feat(jsn-bridge): volunteer-dashboard + SSO redirect bridges + minimal rebrand

Two new bridge endpoints powering JSN's Volunteer Hub UI: 1. POST /api/volunteer/bridge/dashboard — bridge-secret-gated. Looks up User by email, reuses volunteerDashboardService.getDashboard(userId) to compose the same VolunteerDashboardPayload shape /volunteer/dashboard returns internally. Identical shape so JSN frontend renders with no schema translation. 404 when no cmlite user (JSN should provision identity first). 2. POST /api/auth/bridge/issue-sso-token (server-to-server, bridge-secret- gated) + GET /api/auth/bridge/sso?token=…&redirectTo=… (browser-facing). Mints a 60s one-time-use JWT signed with new SSO_BRIDGE_SECRET; consume atomically deletes a Redis sentinel (sso:<jti>, TTL 60s) — returns 401 if already consumed. On success, generates cmlite's normal cml_refresh cookie via the existing authService.generateTokenPair, redirects to ${ADMIN_URL}${redirectTo}. The SPA hydrates session on mount from the refresh cookie, so the user lands at the target path already logged in. redirectTo sanitization mirrors JSN's sanitizeReturnTo — protocol- relative, backslash-trick, traversal, and control-char protections. Both endpoints rate-limited at rl:bridge-sso: prefix. Minimal rebrand for the SSO-entry experience (VolunteerLayout.tsx): - useSearchParams() reads ?layout=embedded → hides PublicNavBar so the new tab feels like a continuation of whatever opener context the user came from. Footer nav stays (it's the in-cmlite navigation surface). - ConfigProvider colorPrimary already reads from siteSettings.publicColor Primary. Set via SQL once: UPDATE site_settings SET "publicColorPrimary" = '#b8362b' — JSN's campaign red. Persistent. NEW env var SSO_BRIDGE_SECRET (z.string().min(32).optional()) lives only on cmlite — JSN never sees it. Generate with openssl rand -hex 32. Distinct from JSN_BRIDGE_SECRET and all JWT_* secrets. End-to-end verified: JSN /account → click "Open Volunteer Hub" → new tab opens at http://localhost:3095/volunteer?layout=embedded with user authenticated via SSO bridge redirect, chrome hidden by layout flag, primary color matched. Bunker Admin
2026-05-25 21:36:25 -06:00 · 2026-05-25 21:36:25 -06:00 · d883be1b9c
commit d883be1b9c
parent 11f23c0072
9 changed files with 356 additions and 2 deletions
--- a/admin/src/components/VolunteerLayout.tsx
+++ b/admin/src/components/VolunteerLayout.tsx
@ -1,5 +1,5 @@
 import { useState, useMemo } from 'react';
-import { useNavigate, useLocation, Outlet } from 'react-router-dom';
+import { useNavigate, useLocation, useSearchParams, Outlet } from 'react-router-dom';
 import { ConfigProvider, Layout, Typography, theme, Drawer, Divider, Alert, Tag } from 'antd';
 import {
  LogoutOutlined,
@ -30,6 +30,12 @@ const { Content, Footer } = Layout;
 export default function VolunteerLayout() {
  const navigate = useNavigate();
  const location = useLocation();
  const [searchParams] = useSearchParams();
  // ?layout=embedded hides the top nav chrome (PublicNavBar) so the volunteer
  // surface feels like a continuation of whatever embedded/opener context the
  // user arrived from — currently the JSN /account → SSO redirect flow. The
  // footer nav stays (it's the in-cmlite navigation surface).
  const isEmbedded = searchParams.get('layout') === 'embedded';
  const { user, logout } = useAuthStore();
  const { settings } = useSettingsStore();
  const [menuOpen, setMenuOpen] = useState(false);
@ -99,7 +105,7 @@ export default function VolunteerLayout() {
      }}
    >
      <Layout style={{ minHeight: '100dvh', background: settings?.publicColorBgBase ?? '#0d1b2a' }}>
-        <PublicNavBar />
+        {!isEmbedded && <PublicNavBar />}
        <Content
          style={{
--- a/api/src/config/env.ts
+++ b/api/src/config/env.ts
@ -282,6 +282,13 @@ const envSchema = z.object({
  // accept calls. Generate with: openssl rand -hex 32
  JSN_BRIDGE_SECRET: z.string().min(32).optional(),
  // SSO redirect bridge: signs the short-lived (60s) one-time-use JWT issued
  // by /api/auth/bridge/issue-sso-token and verified by /api/auth/bridge/sso.
