ФУНКЦИИ - NODEDC LAUNCHER: direct auth redirect

ФУНКЦИИ - МЕЖПРОЕКТНАЯ КОММУНИКАЦИЯ: Launcher live access и global logout
2026-05-04 21:39:56 +03:00 · 2026-05-04 18:54:07 +03:00
4 changed files with 313 additions and 20 deletions
--- a/.gitignore
+++ b/.gitignore
@ -9,3 +9,4 @@ yarn-debug.log*
 yarn-error.log*
 pnpm-debug.log*
 *.tsbuildinfo
 public/storage/backups/
--- a/public/storage/launcher-data.json
+++ b/public/storage/launcher-data.json
@ -42,7 +42,7 @@
      "avatarUrl": "/storage/uploads/1777901476392-03f10a36-2022-10-13-20-52-47-0287-2037248814-scale20.00-k_euler_a-0287.jpg",
      "globalStatus": "active",
      "createdAt": "2026-05-04T00:00:00.000Z",
-      "updatedAt": "2026-05-04T14:15:10.555Z"
+      "updatedAt": "2026-05-04T15:26:08.500Z"
    }
  ],
  "memberships": [
@ -275,8 +275,8 @@
      "targetId": "user_silver_psih",
      "appRole": "member",
      "status": "active",
-      "createdAt": "2026-05-04T14:15:10.296Z",
+      "createdAt": "2026-05-04T15:26:07.830Z",
-      "updatedAt": "2026-05-04T14:15:10.296Z"
+      "updatedAt": "2026-05-04T15:26:07.830Z"
    }
  ],
  "exceptions": [],
@ -311,9 +311,9 @@
      "objectType": "user",
      "target": "authentik",
      "state": "synced",
-      "lastSyncAt": "2026-05-04T14:15:10.555Z",
+      "lastSyncAt": "2026-05-04T15:26:08.500Z",
      "error": null,
-      "updatedAt": "2026-05-04T14:15:10.555Z"
+      "updatedAt": "2026-05-04T15:26:08.500Z"
    },
    {
      "id": "sync_dctouch_groups_authentik",
@ -357,7 +357,7 @@
      "state": "pending",
      "lastSyncAt": null,
      "error": null,
-      "updatedAt": "2026-05-04T14:15:10.297Z"
+      "updatedAt": "2026-05-04T15:26:07.830Z"
    }
  ],
  "auditEvents": [
@ -1044,6 +1044,102 @@
      "clientId": null,
      "result": "success",
      "details": "Groups: nodedc:launcher:user, nodedc:taskmanager:user, service-digital-twin"
    },
    {
      "id": "audit_silver_psih_yahoo_com_task_manager_15",
      "at": "2026-05-04T14:50:51.260Z",
      "actorUserId": "user_root",
      "actorName": "DC SUDO",
      "action": "Обновлён доступ пользователя к сервису",
      "objectType": "grant",
      "objectName": "silver_psih@yahoo.com / task-manager",
      "clientId": null,
      "result": "success",
      "details": "Value: deny"
    },
    {
      "id": "audit_silver_psih_yahoo_com_39",
      "at": "2026-05-04T14:50:51.574Z",
      "actorUserId": "user_root",
      "actorName": "DC SUDO",
      "action": "Пользователь синхронизирован в Authentik",
      "objectType": "user",
      "objectName": "silver_psih@yahoo.com",
      "clientId": null,
      "result": "success",
      "details": "Groups: nodedc:launcher:user, service-digital-twin"
    },
    {
      "id": "audit_silver_psih_yahoo_com_task_manager_16",
      "at": "2026-05-04T14:51:46.812Z",
      "actorUserId": "user_root",
      "actorName": "DC SUDO",
      "action": "Обновлён доступ пользователя к сервису",
      "objectType": "grant",
      "objectName": "silver_psih@yahoo.com / task-manager",
      "clientId": null,
      "result": "success",
      "details": "Value: member"
    },
    {
      "id": "audit_silver_psih_yahoo_com_40",
      "at": "2026-05-04T14:51:47.092Z",
      "actorUserId": "user_root",
      "actorName": "DC SUDO",
      "action": "Пользователь синхронизирован в Authentik",
      "objectType": "user",
      "objectName": "silver_psih@yahoo.com",
      "clientId": null,
      "result": "success",
      "details": "Groups: nodedc:launcher:user, nodedc:taskmanager:user, service-digital-twin"
