fix(portal-bff): align admin entra role name with Portal.Admin
The AdminRoleGuard was matching on `admin`, but the Entra app registration declares the role with value `Portal.Admin`. Sessions were established with `roles: []`, so every authenticated user got a 403 on `/api/admin/audit` and `/api/admin/users`. Single source of truth: the `ADMIN_ROLE` constant in admin-role.guard.ts. The spec already imports the constant, so the behaviour rolls through unchanged. Doc-comment touches in admin-role.guard.ts, admin.controller.ts and audit.service.ts keep the inline references accurate; ADR-0020, docs/architecture.md and CLAUDE.md updated to the new name.
This commit is contained in:
@@ -84,7 +84,7 @@ flowchart TB
|
||||
|
||||
Notes embedded in the diagram:
|
||||
|
||||
- **Two SPAs, one BFF.** `portal-shell` is the end-user surface; `portal-admin` is a separate Angular app on a distinct origin with its own bundle, sign-in flow, and session cookie (per ADR-0020). They share libs but never a runtime — an admin session is not silently authenticated to `portal-shell` and vice versa. The admin entry route is gated by an Entra `admin` app-role claim + `@RequireMfa({ freshness: 600 })` per ADR-0011.
|
||||
- **Two SPAs, one BFF.** `portal-shell` is the end-user surface; `portal-admin` is a separate Angular app on a distinct origin with its own bundle, sign-in flow, and session cookie (per ADR-0020). They share libs but never a runtime — an admin session is not silently authenticated to `portal-shell` and vice versa. The admin entry route is gated by an Entra `Portal.Admin` app-role claim + `@RequireMfa({ freshness: 600 })` per ADR-0011.
|
||||
- The SPAs carry no token. Only the opaque session id cookie (`__Host-portal_session` / `__Host-portal_admin_session`) plus the CSRF cookie (`__Host-portal_csrf`, read by JS for double-submit).
|
||||
- `traceparent` (W3C) propagates from the browser through the BFF to the downstream APIs — same `trace_id` end-to-end.
|
||||
- The OTel Collector is the only piece coupled to the eventual on-prem observability backend. Choice of backend (Grafana Loki + Tempo, ELK, …) is deferred to the on-prem infrastructure ADR.
|
||||
|
||||
Reference in New Issue
Block a user