Compare commits
63 Commits
c3ccffe417
...
feat/10-op
| Author | SHA1 | Date | |
|---|---|---|---|
| b00d8bd60e | |||
| 7ec9d514ec | |||
| b8a88cb531 | |||
| 28fd4ca964 | |||
| 2c1734c251 | |||
| 1b89b45d21 | |||
| 7e8c5d7b51 | |||
| 2b9eb5eb41 | |||
| 60df0845aa | |||
| 2a746736dc | |||
| 986e36bc7d | |||
| 7e152e4432 | |||
| 5bf25f094d | |||
| 0e6c7d2066 | |||
| 39923e0e68 | |||
| 2e00ad38ba | |||
| be016f920c | |||
| d3f23a4da3 | |||
| 490e7347b0 | |||
| 4f311c9b5a | |||
| a55ba1160d | |||
| 4416d1f4ed | |||
| 074101e836 | |||
| 5089c2aea6 | |||
| 29f3dcc6cf | |||
| 2c196245c2 | |||
| 72c2bdfae7 | |||
| 311aab0aba | |||
| fcdb117768 | |||
| c3f0710a18 | |||
| 7c363099ff | |||
| a069ab07a2 | |||
| 34969659f7 | |||
| fd90c4abe2 | |||
| 3824f85af6 | |||
| ef877ebc80 | |||
| 9c961f9a13 | |||
| 0b82841b14 | |||
| 5a4331a416 | |||
| 96d447832f | |||
| a07d8277d6 | |||
| 69d6e80378 | |||
| 5d32d4f15e | |||
| d767430ad7 | |||
| 751ca006a7 | |||
| fea806848b | |||
| 2f5d656b54 | |||
| 72efab3ae0 | |||
| 1edd34e2db | |||
| f885e0a3be | |||
| ac874bf746 | |||
| 67f0ffb88d | |||
| 5a3f28ac6d | |||
| e9a873c152 | |||
| 79dcd8f14b | |||
| 22ab38f328 | |||
| 0d34d60797 | |||
| 6d4adaf957 | |||
| 39b2388a9d | |||
| 8d176c2603 | |||
| 53751fd1bc | |||
| cc9e7852e1 | |||
| c9edf27a48 |
17
.editorconfig
Normal file
17
.editorconfig
Normal file
@@ -0,0 +1,17 @@
|
||||
# Editor configuration, see http://editorconfig.org
|
||||
root = true
|
||||
|
||||
[*]
|
||||
indent_style = space
|
||||
indent_size = 2
|
||||
insert_final_newline = true
|
||||
trim_trailing_whitespace = true
|
||||
|
||||
# .NET sources use 4-space indent (dotnet format enforces this). The 2-space default
|
||||
# above is for the frontend (TS/HTML/CSS/JSON); C# keeps the .NET convention.
|
||||
[*.cs]
|
||||
indent_size = 4
|
||||
|
||||
[*.md]
|
||||
max_line_length = off
|
||||
trim_trailing_whitespace = false
|
||||
@@ -23,6 +23,16 @@ jobs:
|
||||
- uses: https://github.com/actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
# Cache the NuGet package store so each .NET job restores from disk, not the network. There are
|
||||
# no lock files (so setup-dotnet's built-in cache doesn't apply); key on the project files. @v3
|
||||
# avoids the GHES guard that breaks @v4 on Gitea (gitea-actions-gotchas.md); cache is best-effort
|
||||
# — a miss just restores from the network. See issue #73.
|
||||
- uses: https://github.com/actions/cache@v3
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
nuget-${{ runner.os }}-
|
||||
- run: make lint
|
||||
|
||||
build:
|
||||
@@ -32,6 +42,12 @@ jobs:
|
||||
- uses: https://github.com/actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
- uses: https://github.com/actions/cache@v3
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
nuget-${{ runner.os }}-
|
||||
- run: make build
|
||||
|
||||
unit:
|
||||
@@ -41,8 +57,28 @@ jobs:
|
||||
- uses: https://github.com/actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
- uses: https://github.com/actions/cache@v3
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
nuget-${{ runner.os }}-
|
||||
- run: make unit
|
||||
|
||||
# Frontend (Nx/Angular) lane: install with pnpm, then Nx lint + test + build.
|
||||
frontend:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: https://github.com/actions/checkout@v4
|
||||
- uses: https://github.com/pnpm/action-setup@v4
|
||||
with:
|
||||
version: 11
|
||||
- uses: https://github.com/actions/setup-node@v4
|
||||
with:
|
||||
node-version: '24'
|
||||
cache: 'pnpm'
|
||||
- run: make frontend
|
||||
|
||||
mutation:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
@@ -50,24 +86,48 @@ jobs:
|
||||
- uses: https://github.com/actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
- uses: https://github.com/actions/cache@v3
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
nuget-${{ runner.os }}-
|
||||
- run: make mutation
|
||||
# Publish the Stryker HTML report. `if: always()` uploads it even when the
|
||||
# Publish the Stryker HTML reports. `if: always()` uploads them even when the
|
||||
# ratchet fails — that is exactly when you want to inspect the survivors.
|
||||
# Glob handles Stryker's non-deterministic StrykerOutput/<timestamp>/ dir.
|
||||
# Pinned to @v3 deliberately: @v4 refuses to run on Gitea (GHES guard) —
|
||||
# see docs/runbooks/gitea-actions-gotchas.md §4.
|
||||
# `continue-on-error` keeps the upload best-effort: the mutation *gate* is the
|
||||
# ratchet (make mutation's exit code), not the report, so a Gitea artifact-backend
|
||||
# 500 must not fail the job (gitea-actions-gotchas.md §4). Glob handles Stryker's
|
||||
# non-deterministic StrykerOutput/<timestamp>/ dir. Pinned @v3: @v4's bundled
|
||||
# @actions/artifact hard-aborts on non-github.com (GHES guard) — see the runbook.
|
||||
- uses: https://github.com/actions/upload-artifact@v3
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: acl-mutation-report
|
||||
path: services/acl/StrykerOutput/**/reports/mutation-report.html
|
||||
if-no-files-found: warn
|
||||
- uses: https://github.com/actions/upload-artifact@v3
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: event-subscriber-mutation-report
|
||||
path: services/event-subscriber/StrykerOutput/**/reports/mutation-report.html
|
||||
if-no-files-found: warn
|
||||
- uses: https://github.com/actions/upload-artifact@v3
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: domain-mutation-report
|
||||
path: services/domain/StrykerOutput/**/reports/mutation-report.html
|
||||
if-no-files-found: warn
|
||||
- uses: https://github.com/actions/upload-artifact@v3
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: bff-mutation-report
|
||||
path: services/bff/StrykerOutput/**/reports/mutation-report.html
|
||||
if-no-files-found: warn
|
||||
|
||||
# One stage for every check that needs the live stack. On the single self-hosted
|
||||
# runner jobs run sequentially, so booting OpenZaak once (instead of once per job)
|
||||
@@ -88,10 +148,16 @@ jobs:
|
||||
run: make verify-nrc
|
||||
- name: OpenZaak → NRC → Event Subscriber → projection-api
|
||||
run: make verify-projection
|
||||
- name: Domain → Flowable → ACL → OpenZaak
|
||||
run: make verify-domain
|
||||
- name: BFF → Keycloak + domain + projection
|
||||
run: make verify-bff
|
||||
- name: Self-service e2e (Playwright, login → submit → success)
|
||||
run: make verify-e2e
|
||||
# Log dump must precede teardown (which removes the containers).
|
||||
- name: Dump container logs on failure
|
||||
if: failure()
|
||||
run: docker compose -f infra/docker-compose.yml logs --no-color --tail=100 oz-init openzaak nrc-init nrc-web nrc-celery nrc-beat flowable-init keycloak acl bff projection-db event-subscriber projection-api 2>&1 || true
|
||||
run: docker compose -f infra/docker-compose.yml logs --no-color --tail=100 oz-init openzaak nrc-init nrc-web nrc-celery nrc-beat flowable-db flowable-rest flowable-init keycloak acl bff domain projection-db event-subscriber projection-api self-service 2>&1 || true
|
||||
- name: Tear down
|
||||
if: always()
|
||||
run: make down
|
||||
|
||||
22
.gitignore
vendored
22
.gitignore
vendored
@@ -35,3 +35,25 @@ site/
|
||||
# OS
|
||||
.DS_Store
|
||||
Thumbs.db
|
||||
|
||||
# ── Frontend (Nx / Angular / pnpm) ──
|
||||
node_modules/
|
||||
dist/
|
||||
tmp/
|
||||
out-tsc/
|
||||
/coverage
|
||||
.angular/
|
||||
.nx/cache
|
||||
.nx/workspace-data
|
||||
.nx/self-healing
|
||||
.nx/migrate-runs
|
||||
.nx/polygraph
|
||||
vite.config.*.timestamp*
|
||||
vitest.config.*.timestamp*
|
||||
|
||||
.angular
|
||||
|
||||
# Playwright e2e (installed/generated in-container or on local runs)
|
||||
tests/e2e/node_modules/
|
||||
tests/e2e/test-results/
|
||||
tests/e2e/playwright-report/
|
||||
|
||||
8
.prettierignore
Normal file
8
.prettierignore
Normal file
@@ -0,0 +1,8 @@
|
||||
# Add files here to ignore them from prettier formatting
|
||||
/dist
|
||||
/coverage
|
||||
/.nx/cache
|
||||
/.nx/workspace-data
|
||||
.angular
|
||||
|
||||
.nx/self-healing
|
||||
3
.prettierrc
Normal file
3
.prettierrc
Normal file
@@ -0,0 +1,3 @@
|
||||
{
|
||||
"singleQuote": true
|
||||
}
|
||||
41
BACKLOG.md
41
BACKLOG.md
@@ -151,32 +151,47 @@ The skeleton proves the spine end-to-end: a registration, a workflow, a zaak in
|
||||
|
||||
### S-08 · Self-Service portal (Angular, NL DS) — submit a registration
|
||||
|
||||
**Outcome:** The self-service Angular app, in the Nx monorepo, lets a zorgprofessional log in via mock DigiD and submit a registration. NL Design System styling. Generated API client.
|
||||
> **S-08 was split** (CLAUDE.md §13; issue #9 closed) into the sub-slices below — it bundled the
|
||||
> Nx bootstrap, the generated client, the NL DS + DigiD form, and a full-stack Playwright e2e, well
|
||||
> past 1–2 days. Each sub-slice is independently demoable and CI-green.
|
||||
|
||||
- **S-08a (#65)** · Nx monorepo + Angular tooling + CI Node lane. Placeholder `self-service` app; `nx lint/test/build` green in a new CI Node lane.
|
||||
- **S-08b (#66)** · Generated api-client lib from `services/bff/openapi.json` (never hand-written, §10) + a mocked-BFF unit test.
|
||||
- **S-08c (#67)** · Self-service submit form — NL Design System `libs/ui`, DigiD OIDC `libs/auth`, component tests (Angular Testing Library), axe WCAG 2.1 AA on the submit page.
|
||||
- **S-08d (#68)** · Playwright happy-path e2e (login → submit → success) against the full stack + compose serving + CI e2e lane.
|
||||
|
||||
**Out of scope (whole of S-08):** document upload, status tracking page.
|
||||
|
||||
### S-09 · Openbaar Register portal — public lookup *(#10)*
|
||||
|
||||
**Outcome:** The openbaar Angular app shows a search box. Anonymous. Queries the BFF's `/openbaar/register` which reads only the projection's **public-safe** fields. Shows the public-visibility half of the walking skeleton.
|
||||
|
||||
_Split from the original S-09 — scoped to the portal only; the approval flow is **S-09b (#75)**._
|
||||
|
||||
**Acceptance:**
|
||||
|
||||
- E2E test (Playwright): full happy path, login → submit → success page.
|
||||
- Component tests (Testing Library) for the form.
|
||||
- Accessibility audit (axe-core) passes WCAG 2.1 AA on the submit page.
|
||||
- E2E test: after a zorgprofessional registers via self-service (S-08), the openbaar register shows the entry (as `INGEDIEND`).
|
||||
- Public-safe field whitelist enforced and tested (already in the BFF; add a portal component test + a11y check).
|
||||
|
||||
**Touches:** `apps/self-service/`, `libs/ui/`, `libs/auth/`, `libs/api-client/`, tests.
|
||||
**Touches:** `apps/openbaar/`, compose serving, e2e, docs.
|
||||
|
||||
**Out of scope:** document upload, status tracking page.
|
||||
**Out of scope:** approval/status transition (S-09b), advanced search filters, sorting.
|
||||
|
||||
### S-09 · Openbaar Register portal — public lookup
|
||||
### S-09b · Approval flow — temp admin endpoint + status transition to projection *(#75)*
|
||||
|
||||
**Outcome:** The openbaar Angular app shows a search box. Anonymous. Queries the BFF's `/openbaar/register` which reads only the projection's **public-safe** fields. Confirms the walking skeleton end-to-end.
|
||||
**Outcome:** A behandelaar approves a submitted registration via a temporary admin endpoint (no behandel-portal yet — S-12). The approval transitions the zaak status through the ACL → NRC → event-subscriber → projection, and the openbaar register then shows the entry as approved.
|
||||
|
||||
**Acceptance:**
|
||||
|
||||
- E2E test: zorgprofessional registers via self-service (S-08), behandelaar approves via a temporary admin endpoint (no behandel-portal yet), openbaar register shows the entry.
|
||||
- Public-safe field whitelist enforced and tested.
|
||||
- A new terminal/approved status (e.g. `INGESCHREVEN`) exists and is projected.
|
||||
- Temporary admin approve endpoint transitions a registration via a real ZGW status set (behind the ACL, §8).
|
||||
- E2E: register (S-08) → approve → openbaar shows the entry as approved.
|
||||
|
||||
**Touches:** `apps/openbaar/`, projection-api hardening, tests.
|
||||
**Touches:** `services/domain`, `services/acl`, `services/event-subscriber`, `services/projection-api`, e2e.
|
||||
|
||||
**Out of scope:** advanced search filters, sorting.
|
||||
**Out of scope:** behandel-portal UI (S-12), assessment logic (S-13), escalation (S-15).
|
||||
|
||||
**End of walking skeleton.** Demo: submit → process → projection → public visibility. All CI gates green on Gitea Actions. Cut release `vYYYY.MM.0` and publish via Gitea Releases.
|
||||
**End of walking skeleton** (S-09 + S-09b). Demo: submit → process → projection → public visibility. All CI gates green on Gitea Actions. Cut release `vYYYY.MM.0` and publish via Gitea Releases.
|
||||
|
||||
---
|
||||
|
||||
|
||||
46
Makefile
46
Makefile
@@ -10,7 +10,7 @@ COMPOSE := infra/docker-compose.yml
|
||||
# Long-running services with a healthcheck — the smoke polls these for readiness
|
||||
# (infra/wait-healthy.sh). One-shot init jobs (oz-init, nrc-init, flowable-init)
|
||||
# are not polled; they only need to have run. See docs/runbooks/gitea-actions-gotchas.md.
|
||||
WAIT_SVCS := openzaak nrc-web acl bff event-subscriber projection-api
|
||||
WAIT_SVCS := openzaak nrc-web acl bff domain event-subscriber projection-api self-service openbaar
|
||||
# Config files (OpenZaak data.yaml, Keycloak realms, Flowable BPMN) are streamed
|
||||
# into external named volumes via `docker cp` (infra/seed-config.sh) instead of
|
||||
# bind-mounted, because bind mounts don't reach sibling containers on the
|
||||
@@ -43,11 +43,23 @@ export DOCKER_HOST := unix://$(PODMAN_SOCK)
|
||||
endif
|
||||
endif
|
||||
|
||||
.PHONY: ci lint build unit mutation integration verify verify-up verify-acl verify-nrc verify-projection verify-notifications smoke up down local local-down changelog openzaak-up openzaak-smoke openzaak-seed openzaak-down stack-up stack-smoke stack-down keycloak-up keycloak-smoke keycloak-down flowable-up flowable-smoke flowable-down help
|
||||
.PHONY: ci lint build unit mutation frontend integration verify verify-up verify-acl verify-nrc verify-projection verify-bff verify-domain verify-notifications smoke up down local local-down changelog openzaak-up openzaak-smoke openzaak-seed openzaak-down stack-up stack-smoke stack-down keycloak-up keycloak-smoke keycloak-down flowable-up flowable-smoke flowable-down help
|
||||
|
||||
## ci: run the full pipeline — lint, build, unit, mutation, verify (mirrors Gitea Actions)
|
||||
## ci: run the full pipeline — lint, build, unit, mutation, frontend, verify (mirrors Gitea Actions)
|
||||
## `verify` is the live-stack stage (full stack up once → ACL + notification checks).
|
||||
ci: lint build unit mutation verify
|
||||
ci: lint build unit mutation frontend verify
|
||||
|
||||
## frontend: install deps and run the Nx lint/test/build for the portals (pnpm + Node required)
|
||||
# Tests run in their own phase, ahead of the build. The @angular/build:unit-test
|
||||
# (Vitest) runner spawns a worker with a hard-coded 60s/90s startup timeout that is
|
||||
# not configurable. When the ~5min production build shares the run-many pool, it
|
||||
# starves that worker of CPU on constrained CI runners and Vitest fails with
|
||||
# "Timeout waiting for worker to respond". Splitting the phases keeps tests off the
|
||||
# heavy build's back so the worker starts well inside its window.
|
||||
frontend:
|
||||
pnpm install --frozen-lockfile
|
||||
pnpm nx run-many -t lint test
|
||||
pnpm nx run-many -t build
|
||||
|
||||
## lint: verify formatting (no changes)
|
||||
lint:
|
||||
@@ -64,12 +76,14 @@ unit:
|
||||
## mutation: run the Stryker.NET ratchet on each service with branching logic (fails below baseline)
|
||||
# Stryker is pinned as a local dotnet tool (.config/dotnet-tools.json); `tool restore`
|
||||
# makes `make mutation` work from a fresh clone. Each service owns its config + break
|
||||
# threshold (the ratchet, CLAUDE.md §5): services/acl/stryker-config.json and
|
||||
# services/event-subscriber/stryker-config.json. Scores never regress below baseline.
|
||||
# threshold (the ratchet, CLAUDE.md §5): each services/<svc>/stryker-config.json.
|
||||
# Scores never regress below baseline.
|
||||
mutation:
|
||||
dotnet tool restore
|
||||
cd services/acl && dotnet stryker
|
||||
cd services/event-subscriber && dotnet stryker
|
||||
cd services/domain && dotnet stryker
|
||||
cd services/bff && dotnet stryker
|
||||
|
||||
## smoke: seed config, bring the whole stack up, wait for health-checked services, tear down
|
||||
# SEED populates the external config volumes first (upstream images used verbatim;
|
||||
@@ -136,6 +150,21 @@ verify-nrc:
|
||||
verify-projection:
|
||||
bash infra/run-projection-check.sh
|
||||
|
||||
## verify-domain: domain → Flowable → ACL → OpenZaak end-to-end (S-05), against the
|
||||
## already-running stack. Recreates the acl service to inject the seeded zaaktype URL.
|
||||
verify-domain:
|
||||
bash infra/run-domain-check.sh
|
||||
|
||||
## verify-bff: BFF end-to-end (S-07) against the up stack — token validation on self-service
|
||||
## + anonymous public-safe openbaar register (ADR-0010).
|
||||
verify-bff:
|
||||
bash infra/run-bff-check.sh
|
||||
|
||||
## verify-e2e: walking-skeleton Playwright e2e (S-08d) against the up stack — DigiD login →
|
||||
## submit → confirmation, driven inside the compose network.
|
||||
verify-e2e:
|
||||
bash infra/run-e2e-check.sh
|
||||
|
||||
## verify: local mirror of the CI verify-stack job — full stack up once, all checks,
|
||||
## tear down (always). For fast single-concern local iteration use `integration`
|
||||
## (oz-only) or `verify-notifications` (oz+nrc) instead.
|
||||
@@ -146,7 +175,10 @@ verify:
|
||||
WAIT_TIMEOUT=420 bash infra/wait-healthy.sh $(WAIT_SVCS) \
|
||||
&& bash infra/run-acl-integration.sh \
|
||||
&& bash infra/run-notification-check.sh \
|
||||
&& bash infra/run-projection-check.sh || rc=$$?; \
|
||||
&& bash infra/run-projection-check.sh \
|
||||
&& bash infra/run-domain-check.sh \
|
||||
&& bash infra/run-bff-check.sh \
|
||||
&& bash infra/run-e2e-check.sh || rc=$$?; \
|
||||
docker compose -f $(COMPOSE) down --volumes >/dev/null 2>&1; \
|
||||
docker volume rm -f $(CFG_VOLS) >/dev/null 2>&1; \
|
||||
exit $$rc'
|
||||
|
||||
21
apps/openbaar/Dockerfile
Normal file
21
apps/openbaar/Dockerfile
Normal file
@@ -0,0 +1,21 @@
|
||||
# Multi-stage build for the openbaar portal (Angular → nginx).
|
||||
# Build context is the repo root (the app needs the pnpm workspace + libs). See infra/docker-compose.yml.
|
||||
FROM node:24-slim AS build
|
||||
WORKDIR /src
|
||||
RUN corepack enable && corepack prepare pnpm@11.5.2 --activate
|
||||
|
||||
# Restore first (cached unless the manifests change).
|
||||
COPY package.json pnpm-lock.yaml pnpm-workspace.yaml nx.json tsconfig.base.json eslint.config.mjs ./
|
||||
RUN pnpm install --frozen-lockfile
|
||||
|
||||
# Sources (only what the app + its libs need).
|
||||
COPY apps/openbaar apps/openbaar
|
||||
COPY libs libs
|
||||
RUN pnpm nx build openbaar
|
||||
|
||||
FROM nginx:1.27-alpine AS runtime
|
||||
COPY apps/openbaar/nginx.conf /etc/nginx/conf.d/default.conf
|
||||
COPY --from=build /src/dist/apps/openbaar/browser /usr/share/nginx/html
|
||||
# No runtime config: the openbaar register is anonymous (no OIDC authority to inject).
|
||||
|
||||
EXPOSE 80
|
||||
34
apps/openbaar/eslint.config.mjs
Normal file
34
apps/openbaar/eslint.config.mjs
Normal file
@@ -0,0 +1,34 @@
|
||||
import nx from '@nx/eslint-plugin';
|
||||
import baseConfig from '../../eslint.config.mjs';
|
||||
|
||||
export default [
|
||||
...nx.configs['flat/angular'],
|
||||
...nx.configs['flat/angular-template'],
|
||||
...baseConfig,
|
||||
{
|
||||
files: ['**/*.ts'],
|
||||
rules: {
|
||||
'@angular-eslint/directive-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'attribute',
|
||||
prefix: 'app',
|
||||
style: 'camelCase',
|
||||
},
|
||||
],
|
||||
'@angular-eslint/component-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'element',
|
||||
prefix: 'app',
|
||||
style: 'kebab-case',
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
files: ['**/*.html'],
|
||||
// Override or add rules here
|
||||
rules: {},
|
||||
},
|
||||
];
|
||||
23
apps/openbaar/nginx.conf
Normal file
23
apps/openbaar/nginx.conf
Normal file
@@ -0,0 +1,23 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name _;
|
||||
root /usr/share/nginx/html;
|
||||
index index.html;
|
||||
|
||||
# Resolve the BFF via Docker's embedded DNS at request time (variable proxy_pass), so nginx starts
|
||||
# even before the BFF is up and picks up restarts — instead of failing to load the config.
|
||||
resolver 127.0.0.11 ipv6=off valid=30s;
|
||||
|
||||
# Same-origin API: proxy the anonymous openbaar endpoint group to the bff service. The api-client
|
||||
# uses relative URLs, so the browser calls this origin and nginx forwards to the BFF — no CORS.
|
||||
location /openbaar/ {
|
||||
set $bff http://bff:8080;
