scandic/web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merged in feat/LOY-230-Microsoft-Entra-ID-Auth (pull request #2113)

Browse Source 
Feat(LOY-230): DTMC Routes with Entra ID Auth & Error Page Handling

* feat(LOY-230): Link Scandic Friends and Azure accounts

* fix(LOY-230): remove employee id param setting

* fix(LOY-230): return token in jwt callback for auth.dtmc.ts


Approved-by: Michael Zetterberg
Approved-by: Christian Andolf
This commit is contained in:
Chuma Mcphoy (We Ahead)
2025-06-18 10:22:04 +00:00
parent 9df19fda7c
commit 2101b79db1
23 changed files with 568 additions and 165 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
apps/scandic-web/.env.local.example
View File

@@ -73,4 +73,8 @@ SAS_AUTH_CLIENTID=""
LOKALISE_API_KEY="" LOKALISE_API_KEY=""
DTMC_ENTRA_ID_CLIENT=""
DTMC_ENTRA_ID_ISSUER=""
DTMC_ENTRA_ID_SECRET=""
CAMPAIGN_PAGES_ENABLED="0" # 0 - disabled, 1 - enabled CAMPAIGN_PAGES_ENABLED="0" # 0 - disabled, 1 - enabled

45
apps/scandic-web/app/[lang]/(live)/(public)/dtmc/route.ts Normal file
View File

@@ -0,0 +1,45 @@
import { NextResponse } from "next/server"
import { AuthError } from "next-auth"
import { dtmcApiCallback } from "@/constants/routes/dtmc"
import { env } from "@/env/server"
import { internalServerError, serviceUnavailable } from "@/server/errors/next"
import { signIn } from "@/auth.dtmc"
export async function GET() {
try {
const redirectUrl = await signIn(
"microsoft-entra-id",
{
redirectTo: `${env.PUBLIC_URL}${dtmcApiCallback}`,
redirect: false,
},
{
prompt: "login",
}
)
if (redirectUrl) {
console.log(`[dtmc] redirecting to: ${redirectUrl}`)
return NextResponse.redirect(redirectUrl)
} else {
console.error(`[dtmc] missing redirectUrl response from signIn()`)
return internalServerError(
"[dtmc] Missing redirect URL from authentication service"
)
}
} catch (error) {
if (error instanceof AuthError) {
console.error({ signInAuthError: error })
return serviceUnavailable(
"[dtmc] Microsoft authentication service unavailable"
)
} else {
console.error({ signInError: error })
return internalServerError(
"[dtmc] Unexpected error during authentication"
)
}
}
}

24
apps/scandic-web/app/[lang]/(no-layout)/(protected)/link-employment/linkEmploymentPage.module.css → apps/scandic-web/app/[lang]/(no-layout)/(protected)/link-employment-error/linkEmploymentError.module.css
View File

@@ -20,7 +20,7 @@
} }
.nav { .nav {
padding: var(--Spacing-x2); padding: var(--Space-x2);
display: flex; display: flex;
align-items: center; align-items: center;
justify-content: space-between; justify-content: space-between;
@@ -50,8 +50,8 @@
display: flex; display: flex;
align-items: center; align-items: center;
justify-content: center; justify-content: center;
padding-left: var(--Spacing-x3); padding-left: var(--Space-x3);
padding-right: var(--Spacing-x3); padding-right: var(--Space-x3);
} }
.card { .card {
@@ -62,25 +62,25 @@
padding: var(--Spacing-x5); padding: var(--Spacing-x5);
border-radius: var(--Corner-radius-lg); border-radius: var(--Corner-radius-lg);
display: grid; display: grid;
gap: var(--Spacing-x3); gap: var(--Space-x3);
} }
.formElements { .formElements {
display: flex; display: flex;
flex-direction: column; flex-direction: column;
gap: var(--Spacing-x3); gap: var(--Space-x3);
} }
.checkboxContainer { .checkboxContainer {
display: flex; display: flex;
flex-direction: column; flex-direction: column;
gap: var(--Spacing-x1); gap: var(--Space-x1);
} }
.checkboxWrapper { .checkboxWrapper {
display: flex; display: flex;
align-items: center; align-items: center;
gap: var(--Spacing-x-one-and-half); gap: var(--Space-x15);
cursor: pointer; cursor: pointer;
} }
@@ -110,7 +110,7 @@
} }
.termsTextFull { .termsTextFull {
padding-left: var(--Spacing-x5); padding-left: var(--Space-x5);
} }
.link { .link {
@@ -118,3 +118,11 @@
text-decoration: underline; text-decoration: underline;
font-weight: var(--Font-weight-Bold); font-weight: var(--Font-weight-Bold);
} }
.contactSection {
padding-top: var(--Space-x3);
gap: var(--Space-x15);
display: flex;
flex-direction: column;
place-items: center;
}