    },
    {
      "id": "audit_silver_psih_yahoo_com_task_manager_17",
      "at": "2026-05-04T15:25:51.639Z",
      "actorUserId": "user_root",
      "actorName": "DC SUDO",
      "action": "Обновлён доступ пользователя к сервису",
      "objectType": "grant",
      "objectName": "silver_psih@yahoo.com / task-manager",
      "clientId": null,
      "result": "success",
      "details": "Value: deny"
    },
    {
      "id": "audit_silver_psih_yahoo_com_41",
      "at": "2026-05-04T15:25:51.952Z",
      "actorUserId": "user_root",
      "actorName": "DC SUDO",
      "action": "Пользователь синхронизирован в Authentik",
      "objectType": "user",
      "objectName": "silver_psih@yahoo.com",
      "clientId": null,
      "result": "success",
      "details": "Groups: nodedc:launcher:user, service-digital-twin"
    },
    {
      "id": "audit_silver_psih_yahoo_com_task_manager_18",
      "at": "2026-05-04T15:26:07.830Z",
      "actorUserId": "user_root",
      "actorName": "DC SUDO",
      "action": "Обновлён доступ пользователя к сервису",
      "objectType": "grant",
      "objectName": "silver_psih@yahoo.com / task-manager",
      "clientId": null,
      "result": "success",
      "details": "Value: member"
    },
    {
      "id": "audit_silver_psih_yahoo_com_42",
      "at": "2026-05-04T15:26:08.500Z",
      "actorUserId": "user_root",
      "actorName": "DC SUDO",
      "action": "Пользователь синхронизирован в Authentik",
      "objectType": "user",
      "objectName": "silver_psih@yahoo.com",
      "clientId": null,
      "result": "success",
      "details": "Groups: nodedc:launcher:user, nodedc:taskmanager:user, service-digital-twin"
    }
  ]
 }
--- a/server/dev-server.mjs
+++ b/server/dev-server.mjs
@ -1,6 +1,6 @@
 import express from "express";
 import { createServer as createHttpServer } from "node:http";
-import { randomBytes, randomUUID, createHash } from "node:crypto";
+import { randomBytes, randomUUID, createHash, timingSafeEqual } from "node:crypto";
 import { existsSync, readFileSync } from "node:fs";
 import { mkdir, writeFile } from "node:fs/promises";
 import { dirname, extname, join, resolve } from "node:path";
@ -16,6 +16,7 @@ const maxStorageJsonBodyBytes = "260mb";
 const pendingLoginTtlMs = 10 * 60 * 1000;
 const sessionTtlMs = 12 * 60 * 60 * 1000;
 const oidcStateCookieName = "nodedc_oidc_state";
 const maxOidcStateCookieEntries = 8;
 const sessionCookieName = "nodedc_session";
 loadEnvFiles([
@ -44,6 +45,7 @@ app.get("/healthz", (_req, res) => {
    service: "nodedc-launcher-bff",
    oidcConfigured: config.oidcConfigured,
    authentikApiConfigured: authentikSyncClient.isConfigured(),
    internalAccessApiConfigured: Boolean(config.internalAccessToken),
  });
 });
@ -65,7 +67,7 @@ app.get("/auth/login", asyncRoute(async (req, res) => {
    expiresAt: Date.now() + pendingLoginTtlMs,
  });
-  res.cookie(oidcStateCookieName, state, cookieOptions(pendingLoginTtlMs));
+  setOidcStateCookie(res, [state, ...getValidOidcCookieStates(req)].slice(0, maxOidcStateCookieEntries));
  const authorizationUrl = new URL(discovery.authorization_endpoint);
  authorizationUrl.searchParams.set("response_type", "code");
@ -96,15 +98,17 @@ app.get("/auth/callback", asyncRoute(async (req, res) => {
  const code = typeof req.query.code === "string" ? req.query.code : null;
  const state = typeof req.query.state === "string" ? req.query.state : null;
-  const cookieState = parseCookies(req.headers.cookie)[oidcStateCookieName];