|
||||
proxy_pass $bff;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
# SPA fallback — Angular client-side routing.
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
}
|
||||
80
apps/openbaar/project.json
Normal file
80
apps/openbaar/project.json
Normal file
@@ -0,0 +1,80 @@
|
||||
{
|
||||
"name": "openbaar",
|
||||
"$schema": "../../node_modules/nx/schemas/project-schema.json",
|
||||
"projectType": "application",
|
||||
"prefix": "app",
|
||||
"sourceRoot": "apps/openbaar/src",
|
||||
"tags": [],
|
||||
"targets": {
|
||||
"build": {
|
||||
"executor": "@angular/build:application",
|
||||
"outputs": ["{options.outputPath}"],
|
||||
"defaultConfiguration": "production",
|
||||
"options": {
|
||||
"outputPath": "dist/apps/openbaar",
|
||||
"browser": "apps/openbaar/src/main.ts",
|
||||
"tsConfig": "apps/openbaar/tsconfig.app.json",
|
||||
"assets": [
|
||||
{
|
||||
"glob": "**/*",
|
||||
"input": "apps/openbaar/public"
|
||||
}
|
||||
],
|
||||
"styles": ["apps/openbaar/src/styles.css"]
|
||||
},
|
||||
"configurations": {
|
||||
"production": {
|
||||
"budgets": [
|
||||
{
|
||||
"type": "initial",
|
||||
"maximumWarning": "1mb",
|
||||
"maximumError": "2mb"
|
||||
},
|
||||
{
|
||||
"type": "anyComponentStyle",
|
||||
"maximumWarning": "4kb",
|
||||
"maximumError": "8kb"
|
||||
}
|
||||
],
|
||||
"outputHashing": "all"
|
||||
},
|
||||
"development": {
|
||||
"optimization": false,
|
||||
"extractLicenses": false,
|
||||
"sourceMap": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"serve": {
|
||||
"continuous": true,
|
||||
"executor": "@angular/build:dev-server",
|
||||
"defaultConfiguration": "development",
|
||||
"configurations": {
|
||||
"production": {
|
||||
"buildTarget": "openbaar:build:production"
|
||||
},
|
||||
"development": {
|
||||
"buildTarget": "openbaar:build:development"
|
||||
}
|
||||
}
|
||||
},
|
||||
"lint": {
|
||||
"executor": "@nx/eslint:lint"
|
||||
},
|
||||
"test": {
|
||||
"executor": "@angular/build:unit-test",
|
||||
"options": {
|
||||
"watch": false
|
||||
}
|
||||
},
|
||||
"serve-static": {
|
||||
"continuous": true,
|
||||
"executor": "@nx/web:file-server",
|
||||
"options": {
|
||||
"buildTarget": "openbaar:build",
|
||||
"staticFilePath": "dist/apps/openbaar/browser",
|
||||
"spa": true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
BIN
apps/openbaar/public/favicon.ico
Normal file
BIN
apps/openbaar/public/favicon.ico
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 15 KiB |
19
apps/openbaar/src/app/app.config.ts
Normal file
19
apps/openbaar/src/app/app.config.ts
Normal file
@@ -0,0 +1,19 @@
|
||||
import { provideHttpClient } from '@angular/common/http';
|
||||
import {
|
||||
ApplicationConfig,
|
||||
provideBrowserGlobalErrorListeners,
|
||||
} from '@angular/core';
|
||||
import { provideRouter } from '@angular/router';
|
||||
import { appRoutes } from './app.routes';
|
||||
|
||||
/**
|
||||
* The openbaar register is a public, anonymous read: no DigiD, no auth interceptor. The app is served
|
||||
* same-origin as the BFF (nginx proxies /openbaar), so the api-client's relative calls stay same-origin.
|
||||
*/
|
||||
export const appConfig: ApplicationConfig = {
|
||||
providers: [
|
||||
provideBrowserGlobalErrorListeners(),
|
||||
provideRouter(appRoutes),
|
||||
provideHttpClient(),
|
||||
],
|
||||
};
|
||||
0
apps/openbaar/src/app/app.css
Normal file
0
apps/openbaar/src/app/app.css
Normal file
1
apps/openbaar/src/app/app.html
Normal file
1
apps/openbaar/src/app/app.html
Normal file
@@ -0,0 +1 @@
|
||||
<router-outlet></router-outlet>
|
||||
4
apps/openbaar/src/app/app.routes.ts
Normal file
4
apps/openbaar/src/app/app.routes.ts
Normal file
@@ -0,0 +1,4 @@
|
||||
import { Route } from '@angular/router';
|
||||
import { RegisterPage } from './register/register-page';
|
||||
|
||||
export const appRoutes: Route[] = [{ path: '', component: RegisterPage }];
|
||||
14
apps/openbaar/src/app/app.spec.ts
Normal file
14
apps/openbaar/src/app/app.spec.ts
Normal file
@@ -0,0 +1,14 @@
|
||||
import { provideRouter } from '@angular/router';
|
||||
import { render } from '@testing-library/angular';
|
||||
import { App } from './app';
|
||||
|
||||
describe('App', () => {
|
||||
it('renders the router outlet shell', async () => {
|
||||
const { container } = await render(App, {
|
||||
providers: [provideRouter([])],
|
||||
});
|
||||
|
||||
// The shell is a thin host for routed pages (the RegisterPage owns the heading).
|
||||
expect(container.querySelector('router-outlet')).toBeTruthy();
|
||||
});
|
||||
});
|
||||
12
apps/openbaar/src/app/app.ts
Normal file
12
apps/openbaar/src/app/app.ts
Normal file
@@ -0,0 +1,12 @@
|
||||
import { Component } from '@angular/core';
|
||||
import { RouterModule } from '@angular/router';
|
||||
|
||||
@Component({
|
||||
imports: [RouterModule],
|
||||
selector: 'app-root',
|
||||
templateUrl: './app.html',
|
||||
styleUrl: './app.css',
|
||||
})
|
||||
export class App {
|
||||
protected title = 'openbaar';
|
||||
}
|
||||
54
apps/openbaar/src/app/register/register-page.html
Normal file
54
apps/openbaar/src/app/register/register-page.html
Normal file
@@ -0,0 +1,54 @@
|
||||
<main utrecht-document class="utrecht-theme">
|
||||
<utrecht-article>
|
||||
<utrecht-heading-1>Openbaar BIG-register</utrecht-heading-1>
|
||||
<p utrecht-paragraph>
|
||||
Zoek in het openbare register van BIG-registraties. Alleen publieke gegevens worden getoond.
|
||||
</p>
|
||||
|
||||
<div role="search">
|
||||
<label for="register-search" utrecht-form-label>Zoek op referentie</label>
|
||||
<input
|
||||
id="register-search"
|
||||
type="search"
|
||||
utrecht-textbox
|
||||
[ngModel]="query()"
|
||||
(ngModelChange)="query.set($event)"
|
||||
[ngModelOptions]="{ standalone: true }"
|
||||
(keyup.enter)="search()"
|
||||
/>
|
||||
<button
|
||||
utrecht-button
|
||||
appearance="primary-action-button"
|
||||
type="button"
|
||||
[disabled]="loading()"
|
||||
(click)="search()"
|
||||
>
|
||||
Zoeken
|
||||
</button>
|
||||
</div>
|
||||
|
||||
@if (loading()) {
|
||||
<p utrecht-paragraph role="status">Bezig met laden…</p>
|
||||
} @else if (searched() && entries().length === 0) {
|
||||
<p utrecht-paragraph role="status">Geen inschrijvingen gevonden.</p>
|
||||
} @else if (entries().length > 0) {
|
||||
<table utrecht-table>
|
||||
<caption>Inschrijvingen in het openbaar register</caption>
|
||||
<thead>
|
||||
<tr>
|
||||
<th scope="col">Referentie</th>
|
||||
<th scope="col">Status</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
@for (entry of entries(); track entry.id) {
|
||||
<tr>
|
||||
<td>{{ entry.id }}</td>
|
||||
<td>{{ entry.status }}</td>
|
||||
</tr>
|
||||
}
|
||||
</tbody>
|
||||
</table>
|
||||
}
|
||||
</utrecht-article>
|
||||
</main>
|
||||
57
apps/openbaar/src/app/register/register-page.spec.ts
Normal file
57
apps/openbaar/src/app/register/register-page.spec.ts
Normal file
@@ -0,0 +1,57 @@
|
||||
import { fireEvent, render, screen } from '@testing-library/angular';
|
||||
import { of } from 'rxjs';
|
||||
import { BffApiV1Service, type OpenbaarEntry } from 'api-client';
|
||||
import { axe } from 'vitest-axe';
|
||||
import { RegisterPage } from './register-page';
|
||||
|
||||
const sample: OpenbaarEntry[] = [
|
||||
{ id: 'zaak-abc', status: 'INGEDIEND' },
|
||||
{ id: 'zaak-def', status: 'INGESCHREVEN' },
|
||||
];
|
||||
|
||||
function providers(get = vi.fn().mockReturnValue(of(sample))) {
|
||||
return {
|
||||
get,
|
||||
providers: [{ provide: BffApiV1Service, useValue: { getOpenbaarRegister: get } }],
|
||||
};
|
||||
}
|
||||
|
||||
describe('RegisterPage', () => {
|
||||
it('lists the public register entries from the BFF on open', async () => {
|
||||
const { get } = providers();
|
||||
await render(RegisterPage, { providers: providers(get).providers });
|
||||
|
||||
expect(get).toHaveBeenCalled();
|
||||
expect(await screen.findByText(/zaak-abc/)).toBeTruthy();
|
||||
expect(screen.getByText(/INGEDIEND/)).toBeTruthy();
|
||||
expect(screen.getByText(/zaak-def/)).toBeTruthy();
|
||||
});
|
||||
|
||||
it('searches by the entered term', async () => {
|
||||
const get = vi.fn().mockReturnValue(of(sample));
|
||||
await render(RegisterPage, { providers: providers(get).providers });
|
||||
|
||||
fireEvent.input(screen.getByRole('searchbox'), { target: { value: 'zaak-abc' } });
|
||||
fireEvent.click(screen.getByRole('button', { name: /zoek/i }));
|
||||
|
||||
expect(get).toHaveBeenLastCalledWith({ q: 'zaak-abc' });
|
||||
});
|
||||
|
||||
it('shows an empty-state message when the register has no matches', async () => {
|
||||
const get = vi.fn().mockReturnValue(of([] as OpenbaarEntry[]));
|
||||
await render(RegisterPage, { providers: providers(get).providers });
|
||||
|
||||
expect(await screen.findByText(/geen inschrijvingen gevonden/i)).toBeTruthy();
|
||||
});
|
||||
|
||||
it('has no WCAG 2.1 AA violations', async () => {
|
||||
document.documentElement.lang = 'nl';
|
||||
const { container } = await render(RegisterPage, { providers: providers().providers });
|
||||
|
||||
const results = await axe(container, {
|
||||
runOnly: { type: 'tag', values: ['wcag2a', 'wcag2aa', 'wcag21a', 'wcag21aa'] },
|
||||
});
|
||||
|
||||
expect(results.violations).toEqual([]);
|
||||
});
|
||||
});
|
||||
45
apps/openbaar/src/app/register/register-page.ts
Normal file
45
apps/openbaar/src/app/register/register-page.ts
Normal file
@@ -0,0 +1,45 @@
|
||||
import { Component, inject, signal } from '@angular/core';
|
||||
import { FormsModule } from '@angular/forms';
|
||||
import { BffApiV1Service, type OpenbaarEntry } from 'api-client';
|
||||
import { UtrechtComponentsModule } from 'ui';
|
||||
|
||||
/**
|
||||
* The openbaar (public) BIG-register: an anonymous search over the read projection's public-safe
|
||||
* view (id + status only — bsn/naam never leave the BFF; ADR-0010). Loads the full register on open
|
||||
* and filters by the search term via the BFF's `/openbaar/register?q=` endpoint (S-09).
|
||||
*/
|
||||
@Component({
|
||||
selector: 'app-register-page',
|
||||
imports: [FormsModule, UtrechtComponentsModule],
|
||||
templateUrl: './register-page.html',
|
||||
})
|
||||
export class RegisterPage {
|
||||
private readonly bff = inject(BffApiV1Service);
|
||||
|
||||
protected readonly query = signal('');
|
||||
protected readonly entries = signal<OpenbaarEntry[]>([]);
|
||||
protected readonly loading = signal(false);
|
||||
protected readonly searched = signal(false);
|
||||
|
||||
constructor() {
|
||||
// Show the full register on open; the search box narrows it.
|
||||
this.search();
|
||||
}
|
||||
|
||||
search(): void {
|
||||
const q = this.query().trim();
|
||||
this.loading.set(true);
|
||||
this.bff.getOpenbaarRegister(q ? { q } : {}).subscribe({
|
||||
next: (rows: OpenbaarEntry[]) => {
|
||||
this.entries.set(rows);
|
||||
this.loading.set(false);
|
||||
this.searched.set(true);
|
||||
},
|
||||
error: () => {
|
||||
this.entries.set([]);
|
||||
this.loading.set(false);
|
||||
this.searched.set(true);
|
||||
},
|
||||
});
|
||||
}
|
||||
}
|
||||
13
apps/openbaar/src/index.html
Normal file
13
apps/openbaar/src/index.html
Normal file
@@ -0,0 +1,13 @@
|
||||
<!doctype html>
|
||||
<html lang="nl">
|
||||
<head>
|
||||
<meta charset="utf-8" />
|
||||
<title>Openbaar BIG-register</title>
|
||||
<base href="/" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
||||
<link rel="icon" type="image/x-icon" href="favicon.ico" />
|
||||
</head>
|
||||
<body>
|
||||
<app-root></app-root>
|
||||
</body>
|
||||
</html>
|
||||
6
apps/openbaar/src/main.ts
Normal file
6
apps/openbaar/src/main.ts
Normal file
@@ -0,0 +1,6 @@
|
||||
import { bootstrapApplication } from '@angular/platform-browser';
|
||||
import { App } from './app/app';
|
||||
import { appConfig } from './app/app.config';
|
||||
|
||||
// The openbaar register is anonymous (no DigiD, no runtime config) — bootstrap directly.
|
||||
bootstrapApplication(App, appConfig).catch((err) => console.error(err));
|
||||
2
apps/openbaar/src/styles.css
Normal file
2
apps/openbaar/src/styles.css
Normal file
@@ -0,0 +1,2 @@
|
||||
/* NL Design System theme — Utrecht design tokens (docs/frontend-decisions.md). */
|
||||
@import '@utrecht/design-tokens/dist/index.css';
|
||||
9
apps/openbaar/tsconfig.app.json
Normal file
9
apps/openbaar/tsconfig.app.json
Normal file
@@ -0,0 +1,9 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": []
|
||||
},
|
||||
"include": ["src/**/*.ts"],
|
||||
"exclude": ["src/**/*.spec.ts", "src/**/*.test.ts"]
|
||||
}
|
||||
31
apps/openbaar/tsconfig.json
Normal file
31
apps/openbaar/tsconfig.json
Normal file
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"extends": "../../tsconfig.base.json",
|
||||
"compilerOptions": {
|
||||
"strict": true,
|
||||
"noImplicitOverride": true,
|
||||
"noPropertyAccessFromIndexSignature": true,
|
||||
"noImplicitReturns": true,
|
||||
"noFallthroughCasesInSwitch": true,
|
||||
"isolatedModules": true,
|
||||
"target": "es2022",
|
||||
"moduleResolution": "bundler",
|
||||
"emitDecoratorMetadata": false,
|
||||
"module": "preserve"
|
||||
},
|
||||
"angularCompilerOptions": {
|
||||
"enableI18nLegacyMessageIdFormat": false,
|
||||
"strictInjectionParameters": true,
|
||||
"strictInputAccessModifiers": true,
|
||||
"strictTemplates": true
|
||||
},
|
||||
"files": [],
|
||||
"include": [],
|
||||
"references": [
|
||||
{
|
||||
"path": "./tsconfig.app.json"
|
||||
},
|
||||
{
|
||||
"path": "./tsconfig.spec.json"
|
||||
}
|
||||
]
|
||||
}
|
||||
8
apps/openbaar/tsconfig.spec.json
Normal file
8
apps/openbaar/tsconfig.spec.json
Normal file
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": ["vitest/globals"]
|
||||
},
|
||||
"include": ["src/**/*.ts", "src/**/*.d.ts"]
|
||||
}
|
||||
23
apps/self-service/Dockerfile
Normal file
23
apps/self-service/Dockerfile
Normal file
@@ -0,0 +1,23 @@
|
||||
# Multi-stage build for the self-service portal (Angular → nginx).
|
||||
# Build context is the repo root (the app needs the pnpm workspace + libs). See infra/docker-compose.yml.
|
||||
FROM node:24-slim AS build
|
||||
WORKDIR /src
|
||||
RUN corepack enable && corepack prepare pnpm@11.5.2 --activate
|
||||
|
||||
# Restore first (cached unless the manifests change).
|
||||
COPY package.json pnpm-lock.yaml pnpm-workspace.yaml nx.json tsconfig.base.json eslint.config.mjs ./
|
||||
RUN pnpm install --frozen-lockfile
|
||||
|
||||
# Sources (only what the app + its libs need).
|
||||
COPY apps/self-service apps/self-service
|
||||
COPY libs libs
|
||||
RUN pnpm nx build self-service
|
||||
|
||||
FROM nginx:1.27-alpine AS runtime
|
||||
COPY apps/self-service/nginx.conf /etc/nginx/conf.d/default.conf
|
||||
COPY --from=build /src/dist/apps/self-service/browser /usr/share/nginx/html
|
||||
# Compose-time OIDC config: the browser (Playwright, on the compose network) reaches Keycloak by
|
||||
# service name, so the token issuer matches the BFF's authority (host-consistent, ADR-0010).
|
||||
RUN printf '{ "authority": "http://keycloak:8080/realms/digid" }\n' > /usr/share/nginx/html/config.json
|
||||
|
||||
EXPOSE 80
|
||||
34
apps/self-service/eslint.config.mjs
Normal file
34
apps/self-service/eslint.config.mjs
Normal file
@@ -0,0 +1,34 @@
|
||||
import nx from '@nx/eslint-plugin';
|
||||
import baseConfig from '../../eslint.config.mjs';
|
||||
|
||||
export default [
|
||||
...nx.configs['flat/angular'],
|
||||
...nx.configs['flat/angular-template'],
|
||||
...baseConfig,
|
||||
{
|
||||
files: ['**/*.ts'],
|
||||
rules: {
|
||||
'@angular-eslint/directive-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'attribute',
|
||||
prefix: 'app',
|
||||
style: 'camelCase',
|
||||
},
|
||||
],
|
||||
'@angular-eslint/component-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'element',
|
||||
prefix: 'app',
|
||||
style: 'kebab-case',
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
files: ['**/*.html'],
|
||||
// Override or add rules here
|
||||
rules: {},
|
||||
},
|
||||
];
|
||||
29
apps/self-service/nginx.conf
Normal file
29
apps/self-service/nginx.conf
Normal file
@@ -0,0 +1,29 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name _;
|
||||
root /usr/share/nginx/html;
|
||||
index index.html;
|
||||
|
||||
# Resolve the BFF via Docker's embedded DNS at request time (variable proxy_pass), so nginx starts
|
||||
# even before the BFF is up and picks up restarts — instead of failing to load the config.
|
||||
resolver 127.0.0.11 ipv6=off valid=30s;
|
||||
|
||||
# Same-origin API: proxy the BFF endpoint groups to the bff service. The api-client uses relative
|
||||
# URLs, so the browser calls this origin and nginx forwards to the BFF — no CORS, and the DigiD
|
||||
# token (same-origin) is attached by the app's interceptor (S-08d/ADR-0010).
|
||||
location /self-service/ {
|
||||
set $bff http://bff:8080;
|
||||
proxy_pass $bff;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
location /openbaar/ {
|
||||
set $bff http://bff:8080;
