feat: add domain verification on proconnect (#250)

Co-authored-by: Revu <[email protected]>

Author: rap2hpoutre

web/.env.example

@@ -13,6 +13,7 @@ NEXTAUTH_URL=http://localhost:3000
 
 # Use "integration" for testing, "production" for prod
 PROCONNECT_ENV=integration
+NEXT_PUBLIC_PROCONNECT_ENV=integration
 
 # Get these from ProConnect portal
 PROCONNECT_CLIENT_ID=

web/src/app/access-denied/page.tsx

@@ -0,0 +1,6 @@
+import { AccessDeniedContent } from "@/modules/auth/AccessDeniedContent";
+
+export default function AccessDeniedPage() {
+  return <AccessDeniedContent />;
+}
+

web/src/hooks/use-auth.tsx

@@ -5,11 +5,18 @@ import { useSession } from "next-auth/react";
 export function useAuth() {
   const { data: session, status } = useSession();
 
+  // A user is truly authenticated only if:
+  // 1. They have a valid session (status === "authenticated")
+  // 2. They are NOT marked as unauthorized
+  const isAuthenticated =
+    status === "authenticated" && !session?.unauthorized;
+
   return {
     session,
     status,
-    isAuthenticated: status === "authenticated",
+    isAuthenticated,
     isLoading: status === "loading",
     user: session?.user,
+    isUnauthorized: session?.unauthorized === true,
   };
 }

web/src/lib/auth/ProConnectProvider.ts

@@ -1,4 +1,5 @@
 import type { OAuthConfig, OAuthUserConfig } from "next-auth/providers/oauth";
+import * as jose from "jose";
 
 export interface ProConnectProfile {
   sub: string;
@@ -31,23 +32,16 @@ export default function ProConnectProvider<P extends ProConnectProfile>(
       ? "https://auth.agentconnect.gouv.fr/api/v2/"
       : "https://fca.integ01.dev-agentconnect.fr/api/v2";
 
-  console.log("🔗 ProConnect Provider Configuration:");
-  console.log("  Domain:", PROCONNECT_DOMAIN);
-  console.log(
-    "  WellKnown:",
-    `${PROCONNECT_DOMAIN}/.well-known/openid-configuration`
-  );
-  console.log("  Client ID:", options.clientId ? "✓ Set" : "✗ Missing");
-  console.log("  Client Secret:", options.clientSecret ? "✓ Set" : "✗ Missing");
-
   return {
     id: "proconnect",
     name: "ProConnect",
     type: "oauth",
     wellKnown: `${PROCONNECT_DOMAIN}/.well-known/openid-configuration`,
     authorization: {
       params: {
-        scope: "openid email profile",
+        // ProConnect requires individual scopes for each claim
+        // See: https://partenaires.proconnect.gouv.fr/docs/fournisseur-service/scope-claims
+        scope: "openid email given_name usual_name uid siret",
         acr_values: "eidas1", // Level of authentication required
       },
     },
@@ -56,8 +50,62 @@ export default function ProConnectProvider<P extends ProConnectProfile>(
     client: {
       token_endpoint_auth_method: "client_secret_post",
     },
+    // ProConnect returns userinfo as a JWT signed with HS256 (using client_secret)
+    // We need to manually fetch and verify it
+    // See: https://partenaires.proconnect.gouv.fr/docs/fournisseur-service/scope-claims
+    userinfo: {
+      url: `${PROCONNECT_DOMAIN}/userinfo`,
+      async request({ tokens }) {
+        const response = await fetch(`${PROCONNECT_DOMAIN}/userinfo`, {
+          headers: {
+            Authorization: `Bearer ${tokens.access_token}`,
+          },
+        });
+
+        if (!response.ok) {
+          throw new Error(`Userinfo request failed: ${response.status}`);
+        }
+
+        // ProConnect returns userinfo as a signed JWT (HS256, RS256, or ES256)
+        const jwt = await response.text();
+        const header = jose.decodeProtectedHeader(jwt);
+
+        if (header.alg === "HS256") {
+          // For HS256, verify with client_secret
+          const secret = new TextEncoder().encode(options.clientSecret);
+          const { payload } = await jose.jwtVerify(jwt, secret, {
+            algorithms: ["HS256"],
+          });
+          return payload as unknown as P;
+        } else if (header.alg === "RS256" || header.alg === "ES256") {
+          // For RS256/ES256, verify with JWKS
+          const jwksUrls = [
+            `${PROCONNECT_DOMAIN}/jwks`,
+            `${PROCONNECT_DOMAIN}/.well-known/jwks.json`,
+          ];
+
+          for (const jwksUrl of jwksUrls) {
+            try {
+              const JWKS = jose.createRemoteJWKSet(new URL(jwksUrl));
+              const { payload } = await jose.jwtVerify(jwt, JWKS, {
+                algorithms: ["RS256", "ES256"],
+              });
+              return payload as unknown as P;
+            } catch {
+              // Try next URL
+              continue;
+            }
+          }
+
+          throw new Error(
+            `Could not verify ${header.alg} JWT with available JWKS endpoints`
+          );
+        }
+
+        throw new Error(`Unsupported JWT algorithm: ${header.alg}`);
+      },
+    },
     profile(profile) {
-      console.log("👤 Profile mapping:", profile);
       return {
         id: profile.sub,
         email: profile.email,

