- Add config/allowed_users.yaml as the source of truth for access control (email → role mapping, case-insensitive)
- New backend/app/services/allowlist.py loads the YAML and provides lookup()
- auth.py checks the allowlist on every SSO login; denies with 403 if not listed; syncs AppUser.role from YAML on each login
- PyYAML added to requirements.txt
- docker-compose mounts ./config:/app/config into the backend container
- Frontend: axios response interceptor catches 403 not_allowlisted and fires a custom DOM event; AuthProvider renders a NoAccessPage with Sign out button
- .env.example: clarify DEV_AUTH_BYPASS usage, document ALLOWED_USERS_PATH

Azure AD: add https://optical-dev.oliver.solutions/oliver-sales-ops-platform/ as a SPA redirect URI in app registration 9079054c (done separately by zlalani).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
22 lines
988 B
Text
POSTGRES_PASSWORD=your_strong_password_here
ANTHROPIC_API_KEY=your-anthropic-api-key
AZURE_TENANT_ID=your-azure-tenant-id
AZURE_CLIENT_ID=your-azure-client-id
# Set to true ONLY for local dev to skip SSO. NEVER set on optical-dev or any deployed env.
# Leave blank (or false) to enable real Azure AD SSO.
DEV_AUTH_BYPASS=
VITE_DEV_AUTH_BYPASS=
# Optional: override path to allowed_users.yaml. Default in Docker: /app/config/allowed_users.yaml
# For local dev outside Docker: set to ./config/allowed_users.yaml
ALLOWED_USERS_PATH=
# Absolute path to the directory containing reference data (GMAL Excel etc.)
# Defaults to ./data (relative to repo) if not set
DATA_DIR=./data
# Mailgun — leave MAILGUN_API_KEY blank in dev to log emails instead of sending
MAILGUN_API_KEY=
MAILGUN_DOMAIN=
MAILGUN_FROM=OLIVER Sales Ops <noreply@example.com>
MAILGUN_REGION=us
# Public URL the app serves on — used to build approval email links
APP_PUBLIC_URL=http://localhost:3011
APP_PATH_PREFIX=/osop
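The allowlist lookup the commit message describes (YAML email → role map, case-insensitive, 403 with `not_allowlisted` when the address is absent, path taken from `ALLOWED_USERS_PATH`), written out as an added illustration; this is not the project's `allowlist.py`. The YAML shape (`users:` mapping email to role), the `build_allowlist`/`authorize_login` names and the sample entries are assumptions, since the page does not show the file.

```python
"""Allowlist lookup for SSO logins (added illustration, not the project's own code).

Assumed YAML shape (the page does not show allowed_users.yaml):
    users:
      Alice@Example.com: admin
      bob@example.com: viewer
"""
import os
from typing import Optional

DEFAULT_PATH = "/app/config/allowed_users.yaml"  # documented Docker default
DENY_CODE = "not_allowlisted"  # error code the frontend interceptor matches on


def normalize_email(email: str) -> str:
    """Case-insensitive matching: trim whitespace and lower-case the address."""
    return email.strip().lower()


def build_allowlist(doc) -> dict:
    """Turn the parsed YAML into {normalized_email: role}; reject malformed entries
    so a typo in the file fails loudly instead of silently granting or dropping access."""
    if not isinstance(doc, dict) or not isinstance(doc.get("users"), dict):
        raise ValueError("allowed_users.yaml: expected a 'users' mapping of email -> role")
    out: dict = {}
    for email, role in doc["users"].items():
        if not isinstance(email, str) or "@" not in email or not isinstance(role, str) or not role:
            raise ValueError(f"allowed_users.yaml: bad entry {email!r}: {role!r}")
        key = normalize_email(email)
        if key in out and out[key] != role:  # same address twice with different roles
            raise ValueError(f"allowed_users.yaml: conflicting roles for {key}")
        out[key] = role
    return out


def load_allowlist(path: Optional[str] = None) -> dict:
    """Read the YAML at ALLOWED_USERS_PATH (or the Docker default).
    A missing or unreadable file raises, so login fails closed rather than open."""
    import yaml  # PyYAML; imported here so the pure lookup logic has no dependency
    path = path or os.environ.get("ALLOWED_USERS_PATH") or DEFAULT_PATH
    with open(path, "r", encoding="utf-8") as fh:
        return build_allowlist(yaml.safe_load(fh))


def lookup(allowlist: dict, email: str) -> Optional[str]:
    """Role for the address, or None when it is not listed."""
    return allowlist.get(normalize_email(email))


def authorize_login(allowlist: dict, email: str) -> tuple:
    """Decision for one SSO login: (200, role) when listed, (403, DENY_CODE) otherwise.
    The role is returned so the caller can sync AppUser.role from the YAML on each login."""
    role = lookup(allowlist, email)
    return (200, role) if role is not None else (403, DENY_CODE)


SAMPLE_DOC = {"users": {"Alice@Example.com": "admin", "bob@example.com": "viewer"}}  # constructed
```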