|
||||
proxy_pass $bff;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
# SPA fallback — Angular client-side routing.
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
}
|
||||
80
apps/self-service/project.json
Normal file
80
apps/self-service/project.json
Normal file
@@ -0,0 +1,80 @@
|
||||
{
|
||||
"name": "self-service",
|
||||
"$schema": "../../node_modules/nx/schemas/project-schema.json",
|
||||
"projectType": "application",
|
||||
"prefix": "app",
|
||||
"sourceRoot": "apps/self-service/src",
|
||||
"tags": [],
|
||||
"targets": {
|
||||
"build": {
|
||||
"executor": "@angular/build:application",
|
||||
"outputs": ["{options.outputPath}"],
|
||||
"defaultConfiguration": "production",
|
||||
"options": {
|
||||
"outputPath": "dist/apps/self-service",
|
||||
"browser": "apps/self-service/src/main.ts",
|
||||
"tsConfig": "apps/self-service/tsconfig.app.json",
|
||||
"assets": [
|
||||
{
|
||||
"glob": "**/*",
|
||||
"input": "apps/self-service/public"
|
||||
}
|
||||
],
|
||||
"styles": ["apps/self-service/src/styles.css"]
|
||||
},
|
||||
"configurations": {
|
||||
"production": {
|
||||
"budgets": [
|
||||
{
|
||||
"type": "initial",
|
||||
"maximumWarning": "1mb",
|
||||
"maximumError": "2mb"
|
||||
},
|
||||
{
|
||||
"type": "anyComponentStyle",
|
||||
"maximumWarning": "4kb",
|
||||
"maximumError": "8kb"
|
||||
}
|
||||
],
|
||||
"outputHashing": "all"
|
||||
},
|
||||
"development": {
|
||||
"optimization": false,
|
||||
"extractLicenses": false,
|
||||
"sourceMap": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"serve": {
|
||||
"continuous": true,
|
||||
"executor": "@angular/build:dev-server",
|
||||
"defaultConfiguration": "development",
|
||||
"configurations": {
|
||||
"production": {
|
||||
"buildTarget": "self-service:build:production"
|
||||
},
|
||||
"development": {
|
||||
"buildTarget": "self-service:build:development"
|
||||
}
|
||||
}
|
||||
},
|
||||
"lint": {
|
||||
"executor": "@nx/eslint:lint"
|
||||
},
|
||||
"test": {
|
||||
"executor": "@angular/build:unit-test",
|
||||
"options": {
|
||||
"watch": false
|
||||
}
|
||||
},
|
||||
"serve-static": {
|
||||
"continuous": true,
|
||||
"executor": "@nx/web:file-server",
|
||||
"options": {
|
||||
"buildTarget": "self-service:build",
|
||||
"staticFilePath": "dist/apps/self-service/browser",
|
||||
"spa": true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
3
apps/self-service/public/config.json
Normal file
3
apps/self-service/public/config.json
Normal file
@@ -0,0 +1,3 @@
|
||||
{
|
||||
"authority": "http://localhost:8180/realms/digid"
|
||||
}
|
||||
BIN
apps/self-service/public/favicon.ico
Normal file
BIN
apps/self-service/public/favicon.ico
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 15 KiB |
65
apps/self-service/src/app/app.config.spec.ts
Normal file
65
apps/self-service/src/app/app.config.spec.ts
Normal file
@@ -0,0 +1,65 @@
|
||||
import { provideHttpClient, withInterceptors } from '@angular/common/http';
|
||||
import { HttpTestingController, provideHttpClientTesting } from '@angular/common/http/testing';
|
||||
import { TestBed } from '@angular/core/testing';
|
||||
import { BffApiV1Service } from 'api-client';
|
||||
import { authInterceptor } from 'auth';
|
||||
import { AbstractSecurityStorage, ConfigurationService } from 'angular-auth-oidc-client';
|
||||
import { SECURE_API_ROUTES } from './app.config';
|
||||
|
||||
// Guards the DigiD token wiring end-to-end. The api-client calls the BFF with RELATIVE URLs, and the
|
||||
// angular-auth-oidc-client interceptor attaches the token only when `req.url` starts with a configured
|
||||
// secureRoute. A regression to an absolute origin (as once shipped) makes the relative URL never match,
|
||||
// so the submit goes out unauthenticated and fails silently. This drives the REAL interceptor and the
|
||||
// REAL api-client against the REAL production route value (SECURE_API_ROUTES); only the config source
|
||||
// and the token storage are faked, so the assertion turns on the actual route-matching.
|
||||
describe('self-service DigiD token wiring', () => {
|
||||
let http: HttpTestingController;
|
||||
let bff: BffApiV1Service;
|
||||
const token = 'digid-access-token';
|
||||
|
||||
beforeEach(() => {
|
||||
TestBed.configureTestingModule({
|
||||
providers: [
|
||||
provideHttpClient(withInterceptors([authInterceptor()])),
|
||||
provideHttpClientTesting(),
|
||||
{
|
||||
provide: ConfigurationService,
|
||||
useValue: {
|
||||
hasAtLeastOneConfig: () => true,
|
||||
getAllConfigurations: () => [{ configId: 'digid', secureRoutes: SECURE_API_ROUTES }],
|
||||
},
|
||||
},
|
||||
{
|
||||
// A signed-in session: the storage the interceptor's token lookup reads from.
|
||||
provide: AbstractSecurityStorage,
|
||||
useValue: {
|
||||
read: () => JSON.stringify({ authzData: token, authnResult: { id_token: 'id-token' } }),
|
||||
write: () => undefined,
|
||||
remove: () => undefined,
|
||||
clear: () => undefined,
|
||||
},
|
||||
},
|
||||
],
|
||||
});
|
||||
http = TestBed.inject(HttpTestingController);
|
||||
bff = TestBed.inject(BffApiV1Service);
|
||||
});
|
||||
|
||||
afterEach(() => http.verify());
|
||||
|
||||
it('attaches the bearer token to the relative self-service BFF call', () => {
|
||||
bff.postSelfServiceRegistrations().subscribe();
|
||||
|
||||
const req = http.expectOne('/self-service/registrations');
|
||||
expect(req.request.headers.get('Authorization')).toBe(`Bearer ${token}`);
|
||||
req.flush({ registrationId: 'reg-1', status: 'Ingediend' });
|
||||
});
|
||||
|
||||
it('leaves the anonymous openbaar register call unauthenticated', () => {
|
||||
bff.getOpenbaarRegister().subscribe();
|
||||
|
||||
const req = http.expectOne((r) => r.url === '/openbaar/register');
|
||||
expect(req.request.headers.has('Authorization')).toBe(false);
|
||||
req.flush([]);
|
||||
});
|
||||
});
|
||||
42
apps/self-service/src/app/app.config.ts
Normal file
42
apps/self-service/src/app/app.config.ts
Normal file
@@ -0,0 +1,42 @@
|
||||
import { provideHttpClient, withInterceptors } from '@angular/common/http';
|
||||
import {
|
||||
ApplicationConfig,
|
||||
provideBrowserGlobalErrorListeners,
|
||||
} from '@angular/core';
|
||||
import { provideRouter } from '@angular/router';
|
||||
import { authInterceptor, provideDigiadAuth } from 'auth';
|
||||
import { appRoutes } from './app.routes';
|
||||
|
||||
/** Environment-specific settings fetched from /config.json at startup (see main.ts). */
|
||||
export interface RuntimeConfig {
|
||||
/** The Keycloak `digid` realm issuer as the browser reaches it (dev: localhost; compose: keycloak:8080). */
|
||||
authority: string;
|
||||
}
|
||||
|
||||
/**
|
||||
* Route prefixes whose requests carry the DigiD token. These MUST match the **relative** URLs the
|
||||
* api-client actually calls (same-origin via the nginx proxy) — the interceptor matches on `req.url`,
|
||||
* which stays relative, so an absolute origin would never match and the token would go unattached.
|
||||
* `/openbaar/` is deliberately excluded: it is the anonymous public register.
|
||||
*/
|
||||
export const SECURE_API_ROUTES = ['/self-service/'];
|
||||
|
||||
/**
|
||||
* Build the app providers from runtime config. `redirectUrl` is the app's own origin (where Keycloak
|
||||
* redirects back). `secureRoutes` uses {@link SECURE_API_ROUTES} — relative prefixes, not the origin.
|
||||
*/
|
||||
export function appConfig(runtime: RuntimeConfig): ApplicationConfig {
|
||||
const origin = typeof window !== 'undefined' ? window.location.origin : '/';
|
||||
return {
|
||||
providers: [
|
||||
provideBrowserGlobalErrorListeners(),
|
||||
provideRouter(appRoutes),
|
||||
provideHttpClient(withInterceptors([authInterceptor()])),
|
||||
provideDigiadAuth({
|
||||
authority: runtime.authority,
|
||||
redirectUrl: origin,
|
||||
secureRoutes: SECURE_API_ROUTES,
|
||||
}),
|
||||
],
|
||||
};
|
||||
}
|
||||
0
apps/self-service/src/app/app.css
Normal file
0
apps/self-service/src/app/app.css
Normal file
1
apps/self-service/src/app/app.html
Normal file
1
apps/self-service/src/app/app.html
Normal file
@@ -0,0 +1 @@
|
||||
<router-outlet></router-outlet>
|
||||
7
apps/self-service/src/app/app.routes.ts
Normal file
7
apps/self-service/src/app/app.routes.ts
Normal file
@@ -0,0 +1,7 @@
|
||||
import { Route } from '@angular/router';
|
||||
import { authenticatedGuard } from 'auth';
|
||||
import { RegistrationPage } from './registration/registration-page';
|
||||
|
||||
export const appRoutes: Route[] = [
|
||||
{ path: '', component: RegistrationPage, canActivate: [authenticatedGuard] },
|
||||
];
|
||||
15
apps/self-service/src/app/app.spec.ts
Normal file
15
apps/self-service/src/app/app.spec.ts
Normal file
@@ -0,0 +1,15 @@
|
||||
import { provideRouter } from '@angular/router';
|
||||
import { render, screen } from '@testing-library/angular';
|
||||
import { App } from './app';
|
||||
|
||||
describe('App', () => {
|
||||
it('renders the router outlet shell', async () => {
|
||||
const { container } = await render(App, {
|
||||
providers: [provideRouter([])],
|
||||
});
|
||||
|
||||
// The shell is a thin host for routed pages (the RegistrationPage owns the heading).
|
||||
expect(container.querySelector('router-outlet')).toBeTruthy();
|
||||
expect(screen).toBeTruthy();
|
||||
});
|
||||
});
|
||||
12
apps/self-service/src/app/app.ts
Normal file
12
apps/self-service/src/app/app.ts
Normal file
@@ -0,0 +1,12 @@
|
||||
import { Component } from '@angular/core';
|
||||
import { RouterModule } from '@angular/router';
|
||||
|
||||
@Component({
|
||||
imports: [RouterModule],
|
||||
selector: 'app-root',
|
||||
templateUrl: './app.html',
|
||||
styleUrl: './app.css',
|
||||
})
|
||||
export class App {
|
||||
protected title = 'self-service';
|
||||
}
|
||||
@@ -0,0 +1,27 @@
|
||||
<main utrecht-document class="utrecht-theme">
|
||||
<utrecht-article>
|
||||
<utrecht-heading-1>Zelfservice — BIG-registratie</utrecht-heading-1>
|
||||
|
||||
@if (submitted()) {
|
||||
<p utrecht-paragraph role="status">
|
||||
Uw registratie is ontvangen. Referentie: {{ reference() }}.
|
||||
</p>
|
||||
} @else {
|
||||
<p utrecht-paragraph>U bent ingelogd met BSN {{ bsn() }}.</p>
|
||||
@if (failed()) {
|
||||
<p utrecht-paragraph role="alert">
|
||||
Er ging iets mis bij het indienen van uw registratie. Probeer het opnieuw.
|
||||
</p>
|
||||
}
|
||||
<button
|
||||
utrecht-button
|
||||
appearance="primary-action-button"
|
||||
type="button"
|
||||
[disabled]="submitting()"
|
||||
(click)="submit()"
|
||||
>
|
||||
Registratie indienen
|
||||
</button>
|
||||
}
|
||||
</utrecht-article>
|
||||
</main>
|
||||
@@ -0,0 +1,71 @@
|
||||
import { signal } from '@angular/core';
|
||||
import { fireEvent, render, screen } from '@testing-library/angular';
|
||||
import { of, throwError } from 'rxjs';
|
||||
import { AuthService } from 'auth';
|
||||
import { BffApiV1Service } from 'api-client';
|
||||
import { axe } from 'vitest-axe';
|
||||
import { RegistrationPage } from './registration-page';
|
||||
|
||||
class FakeAuth extends AuthService {
|
||||
readonly isAuthenticated = signal(true);
|
||||
readonly bsn = signal<string | undefined>('123456782');
|
||||
login(): void {
|
||||
/* noop */
|
||||
}
|
||||
logout(): void {
|
||||
/* noop */
|
||||
}
|
||||
}
|
||||
|
||||
function providers(post = vi.fn().mockReturnValue(of({ registrationId: 'reg-9', status: 'Ingediend' }))) {
|
||||
return {
|
||||
post,
|
||||
providers: [
|
||||
{ provide: AuthService, useClass: FakeAuth },
|
||||
{ provide: BffApiV1Service, useValue: { postSelfServiceRegistrations: post } },
|
||||
],
|
||||
};
|
||||
}
|
||||
|
||||
describe('RegistrationPage', () => {
|
||||
it('shows the signed-in BSN', async () => {
|
||||
await render(RegistrationPage, { providers: providers().providers });
|
||||
expect(screen.getByText(/123456782/)).toBeTruthy();
|
||||
});
|
||||
|
||||
it('submits the registration and confirms', async () => {
|
||||
const { post, providers: p } = providers();
|
||||
await render(RegistrationPage, { providers: p });
|
||||
|
||||
fireEvent.click(screen.getByRole('button', { name: /indienen/i }));
|
||||
|
||||
expect(post).toHaveBeenCalledTimes(1);
|
||||
expect(await screen.findByText(/ontvangen/i)).toBeTruthy();
|
||||
});
|
||||
|
||||
it('shows an error and keeps the submit available when the BFF call fails', async () => {
|
||||
const { post, providers: p } = providers(vi.fn().mockReturnValue(throwError(() => new Error('BFF rejected'))));
|
||||
await render(RegistrationPage, { providers: p });
|
||||
|
||||
fireEvent.click(screen.getByRole('button', { name: /indienen/i }));
|
||||
|
||||
expect(post).toHaveBeenCalledTimes(1);
|
||||
// The failure is surfaced (not swallowed), the confirmation is not shown, and the user can retry.
|
||||
expect(await screen.findByRole('alert')).toBeTruthy();
|
||||
expect(screen.queryByText(/ontvangen/i)).toBeNull();
|
||||
expect(screen.getByRole('button', { name: /indienen/i })).toBeTruthy();
|
||||
});
|
||||
|
||||
it('has no WCAG 2.1 AA violations on the submit page', async () => {
|
||||
// The portal is Dutch; the real index.html sets lang. Set it here so the document-level
|
||||
// html-has-lang rule reflects the app, not the bare jsdom document.
|
||||
document.documentElement.lang = 'nl';
|
||||
const { container } = await render(RegistrationPage, { providers: providers().providers });
|
||||
|
||||
const results = await axe(container, {
|
||||
runOnly: { type: 'tag', values: ['wcag2a', 'wcag2aa', 'wcag21a', 'wcag21aa'] },
|
||||
});
|
||||
|
||||
expect(results.violations).toEqual([]);
|
||||
});
|
||||
});
|
||||
42
apps/self-service/src/app/registration/registration-page.ts
Normal file
42
apps/self-service/src/app/registration/registration-page.ts
Normal file
@@ -0,0 +1,42 @@
|
||||
import { Component, inject, signal } from '@angular/core';
|
||||
import { BffApiV1Service, type SubmitAccepted } from 'api-client';
|
||||
import { AuthService } from 'auth';
|
||||
import { UtrechtComponentsModule } from 'ui';
|
||||
|
||||
/**
|
||||
* The self-service submit page: a signed-in zorgprofessional confirms and submits their BIG
|
||||
* registration. The bsn comes from the DigiD token (not a form field), so this is a confirm-and-
|
||||
* submit flow that posts to the BFF and shows the returned reference (ADR-0010; S-08c).
|
||||
*/
|
||||
@Component({
|
||||
selector: 'app-registration-page',
|
||||
imports: [UtrechtComponentsModule],
|
||||
templateUrl: './registration-page.html',
|
||||
})
|
||||
export class RegistrationPage {
|
||||
private readonly auth = inject(AuthService);
|
||||
private readonly bff = inject(BffApiV1Service);
|
||||
|
||||
protected readonly bsn = this.auth.bsn;
|
||||
protected readonly submitting = signal(false);
|
||||
protected readonly reference = signal<string | undefined>(undefined);
|
||||
protected readonly submitted = signal(false);
|
||||
protected readonly failed = signal(false);
|
||||
|
||||
submit(): void {
|
||||
this.submitting.set(true);
|
||||
this.failed.set(false);
|
||||
this.bff.postSelfServiceRegistrations().subscribe({
|
||||
next: (accepted: SubmitAccepted) => {
|
||||
this.reference.set(accepted.registrationId);
|
||||
this.submitted.set(true);
|
||||
this.submitting.set(false);
|
||||
},
|
||||
// Surface the failure instead of swallowing it: re-enable the button so the user can retry.
|
||||
error: () => {
|
||||
this.failed.set(true);
|
||||
this.submitting.set(false);
|
||||
},
|
||||
});
|
||||
}
|
||||
}
|
||||
13
apps/self-service/src/index.html
Normal file
13
apps/self-service/src/index.html
Normal file
@@ -0,0 +1,13 @@
|
||||
<!doctype html>
|
||||
<html lang="nl">
|
||||
<head>
|
||||
<meta charset="utf-8" />
|
||||
<title>self-service</title>
|
||||
<base href="/" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
||||
<link rel="icon" type="image/x-icon" href="favicon.ico" />
|
||||
</head>
|
||||
<body>
|
||||
<app-root></app-root>
|
||||
</body>
|
||||
</html>
|
||||
10
apps/self-service/src/main.ts
Normal file
10
apps/self-service/src/main.ts
Normal file
@@ -0,0 +1,10 @@
|
||||
import { bootstrapApplication } from '@angular/platform-browser';
|
||||
import { App } from './app/app';
|
||||
import { appConfig, type RuntimeConfig } from './app/app.config';
|
||||
|
||||
// Load environment config before bootstrap so the OIDC authority is set per environment
|
||||
// (dev: localhost; compose: keycloak:8080) from a single build — 12-factor (S-08d).
