URL.

portal-admin wiring

- environment.ts: same shape as portal-shell, same BFF base URL
  (both SPAs talk to one BFF per ADR-0020 §"Where does the admin
  app live"), same CSRF cookie name in v1.
- app.config.ts: HttpClient with the standard interceptor chain
  (credentials → csrf → unauthorized), AUTH_BFF_BASE_URL from env,
  AUTH_PATH_PREFIX = '/admin/auth', AUTH_CSRF_COOKIE_NAME from env.

Admin shell components

- AdminHeader: APF wordmark + persistent "Admin" badge + auth widget.
  No global search / notifications / help cluster — admins land on
  tabular workloads, not discovery. Per ADR-0020 §"UX style is
  data-dense".
- AdminSidebar: static menu listing the four ADR-0020 v1 modules.
  Audit log is a live router link (target of PR 8); the others are
  aria-disabled placeholders with a "Soon" badge so the navigation
  shape is visible even before they ship.
- AdminFooter: copyright + persistent "Admin surface" tag — the
  badge stays in view for long workloads where the header may have
  scrolled off.

Home page

- Auth self-test panel: signed-in payload (display name, tenant,
  oid) when authenticated, Sign in button when anonymous, error
  state when the BFF is unreachable.
- Roadmap list quoting ADR-0020's v1 catalogue so a returning
  contributor sees what's pending without grepping.

Notes

- LayoutStateService isn't consumed yet (no collapse toggle in v1),
  but the theme preference still threads through because both apps
  read the same localStorage key — toggle in portal-shell, see it
  honoured in portal-admin.
- Strings are plain English in v1. The admin app's $localize plumbing
  is wired but adding markers to the shell chrome here would require
  regenerating messages.fr.xlf and i18nMissingTranslation=error fails
  the prod build on every gap. Full i18n is its own follow-up.
- v1 reuses the shared `portal_csrf` cookie name. A user with both
  portals open could see CSRF cookie overwrites on session creation;
  splitting to `portal_admin_csrf` is a follow-up if the pattern
  becomes common.
- Build verified locally: 86.65 KB gzip initial / 300 KB budget,
  4.46 KB CSS / 150 KB budget.