146
apps/scandic-web/app/[lang]/(no-layout)/(protected)/link-employment-error/page.tsx Normal file
View File

@@ -0,0 +1,146 @@
"use client"
import Image from "next/image"
import { useSearchParams } from "next/navigation"
import { type IntlShape, useIntl } from "react-intl"
import { MaterialIcon } from "@scandic-hotels/design-system/Icons/MaterialIcon"
import ScandicLogoIcon from "@scandic-hotels/design-system/Icons/ScandicLogoIcon"
import { Typography } from "@scandic-hotels/design-system/Typography"
import { supportEmail, supportPhone } from "@/constants/contactSupport"
import { employeeBenefits } from "@/constants/routes/dtmc"
import ButtonLink from "@/components/ButtonLink"
import Link from "@/components/TempDesignSystem/Link"
import useLang from "@/hooks/useLang"
import background from "@/public/_static/img/Scandic_Computer_Coffee.png"
import styles from "./linkEmploymentError.module.css"
export default function LinkEmploymentErrorPage() {
const lang = useLang()
const intl = useIntl()
const searchParams = useSearchParams()
const error = searchParams.get("error")
const errorContent = getErrorContent(error, intl)
return (
<div className={styles.pageWrapper}>
<Image
src={background}
alt=""
fill
className={styles.backgroundImage}
priority
sizes="100vw"
/>
<div className={styles.contentContainer}>
<nav className={styles.nav}>
<ButtonLink href={employeeBenefits[lang]} variant="Text">
<MaterialIcon
icon="chevron_left"
size={20}
className={styles.backArrow}
/>
<span className={styles.navBackText}>
{intl.formatMessage({
defaultMessage: "Go back",
})}
</span>
</ButtonLink>
<div className={styles.logoContainer}>
<ScandicLogoIcon
color="Icon/Interactive/Accent"
height="20px"
width="94px"
/>
</div>
</nav>
<main className={styles.mainContent}>
<div style={{ textAlign: "center" }} className={styles.card}>
<Typography variant="Title/Subtitle/lg">
<h1>{errorContent.heading}</h1>
</Typography>
<Typography variant="Body/Paragraph/mdRegular">
<p>{errorContent.message}</p>
</Typography>
<div className={styles.contactSection}>
<Typography variant="Title/Subtitle/md">
<h3>
{intl.formatMessage({
defaultMessage: "Contact our member service",
})}
</h3>
</Typography>
<Typography variant="Link/sm">
<Link
color="Text/Interactive/Secondary"
href={`tel:${supportPhone[lang].replaceAll(" ", "")}`}
textDecoration="underline"
>
{supportPhone[lang]}
</Link>
</Typography>
<Typography variant="Link/sm">
<Link
href={`mailto:${supportEmail[lang]}`}
color="Text/Interactive/Secondary"
textDecoration="underline"
>
{supportEmail[lang]}
</Link>
</Typography>
</div>
</div>
</main>
</div>
</div>
)
}
const getErrorContent = (error: string | null, intl: IntlShape) => {
const defaultErrorContent = {
heading: intl.formatMessage({
defaultMessage: "Your account could not be connected",
}),
message: intl.formatMessage({
defaultMessage:
"We could not connect your accounts to give you access. Please contact us and we'll help you resolve this issue.",
}),
}
switch (error) {
case "unable_to_verify_employee_id":
return {
heading: intl.formatMessage({
defaultMessage: "You're not eligible for employee benefits",
}),
message: intl.formatMessage({
defaultMessage:
"This may be because your employment has not yet started, has ended, or you are a consultant. If you believe this is an error, please contact us for assistance.",
}),
}
case "employee_id_already_linked":
return {
heading: intl.formatMessage({
defaultMessage:
"Employee number already linked to another Scandic Friends membership.",
}),
message: intl.formatMessage({
defaultMessage:
"If you believe this is an error, please contact us for assistance.",
}),
}
case "missing_employee_id_profile":
case "missing_employee_id":
case "no_session":
return defaultErrorContent
default:
return defaultErrorContent
}
}

