Files
apf_portal/libs/shared/auth/README.md
T
Julien Gautier 540d9dc28a
CI / check (pull_request) Failing after 28s
CI / commits (pull_request) Failing after 25s
CI / scan (pull_request) Failing after 56s
CI / a11y (pull_request) Failing after 33s
CI / perf (pull_request) Failing after 47s
Docs site / build (pull_request) Failing after 26s
feat(auth): authorization catalogues + Principal builder skeleton (ADR-0025)
Per ADR-0025's implementation phasing, lands the closed-set
catalogues + the OIDC-callback hook that composes the
session-resident Principal. No new guards yet.

- libs/shared/auth: framework-agnostic lib hosting
  authorization.types.ts (4 privileges + 24 functional roles + 6
  scope kinds + Principal type) and entra-group-to-role.ts
  (validated GUID -> slug resolver). 17 unit tests against the
  catalogues + resolver contracts.
- BFF: PrincipalBuilder composes the three axes once at sign-in;
  ScopeResolver seam (StubScopeResolver returns unrestricted in
  v1, replaced by a Prisma-backed implementation when ADR-0026's
  user_scopes table lands). 19 persona-driven tests covering the
  test tenant's full provisioning + edge cases (unknown
  privilege drift, unknown group GUID, empty permissions).
- AuthService extracts the Entra "groups" claim; AuthenticatedUser
  grows the groups: readonly string[] field.
- SessionEstablisher builds + persists the principal alongside
  the legacy user shape (additive — guards consuming user.oid
  unchanged).
- ENTRA_GROUP_MAP_PATH env var + load-entra-group-map.ts read
  the tenant-private map from infra/<env>-tenant.entra.json
  (gitignored; .example.json committed with the schema).
- ADR-0025 path references updated from libs/feature/auth
  (Angular-scoped, scope:portal-shell) to libs/shared/auth
  (consumable by both BFF and SPA).
- notes/entra-groups-claim-activation.md: operator runbook for
  the "Token configuration -> Add groups claim" step in the
  Entra admin centre.

Test plan:
- pnpm nx affected -t lint test build : 13 projects green
  (497 BFF tests + 17 shared-auth tests + 1 shared-util test +
  full lint + full build).
2026-05-23 19:48:39 +02:00

1.1 KiB

shared-auth

Framework-agnostic authorization primitives shared across portal-bff and portal-shell per ADR-0025:

  • Catalogues (authorization.types.ts) — closed-set lists of the four privileges (Portal.* Entra app roles), the 24 functional roles (apf-role-* Entra security groups), and the six scope kinds. Adding an entry is an ADR amendment, not a code change in isolation.
  • Principal type — the session-resident shape consumed by route guards (@RequirePrivilege, @RequireRole, @RequireScope) and projected to the AI service's flat roles[] contract.
  • EntraGroupToRoleResolver — turns the tenant-specific Entra group GUIDs carried in the OIDC groups claim into the catalogue's role slugs. Configured at boot from infra/<env>-tenant.entra.json (gitignored — GUIDs are tenant-private).

Building

Run pnpm nx build shared-auth to build the library.

Running unit tests

Run pnpm nx test shared-auth to execute the unit tests via Vitest.