Nicolas Cantu
cfa1f435cb
Initial state: - HTTP proxy utilities (Bearer parsing, hop-by-hop headers, body limits, safe path validation) were duplicated between smart-ide-sso-gateway and smart-ide-global-api. - IA_DEV_ROOT auto-resolution order differed between bash (ensure-ia-dev-project-link.sh) and TypeScript (ia-dev-gateway getIaDevRoot), and could fall back to non-existing paths. Motivation: - Reduce duplication and drift across proxy layers. - Enforce consistent, explicit IA_DEV_ROOT behavior across scripts and services. Resolution: - Add package @4nk/smart-ide-http-utils and reuse it from smart-ide-sso-gateway and smart-ide-global-api. - Align IA_DEV_ROOT resolution to prefer ./services/ia_dev then ./ia_dev; fail fast when missing/misconfigured. Root cause: - Cross-service utilities were implemented ad-hoc in each service. - Historical layout transitions (ia_dev gitlink vs vendored services/ia_dev) left multiple resolvers with different priorities. Impacted features: - HTTP proxy chain (SSO gateway -> global API -> upstream services). - ia-dev-gateway startup/operation when IA_DEV_ROOT is missing or invalid. Code modified: - packages/smart-ide-http-utils/** - services/smart-ide-global-api/src/server.ts - services/smart-ide-sso-gateway/src/server.ts - services/ia-dev-gateway/src/paths.ts - scripts/ensure-ia-dev-project-link.sh Documentation modified: - docs/system-architecture.md - docs/ia_dev-module.md - docs/repo/README.md Configurations modified: - services/smart-ide-global-api/package.json - services/smart-ide-sso-gateway/package.json Files in deploy modified: - None Files in logs impacted: - None (runtime logs only) Databases and other sources modified: - None Off-project modifications: - None Files in .smartIde modified: - None Files in .secrets modified: - None New patch version in VERSION: - 0.0.6 CHANGELOG.md updated: - yes
smart-ide-sso-gateway
HTTP gateway that validates user access tokens from the docv / Enso OIDC issuer, then forwards requests to smart-ide-global-api, which proxies to internal smart_ide micro-services using each service’s technical credentials (Bearer or X-API-Key).
Responsibilities
- Verify
Authorization: Bearer <access_token>with JWKS (OIDC_ISSUER, optionalOIDC_AUDIENCE, optionalOIDC_JWKS_URI). - Expose
GET /healthwithout auth. - Expose
GET /v1/token/verifyandGET /v1/upstreamswith user Bearer (upstream keys from@4nk/smart-ide-upstreams). - Proxy
ANY /proxy/<upstream_key>/<path>to smart-ide-global-api (GLOBAL_API_URL,GLOBAL_API_INTERNAL_TOKEN), which relays to the target service and adds upstream auth plusX-OIDC-Sub/X-OIDC-Emailwhen present in the JWT.
Structured request logs (except GET /health and OPTIONS) are appended to .logs/sso-gateway/access.log under the monorepo root.
User accounts, project membership, and product databases stay in each application’s backend (docv, Enso, etc.); this gateway does not store them.
Run
Start smart-ide-global-api first, then:
cd services/smart-ide-sso-gateway
cp .env.example .env # edit OIDC_ISSUER, GLOBAL_API_INTERNAL_TOKEN (match global API)
set -a && source .env && set +a
npm ci
npm run build
npm start
Default listen: http://127.0.0.1:37148.
Micro-service URLs and tokens are configured on smart-ide-global-api (services/smart-ide-global-api/.env.example or aggregated config/services.local.env).
Documentation
- Feature:
docs/features/sso-gateway-service.md - API:
docs/API/sso-gateway-api.md - Global API:
docs/API/global-api.md