Merge branch 'v3-assessment' into unauthorized-assessment-redirects

Author: sjschlapbach

apps/auth/src/lib/constants.ts

@@ -1,14 +1,8 @@
 export const MANAGER_COOKIE_NAME = 'next-auth.session-token'
 export const PARTICIPANT_COOKIE_NAME = 'next-auth.participant-session-token'
 
-export const STUDENT_REDIRECT_COOKIE_NAME =
-  process.env.NODE_ENV === 'production'
-    ? '__Secure-klicker_student_redirect_to'
-    : 'klicker_student_redirect_to'
-export const LECTURER_REDIRECT_COOKIE_NAME =
-  process.env.NODE_ENV === 'production'
-    ? '__Secure-klicker_lecturer_redirect_to'
-    : 'klicker_lecturer_redirect_to'
+export const STUDENT_REDIRECT_COOKIE_NAME = 'klicker_student_redirect_to'
+export const LECTURER_REDIRECT_COOKIE_NAME = 'klicker_lecturer_redirect_to'
 
 export const DEFAULT_STUDENT_HOSTS = [
   'assessment.klicker.uzh.ch',

apps/auth/src/middleware.ts

@@ -7,9 +7,7 @@ import {
   STUDENT_REDIRECT_COOKIE_NAME,
 } from './lib/constants'
 
-const _TTL_RAW = Number(process.env.REDIRECT_COOKIE_TTL_SECONDS || '3600')
-const REDIRECT_COOKIE_TTL_SECONDS =
-  Number.isFinite(_TTL_RAW) && _TTL_RAW > 0 ? _TTL_RAW : 3600
+const REDIRECT_COOKIE_TTL_MS = 10000
 
 function parseCsvHosts(value: string | undefined): string[] {
   if (!value) return []
@@ -145,7 +143,7 @@ export async function middleware(request: NextRequest) {
       // Set lecturer-specific cookie, scoped to auth host
       response.cookies.set(LECTURER_REDIRECT_COOKIE_NAME, redirectTo, {
         ...commonCookieOpts,
-        maxAge: REDIRECT_COOKIE_TTL_SECONDS,
+        maxAge: REDIRECT_COOKIE_TTL_MS,
       })
       console.log('Root route: lecturer redirect cookie set')
       return response
@@ -174,7 +172,7 @@ export async function middleware(request: NextRequest) {
     // Set lecturer-specific cookie, scoped to auth host
     response.cookies.set(LECTURER_REDIRECT_COOKIE_NAME, redirectTo, {
       ...commonCookieOpts,
-      maxAge: REDIRECT_COOKIE_TTL_SECONDS,
+      maxAge: REDIRECT_COOKIE_TTL_MS,
     })
     console.log(
       'Lecturer route: set cookie and redirect to index UI:',
@@ -204,7 +202,7 @@ export async function middleware(request: NextRequest) {
     // Set student-specific cookie, scoped to auth host
     response.cookies.set(STUDENT_REDIRECT_COOKIE_NAME, redirectTo, {
       ...commonCookieOpts,
-      maxAge: REDIRECT_COOKIE_TTL_SECONDS,
+      maxAge: REDIRECT_COOKIE_TTL_MS,
     })
     console.log('Student route: cookie set, rendering student login page')
     return response
@@ -317,7 +315,7 @@ export async function middleware(request: NextRequest) {
           : LECTURER_REDIRECT_COOKIE_NAME
         response.cookies.set(cookieName, cb, {
           ...commonCookieOpts,
-          maxAge: REDIRECT_COOKIE_TTL_SECONDS,
+          maxAge: REDIRECT_COOKIE_TTL_MS,
         })
         console.log('Set redirect cookie on signin:', {
           cb,

apps/auth/src/pages/api/auth/[...nextauth].ts

@@ -10,7 +10,18 @@ import { sendTeamsNotifications } from '@/lib/util'
 import { PrismaAdapter } from '@auth/prisma-adapter'
 import { prisma } from '@klicker-uzh/prisma'
 import { UserLoginScope, UserRole } from '@klicker-uzh/prisma/client'
-import { JWTPayload, signJWT, verifyJWT } from '@klicker-uzh/util'
+import {
+  collectAllEmails,
+  deriveCookieDomainFromURL,
+  extractProviderFromAffiliationId,
+  generateRandomString,
+  JWTPayload,
+  parseCookiesHeader,
+  parseCsvHosts,
+  reduceCatalyst,
+  signJWT,
+  verifyJWT,
+} from '@klicker-uzh/util'
 import bcrypt from 'bcryptjs'
 import crypto from 'crypto'
 import type { NextApiRequest, NextApiResponse } from 'next'
@@ -28,31 +39,6 @@ if (!process.env.APP_ORIGIN_AUTH) {
 