  // Lives only on cmlite — JSN never sees this secret; it asks cmlite to
  // mint a URL and opens that URL in the user's browser. Generate with:
  // openssl rand -hex 32. Distinct from JSN_BRIDGE_SECRET and JWT_*.
  SSO_BRIDGE_SECRET: z.string().min(32).optional(),
  // RC channel that every JSN-bridged supporter is invited into by the
  // identity bridge after RC user provisioning. Belt-and-braces alongside RC's
  // default-channel flag (which only fires at user creation time, leaving
--- a/api/src/modules/auth/sso-bridge.routes.ts
+++ b/api/src/modules/auth/sso-bridge.routes.ts
@ -0,0 +1,116 @@
 import { Router, type Request, type Response, type NextFunction } from 'express';
 import { timingSafeEqual } from 'node:crypto';
 import rateLimit from 'express-rate-limit';
 import RedisStore from 'rate-limit-redis';
 import { redis } from '../../config/redis';
 import { env } from '../../config/env';
 import { validate } from '../../middleware/validate';
 import { authService } from './auth.service';
 import { computeDeviceFingerprint } from '../../utils/device-fingerprint';
 import { issueSsoTokenSchema, consumeSsoTokenSchema } from './sso-bridge.schemas';
 import { ssoBridgeService } from './sso-bridge.service';
 import { logger } from '../../utils/logger';
 const router = Router();
 const REFRESH_COOKIE_NAME = 'cml_refresh';
 const REFRESH_COOKIE_MAX_AGE = 24 * 60 * 60 * 1000;
 // Mirrors auth.routes.ts setRefreshCookie. Re-implemented here rather than
 // imported because auth.routes.ts keeps it un-exported; copying preserves
 // future independence of the SSO bridge if auth.routes.ts changes its cookie
 // strategy.
 function setRefreshCookie(req: Request, res: Response, token: string) {
  res.cookie(REFRESH_COOKIE_NAME, token, {
    httpOnly: true,
    secure: req.secure,
    sameSite: req.secure ? 'strict' : 'lax',
    maxAge: REFRESH_COOKIE_MAX_AGE,
    path: '/api/auth',
  });
 }
 const bridgeRateLimit = rateLimit({
  windowMs: 60_000,
  max: 60,
  standardHeaders: true,
  legacyHeaders: false,
  store: new RedisStore({
    sendCommand: (command: string, ...args: string[]) =>
      redis.call(command, ...args) as Promise<any>,
    prefix: 'rl:bridge-sso:',
  }),
  message: { error: { message: 'Bridge rate limit exceeded', code: 'BRIDGE_RATE_LIMIT' } },
 });
 // Used only on the issue endpoint (server-to-server). The consume endpoint is
 // browser-facing and authorized by JWT possession instead.
 function requireBridgeSecret(req: Request, res: Response, next: NextFunction) {
  if (!env.JSN_BRIDGE_SECRET) {
    return res.status(503).json({ error: 'BRIDGE_DISABLED' });
  }
  const header = req.get('authorization') ?? '';
  const expected = `Bearer ${env.JSN_BRIDGE_SECRET}`;
  const headerBuf = Buffer.from(header);
  const expectedBuf = Buffer.from(expected);
  if (
    headerBuf.length !== expectedBuf.length ||
    !timingSafeEqual(headerBuf, expectedBuf)
  ) {
    return res.status(401).json({ error: 'UNAUTHORIZED' });
  }
  next();
 }
 // JSN api calls this server-to-server. Returns a one-time URL.
 router.post(
  '/bridge/issue-sso-token',
  bridgeRateLimit,
  requireBridgeSecret,
  validate(issueSsoTokenSchema),
  async (req, res, next) => {
    try {
      const result = await ssoBridgeService.issueToken(req.body);
      res.json(result);
    } catch (err) {
      next(err);
    }
  },
 );
 // Browser-facing. Verifies + deletes the one-time JWT, mints the normal cmlite
 // refresh-token cookie, redirects to the cmlite SPA at the sanitized path.
