feat(spa): opt-in 'https' nx serve config for dev-server TLS #263
Reference in New Issue
Block a user
Delete Branch "feat/spa-dev-server-tls"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Add an opt-in
httpsconfiguration to the SPA dev-servers so the ADR-0030 dockerised dev mode can be reached over a hostname registered in Entra. Entra refuseshttp:redirect URIs for anything other thanlocalhost, which made the hostname-based access pattern (apf-portal.dev-jg.local,apf-portal.dev.local, …) — the only stable way to share a VM-based dev stack with another developer — impossible to wire to OIDC. This PR closes that gap without touching the WSL-native + localhost flow.What lands
apps/portal-shell/project.json,apps/portal-admin/project.jsonhttpsNx serve configuration: inherits thedevelopmentbuild, setsssl: true+sslKey: .secrets/dev-tls.key+sslCert: .secrets/dev-tls.pem.defaultConfigurationstaysdevelopment; thehttpsconfig is purely opt-in.infra/local/dev.compose.ymlportal-shellandportal-admincommands now end with--configuration=${NX_SERVE_CONFIGURATION:-development}. Compose interpolates the value at YAML parse time frominfra/local/.env. Default isdevelopment(no SSL), so behaviour is unchanged for anyone who doesn't opt in.infra/local/.env.exampleNX_SERVE_CONFIGURATION=httpsblock with the rationale + pointer to the mkcert setup.apps/portal-bff/.env.exampleENTRA_*_REDIRECT_URIdefaults shows the HTTPS hostname-based override pattern (the four URIs that go with theappsprofile when accessing via a hostname) and reminds that each override must be registered Entra-side.infra/README.mdmkcert -install, cert generation,.secrets/dev-tls.{key,pem}convention, Entra registration reminder,NX_SERVE_CONFIGURATION=httpsopt-in. Notes that WSL-native is unaffected and that the cert path stays the same when the corp CA eventually replaces mkcert.Design notes
.secrets/dev-tls.{key,pem}at repo root. Matches the existingapps/portal-bff/.secrets/jwks.pempattern (gitignored via*.pem+*.key). Workspace-relative path means project.json can hardcode it and each dev drops their per-host cert there.project.json.httpsis opt-in, not default. Nativenx servekeeps booting on HTTP (localhost:4200) without SSL key files, exactly as before. Compose default is alsodevelopment— only settingNX_SERVE_CONFIGURATION=httpsininfra/local/.envswitches it on, gated by the dev having actually run the mkcert step.http://portal-bff:3000on the internal Compose network. Entra still gets HTTPS at the browser-facing origin, which is what its policy enforces.What this PR deliberately does NOT do
Test plan
project.jsonfiles parse as JSON;nx show projectexposes the newhttpsconfiguration with the expected SSL options.docker compose -f dev.compose.yml --profile apps configvalidates withNX_SERVE_CONFIGURATION=https(resolves to--configuration=https) and without it (resolves to--configuration=development).mkcert -installon the workstation,mkcertagainstapf-portal.dev-jg.local, copy.secrets/dev-tls.{key,pem}to the VM, setNX_SERVE_CONFIGURATION=httpsininfra/local/.env, register the fourhttps://apf-portal.dev-jg.local:*URIs in Entra, restartdev.sh up apps, then openhttps://apf-portal.dev-jg.local:4200/from the workstation → SPA loads, no cert warning, sign-in completes and returns to the SPA via the OIDC callback.nx serve portal-shellstill boots onhttp://localhost:4200/, OIDC against the existinghttp://localhost:3000/...Entra URIs still works.Related
httpsis a new Nx serve configuration, not a newenvironment.tssibling, so 0018's build-time replacement story is unchanged.Entra refuses http: redirect URIs for any host other than localhost, which blocked the ADR-0030 dockerised dev mode the moment a developer tried to share the stack with another teammate via a hostname (e.g. apf-portal.dev.local). Add an opt-in 'https' Nx serve configuration on both SPAs so the dev-server can terminate TLS using a mkcert cert, and let the apps Compose profile pick the configuration via an env var so behaviour stays unchanged by default. - apps/portal-{shell,admin}/project.json: new https configuration inheriting development + ssl/sslKey/sslCert at .secrets/dev-tls.*. - infra/local/dev.compose.yml: shell + admin commands gain --configuration=${NX_SERVE_CONFIGURATION:-development}, interpolated from infra/local/.env at parse time. - infra/local/.env.example: NX_SERVE_CONFIGURATION block + rationale. - apps/portal-bff/.env.example: comment block above the ENTRA_*_ REDIRECT_URI defaults shows the https hostname override pattern and reminds that each URI must be registered Entra-side. - infra/README.md: new HTTPS dev-server setup subsection covering mkcert install, cert generation, the .secrets/ convention, the Entra step, and how to flip NX_SERVE_CONFIGURATION on. Native WSL / localhost is unaffected: defaultConfiguration stays development, no SSL files required, existing Entra localhost URIs work as before. BFF stays plain HTTP behind the SPA proxy.