+  const cookieStates = getValidOidcCookieStates(req);
-  if (!code || !state || state !== cookieState) {
+  if (!code || !state || !cookieStates.includes(state)) {
-    throw new Error("OIDC callback state validation failed");
+    res.clearCookie(oidcStateCookieName, clearCookieOptions());
    res.redirect("/auth/login?returnTo=/");
    return;
  }
  const pendingLogin = pendingLogins.get(state);
  pendingLogins.delete(state);
-  res.clearCookie(oidcStateCookieName, clearCookieOptions());
+  setOidcStateCookie(res, cookieStates.filter((cookieState) => cookieState !== state));
  if (!pendingLogin || pendingLogin.expiresAt < Date.now()) {
    throw new Error("OIDC login state expired");
@ -152,7 +156,7 @@ app.get("/auth/logout", asyncRoute(async (req, res) => {
  const endSessionEndpoint = discovery.end_session_endpoint;
  if (!endSessionEndpoint) {
-    res.redirect(returnTo);
+    res.type("html").send(renderGlobalLogoutPage(getFrontchannelLogoutUrls(), new URL(returnTo, config.appBaseUrl).toString()));
    return;
  }
@ -164,7 +168,7 @@ app.get("/auth/logout", asyncRoute(async (req, res) => {
    logoutUrl.searchParams.set("id_token_hint", session.tokenSet.idToken);
  }
-  res.redirect(logoutUrl.toString());
+  res.type("html").send(renderGlobalLogoutPage(getFrontchannelLogoutUrls(), logoutUrl.toString()));
 }));
 app.get("/api/me", (req, res) => {
@ -182,7 +186,7 @@ app.get("/api/me", (req, res) => {
    user: runtimeContext.user,
    groups: runtimeContext.groups,
    isSuperAdmin: runtimeContext.groups.includes("nodedc:superadmin"),
-    logoutUrl: "/auth/logout",
+    logoutUrl: "/auth/logout?global=1&returnTo=/",
  });
 });
@ -232,6 +236,54 @@ app.get("/api/events", requireSession, (req, res) => {
  });
 });
 app.post("/api/internal/access/check", (req, res) => {
  if (!isInternalRequestAuthorized(req)) {
    res.status(config.internalAccessToken ? 401 : 503).json({
      ok: false,
      error: config.internalAccessToken ? "internal_access_unauthorized" : "internal_access_not_configured",
    });
    return;
  }
  const snapshot = controlPlaneStore.getSnapshot({ name: "NODE.DC internal access check" });
  const user = findInternalAccessUser(snapshot.data, req.body);
  const serviceSlug = sanitizeServiceSlug(req.body?.serviceSlug);
  if (!user) {
    res.json({
      ok: true,
      allowed: false,
      reason: "user_not_found",
      serviceSlug,
      groups: [],
      matchedGroups: [],
      user: null,
    });
    return;
  }
  const groups = resolveRequiredGroups(snapshot.data, user);
  const app = getAppsForUser(groups).find((candidate) => candidate.slug === serviceSlug);
  const allowed = Boolean(app?.hasAccess);
  res.json({
    ok: true,
    allowed,
    reason: allowed ? "access_confirmed" : "access_denied",
    serviceSlug,
    groups,
    matchedGroups: app?.matchedGroups ?? [],
    user: {
      id: user.id,
      email: user.email,
      name: user.name,
      avatarUrl: user.avatarUrl ?? null,
      authentikUserId: user.authentikUserId ?? null,
      globalStatus: user.globalStatus,
    },
  });
 });
 app.patch("/api/profile", requireSession, asyncRoute(async (req, res) => {
  const { actor } = getLauncherProfileContext(req.nodedcSession);
  const result = await controlPlaneStore.updateUserProfile(actor.id, sanitizeSelfProfilePatch(req.body), req.nodedcSession.user);
@ -506,6 +558,14 @@ function readConfig() {
      process.env.AUTHENTIK_SERVICE_TOKEN ??
      process.env.AUTHENTIK_BOOTSTRAP_TOKEN ??