 // The SPA's auth store hydrates by calling /api/auth/refresh on mount, which
 // reads the refresh cookie we just set.
 router.get(
  '/bridge/sso',
  bridgeRateLimit,
  validate(consumeSsoTokenSchema, 'query'),
  async (req, res, next) => {
    try {
      const { token } = req.query as { token: string; redirectTo: string };
      const { user, redirectTo } = await ssoBridgeService.consumeToken(token);
      // Mint cmlite's normal refresh token + set the cookie. Device fingerprint
      // ties the refresh token to this user-agent/IP combo, same as login.
      const fingerprint = computeDeviceFingerprint(req);
      const tokens = await authService.generateTokenPair(
        { id: user.id, email: user.email, role: user.role as never },
        fingerprint,
      );
      setRefreshCookie(req, res, tokens.refreshToken);
      logger.info('SSO bridge redirect', { userId: user.id, redirectTo });
      // Redirect to the cmlite SPA. Cookie is set on /api/auth path (matches
      // cmlite's normal login behavior), so /api/auth/refresh from the SPA on
      // hydrate will see it.
      const target = `${env.ADMIN_URL}${redirectTo}`;
      res.redirect(302, target);
    } catch (err) {
      next(err);
    }
  },
 );
 export { router as ssoBridgeRouter };
--- a/api/src/modules/auth/sso-bridge.schemas.ts
+++ b/api/src/modules/auth/sso-bridge.schemas.ts
@ -0,0 +1,36 @@
 import { z } from 'zod';
 // JSN-side server-to-server call: ask cmlite to mint a one-time-use SSO token.
 // The token is included in a URL JSN then opens in the user's browser via
 // window.open(...) so the user lands on cmlite already logged in.
 export const issueSsoTokenSchema = z.object({
  email: z.string().email(),
  // Path within cmlite to land on after consuming the token. Sanitized below
  // before being used as a redirect target.
  redirectTo: z.string().max(512).default('/volunteer'),
 });
 export type IssueSsoTokenInput = z.infer<typeof issueSsoTokenSchema>;
 // Querystring on the consume endpoint (GET /api/auth/bridge/sso?token=...&redirectTo=...).
 export const consumeSsoTokenSchema = z.object({
  token: z.string().min(20).max(4096),
  redirectTo: z.string().max(512).default('/volunteer'),
 });
 export type ConsumeSsoTokenInput = z.infer<typeof consumeSsoTokenSchema>;
 // Reject non-same-origin paths, protocol-relative tricks, traversal, control
 // chars. Same defense pattern as JSN's sanitizeReturnTo in apps/api/src/routes/
 // auth.ts — copied here so cmlite has the same protection on its own redirect.
 export function sanitizeRedirectTo(raw: string | undefined): string {
  const FALLBACK = '/volunteer';
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 512) return FALLBACK;
  if (!raw.startsWith('/')) return FALLBACK;
  if (raw.startsWith('//')) return FALLBACK; // protocol-relative
  if (raw.startsWith('/\\')) return FALLBACK;
  if (raw.includes('..')) return FALLBACK;
  // eslint-disable-next-line no-control-regex
  if (/[\x00-\x1f\s]/.test(raw)) return FALLBACK;
  return raw;
 }
--- a/api/src/modules/auth/sso-bridge.service.ts
+++ b/api/src/modules/auth/sso-bridge.service.ts
@ -0,0 +1,89 @@
 import jwt from 'jsonwebtoken';
 import { randomUUID } from 'node:crypto';
 import { prisma } from '../../config/database';
 import { redis } from '../../config/redis';
 import { env } from '../../config/env';
 import { AppError } from '../../middleware/error-handler';
 import { logger } from '../../utils/logger';
 import { authService } from './auth.service';
 import { sanitizeRedirectTo } from './sso-bridge.schemas';
 import type { IssueSsoTokenInput } from './sso-bridge.schemas';
 const TOKEN_TTL_SECONDS = 60;
 const TOKEN_ALGORITHM = 'HS256' as const;
 interface SsoTokenPayload {
  sub: string; // cmlite user id
  jti: string; // unique id used for the one-time-use Redis sentinel
  redirectTo: string;
 }
 export const ssoBridgeService = {
  async issueToken(input: IssueSsoTokenInput): Promise<{ url: string }> {
    if (!env.SSO_BRIDGE_SECRET) {
      throw new AppError(503, 'SSO bridge not configured', 'SSO_BRIDGE_DISABLED');
    }
    const email = input.email.trim().toLowerCase();
    const redirectTo = sanitizeRedirectTo(input.redirectTo);
    const user = await prisma.user.findUnique({
      where: { email },
      select: { id: true },
    });
    if (!user) {
      throw new AppError(404, 'No cmlite user for this email', 'NO_CMLITE_USER');
    }
    const jti = randomUUID();
    const payload: SsoTokenPayload = { sub: user.id, jti, redirectTo };
    const token = jwt.sign(payload, env.SSO_BRIDGE_SECRET, {
      algorithm: TOKEN_ALGORITHM,
      expiresIn: TOKEN_TTL_SECONDS,
    });
    // One-time-use sentinel. Setting with NX prevents accidental overwrite of
    // an unrelated key (impossibly low collision risk on uuid, but cheap to
    // be paranoid). EX matches the JWT expiry so Redis cleans up on its own.