Tests: +15 specs (AdminHeader 5, AdminSidebar 3, AdminFooter 2,
Home 4, App 1 expanded). 1 new test in feature-auth AuthService for
the AUTH_PATH_PREFIX override path.
This commit is contained in:
Julien Gautier
2026-05-14 16:54:10 +02:00
parent aea395ae65
commit 4a707cdb0f
27 changed files with 1085 additions and 44 deletions
+6 -1
View File
@@ -1,4 +1,9 @@
export { AUTH_BFF_BASE_URL, AUTH_CSRF_COOKIE_NAME, AUTH_NAVIGATOR } from './lib/auth.config';
export {
AUTH_BFF_BASE_URL,
AUTH_CSRF_COOKIE_NAME,
AUTH_NAVIGATOR,
AUTH_PATH_PREFIX,
} from './lib/auth.config';
export { authGuard } from './lib/auth.guard';
export { AuthService } from './lib/auth.service';
export type { AuthState, CurrentUser } from './lib/auth.types';
+17
View File
@@ -35,3 +35,20 @@ export const AUTH_NAVIGATOR = new InjectionToken<(url: string) => void>('AUTH_NA
* (`portal_csrf` dev / `__Host-portal_csrf` prod) the BFF picks.
*/
export const AUTH_CSRF_COOKIE_NAME = new InjectionToken<string>('AUTH_CSRF_COOKIE_NAME');
/**
* Path prefix the BFF mounts the OIDC routes under. Joined to
* `AUTH_BFF_BASE_URL` to build the full URLs for `/me`, `/login`,
* `/logout`. `portal-shell` provides `/auth` (per ADR-0009);
* `portal-admin` provides `/admin/auth` (per ADR-0020 §"Sessions —
* distinct from `portal-shell`"). The lib stays surface-agnostic;
* the host picks which BFF auth surface its session belongs to.
*
* Default is `/auth` so portal-shell-shaped consumers can omit the
* provider and still work — matches the original (pre-admin) lib
* shape. Hosts on the admin surface MUST override.
*/
export const AUTH_PATH_PREFIX = new InjectionToken<string>('AUTH_PATH_PREFIX', {
providedIn: 'root',
factory: () => '/auth',
});
+25 -2
View File
@@ -1,7 +1,7 @@
import { provideHttpClient } from '@angular/common/http';
import { HttpTestingController, provideHttpClientTesting } from '@angular/common/http/testing';
import { TestBed } from '@angular/core/testing';
import { AUTH_BFF_BASE_URL, AUTH_NAVIGATOR } from './auth.config';
import { AUTH_BFF_BASE_URL, AUTH_NAVIGATOR, AUTH_PATH_PREFIX } from './auth.config';
import { AuthService } from './auth.service';
import type { CurrentUser } from './auth.types';
@@ -98,13 +98,36 @@ describe('AuthService', () => {
});
describe('URL accessors', () => {
it('derives me / login / logout URLs from the injected base', () => {
it('derives me / login / logout URLs from the injected base + default /auth prefix', () => {
const { service, http } = setup();
expect(service.meUrl).toBe(`${BFF_BASE}/auth/me`);
expect(service.loginUrl).toBe(`${BFF_BASE}/auth/login`);
expect(service.logoutUrl).toBe(`${BFF_BASE}/auth/logout`);
http.expectOne(ME_URL).flush({}, { status: 401, statusText: 'Unauthorized' });
});
it('honours AUTH_PATH_PREFIX when the host provides a non-default value (admin surface)', () => {
const navigate = vi.fn();
TestBed.configureTestingModule({
providers: [
provideHttpClient(),
provideHttpClientTesting(),
{ provide: AUTH_BFF_BASE_URL, useValue: BFF_BASE },
{ provide: AUTH_NAVIGATOR, useValue: navigate },
{ provide: AUTH_PATH_PREFIX, useValue: '/admin/auth' },
AuthService,
],
});
const service = TestBed.inject(AuthService);
const http = TestBed.inject(HttpTestingController);
expect(service.meUrl).toBe(`${BFF_BASE}/admin/auth/me`);
expect(service.loginUrl).toBe(`${BFF_BASE}/admin/auth/login`);
expect(service.logoutUrl).toBe(`${BFF_BASE}/admin/auth/logout`);
// The auto-refresh on first inject fires against the override path.
http
.expectOne(`${BFF_BASE}/admin/auth/me`)
.flush({}, { status: 401, statusText: 'Unauthorized' });
});
});
describe('login() / logout()', () => {
+5 -4
View File
@@ -1,7 +1,7 @@
import { HttpClient, HttpErrorResponse } from '@angular/common/http';
import { Injectable, computed, inject, signal } from '@angular/core';
import { firstValueFrom } from 'rxjs';
import { AUTH_BFF_BASE_URL, AUTH_NAVIGATOR } from './auth.config';
import { AUTH_BFF_BASE_URL, AUTH_NAVIGATOR, AUTH_PATH_PREFIX } from './auth.config';
import type { AuthState, CurrentUser } from './auth.types';
/**
@@ -23,6 +23,7 @@ import type { AuthState, CurrentUser } from './auth.types';
export class AuthService {
private readonly http = inject(HttpClient);
private readonly bffBaseUrl = inject(AUTH_BFF_BASE_URL);
private readonly pathPrefix = inject(AUTH_PATH_PREFIX);
private readonly navigate = inject(AUTH_NAVIGATOR);
private readonly _state = signal<AuthState>({ kind: 'loading' });
@@ -95,15 +96,15 @@ export class AuthService {
}
get meUrl(): string {
return `${this.bffBaseUrl}/auth/me`;
return `${this.bffBaseUrl}${this.pathPrefix}/me`;
}
get loginUrl(): string {
return `${this.bffBaseUrl}/auth/login`;
return `${this.bffBaseUrl}${this.pathPrefix}/login`;
}
get logoutUrl(): string {
return `${this.bffBaseUrl}/auth/logout`;
return `${this.bffBaseUrl}${this.pathPrefix}/logout`;
}
}