      "",
    internalAccessToken:
      process.env.NODEDC_INTERNAL_ACCESS_TOKEN ??
      process.env.NODEDC_PLATFORM_SERVICE_TOKEN ??
      process.env.PLANE_OIDC_CLIENT_SECRET ??
      "",
    taskLogoutUrl:
      process.env.TASK_LOGOUT_URL ??
      `${(process.env.TASK_BASE_URL ?? `http://${process.env.TASK_DOMAIN ?? "task.local.nodedc"}`).replace(/\/$/, "")}/logout`,
  };
 }
@ -831,6 +891,68 @@ function getServiceUrl(service) {
  return service.launchUrl || service.url || "#";
 }
 function getFrontchannelLogoutUrls() {
  const urls = [config.taskLogoutUrl];
  const launcherData = readLauncherData();
  const services = Array.isArray(launcherData?.services) ? launcherData.services : [];
  for (const service of services) {
    if (typeof service.logoutUrl === "string" && service.logoutUrl.trim()) {
      urls.push(service.logoutUrl.trim());
    }
  }
  return [...new Set(urls.map(normalizeLogoutUrl).filter(Boolean))];
 }
 function normalizeLogoutUrl(value) {
  try {
    const url = new URL(value);
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    return url.toString();
  } catch {
    return null;
  }
 }
 function renderGlobalLogoutPage(frontchannelLogoutUrls, finalRedirectUrl) {
  const logoutUrlsJson = JSON.stringify(frontchannelLogoutUrls);
  const redirectUrlJson = JSON.stringify(finalRedirectUrl);
  return `<!doctype html>
 <html lang="ru">
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <title>Выход из NODE.DC</title>
    <style>
      html,body{height:100%;margin:0;background:#050606;color:#f4f4f4;font-family:Inter,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif}
      body{display:grid;place-items:center}
      main{max-width:28rem;padding:2rem;text-align:center}
      h1{margin:0 0 .75rem;font-size:1.5rem}
      p{margin:0;color:#a6a6a6;line-height:1.5}
    </style>
  </head>
  <body>
    <main>
      <h1>Выходим из NODE.DC</h1>
      <p>Закрываем сессии подключённых приложений и платформенный вход.</p>
    </main>
    <script>
      const logoutUrls = ${logoutUrlsJson};
      const finalRedirectUrl = ${redirectUrlJson};
      for (const logoutUrl of logoutUrls) {
        fetch(logoutUrl, { mode: "no-cors", credentials: "include", keepalive: true }).catch(() => undefined);
        const image = new Image();
        image.referrerPolicy = "no-referrer";
        image.src = logoutUrl;
      }
      window.setTimeout(() => window.location.replace(finalRedirectUrl), 700);
    </script>
  </body>
 </html>`;
 }
 function readLauncherData() {
  const dataPath = join(projectRoot, "public", "storage", "launcher-data.json");
@ -954,6 +1076,36 @@ function pruneExpiredState() {
  }
 }
 function getValidOidcCookieStates(req) {
  const rawValue = parseCookies(req.headers.cookie)[oidcStateCookieName];
  if (!rawValue) return [];
  const seen = new Set();
  return rawValue
    .split(".")