|
||||
fetch('config.json')
|
||||
.then((response) => response.json() as Promise<RuntimeConfig>)
|
||||
.then((config) => bootstrapApplication(App, appConfig(config)))
|
||||
.catch((err) => console.error(err));
|
||||
2
apps/self-service/src/styles.css
Normal file
2
apps/self-service/src/styles.css
Normal file
@@ -0,0 +1,2 @@
|
||||
/* NL Design System theme — Utrecht design tokens (docs/frontend-decisions.md). */
|
||||
@import '@utrecht/design-tokens/dist/index.css';
|
||||
9
apps/self-service/tsconfig.app.json
Normal file
9
apps/self-service/tsconfig.app.json
Normal file
@@ -0,0 +1,9 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": []
|
||||
},
|
||||
"include": ["src/**/*.ts"],
|
||||
"exclude": ["src/**/*.spec.ts", "src/**/*.test.ts"]
|
||||
}
|
||||
31
apps/self-service/tsconfig.json
Normal file
31
apps/self-service/tsconfig.json
Normal file
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"extends": "../../tsconfig.base.json",
|
||||
"compilerOptions": {
|
||||
"strict": true,
|
||||
"noImplicitOverride": true,
|
||||
"noPropertyAccessFromIndexSignature": true,
|
||||
"noImplicitReturns": true,
|
||||
"noFallthroughCasesInSwitch": true,
|
||||
"isolatedModules": true,
|
||||
"target": "es2022",
|
||||
"moduleResolution": "bundler",
|
||||
"emitDecoratorMetadata": false,
|
||||
"module": "preserve"
|
||||
},
|
||||
"angularCompilerOptions": {
|
||||
"enableI18nLegacyMessageIdFormat": false,
|
||||
"strictInjectionParameters": true,
|
||||
"strictInputAccessModifiers": true,
|
||||
"strictTemplates": true
|
||||
},
|
||||
"files": [],
|
||||
"include": [],
|
||||
"references": [
|
||||
{
|
||||
"path": "./tsconfig.app.json"
|
||||
},
|
||||
{
|
||||
"path": "./tsconfig.spec.json"
|
||||
}
|
||||
]
|
||||
}
|
||||
8
apps/self-service/tsconfig.spec.json
Normal file
8
apps/self-service/tsconfig.spec.json
Normal file
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": ["vitest/globals"]
|
||||
},
|
||||
"include": ["src/**/*.ts", "src/**/*.d.ts"]
|
||||
}
|
||||
88
docs/architecture/adr-0009-external-task-job-worker.md
Normal file
88
docs/architecture/adr-0009-external-task-job-worker.md
Normal file
@@ -0,0 +1,88 @@
|
||||
# ADR-0009: The Domain Service drives Flowable as an external-task job worker
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-06-30
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-05 (#6); proposal #60; builds on ADR-0001 (loose coupling, §8.1/§8.2), S-03 (#4, the `registratie` BPMN), S-04 (#5, the ACL `OpenZaak` operation)
|
||||
|
||||
## Context
|
||||
|
||||
S-05 (#6) adds the **BIG Domain Service**. Submitting a registration must: create a
|
||||
`Registration` aggregate, **start the Flowable `registratie` process** (S-03), have the
|
||||
`OpenZaakAanmaken` task **open a zaak via the ACL** (S-04), and store the resulting zaak URL
|
||||
back on the aggregate.
|
||||
|
||||
`OpenZaakAanmaken` is a Flowable **external-worker** service task (`flowable:type="external-worker"`,
|
||||
topic `OpenZaakAanmaken`). Flowable does not push it anywhere — it parks the job and waits for a
|
||||
worker to **acquire and lock** it, do the work, and **complete** it. Two coupling rules constrain
|
||||
who may do what:
|
||||
|
||||
- **§8.2 — the Workflow Client is the only code that talks to Flowable.** BPMN models never embed
|
||||
OpenZaak knowledge; they ask the Workflow Client to execute external tasks.
|
||||
- **§8.1 — the ACL is the only code that talks to ZGW.** The worker opens the zaak *through the ACL*,
|
||||
never by constructing ZGW URLs itself.
|
||||
|
||||
This is an ADR-worthy moment (§14): a service boundary is defined and both coupling rules are
|
||||
exercised. The open question is *how* the external task is driven.
|
||||
|
||||
## Decision
|
||||
|
||||
**The Domain Service drives the `OpenZaakAanmaken` task as a hosted external-task job worker
|
||||
(PRD §36). Orchestration is eventually consistent, not request-synchronous.**
|
||||
|
||||
- **`POST /registrations` is fast and side-effecting only on the domain side.** It creates the
|
||||
`Registration` aggregate in state `INGEDIEND`, persists it, and asks the Workflow Client to start
|
||||
one `registratie` process instance, recording the process-instance id on the aggregate. It returns
|
||||
immediately; it does **not** wait for the zaak to be opened.
|
||||
- **A hosted worker polls Flowable for `OpenZaakAanmaken` jobs.** It acquires and locks a job, calls
|
||||
the ACL `OpenZaak` operation (§8.1), attaches the returned zaak URL to the matching aggregate
|
||||
(`Registration.AttachZaak`), and completes the job in Flowable. The process then runs to its end
|
||||
event.
|
||||
- **The Workflow Client is the only Flowable client (§8.2).** It lives in the Domain Service's
|
||||
`Infrastructure` layer and speaks Flowable's REST API (start process-instance; acquire/lock/complete
|
||||
external-worker jobs). No other code — not the Application layer, not the BPMN — knows Flowable
|
||||
exists.
|
||||
- **The worker *logic* is an Application service over ports**, not Flowable-aware code. `OpenZaakWorker`
|
||||
takes an acquired job (topic + the registration id it carries), calls `IAclClient` and
|
||||
`IRegistrationStore`, and returns the zaak URL to complete with. The **polling loop** is a thin
|
||||
`BackgroundService` in `Infrastructure` that fetches jobs via the Workflow Client and feeds them to
|
||||
the worker. So the orchestration is covered by fast unit tests against fakes; only the REST framing
|
||||
needs a container integration test.
|
||||
|
||||
## Scope decisions for the minimal slice
|
||||
|
||||
- **Registration persistence is in-memory.** The walking skeleton's *read* path is fed by
|
||||
NRC → Event Subscriber → projection (S-06, #7), not by the domain database. An EF-backed domain
|
||||
store buys nothing the demo needs yet, so it is a documented follow-up; the `IRegistrationStore`
|
||||
port keeps that change additive. (PRD §88 envisions EF Core for the domain DB eventually.)
|
||||
- **The aggregate's state machine is minimal:** `INGEDIEND` on submission. Later flows (withdrawal,
|
||||
beoordeling, herregistratie) add states in their own slices — they are out of scope here.
|
||||
- **No bsn flows to ZGW yet.** The ACL `OpenZaak` operation already default-fills the ZGW-mandatory
|
||||
fields (ADR-0003) and takes the bsn as its domain payload; the domain hands it through unchanged.
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Positive:** the submit request is decoupled from ACL/OpenZaak latency; the documented Common
|
||||
Ground pattern (external-task worker) is realised; both coupling rules (§8.1, §8.2) hold with the
|
||||
Flowable knowledge isolated to one Infrastructure class; the orchestration is unit-testable.
|
||||
- **Negative / deferred:**
|
||||
- Eventual consistency: immediately after `POST /registrations` the aggregate has no zaak URL yet.
|
||||
Acceptable — the read side is the projection, not the domain store.
|
||||
- In-memory registration state is lost on restart; fine for the skeleton, replaced by an EF store
|
||||
in a follow-up.
|
||||
- The worker polls (no push); poll interval is a tuning knob, not a correctness concern, since
|
||||
Flowable holds the job until completed.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **Synchronous acquire+complete inside the `POST /registrations` request** — rejected: simpler and
|
||||
deterministic, but couples the submit request to ACL/OpenZaak latency and failure, and is not the
|
||||
external-task worker pattern PRD §36 mandates. It would also make the request fail if OpenZaak is
|
||||
briefly down, instead of the job simply staying parked for the worker to retry.
|
||||
- **A standalone Workflow Client service, separate from the Domain Service** — rejected for this
|
||||
slice: the worker needs the domain's aggregate store and the ACL client anyway, and PRD §9 places
|
||||
the Workflow Client inside the Domain Service deployment. A separate process adds a hop and a
|
||||
shared store for no current benefit.
|
||||
- **Flowable pushes to a webhook instead of being polled** — rejected: Flowable's external-worker
|
||||
model is pull-based (acquire/lock/complete); a push shim would re-implement it with weaker
|
||||
delivery guarantees.
|
||||
74
docs/architecture/adr-0010-bff-oidc.md
Normal file
74
docs/architecture/adr-0010-bff-oidc.md
Normal file
@@ -0,0 +1,74 @@
|
||||
# ADR-0010: The BFF validates Keycloak tokens and is the portals' only backend
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-07-01
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-07 (#8); proposal #63; builds on ADR-0001 (loose coupling, §8.3), S-02 (#3, Keycloak realms), S-05 (#6, Domain Service), S-06 (#7, read projection)
|
||||
|
||||
## Context
|
||||
|
||||
S-07 (#8) adds the **BFF (Backend-for-Frontend)** — the single backend the Angular portals talk
|
||||
to (CLAUDE.md §8.3). For the walking skeleton it exposes two endpoints and fans out to services
|
||||
already built:
|
||||
|
||||
- `POST /self-service/registrations` → Domain Service `POST /registrations` (S-05).
|
||||
- `GET /openbaar/register?q=…` → projection-api `GET /register` (S-06).
|
||||
|
||||
It must validate tokens issued by Keycloak (S-02). This is an ADR-worthy moment (§14): a new
|
||||
dependency (JWT bearer authentication) and two new service boundaries (BFF→domain, BFF→projection).
|
||||
|
||||
## Decision
|
||||
|
||||
**The BFF is the portals' only backend; it validates Keycloak `digid`-realm JWTs on the
|
||||
self-service endpoint, leaves the openbaar lookup anonymous, and fans out to the domain and
|
||||
projection over typed HTTP clients.**
|
||||
|
||||
- **Auth model.** `POST /self-service/registrations` requires a valid `digid`-realm bearer token;
|
||||
the BFF reads the `bsn` claim and forwards it to the domain. Missing / invalid / expired token →
|
||||
**401**. `GET /openbaar/register` is **anonymous** — the openbaar register is a public lookup
|
||||
(S-09), so no token is required.
|
||||
- **Portals talk only to the BFF (§8.3).** They never call the Domain Service, ACL, projection, or
|
||||
OpenZaak directly. The BFF orchestrates via typed `HttpClient`s whose base URLs come from config.
|
||||
Downstream calls are unauthenticated on the internal network for the walking skeleton; a
|
||||
service-to-service auth story (e.g. client-credentials) is a later slice, not this one.
|
||||
- **Validation is `Microsoft.AspNetCore.Authentication.JwtBearer`** pointed at the Keycloak `digid`
|
||||
realm authority. **New dependency justification:** it gives us standards-based OIDC/JWT validation
|
||||
(signature, issuer, expiry, audience) maintained by the framework; rolling our own JWT validation
|
||||
would be error-prone security code; the risk is a first-party ASP.NET Core package — minimal.
|
||||
- **Tests mint their own tokens.** `WebApplicationFactory` tests override the bearer options with a
|
||||
**test signing key**, so valid / invalid / expired tokens are minted in-process without a live
|
||||
Keycloak. Real Keycloak validation is exercised by a live-stack `verify-bff` check.
|
||||
- **OpenAPI is generated and committed** (`services/bff/openapi.json`) from .NET's built-in OpenAPI,
|
||||
so S-08's Angular client is generated from the spec, never hand-written (§10).
|
||||
|
||||
## Known wrinkle — container OIDC issuer mismatch
|
||||
|
||||
Keycloak stamps tokens with an `iss` equal to its **browser-facing** URL (what the portal used to
|
||||
log in), which differs from the BFF's **in-container** authority (`http://keycloak:8080/realms/digid`).
|
||||
Strict issuer validation then rejects otherwise-valid tokens. Unit tests avoid this (test key).
|
||||
`verify-bff` handles it by aligning the configured authority/issuer with the token's `iss` (and, if
|
||||
needed, disabling metadata address rewriting). Recorded so it is not rediscovered each time.
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Positive:** the walking skeleton gains its front door; §8.3 holds with all portal traffic going
|
||||
through one backend; token validation is standard and testable without infra; the committed
|
||||
OpenAPI unblocks S-08.
|
||||
- **Negative / deferred:**
|
||||
- Downstream service-to-service auth is deferred (internal-network trust for now).
|
||||
- The openbaar endpoint is anonymous; when public-safe field filtering tightens (S-09) it stays
|
||||
anonymous but the projection query narrows.
|
||||
- The issuer-mismatch handling is dev-oriented; a production reverse-proxy setup would align the
|
||||
browser and internal issuer URLs instead.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **Token-gate the openbaar endpoint too** — rejected: the openbaar register is public by design
|
||||
(S-09); requiring a login would contradict the slice's intent.
|
||||
- **Validate tokens by calling Keycloak's introspection endpoint per request** — rejected: adds a
|
||||
network hop per call and a Keycloak dependency on the hot path; local JWT signature validation via
|
||||
the realm's JWKS is the standard, faster choice.
|
||||
- **Hand-written JWT parsing** — rejected: security-sensitive code we shouldn't own when a
|
||||
first-party validator exists.
|
||||
- **Generate the OpenAPI client by hand / keep the spec uncommitted** — rejected: §10 requires a
|
||||
generated client from a committed spec.
|
||||
@@ -5,6 +5,141 @@ copy-pasteable walkthrough against a local `make up` stack.
|
||||
|
||||
---
|
||||
|
||||
## S-08d — Walking skeleton complete: browser → submit, end-to-end
|
||||
|
||||
**Outcome:** the self-service portal is served in the stack and the full front-of-house happy path
|
||||
runs in a real browser — **mock DigiD login → submit → confirmation** — closing the walking skeleton
|
||||
(portal → BFF → domain → Flowable → ACL → OpenZaak, with the openbaar register reading the projection).
|
||||
|
||||
```bash
|
||||
# 1. Bring the whole stack up (portal served on :8140, BFF :8080, Keycloak :8180).
|
||||
make up
|
||||
|
||||
# 2. Automated happy path — Playwright, inside the compose network (issuer-consistent):
|
||||
make verify-e2e # → login as jan-burger → submit → "ontvangen" confirmation
|
||||
|
||||
# 3. By hand: open the portal, log in as jan-burger / test123, click "Registratie indienen".
|
||||
open http://localhost:8140
|
||||
```
|
||||
|
||||
> The portal is served same-origin with the BFF (nginx proxies `/self-service` + `/openbaar`), so no
|
||||
> CORS; the OIDC authority comes from `/config.json` at runtime. See `docs/frontend-decisions.md`.
|
||||
|
||||
---
|
||||
|
||||
## S-08c — Self-service submit form (NL Design System + DigiD)
|
||||
|
||||
**Outcome:** a zorgprofessional logs in via mock DigiD and submits a BIG registration through the
|
||||
self-service portal (NL Design System styling); the page confirms with the reference returned by the
|
||||
BFF. The bsn comes from the DigiD token, so it's a confirm-and-submit flow (no bsn field).
|
||||
|
||||
```bash
|
||||
# 1. Bring the backend + Keycloak up (BFF on :8080, Keycloak on :8180).
|
||||
make up
|
||||
|
||||
# 2. Serve the portal (dev server); it redirects to Keycloak for DigiD login.
|
||||
pnpm nx serve self-service # → http://localhost:4200
|
||||
|
||||
# 3. In the browser: log in as the mock DigiD user jan-burger / test123, then submit.
|
||||
# The page shows the returned registration reference.
|
||||
```
|
||||
|
||||
> First real UI. The full **login → submit → success** happy path is automated in **S-08d**
|
||||
> (Playwright, against the compose-served app). Component tests + an axe WCAG 2.1 AA check on the
|
||||
> submit page run headless in the `frontend` CI lane. See `docs/frontend-decisions.md`.
|
||||
|
||||
---
|
||||
|
||||
## S-08a — Nx workspace + self-service portal skeleton
|
||||
|
||||
**Outcome:** the frontend foundation — an Nx (pnpm) monorepo with the `self-service` Angular app
|
||||
(standalone + signals), lint/test/build green in a CI Node lane. The login + submit form follow in
|
||||
S-08c.
|
||||
|
||||
```bash
|
||||
# From a fresh clone (Node 24 + pnpm 11):
|
||||
pnpm install # native builds are pre-approved in pnpm-workspace.yaml
|
||||
pnpm nx test self-service # Vitest component test
|
||||
pnpm nx build self-service # production build
|
||||
pnpm nx serve self-service # → http://localhost:4200 (placeholder page)
|
||||
# Or the CI-equivalent one-shot:
|
||||
make frontend # install + nx lint/test/build
|
||||
```
|
||||
|
||||
> Nx manages only `apps/`+`libs/`; the .NET services stay on `dotnet`/the Makefile. NL Design System
|
||||
> and the real form arrive in S-08c (#67); see `docs/frontend-decisions.md`.
|
||||
|
||||
---
|
||||
|
||||
## S-07 — BFF: the portals' single backend
|
||||
|
||||
**Outcome:** the BFF validates Keycloak `digid` tokens on the self-service submit (forwarding the
|
||||
bsn to the domain) and serves the openbaar register anonymously with only public-safe fields — the
|
||||
front door the portals (S-08/S-09) will talk to.
|
||||
|
||||
**The path:** portal → BFF `POST /self-service/registrations` (token-gated) → domain; and
|
||||
BFF `GET /openbaar/register` (anonymous) → projection-api. See ADR-0010.
|
||||
|
||||
```bash
|
||||
# 1. Bring the full stack up.
|
||||
make up
|
||||
|
||||
# 2. Drive the BFF end-to-end (401 without a token, 202 with a real digid token, anonymous openbaar).
|
||||
make verify-bff # → "OK — BFF: 401 without token, 202 with a digid token, anonymous ..."
|
||||
|
||||
# 3. Try it by hand (BFF on host port 8080).
|
||||
# a) A digid access token for the mock user jan-burger (bsn 123456782):
|
||||
tok=$(curl -s -X POST http://localhost:8180/realms/digid/protocol/openid-connect/token \
|
||||
-d grant_type=password -d client_id=big-portal -d username=jan-burger -d password=test123 \
|
||||
| python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")
|
||||
|
||||
# b) Submit — without the token it is 401; with it, 202:
|
||||
curl -s -o /dev/null -w "no token -> %{http_code}\n" -X POST http://localhost:8080/self-service/registrations
|
||||
curl -s -o /dev/null -w "with token-> %{http_code}\n" -X POST http://localhost:8080/self-service/registrations \
|
||||
-H "Authorization: Bearer $tok"
|
||||
|
||||
# c) The openbaar register is anonymous and exposes only id + status (never the bsn):
|
||||
curl -fsS http://localhost:8080/openbaar/register | jq
|
||||
```
|
||||
|
||||
> The self-service token is validated against Keycloak's `digid` realm; the openbaar lookup needs no
|
||||
> token (S-09). The generated contract lives at `services/bff/openapi.json` — S-08's client is built
|
||||
> from it.
|
||||
|
||||
---
|
||||
|
||||
## S-05 — BIG Domain Service: submit a registration
|
||||
|
||||
**Outcome:** submitting a registration starts a Flowable process; the external-task worker
|
||||
opens a zaak via the ACL and records it on the aggregate — the upstream half of the skeleton
|
||||
that produces the zaak S-06 then projects.
|
||||
|
||||
**The path:** domain `POST /registrations` → Flowable `registratie` process → `OpenZaakAanmaken`
|
||||
worker → ACL → OpenZaak; `GET /registrations/{id}` shows the opened zaak (ADR-0009).
|
||||
|
||||
```bash
|
||||
# 1. Bring the full stack up (seeds config, builds our services, waits for health).
|
||||
make up
|
||||
|
||||
# 2. Drive the full path end-to-end. This also seeds a published BIG zaaktype and points the
|
||||
# ACL at it (the zaak's zaaktype URL is server-assigned, so it isn't known at bring-up).
|
||||
make verify-domain # → "OK — the domain opened a zaak and recorded it on the registration"
|
||||
|
||||
# 3. Submit one yourself (domain on host port 8130). Returns 202 + a Location to read back.
|
||||
loc=$(curl -fsS -D - -o /dev/null -X POST http://localhost:8130/registrations \
|
||||
-H 'Content-Type: application/json' -d '{"bsn":"123456782"}' | sed -n 's/\r$//; s/^[Ll]ocation: //p')
|
||||
|
||||
# 4. The worker opens the zaak off the request path (eventual consistency, ADR-0009); poll
|
||||
# until zaakUrl is filled. (Step 2 must have run first, so the ACL knows the zaaktype.)
|
||||
curl -fsS "http://localhost:8130$loc" | jq
|
||||
# → { "registrationId": "...", "status": "Ingediend", "zaakUrl": "http://.../zaken/api/v1/zaken/<uuid>" }
|
||||
```
|
||||
|
||||
> Registration state is in-memory for this slice (ADR-0009); the rebuildable read model is the
|
||||
> projection (S-06), fed by the very zaak this flow opens.
|
||||
|
||||
---
|
||||
|
||||
## S-06 — Event Subscriber + read projection
|
||||
|
||||
**Outcome:** a zaak created in OpenZaak flows through NRC to the Event Subscriber, which
|
||||
@@ -33,3 +168,32 @@ curl -fsS http://localhost:8120/register | jq 'length' # → unchanged
|
||||
|
||||
> `bsn` / `naam_placeholder` are deferred (ADR-0008) — the notification doesn't carry them and
|
||||
> the subscriber may not read OpenZaak directly (§8.1). They surface in a later slice.
