feat: add gk_bypass

.gitea/workflows/pipeline.yml

@@ -28,6 +28,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node_version: 20
+          cache: 'pnpm'
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -68,6 +69,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node_version: 20
+          cache: 'pnpm'
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -79,12 +81,28 @@ jobs:
           pnpm release:tag
 
   build-images:
-    name: 🐳 Build & Push Images
+    name: 🐳 Build ${{ matrix.name }}
     needs: qa
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: docker
     container:
       image: catthehacker/ubuntu:act-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - image: nextjs
+            file: packages/infra/docker/Dockerfile.nextjs
+            name: Build-Base
+          - image: runtime
+            file: packages/infra/docker/Dockerfile.runtime
+            name: Production Runtime
+          - image: gatekeeper
+            file: packages/infra/docker/Dockerfile.gatekeeper
+            name: Gatekeeper (Product)
+          - image: directus
+            file: packages/infra/docker/Dockerfile.directus
+            name: Directus (Base)
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -99,58 +117,19 @@ jobs:
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_PASS }}
 
-      - name: 🏗️ Build & Push Nextjs Build-Base
+      - name: 🏗️ Build & Push ${{ matrix.name }}
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: packages/infra/docker/Dockerfile.nextjs
+          file: ${{ matrix.file }}
           platforms: linux/arm64
           pull: true
           push: true
           secrets: |
             NPM_TOKEN=${{ secrets.NPM_TOKEN }}
           tags: |
-            registry.infra.mintel.me/mintel/nextjs:${{ github.ref_name }}
+            registry.infra.mintel.me/mintel/${{ matrix.image }}:${{ github.ref_name }}
-            registry.infra.mintel.me/mintel/nextjs:latest
+            registry.infra.mintel.me/mintel/${{ matrix.image }}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-      - name: 🏗️ Build & Push Production Runtime
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: packages/infra/docker/Dockerfile.runtime
-          platforms: linux/arm64
-          pull: true
-          push: true
-          secrets: |
-            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
-          tags: |
-            registry.infra.mintel.me/mintel/runtime:${{ github.ref_name }}
-            registry.infra.mintel.me/mintel/runtime:latest
-
-      - name: 🏗️ Build & Push Gatekeeper (Product)
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: packages/infra/docker/Dockerfile.gatekeeper
-          platforms: linux/arm64
-          pull: true
-          push: true
-          secrets: |
-            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
-          tags: |
-            registry.infra.mintel.me/mintel/gatekeeper:${{ github.ref_name }}
-            registry.infra.mintel.me/mintel/gatekeeper:latest
-
-      - name: 🏗️ Build & Push Directus (Base)
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: packages/infra/docker/Dockerfile.directus
-          platforms: linux/arm64
-          pull: true
-          push: true
-          secrets: |
-            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
-          tags: |
-            registry.infra.mintel.me/mintel/directus:${{ github.ref_name }}
-            registry.infra.mintel.me/mintel/directus:latest

.gitignore

@@ -1,6 +1,7 @@
 # dependencies
 node_modules
 .pnpm-debug.log*
+.pnpm-store/
 
 # next.js
 .next/

package.json

@@ -22,6 +22,7 @@
     "@mintel/husky-config": "workspace:*",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.2",
+    "@types/node": "^20.17.16",
     "@types/react": "^19.2.10",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^5.1.2",

packages/eslint-config/package.json

@@ -20,6 +20,7 @@
   "dependencies": {
     "@eslint/eslintrc": "^3.0.0",
     "@eslint/js": "^9.39.2",
+    "@next/eslint-plugin-next": "15.1.6",
     "eslint-config-next": "15.1.6",
     "typescript-eslint": "^8.54.0"
   }

packages/gatekeeper/src/app/api/verify/route.ts

@@ -9,6 +9,45 @@ export async function GET(req: NextRequest) {
 
   const session = cookieStore.get(authCookieName);
 
+  // 1. URL Parameter Bypass (for automated tests/staging)
+  const originalUrl = req.headers.get("x-forwarded-uri") || "/";
+  const host =
+    req.headers.get("x-forwarded-host") || req.headers.get("host") || "";
+  const proto = req.headers.get("x-forwarded-proto") || "https";
+
+  try {
+    const url = new URL(originalUrl, `${proto}://${host}`);
+    if (url.searchParams.get("gk_bypass") === password) {
+      // Remove the bypass parameter from the redirect URL
+      url.searchParams.delete("gk_bypass");
+      const cleanUrl = url.pathname + url.search;
+      const absoluteCleanUrl = `${proto}://${host}${cleanUrl}`;
+
+      const response = NextResponse.redirect(absoluteCleanUrl);
+
+      // Set the session cookie so the bypass is persistent
+      const isDev = process.env.NODE_ENV === "development";
+      const cookieDomain = process.env.COOKIE_DOMAIN;
+      const sessionValue = JSON.stringify({
+        identity: "Bypass",
+        timestamp: Date.now(),
+      });
+
+      response.cookies.set(authCookieName, sessionValue, {
+        httpOnly: true,
+        secure: !isDev,
+        path: "/",
+        maxAge: 30 * 24 * 60 * 60, // 30 days
+        sameSite: "lax",
+        ...(cookieDomain ? { domain: cookieDomain } : {}),
+      });
+
+      return response;
+    }
+  } catch (e) {
+    // URL parsing failed, proceed with normal logic
+  }
+
   let isAuthenticated = false;
   let identity = "Guest";
 
@@ -38,11 +77,6 @@ export async function GET(req: NextRequest) {
   }
 
   // Traefik ForwardAuth headers
-  const originalUrl = req.headers.get("x-forwarded-uri") || "/";
-  const host =
-    req.headers.get("x-forwarded-host") || req.headers.get("host") || "";
-  const proto = req.headers.get("x-forwarded-proto") || "https";
-
   const gatekeeperUrl =
     process.env.NEXT_PUBLIC_BASE_URL || `${proto}://gatekeeper.${host}`;
   const absoluteOriginalUrl = `${proto}://${host}${originalUrl}`;

packages/gatekeeper/src/app/login/page.tsx

@@ -79,9 +79,11 @@ export default async function LoginPage({ searchParams }: LoginPageProps) {
         timestamp: Date.now(),
       });
 
+      const isDev = process.env.NODE_ENV === "development";
+
       cookieStore.set(authCookieName, sessionValue, {
         httpOnly: true,
-        secure: true,
+        secure: !isDev,
         path: "/",
         maxAge: 30 * 24 * 60 * 60, // 30 days
         sameSite: "lax",

pnpm-lock.yaml

@@ -29,6 +29,9 @@ importers:
       '@testing-library/react':
         specifier: ^16.3.2
         version: 16.3.2(@testing-library/dom@10.4.1)(@types/react-dom@19.2.3(@types/react@19.2.10))(@types/react@19.2.10)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
+      '@types/node':
+        specifier: ^20.17.16
+        version: 20.19.30
       '@types/react':
         specifier: ^19.2.10
         version: 19.2.10
@@ -166,6 +169,9 @@ importers:
       '@eslint/js':
         specifier: ^9.39.2
         version: 9.39.2
+      '@next/eslint-plugin-next':
+        specifier: 15.1.6
+        version: 15.1.6
       eslint-config-next:
         specifier: 15.1.6
         version: 15.1.6(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3)
@@ -8566,7 +8572,7 @@ snapshots:
     dependencies:
       array-union: 2.1.0
       dir-glob: 3.0.1
-      fast-glob: 3.3.1
+      fast-glob: 3.3.3
       ignore: 5.3.2
       merge2: 1.4.1
       slash: 3.0.0