139
apps/scandic-web/app/[lang]/(no-layout)/(protected)/link-employment/page.tsx
View File

@@ -1,139 +0,0 @@
"use client"
import Image from "next/image"
import { useState } from "react"
import { Checkbox as AriaCheckbox } from "react-aria-components"
import { useIntl } from "react-intl"
import { Button } from "@scandic-hotels/design-system/Button"
import { MaterialIcon } from "@scandic-hotels/design-system/Icons/MaterialIcon"
import ScandicLogoIcon from "@scandic-hotels/design-system/Icons/ScandicLogoIcon"
import { Typography } from "@scandic-hotels/design-system/Typography"
import { employeeBenefits } from "@/constants/routes/dtmc"
import ButtonLink from "@/components/ButtonLink"
import useLang from "@/hooks/useLang"
import styles from "./linkEmploymentPage.module.css"
export default function LinkEmploymentPage() {
const lang = useLang()
const intl = useIntl()
const [isChecked, setIsChecked] = useState(false)
const linkMyEmploymentText = intl.formatMessage({
defaultMessage: "Link my employment",
})
return (
<div className={styles.pageWrapper}>
<Image
src="/_static/img/Scandic_Computer_Coffee.png"
alt=""
fill
className={styles.backgroundImage}
priority
/>
<div className={styles.contentContainer}>
<nav className={styles.nav}>
<ButtonLink href={employeeBenefits[lang]} variant="Text">
<MaterialIcon
icon="chevron_left"
size={20}
className={styles.backArrow}
/>
<span className={styles.navBackText}>
{intl.formatMessage({
defaultMessage: "Go back",
})}
</span>
</ButtonLink>
<div className={styles.logoContainer}>
<ScandicLogoIcon
color="Icon/Interactive/Accent"
height="20px"
width="94px"
/>
</div>
</nav>
<main className={styles.mainContent}>
<div className={styles.card}>
<Typography variant="Title/Subtitle/lg">
<h1 className={styles.heading}>
{intl.formatMessage({
defaultMessage: "Link your employment to access benefits",
})}
</h1>
</Typography>
<div className={styles.formElements}>
<div className={styles.checkboxContainer}>
<AriaCheckbox
isSelected={isChecked}
onChange={setIsChecked}
className={styles.checkboxWrapper}
>
{({ isSelected: isAriaSelected }) => (
<>
<span className={styles.checkbox}>
{isAriaSelected && (
<MaterialIcon icon="check" color="Icon/Inverted" />
)}
</span>
<Typography variant="Body/Paragraph/mdRegular">
<span>
{intl.formatMessage({
defaultMessage: "I accept the terms and conditions",
})}
</span>
</Typography>
</>
)}
</AriaCheckbox>
<Typography variant="Body/Paragraph/mdRegular">
<p className={styles.termsTextFull}>
{intl.formatMessage(
{
defaultMessage:
"By accepting the {termsLink}, I agree to link my employment to access benefits. The connection will remain active during my employment or until I opt out by sending an email to Scandic's customer service.",
},
{
termsLink: (
// TODO: Update with actual URL for terms and conditions.
<a href={"#"} className={styles.link}>
{intl.formatMessage({
defaultMessage:
"Scandic Family Terms and Conditions",
})}
</a>
),
}
)}
</p>
</Typography>
</div>
{isChecked ? (
<ButtonLink
href={"#"} // TODO: Udpate with actual URL for linking employment.
>
{linkMyEmploymentText}
</ButtonLink>
) : (
<Button
variant="Primary"
typography="Body/Paragraph/mdRegular"
isDisabled
>
{linkMyEmploymentText}
</Button>
)}
</div>
</div>
</main>
</div>
</div>
)
}