|
||||
|
||||
---
|
||||
|
||||
## S-09 — Openbaar Register portal (public visibility)
|
||||
|
||||
**Outcome:** the entry a zorgprofessional submits via self-service becomes publicly visible in the
|
||||
anonymous openbaar register portal — closing the walking-skeleton loop (submit → process → projection
|
||||
→ public visibility).
|
||||
|
||||
**The path:** self-service submit → BFF → domain → (zaak) OpenZaak → NRC → Event Subscriber →
|
||||
projection → openbaar portal reads the BFF's public-safe `GET /openbaar/register`.
|
||||
|
||||
```bash
|
||||
# 1. Bring the full stack up (self-service :8140, openbaar :8141).
|
||||
make up
|
||||
|
||||
# 2. Submit a registration via the self-service portal (mock DigiD: jan-burger / test123),
|
||||
# or drive the whole happy path automatically (login → submit → public visibility):
|
||||
make verify-e2e
|
||||
|
||||
# 3. Open the public register — no login. It lists the submitted entry (id + status only).
|
||||
# Only public-safe fields cross the BFF: bsn / naam never appear.
|
||||
open http://localhost:8141/ # search box; searches the BFF by referentie
|
||||
curl -fsS http://localhost:8140/openbaar/register | jq # same public-safe view via the BFF proxy
|
||||
# → [ { "id": "<zaak-uuid>", "status": "INGEDIEND" } ]
|
||||
```
|
||||
|
||||
> The register shows `INGEDIEND` entries today; the approval transition to a terminal status
|
||||
> (e.g. `INGESCHREVEN`) lands with the approval flow (S-09b, #75).
|
||||
|
||||
119
docs/frontend-decisions.md
Normal file
119
docs/frontend-decisions.md
Normal file
@@ -0,0 +1,119 @@
|
||||
# Frontend decisions
|
||||
|
||||
A running log of frontend tooling and component decisions (CLAUDE.md §10). One entry per
|
||||
decision; record *why*, and note any deviation from NL Design System.
|
||||
|
||||
---
|
||||
|
||||
## Workspace & tooling (S-08a, #65)
|
||||
|
||||
The portals live in an **Nx monorepo at the repository root**, alongside the .NET `services/`.
|
||||
|
||||
- **Package manager: pnpm.** Native build scripts are approved explicitly in `pnpm-workspace.yaml`
|
||||
under `allowBuilds` (pnpm 11 fails the install otherwise). Node 24, pnpm 11.
|
||||
- **Angular, standalone components + signals, no NgModules** (§10). Apps are generated with
|
||||
`@nx/angular:application`.
|
||||
- **Unit tests: Vitest** via Angular's built-in `@angular/build:unit-test` (the `vitest-angular`
|
||||
runner). **Angular Testing Library** is added for component tests when the first real components
|
||||
land (S-08c); the S-08a placeholder uses a plain `TestBed` render assertion.
|
||||
- **Lint: ESLint** (flat config, `@nx/eslint`).
|
||||
- **Nx is scoped to `apps/` + `libs/` only.** The `@nx/docker` and `@nx/dotnet` plugins are **not**
|
||||
installed — the .NET services are built by `dotnet`/the Makefile, and `@nx/docker` would otherwise
|
||||
infer every `services/*/Dockerfile` as an unnamed Nx project and break the project graph.
|
||||
- **No Nx Cloud.** `nxCloudId` is stripped from `nx.json`; remote caching would depend on an
|
||||
external service, and the repo is Gitea-only (§8.7). Nx's "configure-ai-agents" additions
|
||||
(`.claude/settings.json`, a CLAUDE.md section referencing a GitHub marketplace) are **not**
|
||||
committed for the same reason.
|
||||
- **CI:** a `frontend` job (`make frontend` → `pnpm install --frozen-lockfile` + `nx run-many -t
|
||||
lint test build`) runs on pnpm + Node, with pinned action URLs (§15).
|
||||
|
||||
**NL Design System:** not yet introduced — the S-08a app is a placeholder. NL DS components arrive
|
||||
with the submit form (S-08c, #67); any deviation from NL DS will be recorded here.
|
||||
|
||||
---
|
||||
|
||||
## API client generator (S-08b, #66)
|
||||
|
||||
`libs/api-client` is **generated from `services/bff/openapi.json`** — never hand-written (§10).
|
||||
|
||||
- **Generator: orval** (`client: 'angular'`), a **node-based** generator (no Java, unlike
|
||||
`openapi-generator`), so it runs in the pnpm/Node CI lane. It emits an injectable
|
||||
`BffApiV1Service` using Angular's `HttpClient` — which means the DigiD bearer token can be attached
|
||||
by an **`HttpInterceptor`** (S-08c), the idiomatic Angular approach; a fetch-based SDK would bypass
|
||||
the interceptor pipeline.
|
||||
- **Config:** `libs/api-client/orval.config.ts` (single-file output into `src/lib/generated/`,
|
||||
`clean: true`, prettier). **Regenerate with `nx run api-client:generate`** after the BFF spec
|
||||
changes; the output is deterministic (idempotent), and `src/lib/generated/` is never hand-edited.
|
||||
- **Tested** against a mocked BFF via `HttpClientTesting` (`libs/api-client/src/lib/bff-api.spec.ts`).
|
||||
- The BFF endpoints carry no `operationId`, so orval synthesises method names
|
||||
(`postSelfServiceRegistrations`, `getOpenbaarRegister`); adding explicit operation ids to the BFF
|
||||
is a possible later polish.
|
||||
|
||||
---
|
||||
|
||||
## Self-service form: NL DS, DigiD auth, testing (S-08c, #67)
|
||||
|
||||
- **NL Design System via `@utrecht/component-library-angular`** (`libs/ui`) + `@utrecht/design-tokens`
|
||||
(imported once in `apps/self-service/src/styles.css`). Utrecht is NL DS's reference Angular
|
||||
implementation. Its v3 components are **NgModule-based, not standalone**, so `libs/ui` re-exports
|
||||
`UtrechtComponentsModule` (and the component classes, so the AOT compiler resolves the template
|
||||
directives through the barrel); standalone components consume it via `imports: [UtrechtComponentsModule]`.
|
||||
§10's "no NgModules in new code" governs *our* code — consuming a third-party module is fine.
|
||||
- **DigiD login via `angular-auth-oidc-client`** (`libs/auth`): auth-code + PKCE against the Keycloak
|
||||
`digid` realm (public client `big-portal`). A small **`AuthService` abstraction** (bsn /
|
||||
isAuthenticated / login) wraps the library so components and the `authenticatedGuard` depend on a
|
||||
mockable surface; a **token `HttpInterceptor`** attaches the bearer to BFF calls (secure route).
|
||||
The OIDC `authority`/`secureApiOrigin` are dev defaults in `app.config.ts`; the compose-served app
|
||||
overrides them (S-08d), and the browser-vs-container issuer alignment is handled there (ADR-0010).
|
||||
- **Testing:** component tests use **`@testing-library/angular`** (§10) with `AuthService` and the
|
||||
api-client mocked; the **axe** (`vitest-axe`) check runs scoped to WCAG 2.1 AA tags
|
||||
(`wcag2a/2aa/21a/21aa`) with the document `lang` set, asserting zero violations on the submit page.
|
||||
The real DigiD browser round-trip is exercised in S-08d (Playwright).
|
||||
- **Module boundaries:** replaced the demo eslint `depConstraints` (`scope:shop`/`scope:shared`, left
|
||||
over from the Nx angular template) with a permissive `*` default; scope/type tags can be
|
||||
introduced when the portal set grows.
|
||||
|
||||
---
|
||||
|
||||
## Serving + e2e (S-08d, #68)
|
||||
|
||||
- **Served by nginx, same-origin as the BFF.** The compose `self-service` image serves the built app
|
||||
and **reverse-proxies** `/self-service/*` + `/openbaar/*` to the `bff` service. Because the
|
||||
api-client uses **relative URLs**, the browser calls the app's own origin → nginx forwards to the
|
||||
BFF: **no CORS**, and the DigiD token (same-origin) is attached by the interceptor. nginx resolves
|
||||
the BFF at request time (a `resolver` + variable `proxy_pass`) so it starts before the BFF is up.
|
||||
- **Runtime config.** The app fetches `/config.json` before bootstrap (`main.ts`); `appConfig` is a
|
||||
factory. The dev default (`public/config.json`) points at `localhost:8180`; the Docker image bakes
|
||||
the compose value (`keycloak:8080`). One build, per-environment OIDC authority.
|
||||
- **e2e runs inside the compose network.** `infra/run-e2e-check.sh` runs Playwright in a container on
|
||||
`cg`, so the browser reaches Keycloak as `keycloak:8080` — the **same issuer** the BFF validates
|
||||
against (resolves the browser-vs-container mismatch, ADR-0010). It uses the official
|
||||
`mcr.microsoft.com/playwright:<version>` image with browsers pre-baked, rather than downloading
|
||||
~150 MB of Chromium on every run (issue #73) — the image tag is kept in lockstep with
|
||||
`tests/e2e/package.json`'s `@playwright/test` version. The spec is copied in (`docker cp`), not
|
||||
mounted, so it leaves nothing root-owned on the host. Wired as `verify-e2e` in the `verify-stack`
|
||||
CI job.
|
||||
- **e2e treats the portal origin as secure.** In-network the portal is served over plain HTTP on a
|
||||
non-localhost origin (`http://self-service`), which is **not a secure context**, so Web Crypto
|
||||
(`crypto.subtle`) is unavailable. angular-auth-oidc-client needs it for the PKCE code challenge, so
|
||||
`authorize()` throws and the login redirect never fires. Production runs behind HTTPS where this is
|
||||
a non-issue; rather than terminate TLS in the throwaway stack, the Playwright config passes
|
||||
`--unsafely-treat-insecure-origin-as-secure` (honoured only by the full `channel: 'chromium'`
|
||||
build, not the default headless-shell). This emulates the production HTTPS secure context without
|
||||
touching the app or its production config.
|
||||
- `tests/e2e` is a standalone Playwright project (its own `package.json`), not an Nx project — it's a
|
||||
live-stack check like the other `verify-*` runners, not part of the `frontend` unit lane.
|
||||
|
||||
## Openbaar Register portal (S-09, #10)
|
||||
|
||||
- **Anonymous, no auth.** The openbaar register is a public read, so `apps/openbaar` has no
|
||||
`angular-auth-oidc-client`, no interceptor, and no `config.json` — `main.ts` bootstraps `appConfig`
|
||||
directly with just `provideHttpClient` + `provideRouter`. This is the deliberate contrast to
|
||||
self-service and keeps the app trivially cacheable/CDN-able.
|
||||
- **Same-origin via nginx, like self-service.** The compose `openbaar` image serves the built app and
|
||||
reverse-proxies `/openbaar` to the BFF; the api-client's relative calls stay same-origin (no CORS).
|
||||
Served on `:8141`, health-checked over IPv4 (`127.0.0.1`), no Keycloak dependency.
|
||||
- **Public-safe by construction.** The portal only ever sees the BFF's `OpenbaarProjection.PublicView`
|
||||
(id + status); `bsn`/`naam` never leave the BFF. The e2e asserts the bsn never renders.
|
||||
- **Loads on open, filters on search.** `RegisterPage` fetches the full register on construction and
|
||||
re-queries `/openbaar/register?q=` on search — no client-side filtering, the BFF owns the query.
|
||||
@@ -14,6 +14,7 @@ those containers share a filesystem — or a `localhost` — breaks.
|
||||
| `docker compose up --wait` is unsupported / flaky | poll health with `docker inspect` | `infra/wait-healthy.sh` |
|
||||
| `pg_isready` passes before PostGIS is ready | add a `PostGIS_Version()` probe | the db healthchecks |
|
||||
| `upload-artifact@v4` fails ("not supported on GHES") | pin `@v3` | `.gitea/workflows/ci.yaml` (`mutation` job) |
|
||||
| `upload-artifact@v3` fails with "Artifact service responded with 500" | mark the upload `continue-on-error: true` (server-side; issue #62) | `.gitea/workflows/ci.yaml` (`mutation` job) |
|
||||
|
||||
---
|
||||
|
||||
@@ -125,6 +126,22 @@ guard. Inputs are the same (`name`, `path`, `if-no-files-found`), so it is a dro
|
||||
swap. Do **not** bump to `@v4` until act_runner advertises github.com-compatible
|
||||
artifact support.
|
||||
|
||||
**Second failure mode — the server's artifact backend returns 500.** Even on the
|
||||
correctly-pinned `@v3`, uploads can fail with:
|
||||
|
||||
```
|
||||
Create Artifact Container - Attempt 5 of 5 failed with error: Artifact service responded with 500
|
||||
::error::Create Artifact Container failed: Artifact service responded with 500
|
||||
```
|
||||
|
||||
This is the **Gitea server's** artifact storage failing (not the action's GHES guard),
|
||||
so it is outside the repo's control. Because the `mutation` job's upload steps run with
|
||||
`if: always()`, that 500 would fail the job even though the ratchet passed. **Fix:** mark
|
||||
the uploads `continue-on-error: true` (issue #62). The mutation *gate* is the Stryker
|
||||
ratchet — `make mutation`'s exit code fails the job on a real regression — so the report
|
||||
upload is best-effort: when the server's artifact storage is restored, reports publish
|
||||
again with no workflow change.
|
||||
|
||||
---
|
||||
|
||||
## 5. A runner process can't reach a service container's published port
|
||||
|
||||
48
eslint.config.mjs
Normal file
48
eslint.config.mjs
Normal file
@@ -0,0 +1,48 @@
|
||||
import nx from '@nx/eslint-plugin';
|
||||
|
||||
export default [
|
||||
...nx.configs['flat/base'],
|
||||
...nx.configs['flat/typescript'],
|
||||
...nx.configs['flat/javascript'],
|
||||
{
|
||||
ignores: [
|
||||
'**/dist',
|
||||
'**/vite.config.*.timestamp*',
|
||||
'**/vitest.config.*.timestamp*',
|
||||
],
|
||||
},
|
||||
{
|
||||
files: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
|
||||
rules: {
|
||||
'@nx/enforce-module-boundaries': [
|
||||
'error',
|
||||
{
|
||||
enforceBuildableLibDependency: true,
|
||||
allow: ['^.*/eslint(\\.base)?\\.config\\.[cm]?[jt]s$'],
|
||||
// Permissive default — apps/libs are untagged for now. Introduce scope/type tags
|
||||
// when the portal set grows (docs/frontend-decisions.md).
|
||||
depConstraints: [
|
||||
{
|
||||
sourceTag: '*',
|
||||
onlyDependOnLibsWithTags: ['*'],
|
||||
},
|
||||
],
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
files: [
|
||||
'**/*.ts',
|
||||
'**/*.tsx',
|
||||
'**/*.cts',
|
||||
'**/*.mts',
|
||||
'**/*.js',
|
||||
'**/*.jsx',
|
||||
'**/*.cjs',
|
||||
'**/*.mjs',
|
||||
],
|
||||
// Override or add rules here
|
||||
rules: {},
|
||||
},
|
||||
];
|
||||
@@ -285,7 +285,9 @@ services:
|
||||
dockerfile: Dockerfile
|
||||
image: register-referentie/acl:dev
|
||||
environment:
|
||||
Acl__OpenZaak__BaseUrl: http://openzaak:8000/
|
||||
# Overridable so verify-domain can point the ACL at the same OpenZaak host that
|
||||
# owns the seeded zaaktype URL (host-consistent zaak creation, ADR-0009).
|
||||
Acl__OpenZaak__BaseUrl: ${ACL_OPENZAAK_BASEURL:-http://openzaak:8000/}
|
||||
Acl__OpenZaak__ClientId: big-reference-seed
|
||||
Acl__OpenZaak__Secret: insecure-dev-secret-change-me
|
||||
Acl__Defaults__Bronorganisatie: "517439943"
|
||||
@@ -306,12 +308,49 @@ services:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
# ── BIG Domain Service (S-05) ──────────────────────────────────────────────
|
||||
# Orchestrates a registration: POST /registrations creates the aggregate and
|
||||
# starts the registratie Flowable process; a hosted worker acquires the
|
||||
# OpenZaakAanmaken job, opens a zaak via the ACL and completes it (ADR-0009).
|
||||
# Talks only to Flowable (Workflow Client, §8.2) and the ACL (§8.1).
|
||||
domain:
|
||||
build:
|
||||
context: ../services/domain
|
||||
dockerfile: Dockerfile
|
||||
image: register-referentie/domain:dev
|
||||
environment:
|
||||
Flowable__BaseUrl: http://flowable-rest:8080/flowable-rest/
|
||||
Flowable__Username: rest-admin
|
||||
Flowable__Password: test
|
||||
Acl__BaseUrl: http://acl:8080/
|
||||
ports:
|
||||
- "8130:8080"
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-fsS", "http://localhost:8080/health"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
depends_on:
|
||||
acl:
|
||||
condition: service_healthy
|
||||
flowable-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
# ── BFF ──────────────────────────────────────────────────────────────────
|
||||
bff:
|
||||
build:
|
||||
context: ../services/bff
|
||||
dockerfile: Dockerfile
|
||||
image: register-referentie/bff:dev
|
||||
environment:
|
||||
# The BFF is the portals' only backend; it validates digid tokens and fans out (ADR-0010).
|
||||
# Keycloak (start-dev) derives the issuer from the request host, so the BFF authority and the
|
||||
# verify token request both use keycloak:8080 to keep the issuer consistent.
|
||||
Keycloak__Authority: http://keycloak:8080/realms/digid
|
||||
Downstream__Domain__BaseUrl: http://domain:8080/
|
||||
Downstream__Projection__BaseUrl: http://projection-api:8080/
|
||||
ports:
|
||||
- "8080:8080"
|
||||
healthcheck:
|
||||
@@ -320,6 +359,13 @@ services:
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
depends_on:
|
||||
domain:
|
||||
condition: service_healthy
|
||||
projection-api:
|
||||
condition: service_healthy
|
||||
keycloak:
|
||||
condition: service_started
|
||||
networks: [cg]
|
||||
|
||||
# ── Read projection (S-06) ────────────────────────────────────────────────
|
||||
@@ -387,6 +433,52 @@ services:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
# ── Self-Service portal (S-08d) ────────────────────────────────────────────
|
||||
# nginx serves the Angular app and reverse-proxies /self-service + /openbaar to the BFF
|
||||
# (same-origin, no CORS). The Playwright e2e drives it inside this network so the DigiD
|
||||
# token issuer (keycloak:8080) matches the BFF's authority (ADR-0010).
|
||||
self-service:
|
||||
build:
|
||||
context: ..
|
||||
dockerfile: apps/self-service/Dockerfile
|
||||
image: register-referentie/self-service:dev
|
||||
ports:
|
||||
- "8140:80"
|
||||
healthcheck:
|
||||
# 127.0.0.1, not localhost: nginx listens on IPv4 only, but localhost resolves to ::1 first.
|
||||
test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1/ || exit 1"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
depends_on:
|
||||
bff:
|
||||
condition: service_healthy
|
||||
keycloak:
|
||||
condition: service_started
|
||||
networks: [cg]
|
||||
|
||||
# The openbaar (public) register portal: nginx serves the Angular app and reverse-proxies
|
||||
# /openbaar to the BFF. Anonymous — no DigiD, no Keycloak dependency (S-09).
|
||||
openbaar:
|
||||
build:
|
||||
context: ..
