fix: jwt oversized + undefined errors + many things (#2455)

https://www.notion.so/fabnummas/27-02-2025-Erreurs-d-authentifications-sur-EgaPro-1a8653b7be07806fbd22f12c9ba9a3a4

* fix: logger error

* fix: proconnect url in env vars

* fix: split urls and add scope plus client id

* fix: manage org url

* fix: multiple organisations

* personal information

* add prod configmap

* update preprod/dev configmap

* fix typo

* remove client id

* configmap ref

* fix: use system ca

* fix: use system ca

* fix: use system ca

* fix(dev): update dev setup to allow proconnect on local run

* fix: use system ca

* fix: use system ca

* feat: use fabriqueKeycloak provider on charon

* fix: kontinuous

* fix: client id keycloak client

* fix: remove oci helm image of kontinuous dependencies

* chore: wip

* fix: add redis chart & rebase !2459

* fix: replace argon2 by deterministic hash

* fix: maxTtl

* fix: redis prefix

* fix: add redis-auth secret

* fix: mount redis creds

* fix: remove keyPrefix

* fix: redis host and fullnameOverride

* fix: app needs redis

* fix: redis

* fix: type

* fix: types

* fix: types

* fix: don't use passwordFile in redis

* fix: don't use passwordFile in redis

* fix: log redis error properly

* fix: log redis error properly

* fix: disable redis restart on deploy

* fix: redis svc lookup

* fix: annotations

* fix: log next auth error properly

* fix: log jwt trigger

* fix: log jwt trigger

* fix: add logs

* fix: run in dev mode to allow debug server

* fix: lsiedfuvgnhbsiugnoqi"bgyfceuiy

* fix: redis disable restart

* chore: debugging the hard way

* fix: catch errors

* fix: restore dockerfile

* fix: filter

* fix: siret/siren

* fix: found main issues and draft plan to correct

* fix: last issues fixed & cleanup before deploy

* fix: docker build

* fix: docker build

* fix: cleanup

---------

Co-authored-by: fjeannot <[email protected]>
Co-authored-by: Kévin Sztern <[email protected]>
Co-authored-by: devthejo <[email protected]>

.kontinuous/Chart.yaml

@@ -0,0 +1,5 @@
+dependencies:
+- name: redis
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 20.10.1
+  condition: "redis.enabled"

.kontinuous/config.yaml

@@ -1,8 +1,3 @@
 projectName: egapro
 ciNamespace: ci-egapro
 repositoryName: egapro
-
-dependencies:
-  fabrique:
-    extends:
-      - name: ovh

.kontinuous/env/dev/templates/egapro.configmap.yaml

@@ -0,0 +1 @@
+../../preprod/templates/egapro.configmap.yaml

.kontinuous/env/dev/templates/redis-auth.sealedsecret.yaml

@@ -0,0 +1 @@
+../../preprod/templates/redis-auth.sealedsecret.yaml

.kontinuous/env/dev/values.yaml

@@ -17,4 +17,7 @@ app:
     MAILER_SMTP_SSL: "False"
 
 maildev: {}
-pgweb: {}
+pgweb: {}
+
+redis:
+  architecture: standalone

.kontinuous/env/preprod/templates/egapro.configmap.yaml

@@ -0,0 +1,10 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: egapro
+data:
+  EGAPRO_PROCONNECT_SCOPE: "openid email profile"
+  EGAPRO_PROCONNECT_DISCOVERY_URL: https://keycloak.undercloud.fabrique.social.gouv.fr/realms/atlas
+  EGAPRO_PROCONNECT_SIGN_IN_URL: https://keycloak.undercloud.fabrique.social.gouv.fr/realms/atlas/control-plane-egapro-preprod
+  EGAPRO_PROCONNECT_MANAGE_ORGANISATIONS_URL: https://keycloak.undercloud.fabrique.social.gouv.fr/realms/atlas/account
+  EGAPRO_PROCONNECT_PERSONAL_INFORMATION_URL: https://keycloak.undercloud.fabrique.social.gouv.fr/realms/atlas/account