21
apps/scandic-web/app/api/web/auth/[...nextauth]/route.ts
View File

@@ -1 +1,20 @@
export { GET, POST } from "@/auth" import { GET as DEFAULT_GET, POST as DEFAULT_POST } from "@/auth"
import { GET as DTMC_GET, POST as DTMC_POST } from "@/auth.dtmc"
import type { NextRequest } from "next/server"
export function GET(req: NextRequest) {
if (req.nextUrl.pathname.includes("microsoft-entra-id")) {
return DTMC_GET(req)
}
return DEFAULT_GET(req)
}
export function POST(req: NextRequest) {
if (req.nextUrl.pathname.includes("microsoft-entra-id")) {
return DTMC_POST(req)
}
return DEFAULT_POST(req)
}

106
apps/scandic-web/app/api/web/auth/dtmc/route.ts Normal file
View File

@@ -0,0 +1,106 @@
import { type NextRequest, NextResponse } from "next/server"
import { DTMC_SUCCESS_BANNER_KEY } from "@/constants/dtmc"
import { linkEmploymentError } from "@/constants/routes/dtmc"
import { overview } from "@/constants/routes/myPages"
import { internalServerError } from "@/server/errors/next"
import { getPublicURL } from "@/server/utils"
import { auth } from "@/auth"
import { auth as dtmcAuth } from "@/auth.dtmc"
import { getLang } from "@/i18n/serverContext"
import { isValidSession } from "@/utils/session"
async function linkEmployeeToUser(employeeId: string) {
try {
console.log(`[dtmc] Linking employee ID ${employeeId}`)
// TODO: Use the actual API once available. For now, return a mock success response.
return { success: true }
} catch (error) {
console.error("[dtmc] Error linking employee to user:", error)
throw error
}
}
/**
* This is the route that the NextAuth callback for Microsoft Entra ID provider
* will redirect too once it has created the session. Since it is its own cookie,
* here we can check both sessions, the Scandic Friends one and the Azure one.
*/
export async function GET(request: NextRequest) {
try {
const lang = await getLang()
const dtmcSession = await dtmcAuth()
const session = await auth()
const baseUrl = getPublicURL(request)
console.log("[dtmc] DTMC Callback handler - using baseUrl:", baseUrl)
if (!isValidSession(session)) {
console.error(
"[dtmc] DTMC Callback handler - No valid user session found"
)
const errorUrl = new URL(linkEmploymentError[lang], baseUrl)
errorUrl.searchParams.set("error", "no_session")
return NextResponse.redirect(errorUrl)
}
if (!isValidSession(dtmcSession)) {
console.error(
"[dtmc] DTMC Callback handler - No valid entra id session found"
)
const errorUrl = new URL(linkEmploymentError[lang], baseUrl)
errorUrl.searchParams.set("error", "no_entra_id_session")
return NextResponse.redirect(errorUrl)
}
const employeeId = dtmcSession.employeeId
console.log(
"[dtmc] DTMC Callback handler - Extracted employeeId:",
employeeId
)
if (!employeeId) {
console.error("[dtmc] DTMC Callback handler - No employeeId in session")
const errorUrl = new URL(linkEmploymentError[lang], baseUrl)
errorUrl.searchParams.set("error", "missing_employee_id")
return NextResponse.redirect(errorUrl)
}
console.log(
"[dtmc] DTMC Callback handler - Calling linkEmployeeToUser with ID:",
employeeId
)
const result = await linkEmployeeToUser(employeeId)
console.log(
"[dtmc] DTMC Callback handler - linkEmployeeToUser result:",
result
)
if (!result.success) {
console.error(
"[dtmc] DTMC Callback handler - Failed to verify employment"
)
const errorUrl = new URL(linkEmploymentError[lang], baseUrl)
errorUrl.searchParams.set("error", "unable_to_verify_employee_id")
return NextResponse.redirect(errorUrl)
}
console.log(
"[dtmc] DTMC Callback handler - Success! Employee linked with ID:",
employeeId
)
console.log("[dtmc] overview[lang]:", overview[lang])
const successUrl = new URL(overview[lang], baseUrl)
successUrl.searchParams.set(DTMC_SUCCESS_BANNER_KEY, "true")
console.log(
"[dtmc] DTMC Callback handler - Redirecting to success URL:",
successUrl.toString()
)
return NextResponse.redirect(successUrl)
} catch (error) {
console.error("[dtmc] DTMC Callback handler - Error in handler:", error)
return internalServerError()
}
}

