GoSec_Cloud/gscMy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
df6fca815ae788600efa6f0f2b57d95f3852832e
gscMy/middleware.ts
Super User be1c4fe5f9 chore: bootstrap gscMy on @gsc/web-kit + PAM/JIT request flow 
Initial commit for gscMy carved out as its own repo (was tracked
loosely under the monorepo's web/ which is gitignored).

What this contains:
- Auth: next-auth v5 via @gsc/web-kit createAuth (Keycloak only,
  identity sourced from claims, no admin.users writes)
- Chrome: @gsc/web-kit AdminShell — replaces the legacy MyShell.
  Sidebar JSON config carried over and mapped to DbMenuItem.
- Middleware: createAuthMiddleware. Public: /access-denied,
  /auth/keycloak, /signed-out, /api/health, /api/pam/approve.
- RP-initiated signout at /api/auth/signout → Keycloak end_session →
  /signed-out (mirrors gscAdmin).
- Phosphor-iconned access-denied + signed-out landing pages.

PAM/JIT request flow (ported from gscAdmin's pre-strip git history):
- /access page (Active + Eligible tables, request modal with
  duration slider + justification + optional MFA)
- API: /api/pam/{eligible, active, audit, request, approve/:token,
  revoke/:id}
- src/lib/{authz, pam, pam-mail, pam-mfa}.ts — same files as
  gscAdmin had before the strip. PAM tables (admin.privilege_*)
  are shared with gscAdmin; gscMy uses the same Prisma model defs.
- Top-bar widget shows active grants with countdown + revoke.

Build/Deploy: Dockerfile (monorepo-root context), k8s manifests for
my.gosec.internal, self-signed TLS placeholder, DNS A record.
Keycloak gsc-my client extended to include my.gosec.internal/* in
redirect_uris + web_origins.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 13:46:13 +02:00

24 lines
746 B
TypeScript
Raw Blame History

import { createAuthMiddleware } from "@gsc/web-kit/auth/middleware";
// Default: require auth for all routes. gscMy is the user-facing
// portal; only public surfaces are the auth entry point + the two
// branded standalone pages.
export default createAuthMiddleware({
signInPath: "/auth/keycloak",
publicRoutes: [
"/api/health",
"/access-denied",
"/auth/keycloak",
"/signed-out",
// PAM approval link — token in URL is the auth. Matcher below
// also excludes it so the kit's redirect logic doesn't fire.
"/api/pam/approve",
],
});
export const config = {
matcher: [
"/((?!_next/static|_next/image|favicon.ico|robots.txt|api/health|access-denied|auth/keycloak|signed-out|api/pam/approve).+)",
],
};
Reference in New Issue View Git Blame Copy Permalink