.kontinuous/env/preprod/templates/moncomptepro.sealed-secret.yaml

@@ -6,12 +6,12 @@ metadata:
   name: moncomptepro
 spec:
   encryptedData:
-    SECURITY_MONCOMPTEPRO_CLIENT_ID: AgCOs6T3jUF2GfqKhYmJWdxLN8ynaGFPb8hO/V/0PtViAoH9FsI8I/yJNQUPvaCseYRxViSy4BxnCOse1vRJQdgSprAlD95Qp3O6D8I3+W+rqZW2PJW6e5cewz+mA6MbIQyfPySKs9NpUrRm3CwEFPond+PJrpclUKeYMutC6MNejW/hteHse/uwWMDYLqrClJshp/stbpZpAF5/mrWoiPrFTQWTTtrbiBUXeygWXSYlsgH2LEjjopel1hpJfUvUAXcf2shiMFGtHQl91HNYJsSgZiqTmYhGf/KAzju87Idk8lnGwuciKkv5LIb9CnbXrGUsyGfOJpudsyXwKrvJVWogUL7jIuMjxiZWT68ep1eqd6ugBpM8TdMtU/VNbIy3ATL0przhzN7iZtR7+LlIOu0NAqc8lcDXzX18ttLO71V6bkbmY1WRZqEqgruYNkhLpmuZagHo3r5HuW6bppbgrXy+omQXyHcLBRSaiaMlRDY391I66eo3fLjDu6Bc7fGa1cADUu1lsAVts6Iecj9fNF/ARWatTmI2Tc5N1DZyRTdFSseLOxHJckENP3Lu4BLzJPoqyBVuiL/c/juYJ9VjDVUN1mIA6IIN7wqqVBc3z1td1qOTy4E+orFpF1gTYqIOkPEtWVcWUr5tJqPTaoxBQcJeAF1EKSOrAyZ9s4FdnR3rT9b6sa+hgbbN4WctQ8Vj755SoghA8ZV/b+35copp9ERNqU2UUPsUR1lG4RCApqyHrh8R4pfGxpzl6y3XvTSpworCwM0zCcKzJMA5p22Ot2WA9JWvon2R0PvgsxkG7FiGFmhKXXDAsl6o7hfvsF8+YdMcdHlyBc5Dcu7AGqKCjt4fZSzwHlKUIoDZioAfTo4MNg==
-    SECURITY_MONCOMPTEPRO_CLIENT_SECRET: AgCU/k8ujHNEaHFTIeoXg1PshppUO17YT7mPlLxAO8DscwNJkL7HaAdbn08LyYNOY/IGIg2UxveiaTuRziT2I+aeFmuv8kc9Wh1s+f3SkgLcpPb4uWdWV5rEAkmjkGLv+29uji35FTPmf+j6C7lXmuETRyfXuszo8mHnuTlzWpeBV4FPeYC9vh8yDv15OTd8ulmJnKuCRYDuHKOCWb0+RMvGtD8xTyOgAcnUXYWl12dQce8AUgkczbGtTMZxajQQ03uimvO/17KxlGd/duzjv3ggFN7zQ4Y5PkvCeBBQt7QxH2iMiZ1Z6dk8h97+beK1WXHaoK3hXRbHdaKEz3+XXnQWE9lkRjMU/OGZfDl5bHzhYcvK2oXQ5YMgjK+5QcnaMNbeZBbl7OFfxrBwvxI+89a6MkzLfMNhhIwzP/ZCSXpCt3Y8YiLN0XiEo0c69G9vaY89mC7pnayUw5+LqPTumxgC2MJrTpFZQYkcAG68O7A/JoIihRC7m9wKM1sDMCKAV/CutjKJuVz/MJKrYC0f/gYO6ZaVpSzFY6tc2aaCHvD1ORRrL3NdkBHW3SK4edIVcUflmwVoNTR0lXAEtDlFM42RPBZ8cjMhpKNv70M9CMPQ8QWVxWPl9WwaobtO+i58HKza+V8C6HyEjonvm8+QY//Doo9JdRxIjcwIHSi1N4lmdQHEQZZpf37dsjTazsV6/1KK1XgQ03TODTrbhQpLmL3DQhhkacx0skmWC3P1FzM5GiqCAhsP6k/bLOwCGqrvb2D8uqhGfs2YWTM+MrJ7f8o4vVr8RzJQ5j6VPKNhAdQNfE86HaJ90TvAVmHmqcqdjXo6S0uFZ+T3B3VCkgtzv/mif97K2Y9snxqDPOqi2Hc2BA==