|
||||
dockerfile: apps/openbaar/Dockerfile
|
||||
image: register-referentie/openbaar:dev
|
||||
ports:
|
||||
- "8141:80"
|
||||
healthcheck:
|
||||
# 127.0.0.1, not localhost: nginx listens on IPv4 only, but localhost resolves to ::1 first.
|
||||
test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1/ || exit 1"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
depends_on:
|
||||
bff:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
volumes:
|
||||
oz-db:
|
||||
nrc-db:
|
||||
|
||||
@@ -210,6 +210,10 @@ def main():
|
||||
print(f"zaaktypen in BIG: {names}")
|
||||
assert "BIG-REGISTRATIE" in names, "BIG-REGISTRATIE not listed"
|
||||
state = "published" if PUBLISH else "concept"
|
||||
# Machine-readable line so callers (e.g. infra/run-domain-check.sh) can capture the
|
||||
# zaaktype URL to configure the ACL's default-fill (ADR-0003/0009).
|
||||
zt_url = next(z["url"] for z in zaaktypen if z.get("identificatie") == "BIG-REGISTRATIE")
|
||||
print(f"ZAAKTYPE_URL {zt_url}")
|
||||
print(f"OK — BIG catalogus seeded (BIG-REGISTRATIE {state} + bsn eigenschap)")
|
||||
|
||||
|
||||
|
||||
58
infra/run-bff-check.sh
Executable file
58
infra/run-bff-check.sh
Executable file
@@ -0,0 +1,58 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Verify the BFF end-to-end (S-07) against an ALREADY-RUNNING full stack. The BFF is the portals'
|
||||
# only backend (§8.3): it validates Keycloak digid tokens on the self-service submit and serves the
|
||||
# openbaar register anonymously with only public-safe fields (ADR-0010).
|
||||
#
|
||||
# Checks, in-network (services reached by container IP; Keycloak by its service name so the token's
|
||||
# host-derived issuer matches the BFF's authority — see the compose bff env and ADR-0010):
|
||||
# 1. POST /self-service/registrations without a token -> 401
|
||||
# 2. mint a real digid access token (direct grant) and POST it -> 202 (forwarded to the domain)
|
||||
# 3. GET /openbaar/register (anonymous) -> 200 JSON array, never a bsn
|
||||
#
|
||||
# Does NOT manage the stack lifecycle (the caller owns bring-up + teardown). Plain docker primitives.
|
||||
set -euo pipefail
|
||||
|
||||
ip() { docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"; }
|
||||
|
||||
bff="$(docker ps -q --filter 'name=[-_]bff[-_]' | head -1)"
|
||||
kc="$(docker ps -q --filter 'name=keycloak' | head -1)"
|
||||
[ -n "$bff" ] || { echo "ERROR: no running bff container — bring the stack up first" >&2; exit 1; }
|
||||
[ -n "$kc" ] || { echo "ERROR: no running keycloak container — bring the stack up first" >&2; exit 1; }
|
||||
net="$(docker inspect -f '{{range $k,$_ := .NetworkSettings.Networks}}{{$k}}{{"\n"}}{{end}}' "$bff" | head -1)"
|
||||
bff_ip="$(ip "$bff")"
|
||||
echo ">> bff=$bff_ip network=$net"
|
||||
|
||||
# Helper: run curl inside a throwaway container on the stack network (reaches services by name/IP).
|
||||
net_curl() { docker run --rm --network "$net" curlimages/curl:latest "$@"; }
|
||||
|
||||
echo ">> 1. self-service submit without a token must be 401"
|
||||
code="$(net_curl -s -o /dev/null -w '%{http_code}' -X POST "http://$bff_ip:8080/self-service/registrations" \
|
||||
-H 'Content-Type: application/json' -d '{}')"
|
||||
echo " -> $code"; [ "$code" = "401" ] || { echo "FAIL: expected 401, got $code" >&2; exit 1; }
|
||||
|
||||
echo ">> 2. minting a digid token (direct grant) via keycloak:8080 (host-consistent issuer)"
|
||||
token=""
|
||||
for _ in $(seq 1 20); do
|
||||
token="$(net_curl -s -X POST "http://keycloak:8080/realms/digid/protocol/openid-connect/token" \
|
||||
-H 'Content-Type: application/x-www-form-urlencoded' \
|
||||
--data-urlencode 'grant_type=password' --data-urlencode 'client_id=big-portal' \
|
||||
--data-urlencode 'username=jan-burger' --data-urlencode 'password=test123' \
|
||||
| sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')"
|
||||
[ -n "$token" ] && break
|
||||
sleep 3
|
||||
done
|
||||
[ -n "$token" ] || { echo "FAIL: could not obtain a digid access token" >&2; exit 1; }
|
||||
echo " -> got a token"
|
||||
|
||||
echo ">> 2b. self-service submit with the token must be 202"
|
||||
code="$(net_curl -s -o /dev/null -w '%{http_code}' -X POST "http://$bff_ip:8080/self-service/registrations" \
|
||||
-H "Authorization: Bearer $token" -H 'Content-Type: application/json' -d '{}')"
|
||||
echo " -> $code"; [ "$code" = "202" ] || { echo "FAIL: expected 202, got $code" >&2; docker logs "$bff" 2>&1 | tail -15 >&2; exit 1; }
|
||||
|
||||
echo ">> 3. openbaar register (anonymous) must be 200 JSON, never a bsn"
|
||||
body="$(net_curl -s "http://$bff_ip:8080/openbaar/register")"
|
||||
echo "$body" | grep -q '^\[' || { echo "FAIL: openbaar did not return a JSON array: $body" >&2; exit 1; }
|
||||
if echo "$body" | grep -q '"bsn"'; then echo "FAIL: openbaar leaked a bsn field" >&2; exit 1; fi
|
||||
|
||||
echo "OK — BFF: 401 without token, 202 with a digid token, anonymous public-safe openbaar register"
|
||||
68
infra/run-domain-check.sh
Executable file
68
infra/run-domain-check.sh
Executable file
@@ -0,0 +1,68 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Verify the BIG Domain Service end-to-end (S-05) against an ALREADY-RUNNING full stack:
|
||||
# domain → Flowable (start the registratie process + external-task worker) → ACL → OpenZaak.
|
||||
# Submits a registration to the domain and asserts the worker opens a zaak in OpenZaak and
|
||||
# records its URL on the aggregate (ADR-0009).
|
||||
#
|
||||
# The seeded zaaktype URL is server-assigned, so it isn't knowable at initial bring-up. This
|
||||
# script therefore seeds a published BIG zaaktype and recreates the `acl` service configured to
|
||||
# default-fill it — pointing the ACL at the SAME OpenZaak host that owns the URL, so zaak creation
|
||||
# is host-consistent (exactly the configuration the ACL integration test proves, ADR-0006). That
|
||||
# one recreate aside, the caller owns stack bring-up + teardown.
|
||||
#
|
||||
# All in-network, reaching services by container IP (a single-label host isn't URL-valid; the
|
||||
# runner can't reach published ports — gitea-actions-gotchas.md §5/§6). Plain docker primitives.
|
||||
set -euo pipefail
|
||||
|
||||
here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
root="$(cd "$here/.." && pwd)"
|
||||
compose="$root/infra/docker-compose.yml"
|
||||
|
||||
ip() { docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"; }
|
||||
|
||||
oz="$(docker ps -q --filter 'name=[-_]openzaak[-_]' | head -1)"
|
||||
dom="$(docker ps -q --filter 'name=domain' | head -1)"
|
||||
[ -n "$oz" ] || { echo "ERROR: no running OpenZaak container — bring the stack up first" >&2; exit 1; }
|
||||
[ -n "$dom" ] || { echo "ERROR: no running domain container — bring the stack up first" >&2; exit 1; }
|
||||
net="$(docker inspect -f '{{range $k,$_ := .NetworkSettings.Networks}}{{$k}}{{"\n"}}{{end}}' "$oz" | head -1)"
|
||||
oz_ip="$(ip "$oz")"; dom_ip="$(ip "$dom")"
|
||||
oz_base="http://$oz_ip:8000"
|
||||
echo ">> openzaak=$oz_ip domain=$dom_ip network=$net"
|
||||
|
||||
echo ">> seeding a published BIG zaaktype (idempotent) and capturing its URL"
|
||||
sid="$(docker create --network "$net" -e "OZ_BASE=$oz_base" -e OZ_PUBLISH=1 python:3-slim python /seed.py)"
|
||||
docker cp "$here/openzaak/seed_catalogus.py" "$sid:/seed.py" >/dev/null
|
||||
zt_url="$(docker start -a "$sid" | sed -n 's/^ZAAKTYPE_URL //p' | head -1)"
|
||||
docker rm -f "$sid" >/dev/null
|
||||
[ -n "$zt_url" ] || { echo "ERROR: seed did not report a ZAAKTYPE_URL" >&2; exit 1; }
|
||||
echo ">> zaaktype: $zt_url"
|
||||
|
||||
echo ">> recreating the acl service pointed at the seeded zaaktype (host-consistent)"
|
||||
ACL_ZAAKTYPE_URL="$zt_url" ACL_OPENZAAK_BASEURL="$oz_base/" docker compose -f "$compose" up -d acl
|
||||
WAIT_TIMEOUT="${WAIT_TIMEOUT:-120}" bash "$here/wait-healthy.sh" acl
|
||||
|
||||
echo ">> submitting a registration to the domain"
|
||||
loc="$(docker run --rm --network "$net" curlimages/curl:latest \
|
||||
-fsS -D - -o /dev/null -X POST "http://$dom_ip:8080/registrations" \
|
||||
-H 'Content-Type: application/json' -d '{"bsn":"123456782"}' \
|
||||
| sed -n 's/\r$//; s/^[Ll]ocation: //p' | head -1)"
|
||||
[ -n "$loc" ] || { echo "ERROR: POST /registrations returned no Location" >&2; exit 1; }
|
||||
echo ">> registration accepted at $loc"
|
||||
|
||||
echo ">> polling the domain until the worker records the opened zaak"
|
||||
for _ in $(seq 1 30); do
|
||||
body="$(docker run --rm --network "$net" curlimages/curl:latest \
|
||||
-fsS "http://$dom_ip:8080$loc" 2>/dev/null || true)"
|
||||
if echo "$body" | grep -q '/zaken/api/v1/zaken/'; then
|
||||
echo "OK — the domain opened a zaak and recorded it on the registration:"
|
||||
echo "$body" | cut -c1-300
|
||||
exit 0
|
||||
fi
|
||||
sleep 2
|
||||
done
|
||||
echo "FAIL — the registration never received a zaak URL" >&2
|
||||
echo "--- domain log ---" >&2; docker logs "$dom" 2>&1 | tail -15 >&2
|
||||
acl="$(docker ps -q --filter 'name=[-_]acl[-_]' | head -1)"
|
||||
[ -n "$acl" ] && { echo "--- acl log ---" >&2; docker logs "$acl" 2>&1 | tail -15 >&2; }
|
||||
exit 1
|
||||
29
infra/run-e2e-check.sh
Executable file
29
infra/run-e2e-check.sh
Executable file
@@ -0,0 +1,29 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Walking-skeleton e2e (S-08d) against an ALREADY-RUNNING full stack: drive the self-service portal
|
||||
# in a real browser through mock-DigiD login → submit → confirmation (login → BFF → domain).
|
||||
#
|
||||
# Runs Playwright INSIDE the compose network (a container on `cg`), so the browser reaches
|
||||
# Keycloak by service name (keycloak:8080) — the same authority the BFF validates against, so the
|
||||
# token issuer matches (ADR-0010). The spec is copied into the container (docker cp), not mounted,
|
||||
# so it leaves no root-owned files on the host. The caller owns stack bring-up + teardown.
|
||||
#
|
||||
# Uses the official Playwright image with browsers pre-baked, instead of downloading ~150 MB of
|
||||
# Chromium on every run (issue #73). The image tag MUST match tests/e2e/package.json's
|
||||
# @playwright/test version — bump both together.
|
||||
set -euo pipefail
|
||||
|
||||
here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
root="$(cd "$here/.." && pwd)"
|
||||
|
||||
ss="$(docker ps -q --filter 'name=self-service' | head -1)"
|
||||
[ -n "$ss" ] || { echo "ERROR: no running self-service container — bring the stack up first" >&2; exit 1; }
|
||||
net="$(docker inspect -f '{{range $k,$_ := .NetworkSettings.Networks}}{{$k}}{{"\n"}}{{end}}' "$ss" | head -1)"
|
||||
echo ">> running Playwright e2e on network $net against http://self-service"
|
||||
|
||||
cid="$(docker create --network "$net" -w /e2e --ipc=host \
|
||||
-e SELF_SERVICE_URL=http://self-service \
|
||||
mcr.microsoft.com/playwright:v1.61.1-noble sh -c 'npm install --no-audit --no-fund && npx playwright test')"
|
||||
trap 'docker rm -f "$cid" >/dev/null 2>&1 || true' EXIT
|
||||
docker cp "$root/tests/e2e/." "$cid:/e2e" >/dev/null
|
||||
docker start -a "$cid"
|
||||
7
libs/api-client/README.md
Normal file
7
libs/api-client/README.md
Normal file
@@ -0,0 +1,7 @@
|
||||
# api-client
|
||||
|
||||
This library was generated with [Nx](https://nx.dev).
|
||||
|
||||
## Running unit tests
|
||||
|
||||
Run `nx test api-client` to execute the unit tests.
|
||||
34
libs/api-client/eslint.config.mjs
Normal file
34
libs/api-client/eslint.config.mjs
Normal file
@@ -0,0 +1,34 @@
|
||||
import nx from '@nx/eslint-plugin';
|
||||
import baseConfig from '../../eslint.config.mjs';
|
||||
|
||||
export default [
|
||||
...nx.configs['flat/angular'],
|
||||
...nx.configs['flat/angular-template'],
|
||||
...baseConfig,
|
||||
{
|
||||
files: ['**/*.ts'],
|
||||
rules: {
|
||||
'@angular-eslint/directive-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'attribute',
|
||||
prefix: 'lib',
|
||||
style: 'camelCase',
|
||||
},
|
||||
],
|
||||
'@angular-eslint/component-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'element',
|
||||
prefix: 'lib',
|
||||
style: 'kebab-case',
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
files: ['**/*.html'],
|
||||
// Override or add rules here
|
||||
rules: {},
|
||||
},
|
||||
];
|
||||
17
libs/api-client/orval.config.ts
Normal file
17
libs/api-client/orval.config.ts
Normal file
@@ -0,0 +1,17 @@
|
||||
import { defineConfig } from 'orval';
|
||||
|
||||
// Generates the BFF client (Angular HttpClient service + models) from the committed
|
||||
// OpenAPI contract. Never hand-edit the generated output — re-run `nx run api-client:generate`
|
||||
// after the BFF spec changes (CLAUDE.md §10; docs/frontend-decisions.md).
|
||||
export default defineConfig({
|
||||
bff: {
|
||||
input: '../../services/bff/openapi.json',
|
||||
output: {
|
||||
target: './src/lib/generated/bff-api.ts',
|
||||
client: 'angular',
|
||||
mode: 'single',
|
||||
clean: true,
|
||||
prettier: true,
|
||||
},
|
||||
},
|
||||
});
|
||||
20
libs/api-client/project.json
Normal file
20
libs/api-client/project.json
Normal file
@@ -0,0 +1,20 @@
|
||||
{
|
||||
"name": "api-client",
|
||||
"$schema": "../../node_modules/nx/schemas/project-schema.json",
|
||||
"sourceRoot": "libs/api-client/src",
|
||||
"prefix": "lib",
|
||||
"projectType": "library",
|
||||
"tags": [],
|
||||
"targets": {
|
||||
"lint": {
|
||||
"executor": "@nx/eslint:lint"
|
||||
},
|
||||
"generate": {
|
||||
"executor": "nx:run-commands",
|
||||
"options": {
|
||||
"command": "orval --config orval.config.ts",
|
||||
"cwd": "libs/api-client"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
3
libs/api-client/src/index.ts
Normal file
3
libs/api-client/src/index.ts
Normal file
@@ -0,0 +1,3 @@
|
||||
// The BFF API client is generated from services/bff/openapi.json (orval); never hand-edit
|
||||
// src/lib/generated. Re-run `nx run api-client:generate` after the BFF spec changes.
|
||||
export * from './lib/generated/bff-api';
|
||||
50
libs/api-client/src/lib/bff-api.spec.ts
Normal file
50
libs/api-client/src/lib/bff-api.spec.ts
Normal file
@@ -0,0 +1,50 @@
|
||||
import { provideHttpClient } from '@angular/common/http';
|
||||
import {
|
||||
HttpTestingController,
|
||||
provideHttpClientTesting,
|
||||
} from '@angular/common/http/testing';
|
||||
import { TestBed } from '@angular/core/testing';
|
||||
import {
|
||||
BffApiV1Service,
|
||||
type OpenbaarEntry,
|
||||
type SubmitAccepted,
|
||||
} from '../index';
|
||||
|
||||
describe('BffApiV1Service (generated from services/bff/openapi.json)', () => {
|
||||
let service: BffApiV1Service;
|
||||
let http: HttpTestingController;
|
||||
|
||||
beforeEach(() => {
|
||||
TestBed.configureTestingModule({
|
||||
providers: [provideHttpClient(), provideHttpClientTesting()],
|
||||
});
|
||||
service = TestBed.inject(BffApiV1Service);
|
||||
http = TestBed.inject(HttpTestingController);
|
||||
});
|
||||
|
||||
afterEach(() => http.verify());
|
||||
|
||||
it('submits a registration via POST /self-service/registrations', () => {
|
||||
let result: SubmitAccepted | undefined;
|
||||
service.postSelfServiceRegistrations().subscribe((r) => (result = r));
|
||||
|
||||
const req = http.expectOne('/self-service/registrations');
|
||||
expect(req.request.method).toBe('POST');
|
||||
req.flush({ registrationId: 'reg-1', status: 'Ingediend' });
|
||||
|
||||
expect(result?.registrationId).toBe('reg-1');
|
||||
expect(result?.status).toBe('Ingediend');
|
||||
});
|
||||
|
||||
it('reads the openbaar register via GET /openbaar/register with the query', () => {
|
||||
let rows: OpenbaarEntry[] | undefined;
|
||||
service.getOpenbaarRegister({ q: 'abc' }).subscribe((r) => (rows = r));
|
||||
|
||||
const req = http.expectOne((r) => r.url === '/openbaar/register');
|
||||
expect(req.request.method).toBe('GET');
|
||||
expect(req.request.params.get('q')).toBe('abc');
|
||||
req.flush([{ id: 'abc-111', status: 'INGEDIEND' }]);
|
||||
|
||||
expect(rows?.[0].id).toBe('abc-111');
|
||||
});
|
||||
});
|
||||
216
libs/api-client/src/lib/generated/bff-api.ts
Normal file
216
libs/api-client/src/lib/generated/bff-api.ts
Normal file
@@ -0,0 +1,216 @@
|
||||
/**
|
||||
* Generated by orval v8.19.0 🍺
|
||||
* Do not edit manually.