 // Context detection: prefer explicit URL params and paths; fall back to
 // referer and an ephemeral redirect cookie set by middleware on signin.
-function parseCookies(req: NextApiRequest): Record<string, string> {
-  const cookieHeader = req.headers.cookie || ''
-  const map: Record<string, string> = {}
-  cookieHeader.split(';').forEach((part) => {
-    const [rawKey, ...rawVal] = part.split('=')
-    if (!rawKey) return
-    const key = rawKey.trim()
-    const value = rawVal.join('=').trim()
-    if (!key) return
-    try {
-      map[key] = decodeURIComponent(value)
-    } catch {
-      map[key] = value
-    }
-  })
-  return map
-}
-
-function parseCsvHosts(value?: string | null): string[] {
-  if (!value) return []
-  return value
-    .split(',')
-    .map((s) => s.trim())
-    .filter(Boolean)
-}
 
 function getStudentHosts(): string[] {
   const env = parseCsvHosts(process.env.AUTH_STUDENT_ALLOWED_HOSTS)
@@ -79,7 +65,7 @@ function getAuthContext(
     participant?: string
     callbackUrl?: string
   }
-  const cookies = parseCookies(req)
+  const cookies = parseCookiesHeader(req.headers.cookie)
   const studentRedirect = cookies[STUDENT_REDIRECT_COOKIE_NAME]
   const lecturerRedirect = cookies[LECTURER_REDIRECT_COOKIE_NAME]
 
@@ -161,22 +147,6 @@ export interface ExtendedUser {
   catalystIndividual: boolean
 }
 
-function reduceCatalyst(acc: boolean, affiliation: string) {
-  try {
-    const parts = affiliation.split('@')
-    if (parts.length < 2) return acc || false
-
-    const domain = parts[1]
-    if (domain?.includes('uzh.ch') || domain?.includes('usz.ch')) {
-      return true
-    }
-
-    return acc || false
-  } catch (e) {
-    return false
-  }
-}
-
 export async function decode({ token, secret }: JWTDecodeParams) {
   if (!token) return null
   const secretString = typeof secret === 'string' ? secret : secret.toString()
@@ -191,53 +161,9 @@ export async function encode({ token, secret }: JWTEncodeParams) {
   })
 }
 
-function extractProviderFromAffiliationId(
-  affiliationId: string
-): string | null {
-  try {
-    const parts = affiliationId.split('@')
-    if (parts.length < 2) return null
+// extractProviderFromAffiliationId moved to @klicker-uzh/util
 
-    const domainParts = parts[1]?.split('.')
-    if (!domainParts || domainParts.length === 0) return null
-
-    const provider = domainParts[0]
-    return provider || null
-  } catch {
-    return null
-  }
-}
-
-function collectAllEmails(
-  primaryEmail?: string,
-  affiliationEmails?: string[]
-): string[] {
-  const emails = []
-  if (primaryEmail) emails.push(primaryEmail.toLowerCase())
-  if (affiliationEmails) {
-    emails.push(...affiliationEmails.map((email) => email.toLowerCase()))
-  }
-  return emails.filter(Boolean)
-}
-
-function generateRandomString(length: number) {
-  let result = ''
-  let characters
-  for (let i = 0; i < length; i++) {
-    if (i === 0 || i === length - 1) {
-      characters =
-        'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
-    } else {
-      // TODO: re-introduce allowance for hyphens and underscores again when they are fully supported by manipulation forms
-      characters =
-        'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
-      // 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
-    }
-    const charactersLength = characters.length
-    result += characters.charAt(Math.floor(Math.random() * charactersLength))
-  }
-  return result
-}
+// generateRandomString moved to @klicker-uzh/util
 
 async function autoAcceptInvitations(emails: string[], participantId?: string) {
   let matchingParticipantId: string | undefined = participantId
@@ -289,11 +215,9 @@ async function autoAcceptInvitations(emails: string[], participantId?: string) {
             create: {
               courseId: invitation.courseId,
               participantId: matchingParticipantId!,
-              isActive: true,
-            },
-            update: {
-              isActive: true,
+              isActive: false,
             },
+            update: {},
           })
 
           // Mark invitation as accepted
@@ -577,20 +501,7 @@ export default async function auth(req: NextApiRequest, res: NextApiResponse) {
   // label from the NEXTAUTH_URL hostname (e.g., auth.klicker.com -> klicker.com).
   // Avoid setting Domain for localhost or IPs.
   const cookieDomain: string | undefined = (() => {
-    try {
-      if (!process.env.NEXTAUTH_URL) return undefined
-      const hostname = new URL(process.env.NEXTAUTH_URL).hostname
-      if (hostname === 'localhost' || /^\d+\.\d+\.\d+\.\d+$/.test(hostname)) {
-        return undefined
-      }
-      const parts = hostname.split('.')
-      if (parts.length < 2) return undefined
-      parts.shift()
-      if (parts.length < 2) return undefined
-      return parts.join('.')
-    } catch {
-      return undefined
-    }
+    return deriveCookieDomainFromURL(process.env.NEXTAUTH_URL)
   })()
 