-    SECURITY_MONCOMPTEPRO_TEST: AgAA+yFcv5NRnZCZGCtINnxfDnP8To5cLOWR1LgzCUzLSPqTPG42NGmUAaNqiDCOCFAqH63iZwgEbpaJhj0FeK7iGwC66SjcwhwdC8oSTSDYpHXLyFDW07DwVyac6oygFkJ/YvgUJiiVxBnu5QfgTI4YLqGNlVDfaFvVbq7cxWiUmdDhlWZgkia882Tjq6OX0VAQ4osA7KuK18vzBA317IXWioS0uHE6mPfcdXnIh8EOjY+249ETjlXYeYfS8QKntfUp3II/69Bt35zlBWxs+iJNkdLhXZRhTV0EjVyWK3AcONP+6AJtVSJ/2tO1zsVJGymDXpmZPLKJQ7dhLH8MaBpIsr8w9aT+xSEkAxzTnx4dZWHDk0F6ExmCFcxsSRbgOKP8YhqeNbiXmZDwyUYm3PBNZf+gruHMRWELjH8GwRaEXO14dyL2t0gRpY4gslCvZ7fMXGEDCAXBCJZ9xuBLOkzq+r53GE6HdX/u4J+wgjsTbtRL9RmFrHhDpb63xzkA9wV6YKDCQsyLwrzknDPmTXtcE7b2U5JdN0SamqB4eEXJF11KCNNVaUcWPLr+vnZ5sozeg+EC3+7kDbfJqCRVm2s+CtNVyF1SiKxGnGvoLFRj6XK98Obs4IK/tXqRRRhinUpblgXIFsXRupGokY8yAOkWVAKh5jNgZexN/JRreRY6DknLcRIySPh1v548n+yAbOcUf9EJ
+    SECURITY_MONCOMPTEPRO_CLIENT_ID: AgACx+9ZL8fVsnevkgQcfwAlirko3mgWlerBPa2JZzKY332Q17kw0qTKEPCl+Z9ZplR+/eEJ8T7sk/cyc4y5M5W5MuuZ7dHpBOU5td1f+F59VT1QFCbYsD2MHHjcDKXXOLV17M114+Yt1AV9LAYOT8DyvSC4u13OrNnsLblmT00oCQGms1Vnpr8EtGF0jl7ALnX1G5lQU9KXA0Zj4pggMMTVHqEtc4jd/zWG3c8j1reoaSp4FtPa4XG/+NtzaCnkxomyRPLllm4VnYFqJTPucmI9omHSbUKihE40YM8XJCEBsit/csGId0HdH5ED8Zbc28Q9P5UVzBic0YFhlAHaIFEmvqX7s5UwRAgkLexjndpxYMeZpbqf4wqkLdRuHad05+/LOEe5pi501TYjgv+MTxAq420/9zLp13GMjYV6LwykXElzcqzQDf7QxjfT6C5d2Q40HO1gE1Qp8/2rFnJkE919N+wApG2jVw4EfVBCT/hbDrAVFE8K6qh4AKE3Mmihf3p+C2Gu7DV8GbFScWO4a2k1BECDwmDc9MNM6EHKsl51jzeR0DO8KTkg9njAKtkPbuMFL7c/+Jlaj/6LOgY0jfgjRLCFZP2Tu31KZu3x2oGRcA+8aOxW3Wz0fdhI0U21ye6fPjIBglX2Okpo+hOM3vSrOhJLlPKbNAYbnbJoj9VeK0xQ1ClgTTnAWfTDu4H+C3NiVzTH6w4hdGTtA6psR5qEKOTmWXYQSL3Qp68d
