f50d2d66c0
Phase-3a step per ADR-0020 §"Sessions — distinct from `portal-shell`".
Wires a second `express-session` middleware on `/api/admin/*` carrying
`__Host-portal_admin_session` over Redis prefix `session:admin:` and
ships the parallel `/api/admin/auth/{login,callback,me,logout}` flow
that populates it. Signing in to one surface no longer signs the user
into the other — Entra SSO at the IdP level still preserves the
click-through experience.
What lands
- `session/admin-session-cookie.ts`: `adminSessionCookieName()` mirrors
the existing user-portal pattern (`__Host-` prefix in prod, plain
name in dev).
- `SessionModule` provides two parallel `express-session` instances
via a shared `buildSessionMiddleware()` factory:
SESSION_MIDDLEWARE cookie portal_session prefix session:
ADMIN_SESSION_MIDDLEWARE cookie portal_admin_session prefix session:admin:
The TTL policy, encryption key, signing secret, and session-id
entropy are unchanged — only the cookie name + Redis key prefix
differ.
- `main.ts` mounts a tiny path-routed dispatch: requests under
`/api/admin` get the admin session, everything else gets the user
one. Running both middlewares unconditionally would have the second
overwrite `req.session` from the first, collapsing the two surfaces.
- `EntraConfig` gains `adminRedirectUri` + `adminPostLogoutRedirectUri`,
validated at boot. The validator refuses to start when admin and
user redirect URIs collide (would silently fuse the two surfaces).
Both URIs must be registered on the same Entra app registration.
- `AuthService.{beginAuthCodeFlow,completeAuthCodeFlow,buildLogoutUrl}`
now take their redirect / post-logout URI as a parameter. Callers
pick which set to pass.
- New shared service `SessionEstablisher`:
establish(user, req, res, surface) — full sign-in recipe: mint
CSRF, populate session fields, save, register in
user_sessions index, emit auth.sign_in audit, log.
destroy(actor | undefined, req) — sign-out recipe: when actor
is set, remove from index + emit auth.sign_out audit; always
destroy the session (with Redis-hiccup tolerance).
Both `AuthController` and the new `AdminAuthController` call it —
no duplication of the 150-LOC session lifecycle logic.
- `AdminAuthController` mounts `/api/admin/auth/{login,callback,me,logout}`.
Structurally identical to `AuthController` but passes
`adminRedirectUri` / `adminPostLogoutRedirectUri` and clears the
admin session cookie on logout. `me` exposes the `roles` claim
(the SPA needs it for conditional admin UI); the user-portal `me`
intentionally still doesn't.
New env vars (mandatory at boot)
- ENTRA_ADMIN_REDIRECT_URI
- ENTRA_ADMIN_POST_LOGOUT_REDIRECT_URI
Tests: +25 specs (admin cookie 3, session-establisher 11, admin auth
controller 9, entra config 2). Existing AuthController tests
preserved through the refactor by passing a real `SessionEstablisher`
constructed with the same audit / index / logger mocks.
45 lines
1.8 KiB
TypeScript
45 lines
1.8 KiB
TypeScript
import type { RequestHandler } from 'express';
|
|
|
|
/**
|
|
* DI token for the user-portal `express-session` middleware. Resolved
|
|
* once at bootstrap (`main.ts`) and mounted with `app.use(...)`
|
|
* after `cookie-parser` so cookies are already parsed when the
|
|
* session middleware reads the session id.
|
|
*
|
|
* Carries the `portal_session` / `__Host-portal_session` cookie and
|
|
* persists payloads under the `session:` Redis prefix. Bound to
|
|
* every path EXCEPT `/api/admin/*` by the dispatch in `main.ts`.
|
|
*
|
|
* Usage:
|
|
* const session = app.get<RequestHandler>(SESSION_MIDDLEWARE);
|
|
* app.use(session);
|
|
*/
|
|
export const SESSION_MIDDLEWARE = 'SESSION_MIDDLEWARE';
|
|
|
|
/**
|
|
* DI token for the admin-portal `express-session` middleware. Same
|
|
* underlying `express-session` + `connect-redis` plumbing as
|
|
* {@link SESSION_MIDDLEWARE}, but configured for the admin surface
|
|
* per ADR-0020 §"Sessions — distinct from `portal-shell`":
|
|
*
|
|
* - Cookie name: `portal_admin_session` / `__Host-portal_admin_session`.
|
|
* - Redis key prefix: `session:admin:`.
|
|
* - Same idle / absolute TTL policy (ADR-0010); admin tightening
|
|
* can come later through env without code changes.
|
|
*
|
|
* Bound to `/api/admin/*` only by the dispatch in `main.ts`. Signing
|
|
* into one surface does NOT sign the user into the other — Entra
|
|
* SSO at the IdP level still preserves a click-through experience.
|
|
*/
|
|
export const ADMIN_SESSION_MIDDLEWARE = 'ADMIN_SESSION_MIDDLEWARE';
|
|
|
|
/**
|
|
* DI token for the absolute-timeout middleware (per ADR-0010 §"TTL
|
|
* policy"). Resolved at bootstrap and mounted in `main.ts`
|
|
* immediately after {@link SESSION_MIDDLEWARE} so it runs on every
|
|
* request that carries a session cookie.
|
|
*/
|
|
export const SESSION_ABSOLUTE_TIMEOUT_MIDDLEWARE = 'SESSION_ABSOLUTE_TIMEOUT_MIDDLEWARE';
|
|
|
|
export type { RequestHandler };
|