105
apps/scandic-web/auth.dtmc.ts Normal file
View File

@@ -0,0 +1,105 @@
import NextAuth, { type NextAuthConfig } from "next-auth"
import MicrosoftEntraID from "next-auth/providers/microsoft-entra-id"
import { env } from "@/env/server"
const config = {
basePath: "/api/web/auth",
debug: env.NEXTAUTH_DEBUG,
cookies: {
sessionToken: {
name: "dtmc.session-token",
},
},
providers: [
MicrosoftEntraID({
clientId: env.DTMC_ENTRA_ID_CLIENT,
clientSecret: env.DTMC_ENTRA_ID_SECRET,
issuer: env.DTMC_ENTRA_ID_ISSUER,
authorization: {
params: {
scope: "openid profile email User.Read",
},
},
}),
],
redirectProxyUrl: env.NEXTAUTH_REDIRECT_PROXY_URL,
trustHost: true,
session: {
strategy: "jwt",
maxAge: 10 * 60, // 10 minutes
},
callbacks: {
async signIn() {
return true
},
async session({ session, token }) {
if (token && token.employeeId && typeof token.employeeId === "string") {
session.employeeId = token.employeeId
}
return session
},
async redirect({ baseUrl, url }) {
console.log(`[auth.dtmc] deciding redirect URL`, { baseUrl, url })
if (url.startsWith("/")) {
console.log(
`[auth.dtmc] relative URL accepted, returning: ${baseUrl}${url}`
)
// Allows relative callback URLs
return `${baseUrl}${url}`
} else {
// Assume absolute URL
try {
const parsedUrl = new URL(url)
if (
/\.scandichotels\.(dk|de|com|fi|no|se)$/.test(parsedUrl.hostname)
) {
console.log(`[auth.dtmc] subdomain URL accepted, returning: ${url}`)
// Allows any subdomains on all top level domains above
return url
} else if (parsedUrl.origin === baseUrl) {
// Allows callback URLs on the same origin
console.log(`[auth.dtmc] origin URL accepted, returning: ${url}`)
return url
}
} catch (e) {
console.error(
`[auth.dtmc] error parsing incoming URL for redirection`,
e
)
}
}
console.log(`[auth.dtmc] URL denied, returning base URL: ${baseUrl}`)
return baseUrl
},
async authorized() {
return true
},
async jwt({ account, trigger, profile, token }) {
if (
trigger === "signIn" &&
account &&
account.provider === "microsoft-entra-id" &&
profile
) {
const employeeId = profile["user.employeeid"]
if (employeeId && typeof employeeId === "string") {
return {
access_token: "", // JWT requires it, but DTMC does not need it, so save on cookie size by using empty string
loginType: "dtmc",
employeeId,
}
}
}
return token
},
},
} satisfies NextAuthConfig
export const {
auth,
handlers: { GET, POST },
signIn,
signOut,
} = NextAuth(config)

4
apps/scandic-web/auth.ts
View File

@@ -20,6 +20,10 @@ function getLoginType(user: User) {
async function refreshTokens(token: JWT) { async function refreshTokens(token: JWT) {
try { try {
if (!token.refresh_token) {
throw "Refresh token missing."
}
console.log("token-debug Access token expired, trying to refresh it.", { console.log("token-debug Access token expired, trying to refresh it.", {
expires_at: token.expires_at, expires_at: token.expires_at,
sub: token.sub, sub: token.sub,

8
apps/scandic-web/components/DigitalTeamMemberCard/EmployeeBenefits/CallToActions/index.tsx
View File

