platform/portal
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fdfc45f1c996739d771eba1793bf0b0685c3d8cf
portal/src/auth.ts
T
sharang ac22ccef9b
ci / shared (pull_request) Failing after 4s
Details
ci / test (pull_request) Has been skipped
Details
ci / e2e (pull_request) Has been skipped
Details
ci / image (pull_request) Has been skipped
Details
feat(app): Next.js 15 + Auth.js v5 portal skeleton 
Lands the minimum surface so a developer can:

  cd platform/orca-platform && make dev-up
  cd platform/tenant-registry && make dev
  cd platform/portal && make install && make dev
  open http://acme.localhost:3000

and complete a real OIDC sign-in against the breakpilot-dev realm.

Layout:
  src/middleware.ts                host→slug URL rewrite; backstage carve-out
  src/auth.ts                      Auth.js v5 Keycloak provider; passes
                                   tenant_id/slug/org_roles/products/plan/status
                                   claims through to the session
  src/app/api/auth/[...nextauth]/  Auth.js handlers (GET, POST)
  src/app/layout.tsx               root html shell
  src/app/page.tsx                 apex landing
  src/app/[slug]/layout.tsx        fetches tenant via lib/tenant-registry
  src/app/[slug]/page.tsx          redirect to /dashboard
  src/app/[slug]/dashboard/page.tsx
                                   signed-out → Sign in with Keycloak
                                   signed-in  → welcome + Sign out
  src/lib/host.ts                  testable host parser (apex/tenant/backstage)
  src/lib/tenant-registry.ts       fetch client for the Go service

Tooling:
  vitest                           13 tests, 100% coverage of src/lib/
  Next.js 15 build                 compiles all routes; output: standalone
  ESLint flat config               next/core-web-vitals + next/typescript

Real RBAC enforcement, the rest of the customer-area surfaces, and the
backstage shell land per the M5.2 / M10.1 schedule. This is just enough
to be the first thing a developer codes in.

Refs: M5.1 (skeleton)
2026-05-18 22:54:52 +02:00

60 lines
2.1 KiB
TypeScript
Raw Blame History

// Auth.js v5 — Keycloak provider.
//
// Dev uses the breakpilot-dev realm from platform/orca-platform/dev. The
// realm's dev-portal client is a public PKCE client; we still pass a
// non-empty clientSecret because the Keycloak provider requires it
// structurally — it's unused in the auth code grant for public clients
// when PKCE is enabled.
import NextAuth from "next-auth";
import Keycloak from "next-auth/providers/keycloak";
export const { handlers, auth, signIn, signOut } = NextAuth({
providers: [
Keycloak({
clientId: process.env.KEYCLOAK_CLIENT_ID ?? "dev-portal",
clientSecret: process.env.KEYCLOAK_CLIENT_SECRET ?? "unused-public-client",
issuer:
process.env.KEYCLOAK_ISSUER ??
"http://localhost:8080/realms/breakpilot-dev",
}),
],
callbacks: {
async jwt({ token, profile }) {
// Pass the breakpilot-dev realm's custom claims through to the session.
if (profile) {
token.tenant_id = (profile as Record<string, unknown>).tenant_id as
| string
| undefined;
token.tenant_slug = (profile as Record<string, unknown>).tenant_slug as
| string
| undefined;
token.org_roles = (profile as Record<string, unknown>).org_roles as
| string[]
| undefined;
token.products = (profile as Record<string, unknown>).products as
| string[]
| undefined;
token.plan = (profile as Record<string, unknown>).plan as
| string
| undefined;
token.tenant_status = (profile as Record<string, unknown>)
.tenant_status as string | undefined;
}
return token;
},
async session({ session, token }) {
session.user = session.user ?? { name: null, email: null, image: null };
Object.assign(session, {
tenant_id: token.tenant_id,
tenant_slug: token.tenant_slug,
org_roles: token.org_roles,
products: token.products,
plan: token.plan,
tenant_status: token.tenant_status,
});
return session;
},
},
});
Reference in New Issue View Git Blame Copy Permalink