|
||||
* Bff.Api | v1
|
||||
* OpenAPI spec version: 1.0.0
|
||||
*/
|
||||
import {
|
||||
HttpClient,
|
||||
HttpHeaders,
|
||||
HttpResponse as AngularHttpResponse
|
||||
} from '@angular/common/http';
|
||||
import type {
|
||||
HttpContext,
|
||||
HttpEvent,
|
||||
HttpParams
|
||||
} from '@angular/common/http';
|
||||
|
||||
import {
|
||||
Injectable,
|
||||
inject
|
||||
} from '@angular/core';
|
||||
|
||||
import {
|
||||
Observable
|
||||
} from 'rxjs';
|
||||
|
||||
export interface OpenbaarEntry {
|
||||
id: string;
|
||||
status: string;
|
||||
}
|
||||
|
||||
export interface SubmitAccepted {
|
||||
registrationId: string;
|
||||
status: string;
|
||||
}
|
||||
|
||||
export type GetOpenbaarRegisterParams = {
|
||||
q?: string;
|
||||
};
|
||||
|
||||
interface HttpClientOptions {
|
||||
readonly headers?: HttpHeaders | Record<string, string | string[]>;
|
||||
readonly context?: HttpContext;
|
||||
readonly params?:
|
||||
| HttpParams
|
||||
| Record<string, string | number | boolean | Array<string | number | boolean>>;
|
||||
readonly reportProgress?: boolean;
|
||||
readonly withCredentials?: boolean;
|
||||
readonly credentials?: RequestCredentials;
|
||||
readonly keepalive?: boolean;
|
||||
readonly priority?: RequestPriority;
|
||||
readonly cache?: RequestCache;
|
||||
readonly mode?: RequestMode;
|
||||
readonly redirect?: RequestRedirect;
|
||||
readonly referrer?: string;
|
||||
readonly integrity?: string;
|
||||
readonly referrerPolicy?: ReferrerPolicy;
|
||||
readonly transferCache?: {includeHeaders?: string[]} | boolean;
|
||||
readonly timeout?: number;
|
||||
}
|
||||
|
||||
type HttpClientBodyOptions = HttpClientOptions & {
|
||||
readonly observe?: 'body';
|
||||
};
|
||||
|
||||
type HttpClientEventOptions = HttpClientOptions & {
|
||||
readonly observe: 'events';
|
||||
};
|
||||
|
||||
type HttpClientResponseOptions = HttpClientOptions & {
|
||||
readonly observe: 'response';
|
||||
};
|
||||
|
||||
type HttpClientObserveOptions = HttpClientOptions & {
|
||||
readonly observe?: 'body' | 'events' | 'response';
|
||||
};
|
||||
|
||||
type AngularHttpParamValue = string | number | boolean | Array<string | number | boolean>;
|
||||
type AngularHttpParamValueWithNullable = AngularHttpParamValue | null;
|
||||
|
||||
function filterParams(
|
||||
params: Record<string, unknown>,
|
||||
requiredNullableKeys?: ReadonlySet<string>,
|
||||
preserveRequiredNullables?: false,
|
||||
passthroughKeys?: undefined,
|
||||
): Record<string, AngularHttpParamValue>;
|
||||
function filterParams(
|
||||
params: Record<string, unknown>,
|
||||
requiredNullableKeys: ReadonlySet<string> | undefined,
|
||||
preserveRequiredNullables: true,
|
||||
passthroughKeys?: undefined,
|
||||
): Record<string, AngularHttpParamValueWithNullable>;
|
||||
function filterParams(
|
||||
params: Record<string, unknown>,
|
||||
requiredNullableKeys: ReadonlySet<string> | undefined,
|
||||
preserveRequiredNullables: boolean | undefined,
|
||||
passthroughKeys: ReadonlySet<string>,
|
||||
): Record<string, unknown>;
|
||||
function filterParams(
|
||||
params: Record<string, unknown>,
|
||||
requiredNullableKeys: ReadonlySet<string> = new Set(),
|
||||
preserveRequiredNullables = false,
|
||||
passthroughKeys: ReadonlySet<string> = new Set(),
|
||||
): Record<string, unknown> {
|
||||
const filteredParams: Record<string, unknown> = {};
|
||||
for (const [key, value] of Object.entries(params)) {
|
||||
if (passthroughKeys.has(key)) {
|
||||
if (value !== undefined) {
|
||||
filteredParams[key] = value;
|
||||
}
|
||||
continue;
|
||||
}
|
||||
if (Array.isArray(value)) {
|
||||
const filtered = value.filter(
|
||||
(item) =>
|
||||
item != null &&
|
||||
(typeof item === 'string' ||
|
||||
typeof item === 'number' ||
|
||||
typeof item === 'boolean'),
|
||||
) as Array<string | number | boolean>;
|
||||
if (filtered.length) {
|
||||
filteredParams[key] = filtered;
|
||||
}
|
||||
} else if (
|
||||
preserveRequiredNullables &&
|
||||
value === null &&
|
||||
requiredNullableKeys.has(key)
|
||||
) {
|
||||
filteredParams[key] = null;
|
||||
} else if (
|
||||
value != null &&
|
||||
(typeof value === 'string' ||
|
||||
typeof value === 'number' ||
|
||||
typeof value === 'boolean')
|
||||
) {
|
||||
filteredParams[key] = value;
|
||||
}
|
||||
}
|
||||
return filteredParams;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@Injectable({ providedIn: 'root' })
|
||||
export class BffApiV1Service {
|
||||
private readonly http = inject(HttpClient);
|
||||
postSelfServiceRegistrations<TData = SubmitAccepted>( options?: HttpClientBodyOptions): Observable<TData>;
|
||||
postSelfServiceRegistrations<TData = SubmitAccepted>( options?: HttpClientEventOptions): Observable<HttpEvent<TData>>;
|
||||
postSelfServiceRegistrations<TData = SubmitAccepted>( options?: HttpClientResponseOptions): Observable<AngularHttpResponse<TData>>;
|
||||
postSelfServiceRegistrations<TData = SubmitAccepted>(
|
||||
options?: HttpClientObserveOptions): Observable<TData | HttpEvent<TData> | AngularHttpResponse<TData>> {
|
||||
if (options?.observe === 'events') {
|
||||
return this.http.post<TData>(
|
||||
`/self-service/registrations`,
|
||||
undefined,{
|
||||
...(options as Omit<NonNullable<typeof options>, 'observe'>),
|
||||
observe: 'events',
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
if (options?.observe === 'response') {
|
||||
return this.http.post<TData>(
|
||||
`/self-service/registrations`,
|
||||
undefined,{
|
||||
...(options as Omit<NonNullable<typeof options>, 'observe'>),
|
||||
observe: 'response',
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
return this.http.post<TData>(
|
||||
`/self-service/registrations`,
|
||||
undefined,{
|
||||
...(options as Omit<NonNullable<typeof options>, 'observe'>),
|
||||
observe: 'body',
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
getOpenbaarRegister<TData = OpenbaarEntry[]>(params?: GetOpenbaarRegisterParams, options?: HttpClientBodyOptions): Observable<TData>;
|
||||
getOpenbaarRegister<TData = OpenbaarEntry[]>(params?: GetOpenbaarRegisterParams, options?: HttpClientEventOptions): Observable<HttpEvent<TData>>;
|
||||
getOpenbaarRegister<TData = OpenbaarEntry[]>(params?: GetOpenbaarRegisterParams, options?: HttpClientResponseOptions): Observable<AngularHttpResponse<TData>>;
|
||||
getOpenbaarRegister<TData = OpenbaarEntry[]>(
|
||||
params?: GetOpenbaarRegisterParams, options?: HttpClientObserveOptions): Observable<TData | HttpEvent<TData> | AngularHttpResponse<TData>> {
|
||||
const filteredParams = filterParams({...params, ...options?.params}, new Set<string>([]));
|
||||
|
||||
if (options?.observe === 'events') {
|
||||
return this.http.get<TData>(
|
||||
`/openbaar/register`,{
|
||||
...(options as Omit<NonNullable<typeof options>, 'observe'>),
|
||||
observe: 'events',
|
||||
params: filteredParams,}
|
||||
);
|
||||
}
|
||||
|
||||
if (options?.observe === 'response') {
|
||||
return this.http.get<TData>(
|
||||
`/openbaar/register`,{
|
||||
...(options as Omit<NonNullable<typeof options>, 'observe'>),
|
||||
observe: 'response',
|
||||
params: filteredParams,}
|
||||
);
|
||||
}
|
||||
|
||||
return this.http.get<TData>(
|
||||
`/openbaar/register`,{
|
||||
...(options as Omit<NonNullable<typeof options>, 'observe'>),
|
||||
observe: 'body',
|
||||
params: filteredParams,}
|
||||
);
|
||||
}
|
||||
|
||||
};
|
||||
5
libs/api-client/src/test-setup.ts
Normal file
5
libs/api-client/src/test-setup.ts
Normal file
@@ -0,0 +1,5 @@
|
||||
import '@angular/compiler';
|
||||
import '@analogjs/vitest-angular/setup-snapshots';
|
||||
import { setupTestBed } from '@analogjs/vitest-angular/setup-testbed';
|
||||
|
||||
setupTestBed({ zoneless: false });
|
||||
31
libs/api-client/tsconfig.json
Normal file
31
libs/api-client/tsconfig.json
Normal file
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"extends": "../../tsconfig.base.json",
|
||||
"compilerOptions": {
|
||||
"isolatedModules": true,
|
||||
"target": "es2022",
|
||||
"moduleResolution": "bundler",
|
||||
"strict": true,
|
||||
"noImplicitOverride": true,
|
||||
"noPropertyAccessFromIndexSignature": true,
|
||||
"noImplicitReturns": true,
|
||||
"noFallthroughCasesInSwitch": true,
|
||||
"emitDecoratorMetadata": false,
|
||||
"module": "preserve"
|
||||
},
|
||||
"angularCompilerOptions": {
|
||||
"enableI18nLegacyMessageIdFormat": false,
|
||||
"strictInjectionParameters": true,
|
||||
"strictInputAccessModifiers": true,
|
||||
"strictTemplates": true
|
||||
},
|
||||
"files": [],
|
||||
"include": [],
|
||||
"references": [
|
||||
{
|
||||
"path": "./tsconfig.lib.json"
|
||||
},
|
||||
{
|
||||
"path": "./tsconfig.spec.json"
|
||||
}
|
||||
]
|
||||
}
|
||||
26
libs/api-client/tsconfig.lib.json
Normal file
26
libs/api-client/tsconfig.lib.json
Normal file
@@ -0,0 +1,26 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"declaration": true,
|
||||
"declarationMap": true,
|
||||
"inlineSources": true,
|
||||
"types": []
|
||||
},
|
||||
"include": ["src/**/*.ts"],
|
||||
"exclude": [
|
||||
"src/**/*.spec.ts",
|
||||
"src/**/*.test.ts",
|
||||
"vite.config.ts",
|
||||
"vite.config.mts",
|
||||
"vitest.config.ts",
|
||||
"vitest.config.mts",
|
||||
"src/**/*.test.tsx",
|
||||
"src/**/*.spec.tsx",
|
||||
"src/**/*.test.js",
|
||||
"src/**/*.spec.js",
|
||||
"src/**/*.test.jsx",
|
||||
"src/**/*.spec.jsx",
|
||||
"src/test-setup.ts"
|
||||
]
|
||||
}
|
||||
29
libs/api-client/tsconfig.spec.json
Normal file
29
libs/api-client/tsconfig.spec.json
Normal file
@@ -0,0 +1,29 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": [
|
||||
"vitest/globals",
|
||||
"vitest/importMeta",
|
||||
"vite/client",
|
||||
"node",
|
||||
"vitest"
|
||||
]
|
||||
},
|
||||
"include": [
|
||||
"vite.config.ts",
|
||||
"vite.config.mts",
|
||||
"vitest.config.ts",
|
||||
"vitest.config.mts",
|
||||
"src/**/*.test.ts",
|
||||
"src/**/*.spec.ts",
|
||||
"src/**/*.test.tsx",
|
||||
"src/**/*.spec.tsx",
|
||||
"src/**/*.test.js",
|
||||
"src/**/*.spec.js",
|
||||
"src/**/*.test.jsx",
|
||||
"src/**/*.spec.jsx",
|
||||
"src/**/*.d.ts"
|
||||
],
|
||||
"files": ["src/test-setup.ts"]
|
||||
}
|
||||
28
libs/api-client/vite.config.mts
Normal file
28
libs/api-client/vite.config.mts
Normal file
@@ -0,0 +1,28 @@
|
||||
/// <reference types='vitest' />
|
||||
import { defineConfig } from 'vite';
|
||||
import angular from '@analogjs/vite-plugin-angular';
|
||||
import { nxViteTsPaths } from '@nx/vite/plugins/nx-tsconfig-paths.plugin';
|
||||
import { nxCopyAssetsPlugin } from '@nx/vite/plugins/nx-copy-assets.plugin';
|
||||
|
||||
export default defineConfig(() => ({
|
||||
root: __dirname,
|
||||
cacheDir: '../../node_modules/.vite/libs/api-client',
|
||||
plugins: [angular(), nxViteTsPaths(), nxCopyAssetsPlugin(['*.md'])],
|
||||
// Uncomment this if you are using workers.
|
||||
// worker: {
|
||||
// plugins: () => [ nxViteTsPaths() ],
|
||||
// },
|
||||
test: {
|
||||
name: 'api-client',
|
||||
watch: false,
|
||||
globals: true,
|
||||
environment: 'jsdom',
|
||||
include: ['{src,tests}/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}'],
|
||||
setupFiles: ['src/test-setup.ts'],
|
||||
reporters: ['default'],
|
||||
coverage: {
|
||||
reportsDirectory: '../../coverage/libs/api-client',
|
||||
provider: 'v8' as const,
|
||||
},
|
||||
},
|
||||
}));
|
||||
7
libs/auth/README.md
Normal file
7
libs/auth/README.md
Normal file
@@ -0,0 +1,7 @@
|
||||
# auth
|
||||
|
||||
This library was generated with [Nx](https://nx.dev).
|
||||
|
||||
## Running unit tests
|
||||
|
||||
Run `nx test auth` to execute the unit tests.
|
||||
34
libs/auth/eslint.config.mjs
Normal file
34
libs/auth/eslint.config.mjs
Normal file
@@ -0,0 +1,34 @@
|
||||
import nx from '@nx/eslint-plugin';
|
||||
import baseConfig from '../../eslint.config.mjs';
|
||||
|
||||
export default [
|
||||
...nx.configs['flat/angular'],
|
||||
...nx.configs['flat/angular-template'],
|
||||
...baseConfig,
|
||||
{
|
||||
files: ['**/*.ts'],
|
||||
rules: {
|
||||
'@angular-eslint/directive-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'attribute',
|
||||
prefix: 'lib',
|
||||
style: 'camelCase',
|
||||
},
|
||||
],
|
||||
'@angular-eslint/component-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'element',
|
||||
prefix: 'lib',
|
||||
style: 'kebab-case',
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
files: ['**/*.html'],
|
||||
// Override or add rules here
|
||||
rules: {},
|
||||
},
|
||||
];
|
||||
13
libs/auth/project.json
Normal file
13
libs/auth/project.json
Normal file
@@ -0,0 +1,13 @@
|
||||
{
|
||||
"name": "auth",
|
||||
"$schema": "../../node_modules/nx/schemas/project-schema.json",
|
||||
"sourceRoot": "libs/auth/src",
|
||||
"prefix": "lib",
|
||||
"projectType": "library",
|
||||
"tags": [],
|
||||
"targets": {
|
||||
"lint": {
|
||||
"executor": "@nx/eslint:lint"
|
||||
}
|
||||
}
|
||||
}
|
||||
4
libs/auth/src/index.ts
Normal file
4
libs/auth/src/index.ts
Normal file
@@ -0,0 +1,4 @@
|
||||
export * from './lib/auth.service';
|
||||
export * from './lib/digid-auth.service';
|
||||
export * from './lib/digid-auth.providers';
|
||||
export * from './lib/authenticated.guard';
|
||||
16
libs/auth/src/lib/auth.service.ts
Normal file
16
libs/auth/src/lib/auth.service.ts
Normal file
@@ -0,0 +1,16 @@
|
||||
import { Signal } from '@angular/core';
|
||||
|
||||
/**
|
||||
* The portal's view of the signed-in user. An abstraction over the OIDC library so components and
|
||||
* guards depend on a small, mockable surface (the real implementation is DigiadAuthService).
|
||||
*/
|
||||
export abstract class AuthService {
|
||||
/** Whether a DigiD session is active. */
|
||||
abstract readonly isAuthenticated: Signal<boolean>;
|
||||
/** The citizen-service number from the DigiD token, once authenticated. */
|
||||
abstract readonly bsn: Signal<string | undefined>;
|
||||
/** Start the DigiD login (redirects to Keycloak). */
|
||||
abstract login(): void;
|
||||
/** End the session. */
|
||||
abstract logout(): void;
|
||||
}
|
||||
42
libs/auth/src/lib/authenticated.guard.spec.ts
Normal file
42
libs/auth/src/lib/authenticated.guard.spec.ts
Normal file
@@ -0,0 +1,42 @@
|
||||
import { signal } from '@angular/core';
|
||||
import { TestBed } from '@angular/core/testing';
|
||||
import { AuthService } from './auth.service';
|
||||
import { authenticatedGuard } from './authenticated.guard';
|
||||
|
||||
class FakeAuth extends AuthService {
|
||||
readonly isAuthenticated = signal(false);
|
||||
readonly bsn = signal<string | undefined>(undefined);
|
||||
login(): void {
|
||||
/* spied in tests */
|
||||
}
|
||||
logout(): void {
|
||||
/* noop */
|
||||
}
|
||||
}
|
||||
|
||||
function runGuard(authenticated: boolean) {
|
||||
const auth = new FakeAuth();
|
||||
auth.isAuthenticated.set(authenticated);
|
||||
const loginSpy = vi.spyOn(auth, 'login');
|
||||
TestBed.configureTestingModule({
|
||||
providers: [{ provide: AuthService, useValue: auth }],
|
||||
});
|
||||
const result = TestBed.runInInjectionContext(() =>
|
||||
authenticatedGuard(null as never, null as never),
|
||||
);
|
||||
return { result, loginSpy };
|
||||
}
|
||||
|
||||
describe('authenticatedGuard', () => {
|
||||
it('allows the route for an authenticated user', () => {
|
||||
const { result, loginSpy } = runGuard(true);
|
||||
expect(result).toBe(true);
|
||||
expect(loginSpy).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('blocks and starts DigiD login when not authenticated', () => {
|
||||
const { result, loginSpy } = runGuard(false);
|
||||
expect(result).toBe(false);
|
||||
expect(loginSpy).toHaveBeenCalledTimes(1);
|
||||
});
|
||||
});
|
||||
13
libs/auth/src/lib/authenticated.guard.ts
Normal file
13
libs/auth/src/lib/authenticated.guard.ts
Normal file
@@ -0,0 +1,13 @@
|
||||
import { inject } from '@angular/core';
|
||||
import { CanActivateFn } from '@angular/router';
|
||||
import { AuthService } from './auth.service';
|
||||
|
||||
/** Allow the route only when a DigiD session is active; otherwise start the login. */
|
||||
export const authenticatedGuard: CanActivateFn = () => {
|
||||
const auth = inject(AuthService);
|
||||
if (auth.isAuthenticated()) {
|
||||
return true;
|
||||
}
|
||||
auth.login();
|
||||
return false;
|
||||
};
|
||||
55
libs/auth/src/lib/digid-auth.providers.ts
Normal file
55
libs/auth/src/lib/digid-auth.providers.ts
Normal file
@@ -0,0 +1,55 @@
|
||||
import { EnvironmentProviders, makeEnvironmentProviders } from '@angular/core';
|
||||
import {
|
||||
authInterceptor,
|
||||
LogLevel,
|
||||
provideAuth,
|
||||
withAppInitializerAuthCheck,
|
||||
} from 'angular-auth-oidc-client';
|
||||
import { AuthService } from './auth.service';
|
||||
import { DigiadAuthService } from './digid-auth.service';
|
||||
|
||||
export interface DigiadAuthOptions {
|
||||
/** The Keycloak `digid` realm issuer, as reachable from the browser. */
|
||||
authority: string;
|
||||
/** Where Keycloak redirects back to after login (usually the app origin). */
|
||||
redirectUrl: string;
|
||||
/**
|
||||
* Route prefixes whose requests get the bearer token attached. The api-client calls the BFF with
|
||||
* **relative** URLs (same-origin via the nginx proxy), so these must be relative path prefixes
|
||||
* (e.g. `/self-service/`) — angular-auth-oidc-client matches `req.url.startsWith(route)`, and a
|
||||
* relative `req.url` never starts with an absolute origin.
|
||||
*/
|
||||
secureRoutes: string[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Configure DigiD login (Keycloak `digid` realm, public client `big-portal`, auth-code + PKCE) and
|
||||
* bind {@link AuthService} to the OIDC-backed implementation. Register {@link authInterceptor} in the
|
||||
* app's HttpClient so BFF calls carry the token.
|
||||
*/
|
||||
export function provideDigiadAuth(options: DigiadAuthOptions): EnvironmentProviders {
|
||||
return makeEnvironmentProviders([
|
||||
provideAuth(
|
||||
{
|
||||
config: {
|
||||
authority: options.authority,
|
||||
redirectUrl: options.redirectUrl,
|
||||
postLogoutRedirectUri: options.redirectUrl,
|
||||
clientId: 'big-portal',
|
||||
scope: 'openid profile',
|
||||
responseType: 'code',
|
||||
silentRenew: true,
|
||||
useRefreshToken: true,
|
||||
secureRoutes: options.secureRoutes,
|
||||
logLevel: LogLevel.Warn,
|
||||
},
|
||||
},
|
||||
// Run checkAuth() at startup so the DigiD callback (?code=…) is processed before the router
|
||||
// and guard run — without it the guard sees "not authenticated" and re-triggers login (loop).
