From 2604ed3efd8248d574d6aff68b539678d7483129 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Thu, 14 May 2026 15:28:32 +0200 Subject: [PATCH 1/2] fix(portal-bff): use the real portal-admin dev port (4300) in admin-flow references MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #129 baked `4201` into a few comments and test fixtures as the admin SPA's dev port. The actual port wired in `apps/portal-admin/project.json` `serve.options.port` is `4300` — the Nx serve target listens on 4300 in dev. Aligning the references so a contributor reading `.env.example` or the test fixtures sees the same number their browser is hitting. Touched: - `apps/portal-bff/.env.example` — `ENTRA_ADMIN_POST_LOGOUT_REDIRECT_URI` default + the surrounding comment. - `apps/portal-bff/src/config/check-cors-allowlist.ts` — stale doc-comment that pre-dated the portal-admin scaffolding. - `auth.module.spec.ts`, `auth.controller.spec.ts`, `auth.service.spec.ts`, `admin-auth.controller.spec.ts`, `check-entra-config.spec.ts` — fixture `adminPostLogoutRedirectUri` values. Tests don't depend on the port; aligned for clarity only. No behaviour change. 278 specs still pass. --- apps/portal-bff/.env.example | 5 +++-- apps/portal-bff/src/admin/admin-auth.controller.spec.ts | 2 +- apps/portal-bff/src/auth/auth.controller.spec.ts | 2 +- apps/portal-bff/src/auth/auth.module.spec.ts | 2 +- apps/portal-bff/src/auth/auth.service.spec.ts | 2 +- apps/portal-bff/src/config/check-cors-allowlist.ts | 5 +++-- apps/portal-bff/src/config/check-entra-config.spec.ts | 2 +- 7 files changed, 11 insertions(+), 9 deletions(-) diff --git a/apps/portal-bff/.env.example b/apps/portal-bff/.env.example index 2df0dae..4ee0412 100644 --- a/apps/portal-bff/.env.example +++ b/apps/portal-bff/.env.example @@ -67,9 +67,10 @@ ENTRA_POST_LOGOUT_REDIRECT_URI=http://localhost:4200/ # session. Both `ENTRA_REDIRECT_URI` and `ENTRA_ADMIN_REDIRECT_URI` # must be registered in the same Entra app registration's # "Redirect URIs" list. Distinct post-logout URL routes admin -# sign-outs to the admin SPA's landing page (port 4201 in dev). +# sign-outs to the admin SPA's landing page (port 4300 in dev — see +# apps/portal-admin/project.json `serve.options.port`). ENTRA_ADMIN_REDIRECT_URI=http://localhost:3000/api/admin/auth/callback -ENTRA_ADMIN_POST_LOGOUT_REDIRECT_URI=http://localhost:4201/ +ENTRA_ADMIN_POST_LOGOUT_REDIRECT_URI=http://localhost:4300/ # Cookie signing secret (per ADR-0009 §"Cookies"). Used to sign the # transient pre-auth cookie that carries the OIDC `state` + PKCE diff --git a/apps/portal-bff/src/admin/admin-auth.controller.spec.ts b/apps/portal-bff/src/admin/admin-auth.controller.spec.ts index f5d7870..71bceaf 100644 --- a/apps/portal-bff/src/admin/admin-auth.controller.spec.ts +++ b/apps/portal-bff/src/admin/admin-auth.controller.spec.ts @@ -16,7 +16,7 @@ const ENTRA: EntraConfig = { redirectUri: 'http://localhost:3000/api/auth/callback', postLogoutRedirectUri: 'http://localhost:4200/', adminRedirectUri: 'http://localhost:3000/api/admin/auth/callback', - adminPostLogoutRedirectUri: 'http://localhost:4201/', + adminPostLogoutRedirectUri: 'http://localhost:4300/', authority: 'https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee', }; diff --git a/apps/portal-bff/src/auth/auth.controller.spec.ts b/apps/portal-bff/src/auth/auth.controller.spec.ts index 3e72138..9b09437 100644 --- a/apps/portal-bff/src/auth/auth.controller.spec.ts +++ b/apps/portal-bff/src/auth/auth.controller.spec.ts @@ -17,7 +17,7 @@ const ENTRA: EntraConfig = { redirectUri: 'http://localhost:3000/api/auth/callback', postLogoutRedirectUri: 'http://localhost:4200/', adminRedirectUri: 'http://localhost:3000/api/admin/auth/callback', - adminPostLogoutRedirectUri: 'http://localhost:4201/', + adminPostLogoutRedirectUri: 'http://localhost:4300/', authority: 'https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee', }; diff --git a/apps/portal-bff/src/auth/auth.module.spec.ts b/apps/portal-bff/src/auth/auth.module.spec.ts index 9490a6c..855d9ee 100644 --- a/apps/portal-bff/src/auth/auth.module.spec.ts +++ b/apps/portal-bff/src/auth/auth.module.spec.ts @@ -43,7 +43,7 @@ const VALID = { ENTRA_REDIRECT_URI: 'http://localhost:3000/api/auth/callback', ENTRA_POST_LOGOUT_REDIRECT_URI: 'http://localhost:4200/', ENTRA_ADMIN_REDIRECT_URI: 'http://localhost:3000/api/admin/auth/callback', - ENTRA_ADMIN_POST_LOGOUT_REDIRECT_URI: 