+    SECURITY_MONCOMPTEPRO_CLIENT_SECRET: AgCtHpd05c/oH8BSkosTRVzFNsNRwke7VfMp66RnGA6z6YH7rWgDP5aYMq7E03i0hMVjfA+Fw6GG+9Gzq1y/I8q+Pa9SCpFOC70/eS4C2xw7ucWzFERLciARzOq0xlPwyuupk9+KlYg/voH35bVxixlL+hroXeoJFp281Rwsz9UFGII+adpny3puucmvqOPKC6pdlONwypxaFCluFnaqynEkpEEwH6tyT4sa+sFJIr67rJh2sGzEqqQDyyglEDISheGblezWUzfW2s9K9xuTieGnDaDAJSfiOgfv3D6kMi5PHQUtbQ644K3I6K/XAbEDu1w4+O78HgSenGsUORVxJBdC0nCEg+JHcV2iD62VfJWc5k3PRlGmZ/3BUcDGcxzEzE/7LLy7S0aw1py8x/mhhO2pqfZJdOxEs6iVaX0bJKxhwEiXA54VtSRFaCf5pR5TnJ2Bvoqe1g0/tGpGq6RN5QnkzxBduX8gziHpwrQwboQ8YTXKQMVfPCM8MDm03e3jdzFtMkeCbUvSrzPnuiePOr7KnRyN3Q6NY8ea2MZ4KOHyQhb0kCbbQywuzQvNC+C1BehTm9J2D4gIRyAJdVKpkhJuKuRRfBOkp8Bt/znJKAsZUonR5i/gdxSefVCJmh4D5Py2OzGNuQltWNRa45soguRX0DNH1aC3BRMr9sRRdqr7D7fWvtaYYJBNet2+g3zWzfk=
+    SECURITY_MONCOMPTEPRO_TEST: AgBjZAKXbE2jveXQf0KhCiJy8WQkphf1PBG79fveCxYSF/9UoLVymprridlnxkQpEKjZLIMFfnFNZGl7F4Nvmz02zvH8oSVyLJboyc7hlAOu9QR0Ln6eUBtdjwRg2wAzZDBlJMDR0wJ6r27L7o1h5Y4sDXAY4oxs8C4nmQGBO1pe58lmxUj/QFwXTxFRhckhQTYMQjQdPYZ9GNzh2LMMo7EX0sdw6NEs+a4CbRni8Gm9PozupCJUIXFHNUiLOpOsfATjie1jpc35W8UjSjMm4ykZAmzi4Gz8OLu+CWujytLv395AlvAEiQVQETAAO476XWBDTfMW6OZQibAQcUxLQoG8KC/L+3/Mw+qrGO1J6WZntQgTfsrcDyVHgNd7xoHqrrSNe+Gc6S86YUFFejdwcAUYzkMo0sUJYEVcHgh1BG194T/p9zIZMyANdSA8Fs+Xip1ZTDD4nYmNO0kbk++jSoBBVZtt+XfqdxLSDbMDfDyPETCWU+sfeA7Y/P01bGWRcnOiyZcw+ZBDUEAzeySfffo9vtmyHDO1ZluYNRDYOPeCGV3KzPzQnjOMXdvrvnYl5OSzzEDCR+qcoZDXK9kMQ9FJ+UfgN5GB7wAQXD5TYGLKgwJSuLWzxoq85a/62MwrfjGbSvyvFo2vPwX4kpIyxfXfafLLRpdaEoTS1A9pGalU413NHbHq5Mdu9Fk1DSC/EyotKlLmdQ==
   template:
     metadata:
       annotations:
         sealedsecrets.bitnami.com/cluster-wide: 'true'
       name: moncomptepro
-    type: Opaque
+    type: Opaque