@@ -2,7 +2,7 @@ import React from "react"
import { Typography } from "@scandic-hotels/design-system/Typography" import { Typography } from "@scandic-hotels/design-system/Typography"
import { linkEmployment } from "@/constants/routes/dtmc" import { dtmcLogin } from "@/constants/routes/dtmc"
import { login } from "@/constants/routes/handleAuth" import { login } from "@/constants/routes/handleAuth"
import { signup } from "@/constants/routes/signup" import { signup } from "@/constants/routes/signup"
@@ -19,6 +19,8 @@ export default async function EmployeeBenefitsCallToActions() {
const intl = await getIntl() const intl = await getIntl()
const lang = await getLang() const lang = await getLang()
const loginAndLinkURL = `${login[lang]}?redirectTo=${encodeURIComponent(dtmcLogin[lang])}`
if (!isValidSession(session)) { if (!isValidSession(session)) {
return ( return (
<> <>
@@ -30,7 +32,7 @@ export default async function EmployeeBenefitsCallToActions() {
})} })}
</p> </p>
</Typography> </Typography>
<ButtonLink href={login[lang]} size="Medium" variant="Tertiary"> <ButtonLink href={loginAndLinkURL} size="Medium" variant="Tertiary">
{intl.formatMessage({ {intl.formatMessage({
defaultMessage: "Log in and link employment", defaultMessage: "Log in and link employment",
})} })}
@@ -62,7 +64,7 @@ export default async function EmployeeBenefitsCallToActions() {
return ( return (
<div className={styles.container}> <div className={styles.container}>
<ButtonLink <ButtonLink
href={linkEmployment[lang]} href={dtmcLogin[lang]}
size="Medium" size="Medium"
variant="Tertiary" variant="Tertiary"
color="Primary" color="Primary"

6
apps/scandic-web/components/MyPages/DigitalTeamMemberCard/Alert/index.tsx
View File

@@ -3,6 +3,8 @@
import { useRouter, useSearchParams } from "next/navigation" import { useRouter, useSearchParams } from "next/navigation"
import { useIntl } from "react-intl" import { useIntl } from "react-intl"
import { DTMC_SUCCESS_BANNER_KEY } from "@/constants/dtmc"
import Alert from "@/components/TempDesignSystem/Alert" import Alert from "@/components/TempDesignSystem/Alert"
import { AlertTypeEnum } from "@/types/enums/alert" import { AlertTypeEnum } from "@/types/enums/alert"
@@ -14,11 +16,11 @@ export default function DigitalTeamMemberCardAlert() {
function removeSearchParam() { function removeSearchParam() {
const params = new URLSearchParams(searchParams) const params = new URLSearchParams(searchParams)
params.delete("card_added") params.delete(DTMC_SUCCESS_BANNER_KEY)
router.replace(`${window.location.pathname}?${params.toString()}`) router.replace(`${window.location.pathname}?${params.toString()}`)
} }
if (searchParams.get("card_added") !== "true") { if (searchParams.get(DTMC_SUCCESS_BANNER_KEY) !== "true") {
return null return null
} }

30
apps/scandic-web/constants/contactSupport.ts Normal file
View File

@@ -0,0 +1,30 @@
import { Lang } from "./languages"
/**
* Contact support information (phone numbers and emails) by language.
*
* Note: These values are intentionally hardcoded rather than managed through
* Localise. Contact information changes infrequently, and hardcoding
* avoids the need to inform content editors and markets about updates, reducing
* potential support queries.
*/
const mainNumber = "+46 8 517 517 00"
export const supportPhone: Record<Lang, string> = {
[Lang.da]: "+45 33 48 04 01",
[Lang.de]: mainNumber,
[Lang.en]: mainNumber,
[Lang.fi]: "0200 81800",
[Lang.no]: "+47 23 15 50 00",
[Lang.sv]: mainNumber,
}
export const supportEmail: Record<Lang, string> = {
[Lang.da]: "memberdk.scandic@scandichotels.com",
[Lang.de]: "memberde@scandichotels.com",
[Lang.en]: "member@scandichotels.com",
[Lang.fi]: "memberfi@scandichotels.com",
[Lang.no]: "memberno@scandichotels.com",
[Lang.sv]: "memberse@scandichotels.com",
}