web/src/lib/auth/auth-options.ts

@@ -2,22 +2,30 @@ import { NextAuthOptions } from "next-auth";
 import ProConnectProvider, { ProConnectProfile } from "./ProConnectProvider";
 import * as Sentry from "@sentry/nextjs";
 
-// Debug logging
-console.log("🔧 NextAuth Configuration:");
-console.log("  PROCONNECT_ENV:", process.env.PROCONNECT_ENV);
-console.log(
-  "  PROCONNECT_CLIENT_ID:",
-  process.env.PROCONNECT_CLIENT_ID ? "✓ Set" : "✗ Missing"
-);
-console.log(
-  "  PROCONNECT_CLIENT_SECRET:",
-  process.env.PROCONNECT_CLIENT_SECRET ? "✓ Set" : "✗ Missing"
-);
-console.log("  NEXTAUTH_URL:", process.env.NEXTAUTH_URL);
-console.log(
-  "  NEXTAUTH_SECRET:",
-  process.env.NEXTAUTH_SECRET ? "✓ Set" : "✗ Missing"
-);
+// Allowed email domains for access control
+const ALLOWED_EMAIL_DOMAINS = [
+  "pyrenees-atlantiques.gouv.fr",
+  "seine-maritime.gouv.fr",
+  "correze.gouv.fr",
+  "dreets.gouv.fr",
+  "travail.gouv.fr",
+  "fabrique.social.gouv.fr",
+  "sg.social.gouv.fr",
+  // Add beta.gouv.fr for local development
+  ...(process.env.NODE_ENV === "development" ? ["beta.gouv.fr"] : []),
+];
+
+// Helper function to check if email domain is allowed
+function isEmailDomainAllowed(email: string | null | undefined): boolean {
+  if (!email) return false;
+
+  const emailDomain = email.split("@")[1]?.toLowerCase();
+  if (!emailDomain) return false;
+
+  return ALLOWED_EMAIL_DOMAINS.some(
+    (domain) => emailDomain === domain.toLowerCase()
+  );
+}
 
 export const authOptions: NextAuthOptions = {
   providers: [
@@ -27,62 +35,57 @@ export const authOptions: NextAuthOptions = {
     }),
   ],
   callbacks: {
-    async jwt({ token, account, profile }) {
-      console.log("📝 JWT Callback:", {
-        hasAccount: !!account,
-        hasProfile: !!profile,
-      });
-      // Persist the OAuth access_token and profile to the token right after signin
+    async signIn() {
+      // Always return true to allow session creation with id_token
+      // This is needed for proper ProConnect logout (requires id_token_hint)
+      //
+      // Security: Authorization is enforced in multiple layers:
+      // 1. JWT callback marks unauthorized users (token.unauthorized = true)
+      // 2. useAuth() returns isAuthenticated = false for unauthorized users
+      // 3. AuthorizationCheck redirects unauthorized users to /access-denied
+      //
+      // This approach prevents the "user jail" problem while maintaining security
+      return true;
+    },
+    async jwt({ token, account, profile, user }) {
+      // Persist the OAuth tokens and profile after signin
       if (account) {
-        console.log("  Account type:", account.provider);
         token.accessToken = account.access_token;
         token.idToken = account.id_token;
       }
       if (profile) {
-        console.log("  Profile email:", profile.email);
         token.profile = profile as ProConnectProfile;
+
+        // Check if the user's email domain is allowed
+        const email = profile.email || user?.email;
+        if (!isEmailDomainAllowed(email)) {
+          token.unauthorized = true;
+        }
       }
       return token;
     },
     async session({ session, token }) {
-      console.log("🔐 Session Callback:", {
-        hasToken: !!token,
-        hasUser: !!session.user,
-      });
-      // Send properties to the client
+      // Pass tokens and profile to the client session
       session.accessToken = token.accessToken as string;
       session.idToken = token.idToken as string;
       session.profile = token.profile as ProConnectProfile | undefined;
+      session.unauthorized = token.unauthorized as boolean | undefined;
       return session;
     },
   },
   pages: {
     signIn: "/",
-    error: "/",
+    error: "/access-denied",
   },
   events: {
     async signIn({ user }) {
-      console.log("✅ Sign in event:", user.email);
       Sentry.setUser({
         id: user.id,
         email: user.email || undefined,
       });
     },
     async signOut() {
-      console.log("👋 Sign out event");
       Sentry.setUser(null);
     },
   },
-  logger: {
-    error(code, metadata) {
-      console.error("❌ NextAuth Error:", code, metadata);
-    },
-    warn(code) {
-      console.warn("⚠️  NextAuth Warning:", code);
-    },
-    debug(code, metadata) {
-      console.log("🐛 NextAuth Debug:", code, metadata);
-    },
-  },
-  debug: true,
 };