.kontinuous/env/preprod/templates/redis-auth.sealedsecret.yaml

@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: 'true'
+  name: redis-auth
+spec:
+  encryptedData:
+    REDIS_PASSWORD: AgAa9HeRViyTc4lbQrdG5+8mUUz+2XQAevYQdlLqjny6VvxtGccsPn43cccGX8ljfuKOMwWdmWIYtojoJHbSF1Aje+ZNufnU45dzfgRib/lmjs1dDDa/vL9x5l5Ap/4LHkRZF0GU+H9fRGmWvBQf1fwAurqRFuCRVC9RMA1aKaZxnyrWniM+nx35cs+idjVdgNcy8v1Z5bxVaCX+RS8xzwjkw5FRZNUKJ1OB4C6Rf/XbijfreLUruW/MSM9vxBj4GP9whXTWD3rnMvUn9/MollOFYqx0GXPif6Nd0qVSlRTbWpU0JaYZYXFM2PTCWFg0XrCQSDWf/TCqH2TEz5JMtN/6Qe55aULYJSS0ceTLgUw/mlC7WdosIWERaXqWWi2juOudWR6wKKPKSGVKCVImBA5GN0Ntkrp61iFQNsTfN+rbUYkWDNs4/E3B9GFc3iAluqJglTBVSnsUvkUNGOG2Fud5me8+SXWWcMlymg74Wj88TRep3I84yDd/wXIUdY0m9lsvH352XuU7R9it7ybk7nUI0p+1WP347anEXxxGz3NmFH/RxsgxW1Sz5UkeiNp2XZADQllXOA0MyqxhcaoISrT6xZ9saNaayuBiQC/b4WNfPmHHFJDytva8dbuVw20nDK/5DsQP+bxgHm3WLS3PSKSqOiAMc/JfiSlCmX9QCsNzMDGzFtcDYAc6cWXkPFJVjRiO5yxZ/Eq01gL1NP706M5g
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: 'true'
+      name: redis-auth
+    type: Opaque

.kontinuous/env/preprod/values.yaml

@@ -31,4 +31,8 @@ app:
       memory: 1G
 
 maildev: {}
-pgweb: {}
+pgweb: {}
+
+redis:
+  sentinel:
+    enabled: true

.kontinuous/env/prod/templates/redis-auth.sealedsecret.yaml

@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/namespace-wide: 'true'
+  name: redis-auth
+  namespace: egapro
+spec:
+  encryptedData:
+    REDIS_PASSWORD: AgBncuzYLOZzxnCjkehUxFZupFYIuVTmJzIeyb+5ZOpYpZUudNatQBn1SGOxM5WelgrxHiOeSU91IIFGCMbxOV32dY3VNRO+kgjhDVCcJJv5T0S9QBzRASmU/Dh0HBYydQ7zUbHeb1XfNhTVroI53JbjTX5Q5gw/Pf8tc7gkp1latKlwsbCJJon4ueiHQJmJOVVeq8m00vGcmz48jFLJmUR4eCFpO1Zr4+IOkva8iperUOIydXmQxG7j8MVjW+pNQWYQN5aVuzFnja0b7VCCuuKiZCQlwgtghFcPMNV+T5ERSP9nNDRxLMXpnLz1j41wtPydfNK+BNHgB+Oc6+hqHubyC+ET0FUbCUGx2mIkLN4iJLhbifWqCxLfN8tf35eyEOB7smkV2r5UBHZ+q1EuUCSFapJWiOwWsGXX/UeBTq674cst7hRqOr+pNDR55By3Bfco64qAq98dG8sbLw6bObEtjoTPN8m6RnoSYrBAusjz//8cG3XNixINGpfvRDS6PVHgu6TWDQ2t79Sm7+HIoNHAHj07dCFIW2HHPoUP+fC43hzGgIdHN+pTg/fGkQDPN3CbR3meemwtAz19tR9+T6jS8fN0YkNy0YVRlZyVnAJeTZmxmZ065fUNRMZ7oLrd9QgXM7n7oNGzZqkBqs6HXMTIwPL+ILFeaqhN/qz9C6hTFekCrRDh7eJq1fcThGyZeZhHxB8KgjLzjW8JMgvH1t/N
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/namespace-wide: 'true'
+      name: redis-auth
+    type: Opaque