|
||||
withAppInitializerAuthCheck(),
|
||||
),
|
||||
{ provide: AuthService, useClass: DigiadAuthService },
|
||||
]);
|
||||
}
|
||||
|
||||
export { authInterceptor };
|
||||
29
libs/auth/src/lib/digid-auth.service.ts
Normal file
29
libs/auth/src/lib/digid-auth.service.ts
Normal file
@@ -0,0 +1,29 @@
|
||||
import { inject, Injectable, Signal } from '@angular/core';
|
||||
import { toSignal } from '@angular/core/rxjs-interop';
|
||||
import { OidcSecurityService } from 'angular-auth-oidc-client';
|
||||
import { map } from 'rxjs';
|
||||
import { AuthService } from './auth.service';
|
||||
|
||||
/** DigiD-backed AuthService over angular-auth-oidc-client (Keycloak `digid` realm). */
|
||||
@Injectable()
|
||||
export class DigiadAuthService extends AuthService {
|
||||
private readonly oidc = inject(OidcSecurityService);
|
||||
|
||||
readonly isAuthenticated: Signal<boolean> = toSignal(
|
||||
this.oidc.isAuthenticated$.pipe(map((result) => result.isAuthenticated)),
|
||||
{ initialValue: false },
|
||||
);
|
||||
|
||||
readonly bsn: Signal<string | undefined> = toSignal(
|
||||
this.oidc.userData$.pipe(map((data) => (data.userData as { bsn?: string } | null)?.bsn)),
|
||||
{ initialValue: undefined },
|
||||
);
|
||||
|
||||
override login(): void {
|
||||
this.oidc.authorize();
|
||||
}
|
||||
|
||||
override logout(): void {
|
||||
this.oidc.logoff().subscribe();
|
||||
}
|
||||
}
|
||||
5
libs/auth/src/test-setup.ts
Normal file
5
libs/auth/src/test-setup.ts
Normal file
@@ -0,0 +1,5 @@
|
||||
import '@angular/compiler';
|
||||
import '@analogjs/vitest-angular/setup-snapshots';
|
||||
import { setupTestBed } from '@analogjs/vitest-angular/setup-testbed';
|
||||
|
||||
setupTestBed({ zoneless: false });
|
||||
31
libs/auth/tsconfig.json
Normal file
31
libs/auth/tsconfig.json
Normal file
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"extends": "../../tsconfig.base.json",
|
||||
"compilerOptions": {
|
||||
"isolatedModules": true,
|
||||
"target": "es2022",
|
||||
"moduleResolution": "bundler",
|
||||
"strict": true,
|
||||
"noImplicitOverride": true,
|
||||
"noPropertyAccessFromIndexSignature": true,
|
||||
"noImplicitReturns": true,
|
||||
"noFallthroughCasesInSwitch": true,
|
||||
"emitDecoratorMetadata": false,
|
||||
"module": "preserve"
|
||||
},
|
||||
"angularCompilerOptions": {
|
||||
"enableI18nLegacyMessageIdFormat": false,
|
||||
"strictInjectionParameters": true,
|
||||
"strictInputAccessModifiers": true,
|
||||
"strictTemplates": true
|
||||
},
|
||||
"files": [],
|
||||
"include": [],
|
||||
"references": [
|
||||
{
|
||||
"path": "./tsconfig.lib.json"
|
||||
},
|
||||
{
|
||||
"path": "./tsconfig.spec.json"
|
||||
}
|
||||
]
|
||||
}
|
||||
26
libs/auth/tsconfig.lib.json
Normal file
26
libs/auth/tsconfig.lib.json
Normal file
@@ -0,0 +1,26 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"declaration": true,
|
||||
"declarationMap": true,
|
||||
"inlineSources": true,
|
||||
"types": []
|
||||
},
|
||||
"include": ["src/**/*.ts"],
|
||||
"exclude": [
|
||||
"src/**/*.spec.ts",
|
||||
"src/**/*.test.ts",
|
||||
"vite.config.ts",
|
||||
"vite.config.mts",
|
||||
"vitest.config.ts",
|
||||
"vitest.config.mts",
|
||||
"src/**/*.test.tsx",
|
||||
"src/**/*.spec.tsx",
|
||||
"src/**/*.test.js",
|
||||
"src/**/*.spec.js",
|
||||
"src/**/*.test.jsx",
|
||||
"src/**/*.spec.jsx",
|
||||
"src/test-setup.ts"
|
||||
]
|
||||
}
|
||||
29
libs/auth/tsconfig.spec.json
Normal file
29
libs/auth/tsconfig.spec.json
Normal file
@@ -0,0 +1,29 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": [
|
||||
"vitest/globals",
|
||||
"vitest/importMeta",
|
||||
"vite/client",
|
||||
"node",
|
||||
"vitest"
|
||||
]
|
||||
},
|
||||
"include": [
|
||||
"vite.config.ts",
|
||||
"vite.config.mts",
|
||||
"vitest.config.ts",
|
||||
"vitest.config.mts",
|
||||
"src/**/*.test.ts",
|
||||
"src/**/*.spec.ts",
|
||||
"src/**/*.test.tsx",
|
||||
"src/**/*.spec.tsx",
|
||||
"src/**/*.test.js",
|
||||
"src/**/*.spec.js",
|
||||
"src/**/*.test.jsx",
|
||||
"src/**/*.spec.jsx",
|
||||
"src/**/*.d.ts"
|
||||
],
|
||||
"files": ["src/test-setup.ts"]
|
||||
}
|
||||
28
libs/auth/vite.config.mts
Normal file
28
libs/auth/vite.config.mts
Normal file
@@ -0,0 +1,28 @@
|
||||
/// <reference types='vitest' />
|
||||
import { defineConfig } from 'vite';
|
||||
import angular from '@analogjs/vite-plugin-angular';
|
||||
import { nxViteTsPaths } from '@nx/vite/plugins/nx-tsconfig-paths.plugin';
|
||||
import { nxCopyAssetsPlugin } from '@nx/vite/plugins/nx-copy-assets.plugin';
|
||||
|
||||
export default defineConfig(() => ({
|
||||
root: __dirname,
|
||||
cacheDir: '../../node_modules/.vite/libs/auth',
|
||||
plugins: [angular(), nxViteTsPaths(), nxCopyAssetsPlugin(['*.md'])],
|
||||
// Uncomment this if you are using workers.
|
||||
// worker: {
|
||||
// plugins: () => [ nxViteTsPaths() ],
|
||||
// },
|
||||
test: {
|
||||
name: 'auth',
|
||||
watch: false,
|
||||
globals: true,
|
||||
environment: 'jsdom',
|
||||
include: ['{src,tests}/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}'],
|
||||
setupFiles: ['src/test-setup.ts'],
|
||||
reporters: ['default'],
|
||||
coverage: {
|
||||
reportsDirectory: '../../coverage/libs/auth',
|
||||
provider: 'v8' as const,
|
||||
},
|
||||
},
|
||||
}));
|
||||
7
libs/ui/README.md
Normal file
7
libs/ui/README.md
Normal file
@@ -0,0 +1,7 @@
|
||||
# ui
|
||||
|
||||
This library was generated with [Nx](https://nx.dev).
|
||||
|
||||
## Running unit tests
|
||||
|
||||
Run `nx test ui` to execute the unit tests.
|
||||
34
libs/ui/eslint.config.mjs
Normal file
34
libs/ui/eslint.config.mjs
Normal file
@@ -0,0 +1,34 @@
|
||||
import nx from '@nx/eslint-plugin';
|
||||
import baseConfig from '../../eslint.config.mjs';
|
||||
|
||||
export default [
|
||||
...nx.configs['flat/angular'],
|
||||
...nx.configs['flat/angular-template'],
|
||||
...baseConfig,
|
||||
{
|
||||
files: ['**/*.ts'],
|
||||
rules: {
|
||||
'@angular-eslint/directive-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'attribute',
|
||||
prefix: 'lib',
|
||||
style: 'camelCase',
|
||||
},
|
||||
],
|
||||
'@angular-eslint/component-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'element',
|
||||
prefix: 'lib',
|
||||
style: 'kebab-case',
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
files: ['**/*.html'],
|
||||
// Override or add rules here
|
||||
rules: {},
|
||||
},
|
||||
];
|
||||
13
libs/ui/project.json
Normal file
13
libs/ui/project.json
Normal file
@@ -0,0 +1,13 @@
|
||||
{
|
||||
"name": "ui",
|
||||
"$schema": "../../node_modules/nx/schemas/project-schema.json",
|
||||
"sourceRoot": "libs/ui/src",
|
||||
"prefix": "lib",
|
||||
"projectType": "library",
|
||||
"tags": [],
|
||||
"targets": {
|
||||
"lint": {
|
||||
"executor": "@nx/eslint:lint"
|
||||
}
|
||||
}
|
||||
}
|
||||
11
libs/ui/src/index.ts
Normal file
11
libs/ui/src/index.ts
Normal file
@@ -0,0 +1,11 @@
|
||||
// NL Design System building blocks — Utrecht is NL DS's reference Angular implementation
|
||||
// (docs/frontend-decisions.md). The portals depend on the design system through this one lib.
|
||||
// The design tokens/theme CSS is imported once, at the app level (apps/*/src/styles.css).
|
||||
//
|
||||
// The Utrecht v3 components are NgModule-based (not standalone), so we re-export the module.
|
||||
// A standalone component consumes them by importing UtrechtComponentsModule in its `imports`
|
||||
// (CLAUDE.md §10 forbids *declaring* NgModules in our code, not consuming a third-party one).
|
||||
// Re-export the whole Utrecht package: importing UtrechtComponentsModule pulls every component it
|
||||
// exports into the compiler's scope, so the AOT build needs all of them resolvable through this
|
||||
// barrel (a partial re-export fails with NG3004 for the first unused component).
|
||||
export * from '@utrecht/component-library-angular';
|
||||
7
libs/ui/src/lib/ui.spec.ts
Normal file
7
libs/ui/src/lib/ui.spec.ts
Normal file
@@ -0,0 +1,7 @@
|
||||
import { UtrechtComponentsModule } from '../index';
|
||||
|
||||
describe('ui barrel', () => {
|
||||
it('re-exports the NL Design System (Utrecht) module', () => {
|
||||
expect(UtrechtComponentsModule).toBeTruthy();
|
||||
});
|
||||
});
|
||||
5
libs/ui/src/test-setup.ts
Normal file
5
libs/ui/src/test-setup.ts
Normal file
@@ -0,0 +1,5 @@
|
||||
import '@angular/compiler';
|
||||
import '@analogjs/vitest-angular/setup-snapshots';
|
||||
import { setupTestBed } from '@analogjs/vitest-angular/setup-testbed';
|
||||
|
||||
setupTestBed({ zoneless: false });
|
||||
31
libs/ui/tsconfig.json
Normal file
31
libs/ui/tsconfig.json
Normal file
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"extends": "../../tsconfig.base.json",
|
||||
"compilerOptions": {
|
||||
"isolatedModules": true,
|
||||
"target": "es2022",
|
||||
"moduleResolution": "bundler",
|
||||
"strict": true,
|
||||
"noImplicitOverride": true,
|
||||
"noPropertyAccessFromIndexSignature": true,
|
||||
"noImplicitReturns": true,
|
||||
"noFallthroughCasesInSwitch": true,
|
||||
"emitDecoratorMetadata": false,
|
||||
"module": "preserve"
|
||||
},
|
||||
"angularCompilerOptions": {
|
||||
"enableI18nLegacyMessageIdFormat": false,
|
||||
"strictInjectionParameters": true,
|
||||
"strictInputAccessModifiers": true,
|
||||
"strictTemplates": true
|
||||
},
|
||||
"files": [],
|
||||
"include": [],
|
||||
"references": [
|
||||
{
|
||||
"path": "./tsconfig.lib.json"
|
||||
},
|
||||
{
|
||||
"path": "./tsconfig.spec.json"
|
||||
}
|
||||
]
|
||||
}
|
||||
26
libs/ui/tsconfig.lib.json
Normal file
26
libs/ui/tsconfig.lib.json
Normal file
@@ -0,0 +1,26 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"declaration": true,
|
||||
"declarationMap": true,
|
||||
"inlineSources": true,
|
||||
"types": []
|
||||
},
|
||||
"include": ["src/**/*.ts"],
|
||||
"exclude": [
|
||||
"src/**/*.spec.ts",
|
||||
"src/**/*.test.ts",
|
||||
"vite.config.ts",
|
||||
"vite.config.mts",
|
||||
"vitest.config.ts",
|
||||
"vitest.config.mts",
|
||||
"src/**/*.test.tsx",
|
||||
"src/**/*.spec.tsx",
|
||||
"src/**/*.test.js",
|
||||
"src/**/*.spec.js",
|
||||
"src/**/*.test.jsx",
|
||||
"src/**/*.spec.jsx",
|
||||
"src/test-setup.ts"
|
||||
]
|
||||
}
|
||||
29
libs/ui/tsconfig.spec.json
Normal file
29
libs/ui/tsconfig.spec.json
Normal file
@@ -0,0 +1,29 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": [
|
||||
"vitest/globals",
|
||||
"vitest/importMeta",
|
||||
"vite/client",
|
||||
"node",
|
||||
"vitest"
|
||||
]
|
||||
},
|
||||
"include": [
|
||||
"vite.config.ts",
|
||||
"vite.config.mts",
|
||||
"vitest.config.ts",
|
||||
"vitest.config.mts",
|
||||
"src/**/*.test.ts",
|
||||
"src/**/*.spec.ts",
|
||||
"src/**/*.test.tsx",
|
||||
"src/**/*.spec.tsx",
|
||||
"src/**/*.test.js",
|
||||
"src/**/*.spec.js",
|
||||
"src/**/*.test.jsx",
|
||||
"src/**/*.spec.jsx",
|
||||
"src/**/*.d.ts"
|
||||
],
|
||||
"files": ["src/test-setup.ts"]
|
||||
}
|
||||
28
libs/ui/vite.config.mts
Normal file
28
libs/ui/vite.config.mts
Normal file
@@ -0,0 +1,28 @@
|
||||
/// <reference types='vitest' />
|
||||
import { defineConfig } from 'vite';
|
||||
import angular from '@analogjs/vite-plugin-angular';
|
||||
import { nxViteTsPaths } from '@nx/vite/plugins/nx-tsconfig-paths.plugin';
|
||||
import { nxCopyAssetsPlugin } from '@nx/vite/plugins/nx-copy-assets.plugin';
|
||||
|
||||
export default defineConfig(() => ({
|
||||
root: __dirname,
|
||||
cacheDir: '../../node_modules/.vite/libs/ui',
|
||||
plugins: [angular(), nxViteTsPaths(), nxCopyAssetsPlugin(['*.md'])],
|
||||
// Uncomment this if you are using workers.
|
||||
// worker: {
|
||||
// plugins: () => [ nxViteTsPaths() ],
|
||||
// },
|
||||
test: {
|
||||
name: 'ui',
|
||||
watch: false,
|
||||
globals: true,
|
||||
environment: 'jsdom',
|
||||
include: ['{src,tests}/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}'],
|
||||
setupFiles: ['src/test-setup.ts'],
|
||||
reporters: ['default'],
|
||||
coverage: {
|
||||
reportsDirectory: '../../coverage/libs/ui',
|
||||
provider: 'v8' as const,
|
||||
},
|
||||
},
|
||||
}));
|
||||
@@ -30,7 +30,10 @@ nav:
|
||||
- "ADR-0006: ACL integration test provisioning": architecture/adr-0006-integration-test-provisioning.md
|
||||
- "ADR-0007: OpenZaak → NRC notification wiring": architecture/adr-0007-notification-wiring.md
|
||||
- "ADR-0008: Read projection store": architecture/adr-0008-read-projection-store.md
|
||||
- "ADR-0009: External-task job worker": architecture/adr-0009-external-task-job-worker.md
|
||||
- "ADR-0010: BFF OIDC validation": architecture/adr-0010-bff-oidc.md
|
||||
- Working in Gitea: gitea-workflow.md
|
||||
- Frontend decisions: frontend-decisions.md
|
||||
- Demo script: demo-script.md
|
||||
- Runbooks:
|
||||
- CI: runbooks/ci.md
|
||||
|
||||
120
nx.json
Normal file
120
nx.json
Normal file
@@ -0,0 +1,120 @@
|
||||
{
|
||||
"$schema": "./node_modules/nx/schemas/nx-schema.json",
|
||||
"namedInputs": {
|
||||
"default": [
|
||||
"{projectRoot}/**/*",
|
||||
"sharedGlobals"
|
||||
],
|
||||
"production": [
|
||||
"default",
|
||||
"!{projectRoot}/.eslintrc.json",
|
||||
"!{projectRoot}/eslint.config.mjs",
|
||||
"!{projectRoot}/**/?(*.)+(spec|test).[jt]s?(x)?(.snap)",
|
||||
"!{projectRoot}/tsconfig.spec.json",
|
||||
"!{projectRoot}/src/test-setup.[jt]s",
|
||||
"!{projectRoot}/jest.config.[jt]s",
|
||||
"!{projectRoot}/test-setup.[jt]s"
|
||||
],
|
||||
"sharedGlobals": []
|
||||
},
|
||||
"targetDefaults": {
|
||||
"@angular/build:application": {
|
||||
"cache": true,
|
||||
"dependsOn": [
|
||||
"^build"
|
||||
],
|
||||
"inputs": [
|
||||
"production",
|
||||
"^production"
|
||||
]
|
||||
},
|
||||
"@nx/eslint:lint": {
|
||||
"cache": true,
|
||||
"inputs": [
|
||||
"default",
|
||||
"^default",
|
||||
"{workspaceRoot}/.eslintrc.json",
|
||||
"{workspaceRoot}/.eslintignore",
|
||||
"{workspaceRoot}/eslint.config.mjs",
|
||||
"{workspaceRoot}/tools/eslint-rules/**/*"
|
||||
]
|
||||
},
|
||||
"@nx/esbuild:esbuild": {
|
||||
"cache": true,
|
||||
"dependsOn": [
|
||||
"^build"
|
||||
],
|
||||
"inputs": [
|
||||
"production",
|
||||
"^production"
|
||||
]
|
||||
},
|
||||
"@nx/js:tsc": {
|
||||
"cache": true,
|
||||
"dependsOn": [
|
||||
"^build"
|
||||
],
|
||||
"inputs": [
|
||||
"production",
|
||||
"^production"
|
||||
]
|
||||
},
|
||||
"@nx/vitest:test": {
|
||||
"cache": true,
|
||||
"inputs": [
|
||||
"default",
|
||||
"^production"
|
||||
]
|
||||
},
|
||||
"@angular/build:unit-test": {
|
||||
"cache": true,
|
||||
"inputs": [
|
||||
"default",
|
||||
"^production"
|
||||
]
|
||||
}
|
||||
},
|
||||
"plugins": [
|
||||
{
|
||||
"plugin": "@nx/eslint/plugin",
|
||||
"options": {
|
||||
"targetName": "lint"
|
||||
}
|
||||
},
|
||||
{
|
||||
"plugin": "@nx/vite/plugin",
|
||||
"options": {
|
||||
"buildTargetName": "build",
|
||||
"serveTargetName": "serve",
|
||||
"devTargetName": "dev",
|
||||
"previewTargetName": "preview",
|
||||
"serveStaticTargetName": "serve-static",
|
||||
"typecheckTargetName": "typecheck",
|
||||
"buildDepsTargetName": "build-deps",
|
||||
"watchDepsTargetName": "watch-deps"
|
||||
}
|
||||
},
|
||||
{
|
||||
"plugin": "@nx/vitest",
|
||||
"options": {
|
||||
"testTargetName": "test"
|
||||
}
|
||||
}
|
||||
],
|
||||
"generators": {
|
||||
"@nx/angular:application": {
|
||||
"e2eTestRunner": "playwright",
|
||||
"linter": "eslint",
|
||||
"style": "css",
|
||||
"unitTestRunner": "vitest-analog"
|
||||
},
|
||||
"@nx/angular:library": {
|
||||
"linter": "eslint",
|
||||
"unitTestRunner": "vitest-analog"
|
||||
},
|
||||
"@nx/angular:component": {
|
||||
"style": "css"
|
||||
}
|
||||
},
|
||||
"analytics": false
|
||||
}
|
||||
71
package.json
Normal file
71
package.json
Normal file
@@ -0,0 +1,71 @@
|
||||
{
|
||||
"name": "register-referentie",
|
||||
"version": "0.0.0",
|
||||
"license": "MIT",
|
||||
"scripts": {},
|
||||
"private": true,
|
||||
"dependencies": {
|
||||
"@angular-devkit/build-angular": "21.2.7",
|
||||
"@angular/common": "21.2.9",
|
||||
"@angular/compiler": "21.2.9",
|
||||
"@angular/core": "21.2.9",
|
||||
"@angular/forms": "21.2.9",
|
||||
"@angular/platform-browser": "21.2.9",
|
||||
"@angular/router": "21.2.9",
|
||||
"@utrecht/component-library-angular": "^3.0.2",
|
||||
"@utrecht/design-tokens": "^6.2.1",
|
||||
"angular-auth-oidc-client": "^21.0.2",
|
||||
"rxjs": "~7.8.0",
|
||||
"zone.js": "0.16.0"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@analogjs/vite-plugin-angular": "2.2.0",
|
||||
"@analogjs/vitest-angular": "2.2.0",
|
||||
"@angular-devkit/core": "21.2.7",
|
||||
"@angular-devkit/schematics": "21.2.7",
|
||||
"@angular/build": "21.2.7",
|
||||
"@angular/cli": "21.2.7",
|
||||
"@angular/compiler-cli": "21.2.9",
|
||||
"@angular/language-service": "21.2.9",
|
||||
"@eslint/js": "^9.8.0",
|
||||
"@nx/angular": "23.0.1",
|
||||
"@nx/devkit": "23.0.1",
|
||||
"@nx/esbuild": "23.0.1",
|
||||
"@nx/eslint": "23.0.1",
|
||||
"@nx/eslint-plugin": "23.0.1",
|
||||
"@nx/js": "23.0.1",
|
||||
"@nx/vite": "23.0.1",
|
||||
"@nx/vitest": "23.0.1",
|
||||
"@nx/web": "23.0.1",
|
||||
"@nx/workspace": "23.0.1",
|
||||
"@oxc-project/runtime": "^0.115.0",
|
||||
"@schematics/angular": "21.2.7",
|
||||
"@swc-node/register": "1.11.1",
|
||||
"@swc/core": "1.15.8",
|
||||
"@swc/helpers": "0.5.18",
|
||||
"@testing-library/angular": "^19.4.1",
|
||||
"@types/node": "20.19.9",
|
||||
"@typescript-eslint/utils": "^8.40.0",
|
||||
"@vitest/coverage-v8": "~4.1.0",
|
||||
"@vitest/ui": "~4.1.0",
|
||||
"angular-eslint": "21.3.1",
|
||||
"axe-core": "^4.12.1",
|
||||
"esbuild": "^0.27.0",
|
||||
"eslint": "^9.8.0",
|
||||
"eslint-config-prettier": "^10.0.0",
|
||||
"jiti": "2.4.2",
|
||||
"jsdom": "~22.1.0",
|
||||
"jsonc-eslint-parser": "^2.1.0",
|
||||
"nx": "23.0.1",
|
||||
"orval": "^8.19.0",
|
||||
"prettier": "^3.8.1",
|
||||
"ts-node": "10.9.1",
|
||||
"tslib": "^2.3.0",
|
||||
"typescript": "~5.9.2",
|
||||
"typescript-eslint": "^8.40.0",
|
||||
"vite": "8.0.9",
|
||||
"vite-tsconfig-paths": "^5.1.4",
|
||||
"vitest": "~4.1.0",
|
||||
"vitest-axe": "^0.1.0"
|
||||
}
|
||||
}
|
||||
18863
pnpm-lock.yaml
generated
Normal file
18863
pnpm-lock.yaml
generated
Normal file
File diff suppressed because it is too large
Load Diff
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user