    await redis.set(`sso:${jti}`, '1', 'EX', TOKEN_TTL_SECONDS, 'NX');
    const url = `${env.API_URL}/api/auth/bridge/sso?token=${encodeURIComponent(token)}&redirectTo=${encodeURIComponent(redirectTo)}`;
    return { url };
  },
  async consumeToken(rawToken: string): Promise<{
    user: { id: string; email: string; role: string };
    redirectTo: string;
  }> {
    if (!env.SSO_BRIDGE_SECRET) {
      throw new AppError(503, 'SSO bridge not configured', 'SSO_BRIDGE_DISABLED');
    }
    let payload: SsoTokenPayload;
    try {
      payload = jwt.verify(rawToken, env.SSO_BRIDGE_SECRET, {
        algorithms: [TOKEN_ALGORITHM],
      }) as SsoTokenPayload;
    } catch (err) {
      logger.debug('SSO token verify failed', {
        err: err instanceof Error ? err.message : String(err),
      });
      throw new AppError(401, 'Invalid or expired SSO token', 'SSO_TOKEN_INVALID');
    }
    // Atomically delete the sentinel — if it returns 0, the token was already
    // consumed (or expired, or was never minted by us). Either way, reject.
    const deleted = await redis.del(`sso:${payload.jti}`);
    if (deleted === 0) {
      throw new AppError(401, 'SSO token already used or expired', 'SSO_TOKEN_CONSUMED');
    }
    const user = await prisma.user.findUnique({
      where: { id: payload.sub },
      select: { id: true, email: true, role: true },
    });
    if (!user) {
      throw new AppError(404, 'User no longer exists', 'NO_CMLITE_USER');
    }
    return { user, redirectTo: sanitizeRedirectTo(payload.redirectTo) };
  },
 };
--- a/api/src/modules/volunteer/volunteer-bridge.routes.ts
+++ b/api/src/modules/volunteer/volunteer-bridge.routes.ts
@ -0,0 +1,60 @@
 import { Router, type Request, type Response, type NextFunction } from 'express';
 import { timingSafeEqual } from 'node:crypto';
 import rateLimit from 'express-rate-limit';
 import RedisStore from 'rate-limit-redis';
 import { redis } from '../../config/redis';
 import { env } from '../../config/env';
 import { validate } from '../../middleware/validate';
 import { bridgeVolunteerDashboardSchema } from './volunteer-bridge.schemas';
 import { volunteerBridgeService } from './volunteer-bridge.service';
 const router = Router();
 const bridgeRateLimit = rateLimit({
  windowMs: 60_000,
  max: 120,
  standardHeaders: true,
  legacyHeaders: false,
  store: new RedisStore({
    sendCommand: (command: string, ...args: string[]) =>
      redis.call(command, ...args) as Promise<any>,
    prefix: 'rl:bridge-volunteer:',
  }),
  message: {
    error: { message: 'Bridge rate limit exceeded', code: 'BRIDGE_RATE_LIMIT' },
  },
 });
 function requireBridgeSecret(req: Request, res: Response, next: NextFunction) {
  if (!env.JSN_BRIDGE_SECRET) {
    return res.status(503).json({ error: 'BRIDGE_DISABLED' });
  }
  const header = req.get('authorization') ?? '';
  const expected = `Bearer ${env.JSN_BRIDGE_SECRET}`;
  const headerBuf = Buffer.from(header);
  const expectedBuf = Buffer.from(expected);
  if (
    headerBuf.length !== expectedBuf.length ||
    !timingSafeEqual(headerBuf, expectedBuf)
  ) {
    return res.status(401).json({ error: 'UNAUTHORIZED' });
  }
  next();
 }
 router.post(
  '/bridge/dashboard',
  bridgeRateLimit,
  requireBridgeSecret,
  validate(bridgeVolunteerDashboardSchema),
  async (req, res, next) => {
    try {
