9247e5e02e68812eaa359af9f13859d0d8677a90
brings the spa auth track to the level of polish the bff surface
deserves. before this pr the header reflected sign-in state but
there were no protected routes and no global handling of session
drift; this pr lands one guard, two interceptors, and a demo
consumer that exercises the loop end-to-end.
authGuard (CanActivateFn):
gates routes on AuthService.state. waits out the bootstrap
`loading` state (filter+firstValueFrom on toObservable(state)),
allows when `authenticated`, redirects via auth.login() (full-
page navigation to the bff's /auth/login → entra round-trip)
when `anonymous` or `error`. error → same redirect as anonymous:
the bff-side login screen surfaces diagnostics more usefully
than a generic spa outage page would.
bffCredentialsInterceptor:
flips withCredentials: true on every request whose url starts
with AUTH_BFF_BASE_URL. replaces the per-call flag added in
#114 with a single point of truth; future bff calls inherit it
automatically.
bffUnauthorizedInterceptor:
calls AuthService.refresh() when a bff route (other than
/auth/me) answers 401. keeps the spa state in sync after
server-side session destruction (absolute-timeout, manual
revoke, idle-ttl expiry). /me is deliberately excluded —
refresh() itself calls /me, a 401 there would loop.
notable: the interceptor injects Injector and resolves
AuthService lazily inside catchError. injecting it eagerly at
the top would re-enter di while AuthService's own constructor
is still firing the bootstrap /me through this same
interceptor, raising a circular-construction error that
swallowed the request before the testing backend could record
it. standard angular pattern for "interceptor depends on a
service that uses HttpClient".
/profile demo route:
first real consumer of authGuard. lazy-loaded angular component
that renders the curated CurrentUser payload (displayName,
username, oid, tid). exercises the full loop guard → bff /me
→ spa render.
removed the per-call withCredentials: true from AuthService.refresh()
— the credentials interceptor handles it uniformly now. the spec
that pinned the per-call flag moved to
bff-credentials.interceptor.spec.ts where it belongs.
i18n: 6 new message ids + route.profile.title shipped with fr
translations in messages.fr.xlf.
19/19 feature-auth + 34/34 portal-shell + 123/123 portal-bff under
the clean-env ci repro (env -u redis_url … etc.). bundle main is
492 kb raw / 131 kb transfer — well under the 300 kb gzip budget
per adr-0017.
out of scope, landing in follow-ups:
- a real user-profile feature (settings, preferences, etc.)
- showing the auth-loading state on the route the guard blocks
(today the user sees the previous route until /me resolves)
Documentation index
This is the entry point to all project documentation. It is maintained automatically: any addition, rename, or removal of a .md file under docs/ must be reflected here in the same change.
Conventions
- Documentation is written in English.
- One topic per file. Group related files into a folder when there are three or more.
- Cross-reference with relative links so they keep working in GitHub, IDEs, and exported sites.
- For architectural decisions, do not add them here — they belong in decisions/ as MADR 4.0.0 ADRs.
Sections
Daily development
- development.md — repo layout, prerequisites, initial setup, daily commands, observability dev-loop (Jaeger UI, log ↔ trace correlation), dependency updates (Renovate), conventional commit cycle. Day-to-day reference for working on the project.
Architecture
- architecture.md — cross-cutting Mermaid diagrams: C4 system context, C4 containers, Nx module boundaries, CI/CD pipeline. Single-decision diagrams (auth sequence, ERD, etc.) live inline in their ADR.
Onboarding & environment
Setup guides for new contributors:
- setup/01-wsl-terminal-setup.md — modern WSL terminal (Zsh + Powerlevel10k + CLI tools)
- setup/02-dev-web-stack.md — Node via nvm, pnpm via corepack, Docker
- setup/03-angular-nx-monorepo.md — Angular + Nx monorepo bootstrap
Operations & runbooks
Empty — to be populated when we deploy.
Security, performance, accessibility
Empty — placeholders to be filled with rationale docs alongside their corresponding ADRs.
Description
Languages
TypeScript
85.3%
JavaScript
5.4%
SCSS
4.3%
HTML
3.9%
Shell
0.8%
Other
0.3%