'http://localhost:4201/', + ENTRA_ADMIN_POST_LOGOUT_REDIRECT_URI: 'http://localhost:4300/', // Well-formed but unreachable Redis URL — `ioredis` opens the // socket lazily so the module compiles without any network access. REDIS_URL: 'redis://default:test-pass@127.0.0.1:65535/0', diff --git a/apps/portal-bff/src/auth/auth.service.spec.ts b/apps/portal-bff/src/auth/auth.service.spec.ts index 09a3f2e..685e872 100644 --- a/apps/portal-bff/src/auth/auth.service.spec.ts +++ b/apps/portal-bff/src/auth/auth.service.spec.ts @@ -12,7 +12,7 @@ const ENTRA: EntraConfig = { redirectUri: 'http://localhost:3000/api/auth/callback', postLogoutRedirectUri: 'http://localhost:4200/', adminRedirectUri: 'http://localhost:3000/api/admin/auth/callback', - adminPostLogoutRedirectUri: 'http://localhost:4201/', + adminPostLogoutRedirectUri: 'http://localhost:4300/', authority: 'https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee', }; diff --git a/apps/portal-bff/src/config/check-cors-allowlist.ts b/apps/portal-bff/src/config/check-cors-allowlist.ts index 470b3cb..7c477bb 100644 --- a/apps/portal-bff/src/config/check-cors-allowlist.ts +++ b/apps/portal-bff/src/config/check-cors-allowlist.ts @@ -21,8 +21,9 @@ * Production should set `CORS_ALLOWED_ORIGINS` to the SPA / admin * SPA's deploy origins (e.g. * `https://portal.apf.example,https://admin.portal.apf.example`). - * Dev `.env` lists `http://localhost:4200` (and 4201 once - * portal-admin grows a dev server). + * Dev `.env` lists `http://localhost:4200` (portal-shell) and + * `http://localhost:4300` (portal-admin) — see + * apps/portal-admin/project.json `serve.options.port`. */ export function readCorsAllowlist(): readonly string[] { const raw = process.env['CORS_ALLOWED_ORIGINS']; diff --git a/apps/portal-bff/src/config/check-entra-config.spec.ts b/apps/portal-bff/src/config/check-entra-config.spec.ts index 4c36260..23469bc 100644 --- a/apps/portal-bff/src/config/check-entra-config.spec.ts +++ b/apps/portal-bff/src/config/check-entra-config.spec.ts @@ -8,7 +8,7 @@ const VALID = { ENTRA_REDIRECT_URI: 'http://localhost:3000/api/auth/callback', ENTRA_POST_LOGOUT_REDIRECT_URI: 'http://localhost:4200/', ENTRA_ADMIN_REDIRECT_URI: 'http://localhost:3000/api/admin/auth/callback', - ENTRA_ADMIN_POST_LOGOUT_REDIRECT_URI: 'http://localhost:4201/', + ENTRA_ADMIN_POST_LOGOUT_REDIRECT_URI: 'http://localhost:4300/', }; describe('assertEntraConfig', () => { -- 2.30.2 From 986c3acea10f1cfd457d543fb309ff8b3724ad28 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Thu, 14 May 2026 15:37:04 +0200 Subject: [PATCH 2/2] fix(portal-bff): add portal-admin :4300 to CORS_ALLOWED_ORIGINS in .env.example MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Caught while reviewing the previous port-correction commit on this branch. The CORS section still pointed to "Add :4201 once portal-admin grows its own dev server" — but portal-admin has its dev server (on :4300, not :4201), and the SPA will hit the BFF with credentials as soon as the admin auth flow lands. Without the origin in the allowlist the browser blocks the call and the developer chases a CORS error instead of getting to work. Updates the example to list both dev origins and points at `apps//project.json` `serve.options.port` as the source of truth so future readers don't have to grep for it. Local `.env` is on the developer to update — this only touches `.env.example`. Behaviour change is opt-in. --- apps/portal-bff/.env.example | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apps/portal-bff/.env.example b/apps/portal-bff/.env.example index 4ee0412..aa67ea3 100644 --- a/apps/portal-bff/.env.example +++ b/apps/portal-bff/.env.example @@ -133,9 +133,10 @@ LOG_USER_ID_SALT=replace_with_32_random_bytes_base64url # defaulting to localhost is the classic "works in dev, breaks in # prod" trap. # -# Local dev: the portal-shell dev server on :4200. Add :4201 once -# portal-admin grows its own dev server. -CORS_ALLOWED_ORIGINS=http://localhost:4200 +# Local dev: portal-shell on :4200 and portal-admin on :4300 — both +# call the BFF with credentials. Source of truth for the ports: +# `apps//project.json` `serve.options.port`. +CORS_ALLOWED_ORIGINS=http://localhost:4200,http://localhost:4300 # Rate limiting (per ADR-0015 §"DoS mitigation"). Both optional # with conservative defaults; override per environment when traffic -- 2.30.2