web/src/lib/auth/proconnect-logout.ts

@@ -0,0 +1,39 @@
+/**
+ * ProConnect logout utilities
+ * Handles proper logout from both NextAuth and ProConnect (OpenID Connect provider)
+ */
+
+/**
+ * Get the ProConnect end_session_endpoint URL based on environment
+ */
+export function getProConnectLogoutUrl(): string {
+  const PROCONNECT_DOMAIN =
+    process.env.NEXT_PUBLIC_PROCONNECT_ENV === "production"
+      ? "https://auth.agentconnect.gouv.fr/api/v2"
+      : "https://fca.integ01.dev-agentconnect.fr/api/v2";
+
+  // OpenID Connect standard logout endpoint
+  return `${PROCONNECT_DOMAIN}/session/end`;
+}
+
+/**
+ * Build the complete logout URL for ProConnect with required parameters
+ * @param idToken - The ID token from the current session (optional - per OIDC spec)
+ * @param postLogoutRedirectUri - Where to redirect after logout (must be registered in ProConnect)
+ */
+export function buildProConnectLogoutUrl(
+  idToken: string,
+  postLogoutRedirectUri: string
+): string {
+  const logoutUrl = getProConnectLogoutUrl();
+  const params = new URLSearchParams({
+    post_logout_redirect_uri: postLogoutRedirectUri,
+  });
+
+  // Only add id_token_hint if we have one (it's optional per OIDC spec)
+  if (idToken) {
+    params.set("id_token_hint", idToken);
+  }
+
+  return `${logoutUrl}?${params.toString()}`;
+}

web/src/modules/auth/AccessDeniedContent.tsx

@@ -0,0 +1,75 @@
+"use client";
+
+import { Alert } from "@codegouvfr/react-dsfr/Alert";
+import { Button } from "@codegouvfr/react-dsfr/Button";
+import { signOut, useSession } from "next-auth/react";
+import { buildProConnectLogoutUrl } from "@/lib/auth/proconnect-logout";
+
+export const AccessDeniedContent = () => {
+  const { data: session } = useSession();
+
+  const handleSignOut = async () => {
+    try {
+      const idToken = session?.idToken;
+
+      if (idToken) {
+        // Full ProConnect logout with id_token
+        const postLogoutRedirectUri = window.location.origin;
+        const proconnectLogoutUrl = buildProConnectLogoutUrl(
+          idToken,
+          postLogoutRedirectUri
+        );
+
+        await signOut({ redirect: false });
+        window.location.href = proconnectLogoutUrl;
+      } else {
+        // Fallback if no id_token
+        await signOut({ callbackUrl: "/" });
+      }
+    } catch (error) {
+      console.error("Error signing out:", error);
+      await signOut({ callbackUrl: "/" });
+    }
+  };
+
+  return (
+    <div className="fr-container fr-my-6w">
+      <div className="fr-grid-row fr-grid-row--center">
+        <div className="fr-col-12 fr-col-md-8 fr-col-lg-7">
+          <Alert
+            severity="error"
+            title="Accès non autorisé"
+            description={
+              session?.user?.email
+                ? `L'adresse email ${session.user.email} n'est pas autorisée à accéder à cette application. Seuls les agents des domaines gouvernementaux autorisés peuvent se connecter.`
+                : "Votre adresse email n'est pas autorisée à accéder à cette application. Seuls les agents des domaines gouvernementaux autorisés peuvent se connecter."
+            }
+            className="fr-mb-4w"
+          />
+
+          <div className="fr-callout fr-mb-4w">
+            <h3 className="fr-callout__title">Domaines autorisés</h3>
+            <ul>
+              <li>pyrenees-atlantiques.gouv.fr</li>
+              <li>seine-maritime.gouv.fr</li>
+              <li>correze.gouv.fr</li>
+              <li>dreets.gouv.fr</li>
+              <li>travail.gouv.fr</li>
+              <li>fabrique.social.gouv.fr</li>
+              <li>sg.social.gouv.fr</li>
+            </ul>
+          </div>
+
+          <p className="fr-text--sm fr-mb-4w">
+            Si vous pensez que votre domaine devrait être autorisé, veuillez
+            contacter l&apos;administrateur de l&apos;application.
+          </p>
+
+          <Button onClick={handleSignOut} priority="primary">
+            Se déconnecter et retourner à l&apos;accueil
+          </Button>
+        </div>
+      </div>
+    </div>
+  );
+};