    .filter((state) => /^[A-Za-z0-9_-]{32,256}$/.test(state))
    .filter((state) => {
      if (seen.has(state)) return false;
      seen.add(state);
      return true;
    })
    .filter((state) => {
      const pendingLogin = pendingLogins.get(state);
      return Boolean(pendingLogin && pendingLogin.expiresAt >= Date.now());
    });
 }
 function setOidcStateCookie(res, states) {
  if (!states.length) {
    res.clearCookie(oidcStateCookieName, clearCookieOptions());
    return;
  }
  res.cookie(oidcStateCookieName, states.join("."), cookieOptions(pendingLoginTtlMs));
 }
 function parseCookies(cookieHeader) {
  if (!cookieHeader) return {};
@ -1000,6 +1152,47 @@ function requireSession(req, res, next) {
  next();
 }
 function isInternalRequestAuthorized(req) {
  if (!config.internalAccessToken) {
    return false;
  }
  const authorization = typeof req.headers.authorization === "string" ? req.headers.authorization : "";
  const bearerToken = authorization.match(/^Bearer\s+(.+)$/i)?.[1] ?? "";
  const headerToken = typeof req.headers["x-nodedc-internal-token"] === "string" ? req.headers["x-nodedc-internal-token"] : "";
  const requestToken = bearerToken || headerToken;
  return safeTokenEquals(requestToken, config.internalAccessToken);
 }
 function safeTokenEquals(actual, expected) {
  if (!actual || !expected) {
    return false;
  }
  const actualBuffer = Buffer.from(String(actual));
  const expectedBuffer = Buffer.from(String(expected));
  return actualBuffer.length === expectedBuffer.length && timingSafeEqual(actualBuffer, expectedBuffer);
 }
 function findInternalAccessUser(data, payload) {
  const subject = typeof payload?.subject === "string" ? payload.subject : "";
  const email = typeof payload?.email === "string" ? payload.email.toLowerCase() : "";
  const userId = typeof payload?.userId === "string" ? payload.userId : "";
  return (
    data.users.find((user) => userId && user.id === userId) ??
    data.users.find((user) => subject && user.authentikUserId === subject) ??
    data.users.find((user) => email && user.email.toLowerCase() === email) ??
    null
  );
 }
 function sanitizeServiceSlug(value) {
  return typeof value === "string" && value ? value : "task-manager";
 }
 function getLauncherProfileContext(session) {
  const snapshot = controlPlaneStore.getSnapshot(session.user);
--- a/src/app/LauncherApp.tsx
+++ b/src/app/LauncherApp.tsx
@ -62,7 +62,6 @@ export function LauncherApp() {
  const [adminOpen, setAdminOpen] = useState(false);
  const [authSession, setAuthSession] = useState<AuthSession | null>(null);
  const [authApps, setAuthApps] = useState<LauncherAuthApp[] | null>(null);
  const [authError, setAuthError] = useState<string | null>(null);
  const [profileSettingsOpen, setProfileSettingsOpen] = useState(false);
  const [pendingAccessAssignments, setPendingAccessAssignments] = useState<Record<string, AccessAssignmentValue>>({});
@ -160,7 +159,6 @@ export function LauncherApp() {
        if (!isMounted) return;
        setAuthSession(session);
        setAuthError(null);
        if (!session.authenticated) {
          setAuthApps([]);
@ -178,7 +176,7 @@ export function LauncherApp() {
        setAuthSession({ authenticated: false, loginUrl: "/auth/login" });
        setAuthApps([]);
-        setAuthError(error instanceof Error ? error.message : "Не удалось проверить сессию платформы");
+        console.warn(error instanceof Error ? error.message : "Не удалось проверить сессию платформы");
      });
    return () => {
@ -186,6 +184,12 @@ export function LauncherApp() {
    };
  }, []);
  useEffect(() => {
    if (!authSession || authSession.authenticated) return;
    window.location.replace(authSession.loginUrl || "/auth/login");
  }, [authSession]);
  useEffect(() => {
    if (!authSession?.authenticated) return;
@ -247,7 +251,6 @@ export function LauncherApp() {
        if (!isMounted) return;
        setAuthSession(nextSession);
        setAuthError(null);
        if (!nextSession.authenticated) {
          setAuthApps([]);
@ -473,7 +476,7 @@ export function LauncherApp() {
  }
  if (!authSession.authenticated) {
-    return <AuthStateScreen title="Вход на платформу NODE.DC" description="Войдите, чтобы открыть рабочую область и доступы." error={authError} loginUrl={authSession.loginUrl} />;
+    return null;
  }
  return (
Author	SHA1	Message	Date
DCCONSTRUCTIONS	a1e8cacd88	ФУНКЦИИ - NODEDC LAUNCHER: direct auth redirect	2026-05-04 21:39:56 +03:00
DCCONSTRUCTIONS	a1fb2d0f83	ФУНКЦИИ - МЕЖПРОЕКТНАЯ КОММУНИКАЦИЯ: Launcher live access и global logout	2026-05-04 18:54:07 +03:00