feat(spa): opt-in 'https' nx serve config for dev-server TLS
CI / scan (pull_request) Successful in 4m36s
CI / commits (pull_request) Successful in 5m43s
CI / a11y (pull_request) Successful in 5m26s
CI / check (pull_request) Successful in 7m35s
CI / perf (pull_request) Successful in 23m38s

Entra refuses http: redirect URIs for any host other than localhost,
which blocked the ADR-0030 dockerised dev mode the moment a developer
tried to share the stack with another teammate via a hostname (e.g.
apf-portal.dev.local). Add an opt-in 'https' Nx serve configuration
on both SPAs so the dev-server can terminate TLS using a mkcert cert,
and let the apps Compose profile pick the configuration via an env
var so behaviour stays unchanged by default.

- apps/portal-{shell,admin}/project.json: new https configuration
  inheriting development + ssl/sslKey/sslCert at .secrets/dev-tls.*.
- infra/local/dev.compose.yml: shell + admin commands gain
  --configuration=${NX_SERVE_CONFIGURATION:-development}, interpolated
  from infra/local/.env at parse time.
- infra/local/.env.example: NX_SERVE_CONFIGURATION block + rationale.
- apps/portal-bff/.env.example: comment block above the ENTRA_*_
  REDIRECT_URI defaults shows the https hostname override pattern and
  reminds that each URI must be registered Entra-side.
- infra/README.md: new HTTPS dev-server setup subsection covering
  mkcert install, cert generation, the .secrets/ convention, the
  Entra step, and how to flip NX_SERVE_CONFIGURATION on.

Native WSL / localhost is unaffected: defaultConfiguration stays
development, no SSL files required, existing Entra localhost URIs
work as before. BFF stays plain HTTP behind the SPA proxy.
This commit is contained in:
Julien Gautier
2026-06-01 16:13:31 +02:00
parent cca3b76771
commit 82d8c6972f
6 changed files with 127 additions and 2 deletions
+19
View File
@@ -60,6 +60,25 @@ ENTRA_CLIENT_SECRET=replace_with_real_value
# User portal — `/api/auth/callback` is the OIDC return URL; the
# post-logout URL is where Entra sends the browser after RP-initiated
# logout (typically the SPA landing page).
#
# The default values below match WSL-native dev (browser on the same
# host as the BFF, accessing http://localhost:4200/). For the
# ADR-0030 dockerised dev mode accessed via a hostname (e.g.
# https://apf-portal.dev-jg.local:4200/), override these to point at
# the SPA dev-server origin instead — `/api/auth/callback` is then
# proxied to the BFF (see apps/portal-shell/proxy.conf.js):
#
# ENTRA_REDIRECT_URI=https://apf-portal.dev-jg.local:4200/api/auth/callback
# ENTRA_POST_LOGOUT_REDIRECT_URI=https://apf-portal.dev-jg.local:4200/
# ENTRA_ADMIN_REDIRECT_URI=https://apf-portal.dev-jg.local:4300/api/admin/auth/callback
# ENTRA_ADMIN_POST_LOGOUT_REDIRECT_URI=https://apf-portal.dev-jg.local:4300/
#
# The `https:` scheme is mandatory for non-`localhost` hosts — Entra
# rejects `http:` for anything else. See the "HTTPS dev-server setup"
# section of infra/README.md for the dev-server TLS / mkcert setup.
# Each override URI must also be registered in the Entra app
# registration's Redirect URIs list (the BFF sends *one* of them per
# auth request; Entra validates it is allowed).
ENTRA_REDIRECT_URI=http://localhost:3000/api/auth/callback
ENTRA_POST_LOGOUT_REDIRECT_URI=http://localhost:4200/
# Admin portal — distinct callback per ADR-0020 §"Sessions — distinct