Skip to content

Consolidate back-office into the account self-contained system with Entra ID Auth#876

Draft
tjementum wants to merge 44 commits intomainfrom
back-office-consolidation
Draft

Consolidate back-office into the account self-contained system with Entra ID Auth#876
tjementum wants to merge 44 commits intomainfrom
back-office-consolidation

Conversation

@tjementum
Copy link
Copy Markdown
Member

@tjementum tjementum commented Apr 28, 2026

Summary & Motivation

Collapse the back-office self-contained system into the account container and put authentication for the back-office subdomain behind Azure Container Apps built-in authentication (Easy Auth). The legacy back-office SCS, its Dockerfile, separate API, separate WebApp, and dedicated CI workflow are removed. The account container now serves both the public app (app.<host>) and the back-office app (back-office.<host>) on host-scoped routes, with EasyAuth enforced at the platform layer for the back-office host.

  • Add backend foundations: BackOfficeEndpoints, GetMe query, BackOfficeIdentityHandler for the X-MS-CLIENT-PRINCIPAL-* header contract, MockEasyAuthMiddleware for local development, and BackOfficeGroupRequirement for authorization
  • Add BackOfficeWebApp shell as a sibling to WebApp inside the account project, with its own routes, error pages, side menu, and translations, served via dual SPA hosting (HostScopedSinglePageApp + UseHostScopedSinglePageAppFallback)
  • Remove the entire application/back-office folder, the back-office.yml GitHub workflow, the back-office solution filter, and all references in AppHost, AppGateway, and the platform solution
  • Update main-cluster.bicep to drop the back-office container app and add container-app-auth-config.bicep so the account container app is provisioned with EasyAuth bound to the back-office subdomain; the cluster deploy script and account workflow are updated accordingly
  • Add Playwright smoke coverage for the back-office host in application/account/WebApp/tests/e2e/back-office-flows.spec.ts, plus subdomain-aware constants in shared-webapp/tests/e2e/utils/constants.ts
  • Fix runtime consolidation gaps surfaced after the move: endpoints are tagged with their target SPA host, the EndpointMetadataTests enforce the metadata, HostScopedSinglePageApp correctly resolves per-host fallbacks, and the back-office endpoint base test seeds an EasyAuth identity

Checklist

  • I have added tests, or done manual regression tests
  • I have updated the documentation, if necessary

tjementum added 18 commits April 27, 2026 11:12
@tjementum
Regenerate dev certificate when *.dev.localhost SAN is missing
808abec
@tjementum
Route AppGateway requests by host header to enable subdomain access
14f6cf8
@tjementum
Wire AppHost to publish per-host URLs and dashboard ordering
29711ce
@tjementum
Reload after tenant switch and recognize *.localhost as local dev
d3637ce
@tjementum
Migrate E2E base URL to subdomain and audit dev tooling
f0c34b1
@tjementum
Redirect naked localhost to canonical app URL
839fb8a
@tjementum
Pin OAuth callback URL to localhost in development
c7fe4e0
@tjementum
Make local port allocation a single source of truth via .workspace/po…
4435421 
…rt.txt
@tjementum
Accept base port as positional argument on pp run and pp restart
f80638b
@tjementum
Suffix Docker volume names with base port to isolate parallel Aspire …
c11529a 
…stacks
@tjementum
Switch Aspire MCP to stdio transport and document Aspire CLI install
3812dc2
@tjementum
Warn when Aspire CLI does not match Aspire SDK in AppHost.csproj
5071461
@tjementum
Add .claude/worktrees to .gitignore
f83b791
@tjementum
Accept basePort on MCP run and restart tools to match the CLI
5852226
@tjementum
Inject blob-storage connection string from Aspire so it works on any …
3b59d6c 
…base port
@tjementum
Allow pp run/restart in fresh worktrees and use fire-and-forget wordi…
11823af 
…ng in MCP
@tjementum
Drop CLI_ALIAS from agent docs so MCP fallback works in any worktree
7ac3606
@tjementum
Drop dead Aspire dashboard MCP config now that the stdio transport is…
373bd97 
… the only path
@tjementum tjementum added the Enhancement New feature or request label Apr 28, 2026
@tjementum tjementum self-assigned this Apr 28, 2026
@tjementum tjementum changed the title Consolidate back-office into the account self-contained system with Easy Auth Consolidate back-office into the account self-contained system with Entra ID Auth Apr 28, 2026
@tjementum tjementum moved this to 🏗 In Progress in Kanban board Apr 28, 2026
@tjementum tjementum added the Deploy to Staging Set this label on pull requests to deploy code or infrastructure to the Staging environment label Apr 28, 2026
@tjementum tjementum force-pushed the back-office-consolidation branch from 2294c40 to b972191 Compare April 28, 2026 17:45
tjementum added 14 commits April 28, 2026 20:53
@tjementum
Enable aspire and shadcn MCP servers in project settings
98167bd
@tjementum
Auto-pick base port for worktrees and drop CLI base port argument
474fdfa
@tjementum
Clarify interrupt hook message so agents that already saw the ID cont…
61b2501 
…inue
@tjementum
Reuse PortAllocation worktree candidate list in tests via InternalsVi…
1a4c638 
…sibleTo
@tjementum
Add backend foundations for back-office consolidation
1facf13
@tjementum
Add BackOfficeWebApp shell and dual SPA hosting
cfad568
@tjementum
Consolidate back-office into account container and remove legacy folder
df4a961
@tjementum
Update cloud infrastructure and CI for back-office consolidation
cfa36bb
@tjementum
Add end-to-end smoke tests for back-office host
6e0b800
@tjementum
Fix back-office runtime consolidation bugs
e26baeb
@tjementum
Rework back-office shell with avatar menu and rename Tenants to Accounts
8f20c28
@tjementum
Harden MockEasyAuth dev cookie with Secure flag and __Host- prefix
77a0c4f
@tjementum
Move MockEasyAuth picker to React with hero layout and dropdown controls
c9c55ff
@tjementum
Add back-office domain GitHub variables to deploy command
e735c31
@tjementum tjementum force-pushed the back-office-consolidation branch 3 times, most recently from e2c6abb to 858f9b0 Compare April 28, 2026 22:16
@tjementum tjementum force-pushed the back-office-consolidation branch from 858f9b0 to 4936ef6 Compare April 28, 2026 22:26
@tjementum tjementum force-pushed the back-office-consolidation branch from 4936ef6 to 06c0573 Compare April 28, 2026 23:02
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 29, 2026

Quality Gate Failed Quality Gate failed

Failed conditions
1 Security Hotspot
4.9% Duplication on New Code (required ≤ 4%)
E Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@tjementum tjementum

Labels

Deploy to Staging Set this label on pull requests to deploy code or infrastructure to the Staging environment Enhancement New feature or request

Projects

Kanban board
Status: 🏗 In Progress

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tjementum