1
apps/scandic-web/constants/dtmc.ts Normal file
View File

@@ -0,0 +1 @@
export const DTMC_SUCCESS_BANNER_KEY = "card_added"

33
apps/scandic-web/constants/routes/dtmc.ts
View File

@@ -9,11 +9,30 @@ export const employeeBenefits: LangRoute = {
de: "/de/employee-benefits", de: "/de/employee-benefits",
} }
export const linkEmployment: LangRoute = { export const linkEmploymentError: LangRoute = {
en: "/en/link-employment", en: `/en/link-employment-error`,
sv: "/sv/link-employment", sv: `/sv/link-employment-error`,
no: "/no/link-employment", no: `/no/link-employment-error`,
fi: "/fi/link-employment", fi: `/fi/link-employment-error`,
da: "/da/link-employment", da: `/da/link-employment-error`,
de: "/de/link-employment", de: `/de/link-employment-error`,
} }
export const dtmcLogin: LangRoute = {
en: "/en/dtmc",
sv: "/sv/dtmc",
no: "/no/dtmc",
fi: "/fi/dtmc",
da: "/da/dtmc",
de: "/de/dtmc",
}
export const dtmcApiCallback = "/api/web/auth/dtmc"
// All DTMC routes that should be protected by the ENABLE_DTMC flag.
export const handleDTMC = [
// ...Object.values(employeeBenefits),
...Object.values(dtmcLogin),
...Object.values(linkEmploymentError),
dtmcApiCallback,
]

11
apps/scandic-web/env/server.ts vendored
View File

@@ -203,6 +203,13 @@ const _env = createEnv({
return val.split(",") return val.split(",")
}) })
.default(""), .default(""),
DTMC_ENTRA_ID_CLIENT: z.string(),
DTMC_ENTRA_ID_ISSUER: z.string(),
/**
* Optional until we have the secret in all environments.
* We currently have the secret in local and test environments.
*/
DTMC_ENTRA_ID_SECRET: z.string().optional(),
CAMPAIGN_PAGES_ENABLED: z CAMPAIGN_PAGES_ENABLED: z
.string() .string()
.refine((s) => s === "1" || s === "0") .refine((s) => s === "1" || s === "0")
@@ -301,6 +308,10 @@ const _env = createEnv({
ENABLE_WARMUP_HOTEL: process.env.ENABLE_WARMUP_HOTEL, ENABLE_WARMUP_HOTEL: process.env.ENABLE_WARMUP_HOTEL,
WARMUP_TOKEN: process.env.WARMUP_TOKEN, WARMUP_TOKEN: process.env.WARMUP_TOKEN,
NEW_SITE_LIVE_FOR_LANGS: process.env.NEXT_PUBLIC_NEW_SITE_LIVE_FOR_LANGS, NEW_SITE_LIVE_FOR_LANGS: process.env.NEXT_PUBLIC_NEW_SITE_LIVE_FOR_LANGS,
DTMC_ENTRA_ID_CLIENT: process.env.DTMC_ENTRA_ID_CLIENT,
DTMC_ENTRA_ID_ISSUER: process.env.DTMC_ENTRA_ID_ISSUER,
DTMC_ENTRA_ID_SECRET: process.env.DTMC_ENTRA_ID_SECRET,
CAMPAIGN_PAGES_ENABLED: process.env.CAMPAIGN_PAGES_ENABLED, CAMPAIGN_PAGES_ENABLED: process.env.CAMPAIGN_PAGES_ENABLED,
}, },
}) })

