8e969fe015
Adds a Postgres-backed user store with bcrypt + JWT cookie sessions,
login screen, role-gated UI, and Microsoft SSO scaffolding ready to
fill in.
Backend
- New `db` service (Postgres 16-alpine) in compose, healthcheck-gated
app startup, free-port autodetect (5435-5499) like other apps.
- `server/db.js` runs versioned `.sql` migrations on boot.
- `server/auth.js`: bcrypt + JWT cookie (httpOnly, sameSite=strict,
path-scoped to /adeo-maturity), rate-limited login (10/15min),
dummy bcrypt-compare on missing users to defeat timing oracles.
- `requireAdmin` on all writes (POST/import/sync); `authenticate`
on all reads. /api/health stays public.
- Microsoft SSO endpoints stubbed at /api/auth/msft/{login,callback}
(return 501); DB has azure_oid column ready; comments document
exactly how to wire @azure/msal-node.
Frontend
- Login screen with email/password + greyed-out "Sign in with
Microsoft" button; init() checks /api/auth/me first.
- Logout button + user badge in header.
- body.role-user CSS hides .admin-only elements (Update tab, New
Client cards). Server enforces regardless.
Deploy
- deploy.sh generates DB_PASSWORD and AUTH_SECRET on first run and
persists to .env, then runs `seed-users.js seed-defaults` to
create admin@oliver.agency + user@oliver.agency with random
passwords printed once. Subsequent deploys skip seeding unless
--reseed is passed.
- node server/seed-users.js set-password <email> <pw> for ad-hoc
resets later.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
24 lines
1.4 KiB
Text
24 lines
1.4 KiB
Text
# Generated and persisted by deploy/deploy.sh. Local devs can copy this
|
|
# file to .env and fill in values manually.
|
|
|
|
# ── Postgres ────────────────────────────────────────────────────────────
|
|
DB_NAME=adeo_maturity
|
|
DB_USER=adeo
|
|
DB_PASSWORD= # auto-generated on first deploy
|
|
ADEO_DB_PORT=5435 # auto-resolved (5435-5499)
|
|
|
|
# ── App ─────────────────────────────────────────────────────────────────
|
|
ADEO_PORT=3102 # auto-resolved (3102-3199)
|
|
AUTH_SECRET= # auto-generated on first deploy (>= 32 chars)
|
|
|
|
# Cookie scoping. On the optical-dev shared vhost we set this to the
|
|
# app's URL prefix so the session cookie isn't sent to other apps.
|
|
COOKIE_PATH=/adeo-maturity
|
|
COOKIE_SECURE=true # set to false for local HTTP dev
|
|
|
|
# ── Microsoft SSO (scaffolded, not yet active) ──────────────────────────
|
|
# Fill these in to enable the /api/auth/msft/{login,callback} flow.
|
|
# AZURE_CLIENT_ID=
|
|
# AZURE_TENANT_ID=
|
|
# AZURE_CLIENT_SECRET=
|
|
# AZURE_REDIRECT_URI=https://optical-dev.oliver.solutions/adeo-maturity/api/auth/msft/callback
|