   let sharedOptions: Partial<NextAuthOptions> = {

deploy/charts/klicker-uzh-v2/templates/cm-frontend-assessment.yaml

@@ -7,4 +7,4 @@ metadata:
     {{- include "chart.labels" . | nindent 4 }}
 data:
   # SSR-only GraphQL endpoint for Assessment PWA (internal service DNS)
-  API_URL_SSR: "http://{{ include \"chart.fullname\" . }}-backend-assessment:3000/api/graphql"
+  API_URL_SSR: "http://{{ include "chart.fullname" . }}-backend-assessment:3000/api/graphql"

deploy/charts/klicker-uzh-v2/templates/cm-frontend-control.yaml

@@ -7,4 +7,4 @@ metadata:
     {{- include "chart.labels" . | nindent 4 }}
 data:
   # SSR-only GraphQL endpoint for Control frontend (internal service DNS)
-  API_URL_SSR: "http://{{ include \"chart.fullname\" . }}-backend-graphql:3000/api/graphql"
+  API_URL_SSR: "http://{{ include "chart.fullname" . }}-backend-graphql:3000/api/graphql"

deploy/charts/klicker-uzh-v2/templates/cm-frontend-manage.yaml

@@ -7,4 +7,4 @@ metadata:
     {{- include "chart.labels" . | nindent 4 }}
 data:
   # SSR-only GraphQL endpoint for Manage frontend (internal service DNS)
-  API_URL_SSR: "http://{{ include \"chart.fullname\" . }}-backend-graphql:3000/api/graphql"
+  API_URL_SSR: "http://{{ include "chart.fullname" . }}-backend-graphql:3000/api/graphql"

deploy/charts/klicker-uzh-v2/templates/cm-frontend-pwa.yaml

@@ -7,4 +7,4 @@ metadata:
     {{- include "chart.labels" . | nindent 4 }}
 data:
   # SSR-only GraphQL endpoint for PWA (internal service DNS)
-  API_URL_SSR: "http://{{ include \"chart.fullname\" . }}-backend-graphql:3000/api/graphql"
+  API_URL_SSR: "http://{{ include "chart.fullname" . }}-backend-graphql:3000/api/graphql"

deploy/env-qa-v3/_restart.sh

@@ -1,6 +1,7 @@
 #!/bin/sh
 kubectl rollout restart -n klicker-v2-qa deployment klicker-v2-qa-klicker-uzh-v2-backend-graphql
 kubectl rollout restart -n klicker-v2-qa deployment klicker-v2-qa-klicker-uzh-v2-backend-assessment
+kubectl rollout restart -n klicker-v2-qa deployment klicker-v2-qa-klicker-uzh-v2-frontend-assessment
 kubectl rollout restart -n klicker-v2-qa deployment klicker-v2-qa-klicker-uzh-v2-frontend-manage
 kubectl rollout restart -n klicker-v2-qa deployment klicker-v2-qa-klicker-uzh-v2-frontend-pwa
 kubectl rollout restart -n klicker-v2-qa deployment klicker-v2-qa-klicker-uzh-v2-frontend-control

packages/graphql/.gitignore

@@ -6,3 +6,6 @@ src/public/emails
 dist/
 instrumented/
 hive.json
+
+!invitations_dev.csv
+invitations_*.csv

packages/graphql/package.json

@@ -87,16 +87,17 @@
     "build:ts": "rollup -c",
     "check": "tsc --noEmit",
     "dev": "npm-run-all --parallel dev:graphql dev:ts",
-    "dev:doppler": "doppler run --config dev -- pnpm run dev",
+    "dev:doppler": "CONFIG=dev ../../util/_run_with_doppler.sh pnpm run dev",
     "dev:graphql": "nodemon --watch 'src/graphql/ops/*.graphql' --watch 'src/**/*.ts' --exec 'graphql-codegen --config codegen.ts'",
     "dev:offline": "pnpm run dev",
     "dev:test": "pnpm run dev",
     "dev:ts": "cross-env NODE_ENV=development rollup -c --watch",
     "generate": "graphql-codegen --config codegen.ts",
-    "script": "ENV=development doppler run --config dev -- tsx --env-file=.env",
+    "script": "ENV=development CONFIG=dev ../../util/_run_with_doppler.sh tsx --env-file=.env",
     "script:invitations:dev": "CONFIG=dev_assessment ../../util/_run_with_doppler.sh tsx src/scripts/importParticipantInvitations.ts",
-    "script:prod": "ENV=production doppler run --config prd -- tsx",
-    "script:stg": "ENV=development doppler run --config stg -- tsx",
+    "script:invitations:stg": "CONFIG=stg ../../util/_run_with_doppler.sh tsx src/scripts/importParticipantInvitations.ts",
+    "script:prod": "CONFIG=prd ../../util/_run_with_doppler.sh  tsx",
+    "script:stg": "CONFIG=stg ../../util/_run_with_doppler.sh  tsx",
     "test": "vitest run",
     "test:local": "bash ./test/run-tests-local.sh",
     "test:watch": "vitest"