2
apps/scandic-web/middleware.ts
View File

@@ -12,6 +12,7 @@ import * as currentWebLogout from "@/middlewares/currentWebLogout"
import * as dateQueryParams from "@/middlewares/dateQueryParams" import * as dateQueryParams from "@/middlewares/dateQueryParams"
import * as familyAndFriends from "@/middlewares/familyAndFriends" import * as familyAndFriends from "@/middlewares/familyAndFriends"
import * as handleAuth from "@/middlewares/handleAuth" import * as handleAuth from "@/middlewares/handleAuth"
import * as handleDTMC from "@/middlewares/handleDTMC"
import * as invalidUrl from "@/middlewares/invalidUrl" import * as invalidUrl from "@/middlewares/invalidUrl"
import * as legacySearchParams from "@/middlewares/legacySearchParams" import * as legacySearchParams from "@/middlewares/legacySearchParams"
import * as myPages from "@/middlewares/myPages" import * as myPages from "@/middlewares/myPages"
@@ -59,6 +60,7 @@ export const middleware: NextMiddleware = async (request, event) => {
currentWebLogout, currentWebLogout,
authRequired, authRequired,
handleAuth, handleAuth,
handleDTMC,
myPages, myPages,
webView, webView,
dateQueryParams, dateQueryParams,

2
apps/scandic-web/middlewares/authRequired.ts
View File

@@ -51,7 +51,7 @@ export const middleware = auth(async (request) => {
* @returns boolean * @returns boolean
*/ */
function isMFAInvalid() { function isMFAInvalid() {
const isMFATokenValid = request.auth const isMFATokenValid = request.auth?.token.mfa_expires_at
? request.auth.token.mfa_expires_at > Date.now() ? request.auth.token.mfa_expires_at > Date.now()
: false : false
return !(request.auth?.token.mfa_scope && isMFATokenValid) return !(request.auth?.token.mfa_scope && isMFATokenValid)

20
apps/scandic-web/middlewares/handleDTMC.ts Normal file
View File

@@ -0,0 +1,20 @@
import { type NextMiddleware, NextResponse } from "next/server"
import { handleDTMC } from "@/constants/routes/dtmc"
import { env } from "@/env/server"
import { notFound } from "@/server/errors/next"
import type { MiddlewareMatcher } from "@/types/middleware"
export const middleware: NextMiddleware = (request) => {
if (!env.ENABLE_DTMC) {
throw notFound(
`ENABLE_DTMC is disabled, returning notFound for DTMC Route: ${request.nextUrl.pathname}`
)
}
return NextResponse.next()
}
export const matcher: MiddlewareMatcher = (request) => {
return handleDTMC.includes(request.nextUrl.pathname)
}

14
apps/scandic-web/server/errors/next.ts
View File

@@ -41,3 +41,17 @@ export function internalServerError(cause?: unknown) {
resInit resInit
) )
} }
export function serviceUnavailable(cause?: unknown) {
const resInit = {
status: 503,
statusText: "Service Unavailable",
}
return NextResponse.json(
{
cause,
},
resInit
)
}

3
apps/scandic-web/server/routers/user/query.ts
View File

@@ -40,7 +40,8 @@ export const userQueryRouter = router({
ctx: { ctx: {
...opts.ctx, ...opts.ctx,
isMFA: isMFA:
opts.ctx.session.token.mfa_scope && !!opts.ctx.session.token.mfa_scope &&
!!opts.ctx.session.token.mfa_expires_at &&
opts.ctx.session.token.mfa_expires_at > Date.now(), opts.ctx.session.token.mfa_expires_at > Date.now(),
}, },
}) })

1
apps/scandic-web/types/auth.d.ts vendored
View File

@@ -16,6 +16,7 @@ declare module "next-auth" {
*/ */
interface Session extends RefreshTokenError { interface Session extends RefreshTokenError {
token: JWT token: JWT
employeeId?: string | null
} }
/** /**

1
apps/scandic-web/types/components/tracking.ts
View File

@@ -34,6 +34,7 @@ export enum LoginTypeEnum {
email = "email", email = "email",
"membership number" = "membership number", "membership number" = "membership number",
"email link" = "email link", "email link" = "email link",
"dtmc" = "dtmc",
} }
export type LoginType = keyof typeof LoginTypeEnum export type LoginType = keyof typeof LoginTypeEnum

7
apps/scandic-web/types/jwt.d.ts vendored
View File

@@ -11,8 +11,9 @@ declare module "next-auth/jwt" {
access_token: string access_token: string
expires_at?: number expires_at?: number
loginType: LoginType loginType: LoginType
mfa_expires_at: number mfa_expires_at?: number
mfa_scope: boolean mfa_scope?: boolean
refresh_token: string refresh_token?: string
employeeId?: string
} }
} }