fix: configure Kong JWT auth flow with consumer credentials

- Add kid claim to auth-service JWT for Kong validation - Add Kong consumer with JWT credential (shared secret via env) - Add agent-config route to Kong for /api/v1/agent-config - Kong Dockerfile uses entrypoint script to inject JWT_SECRET at runtime - Fix frontend login path (/auth/login → /api/v1/auth/login) - Extract tenantId from JWT on login and store as current_tenant - Add auth guard in admin layout (redirect to /login if no token) - Pass JWT_SECRET env var to Kong container in docker-compose Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 23:20:06 -08:00 · 2026-02-21 23:20:06 -08:00 · 48e47975ca
parent 28131491e2
commit 48e47975ca
7 changed files with 55 additions and 3 deletions
--- a/deploy/docker/docker-compose.yml
+++ b/deploy/docker/docker-compose.yml
@ -40,6 +40,8 @@ services:
    build:
      context: ../../packages/gateway
    container_name: it0-api-gateway
+    environment:
+      - JWT_SECRET=${JWT_SECRET:-dev-jwt-secret}
    ports:
      - "18000:8000"
      - "18001:8001"
--- a/it0-web-admin/src/app/(admin)/layout.tsx
+++ b/it0-web-admin/src/app/(admin)/layout.tsx
@ -1,9 +1,25 @@
 'use client';

+import { useEffect, useState } from 'react';
+import { useRouter } from 'next/navigation';
 import { Sidebar } from '@/presentation/components/layout/sidebar';
 import { TopBar } from '@/presentation/components/layout/top-bar';

 export default function AdminLayout({ children }: { children: React.ReactNode }) {
+  const router = useRouter();
+  const [ready, setReady] = useState(false);
+
+  useEffect(() => {
+    const token = localStorage.getItem('access_token');
+    if (!token) {
+      router.replace('/login');
+    } else {
+      setReady(true);
+    }
+  }, [router]);
+
+  if (!ready) return null;
+
  return (
    <div className="flex h-screen">
      <Sidebar />
--- a/it0-web-admin/src/app/(auth)/login/page.tsx
+++ b/it0-web-admin/src/app/(auth)/login/page.tsx
@ -23,7 +23,7 @@ export default function LoginPage() {
    setError(null);

    try {
-      const data = await apiClient<LoginResponse>('/auth/login', {
+      const data = await apiClient<LoginResponse>('/api/v1/auth/login', {
        method: 'POST',
        body: { email, password },
      });
@ -32,6 +32,14 @@ export default function LoginPage() {
      localStorage.setItem('refresh_token', data.refreshToken);
      localStorage.setItem('user', JSON.stringify(data.user));

+      // Decode tenantId from JWT and store as current tenant
+      try {
+        const payload = JSON.parse(atob(data.accessToken.split('.')[1]));
+        if (payload.tenantId) {
+          localStorage.setItem('current_tenant', JSON.stringify({ id: payload.tenantId }));
+        }
+      } catch { /* ignore decode errors */ }
+
      router.push('/dashboard');
    } catch (err) {
      setError(err instanceof Error ? err.message : 'Login failed');
--- a/packages/gateway/Dockerfile
+++ b/packages/gateway/Dockerfile
@ -1,9 +1,13 @@
 FROM kong:3.7

-COPY config/kong.yml /etc/kong/kong.yml
+COPY config/kong.yml /etc/kong/kong.yml.tpl
+COPY config/docker-entrypoint.sh /custom-entrypoint.sh
+RUN chmod +x /custom-entrypoint.sh

 ENV KONG_DATABASE=off
 ENV KONG_DECLARATIVE_CONFIG=/etc/kong/kong.yml
 ENV KONG_PROXY_LISTEN=0.0.0.0:8000
 ENV KONG_ADMIN_LISTEN=0.0.0.0:8001
 ENV KONG_LOG_LEVEL=info
+
+ENTRYPOINT ["/custom-entrypoint.sh"]
--- a/packages/gateway/config/docker-entrypoint.sh
+++ b/packages/gateway/config/docker-entrypoint.sh
@ -0,0 +1,4 @@
+#!/bin/sh
+# Substitute JWT_SECRET into Kong declarative config at runtime
+sed "s/\${JWT_SECRET}/${JWT_SECRET:-dev-jwt-secret}/g" /etc/kong/kong.yml.tpl > /etc/kong/kong.yml
+exec /docker-entrypoint.sh kong docker-start
--- a/packages/gateway/config/kong.yml
+++ b/packages/gateway/config/kong.yml
@ -1,5 +1,12 @@
 _format_version: "3.0"

+consumers:
+  - username: it0-system
+    jwt_secrets:
+      - key: it0-auth
+        algorithm: HS256
+        secret: "${JWT_SECRET}"
+
 services:
  - name: auth-service
    url: http://auth-service:3001
@ -24,6 +31,14 @@ services:
          - http
          - https

+  - name: agent-config-service
+    url: http://agent-service:3002
+    routes:
+      - name: agent-config-routes
+        paths:
+          - /api/v1/agent-config
+        strip_path: false
+
  - name: ops-service
    url: http://ops-service:3003
    routes:
--- a/packages/services/auth-service/src/application/services/auth.service.ts
+++ b/packages/services/auth-service/src/application/services/auth.service.ts
@ -153,7 +153,10 @@ export class AuthService {
      roles: user.roles,
    };

-    const accessToken = this.jwtService.sign(jwtPayload);
+    const accessToken = this.jwtService.sign({
+      ...jwtPayload,
+      kid: 'it0-auth',
+    });

    const refreshToken = this.jwtService.sign(
      { sub: user.id, type: 'refresh' },