feat(portal-shell): authGuard + BFF http interceptors + /profile demo route
CI / commits (pull_request) Successful in 1m29s
CI / scan (pull_request) Successful in 1m39s
CI / check (pull_request) Successful in 1m50s
CI / a11y (pull_request) Successful in 55s
CI / perf (pull_request) Successful in 2m22s

brings the spa auth track to the level of polish the bff surface
deserves. before this pr the header reflected sign-in state but
there were no protected routes and no global handling of session
drift; this pr lands one guard, two interceptors, and a demo
consumer that exercises the loop end-to-end.

  authGuard (CanActivateFn):
    gates routes on AuthService.state. waits out the bootstrap
    `loading` state (filter+firstValueFrom on toObservable(state)),
    allows when `authenticated`, redirects via auth.login() (full-
    page navigation to the bff's /auth/login → entra round-trip)
    when `anonymous` or `error`. error → same redirect as anonymous:
    the bff-side login screen surfaces diagnostics more usefully
    than a generic spa outage page would.

  bffCredentialsInterceptor:
    flips withCredentials: true on every request whose url starts
    with AUTH_BFF_BASE_URL. replaces the per-call flag added in
    #114 with a single point of truth; future bff calls inherit it
    automatically.

  bffUnauthorizedInterceptor:
    calls AuthService.refresh() when a bff route (other than
    /auth/me) answers 401. keeps the spa state in sync after
    server-side session destruction (absolute-timeout, manual
    revoke, idle-ttl expiry). /me is deliberately excluded —
    refresh() itself calls /me, a 401 there would loop.

    notable: the interceptor injects Injector and resolves
    AuthService lazily inside catchError. injecting it eagerly at
    the top would re-enter di while AuthService's own constructor
    is still firing the bootstrap /me through this same
    interceptor, raising a circular-construction error that
    swallowed the request before the testing backend could record
    it. standard angular pattern for "interceptor depends on a
    service that uses HttpClient".

  /profile demo route:
    first real consumer of authGuard. lazy-loaded angular component
    that renders the curated CurrentUser payload (displayName,
    username, oid, tid). exercises the full loop guard → bff /me
    → spa render.

removed the per-call withCredentials: true from AuthService.refresh()
— the credentials interceptor handles it uniformly now. the spec
that pinned the per-call flag moved to
bff-credentials.interceptor.spec.ts where it belongs.

i18n: 6 new message ids + route.profile.title shipped with fr
translations in messages.fr.xlf.

19/19 feature-auth + 34/34 portal-shell + 123/123 portal-bff under
the clean-env ci repro (env -u redis_url … etc.). bundle main is
492 kb raw / 131 kb transfer — well under the 300 kb gzip budget
per adr-0017.

out of scope, landing in follow-ups:
- a real user-profile feature (settings, preferences, etc.)
- showing the auth-loading state on the route the guard blocks
  (today the user sees the previous route until /me resolves)
This commit is contained in:
Julien Gautier
2026-05-13 00:26:04 +02:00
parent c427e5d4fe
commit 9247e5e02e
15 changed files with 642 additions and 27 deletions
@@ -0,0 +1,89 @@
import { provideHttpClient } from '@angular/common/http';
import { HttpTestingController, provideHttpClientTesting } from '@angular/common/http/testing';
import { TestBed } from '@angular/core/testing';
import type { ActivatedRouteSnapshot, RouterStateSnapshot } from '@angular/router';
import { AUTH_BFF_BASE_URL, AUTH_NAVIGATOR } from './auth.config';
import { authGuard } from './auth.guard';
import { AuthService } from './auth.service';
const BFF_BASE = 'http://bff.test/api';
const ME_URL = `${BFF_BASE}/auth/me`;
const USER = {
oid: 'user-oid',
tid: 'tenant-id',
username: 'jane@apf.example',
displayName: 'Jane Doe',
};
function setup() {
const navigate = vi.fn();
TestBed.configureTestingModule({
providers: [
provideHttpClient(),
provideHttpClientTesting(),
{ provide: AUTH_BFF_BASE_URL, useValue: BFF_BASE },
{ provide: AUTH_NAVIGATOR, useValue: navigate },
],
});
return {
httpCtrl: TestBed.inject(HttpTestingController),
auth: TestBed.inject(AuthService),
navigate,
};
}
function runGuard(): Promise<boolean | unknown> {
// Functional guards must run inside the injection context.
return TestBed.runInInjectionContext(() =>
Promise.resolve(
(authGuard as unknown as (r: ActivatedRouteSnapshot, s: RouterStateSnapshot) => unknown)(
{} as ActivatedRouteSnapshot,
{} as RouterStateSnapshot,
),
),
);
}
describe('authGuard', () => {
afterEach(() => {
TestBed.resetTestingModule();
});
it('allows navigation when state resolves to authenticated', async () => {
const { httpCtrl } = setup();
const guardPromise = runGuard();
// The bootstrap /me resolves to a user → state transitions to
// authenticated → guard returns true.
httpCtrl.expectOne(ME_URL).flush(USER);
expect(await guardPromise).toBe(true);
});
it('redirects via AuthService.login() and denies when state is anonymous', async () => {
const { httpCtrl, navigate } = setup();
const guardPromise = runGuard();
httpCtrl
.expectOne(ME_URL)
.flush({ error: 'unauthenticated' }, { status: 401, statusText: 'Unauthorized' });
expect(await guardPromise).toBe(false);
expect(navigate).toHaveBeenCalledWith(`${BFF_BASE}/auth/login`);
});
it('redirects via AuthService.login() and denies when state is error', async () => {
const { httpCtrl, navigate } = setup();
const guardPromise = runGuard();
httpCtrl.expectOne(ME_URL).flush('boom', { status: 500, statusText: 'Internal Server Error' });
expect(await guardPromise).toBe(false);
expect(navigate).toHaveBeenCalledWith(`${BFF_BASE}/auth/login`);
});
it('waits out the loading state before deciding (fresh-tab footgun)', async () => {
const { httpCtrl, auth } = setup();
// Guard called before /me has resolved → state is `loading`.
expect(auth.state().kind).toBe('loading');
const guardPromise = runGuard();
// Resolve loading → authenticated; guard then unblocks.
httpCtrl.expectOne(ME_URL).flush(USER);
expect(await guardPromise).toBe(true);
});
});