      const dash = await volunteerBridgeService.getDashboardByEmail(req.body);
      res.json(dash);
    } catch (err) {
      next(err);
    }
  },
 );
 export { router as volunteerBridgeRouter };
--- a/api/src/modules/volunteer/volunteer-bridge.schemas.ts
+++ b/api/src/modules/volunteer/volunteer-bridge.schemas.ts
@ -0,0 +1,7 @@
 import { z } from 'zod';
 export const bridgeVolunteerDashboardSchema = z.object({
  email: z.string().email(),
 });
 export type BridgeVolunteerDashboardInput = z.infer<typeof bridgeVolunteerDashboardSchema>;
--- a/api/src/modules/volunteer/volunteer-bridge.service.ts
+++ b/api/src/modules/volunteer/volunteer-bridge.service.ts
@ -0,0 +1,29 @@
 import { prisma } from '../../config/database';
 import { AppError } from '../../middleware/error-handler';
 import {
  volunteerDashboardService,
  type VolunteerDashboardPayload,
 } from '../volunteer-dashboard/volunteer-dashboard.service';
 import type { BridgeVolunteerDashboardInput } from './volunteer-bridge.schemas';
 export const volunteerBridgeService = {
  async getDashboardByEmail(
    input: BridgeVolunteerDashboardInput,
  ): Promise<VolunteerDashboardPayload> {
    const email = input.email.trim().toLowerCase();
    const user = await prisma.user.findUnique({
      where: { email },
      select: { id: true },
    });
    if (!user) {
      throw new AppError(404, 'No cmlite user for this email', 'NO_CMLITE_USER');
    }
    const dash = await volunteerDashboardService.getDashboard(user.id);
    if (!dash) {
      // getDashboard returns null only if profile lookup fails — same effect
      // as user-not-found for our purposes, but distinct code to aid debug.
      throw new AppError(404, 'Dashboard could not be assembled', 'DASHBOARD_UNAVAILABLE');
    }
    return dash;
  },
 };
--- a/api/src/server.ts
+++ b/api/src/server.ts
@ -18,6 +18,8 @@ import { giteaSsoRouter } from './modules/auth/gitea-sso.routes';
 import { identityBridgeRouter } from './modules/auth/identity-bridge.routes';
 import { socialLinkBridgeRouter } from './modules/auth/social-link-bridge.routes';
 import { donationBridgeRouter } from './modules/payments/donation-bridge.routes';
 import { volunteerBridgeRouter } from './modules/volunteer/volunteer-bridge.routes';
 import { ssoBridgeRouter } from './modules/auth/sso-bridge.routes';
 import { usersRouter } from './modules/users/users.routes';
 import { provisioningRouter } from './modules/users/provisioning.routes';
 import { campaignsRouter } from './modules/influence/campaigns/campaigns.routes';
@ -275,6 +277,8 @@ app.use('/api/auth', authRouter);
 app.use('/api/auth', identityBridgeRouter);                    // JSN bridge: server-to-server user provisioning
 app.use('/api/auth', socialLinkBridgeRouter);                  // JSN bridge: social handle sync
 app.use('/api/payments', donationBridgeRouter);                // JSN bridge: donation mirror
 app.use('/api/volunteer', volunteerBridgeRouter);              // JSN bridge: volunteer dashboard data
 app.use('/api/auth', ssoBridgeRouter);                         // JSN bridge: SSO redirect (issue + consume)
 app.use('/api/auth', giteaSsoRouter);                          // Gitea SSO validation (nginx auth_request)
 app.use('/api/users', usersRouter);
 app.use('/api/users', provisioningRouter);                   // User provisioning management (ADMIN roles)