.kontinuous/env/prod/values.yaml

@@ -69,3 +69,6 @@ nginx:
       cpu: 2
       memory: 2G
 
+redis:
+  sentinel:
+    enabled: true

.kontinuous/patches/patch-redis.js

@@ -0,0 +1,10 @@
+module.exports = async (manifests, _options, context) => {
+  for (const manifest of manifests) {
+    if(manifest.kind==="StatefulSet" && manifest.metadata?.labels?.["app.kubernetes.io/name"] === "redis"){
+      if(!manifest.metadata.annotations){
+        manifest.metadata.annotations = {}
+      }
+      manifest.metadata.annotations["kontinuous/plugin.forceRestart"] = "false"
+    }
+  }
+}

.kontinuous/templates/egapro.configmap.yaml

@@ -0,0 +1,10 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: egapro
+data:
+  EGAPRO_PROCONNECT_SCOPE: "openid email profile organizations phone"
+  EGAPRO_PROCONNECT_DISCOVERY_URL: "https://identite.proconnect.gouv.fr"
+  EGAPRO_PROCONNECT_SIGN_IN_URL: "https://identite.proconnect.gouv.fr/users/start-sign-in"
+  EGAPRO_PROCONNECT_MANAGE_ORGANISATIONS_URL: "https://identite.proconnect.gouv.fr/manage-organizations"
+  EGAPRO_PROCONNECT_PERSONAL_INFORMATION_URL: "https://identite.proconnect.gouv.fr/personal-information"

.kontinuous/values.yaml

@@ -27,7 +27,7 @@ global:
 
 app:
   ~chart: app
-  ~needs: [build-app]
+  ~needs: [build-app, redis]
   imagePackage: app
   probesPath: /healthz
   containerPort: 3000
@@ -44,6 +44,10 @@ app:
         name: "moncomptepro"
     - secretRef:
         name: github-oauth
+    - configMapRef:
+        name: egapro
+    - secretRef:
+        name: redis-auth
   env:
     - name: SENTRY_AUTH_TOKEN
       valueFrom:
@@ -65,6 +69,7 @@ app:
     SECURITY_JWT_SECRET: "$(EGAPRO_SECRET)"
     NEXT_PUBLIC_EGAPRO_ENV: "{{ .Values.global.env }}"
     NEXTAUTH_URL: "https://{{ .Values.global.host }}/api/auth"
+    REDIS_HOST: "redis-master"
 
 nginx:
   ~chart: app
@@ -136,6 +141,14 @@ api:
 pg:
   ~chart: pg
 
+redis:
+  fullnameOverride: redis
+  ~tpl~namespaceOverride: "{{ .Values.global.namespace }}"
+  auth:
+    existingSecret: redis-auth
+    existingSecretPasswordKey: REDIS_PASSWORD
+    usePasswordFiles: false  #  Remove when https://github.com/bitnami/charts/pull/32215 is merged
+
 files:
   ~chart: app
   ~needs: [build-api,build-files] # sidecar image

.tool-versions

@@ -0,0 +1 @@
+nodejs 20.18.3

docker-compose.yml

@@ -5,11 +5,11 @@ services:
     image: djfarrelly/maildev
     command: bin/maildev --hide-extensions STARTTLS
     ports:
-      - "${MAILDEV_SMTP_PORT}:${MAILDEV_SMTP_PORT}"
-      - "${MAILDEV_WEB_PORT}:${MAILDEV_WEB_PORT}"
+      - "${MAILDEV_SMTP_PORT:-1025}:${MAILDEV_SMTP_PORT:-1025}"
+      - "${MAILDEV_WEB_PORT:-1080}:${MAILDEV_WEB_PORT:-1080}"
     environment:
-      MAILDEV_WEB_PORT: ${MAILDEV_WEB_PORT}
-      MAILDEV_SMTP_PORT: ${MAILDEV_SMTP_PORT}
+      MAILDEV_WEB_PORT: ${MAILDEV_WEB_PORT:-1080}
+      MAILDEV_SMTP_PORT: ${MAILDEV_SMTP_PORT:-1025}
     restart: always
 
   api:
@@ -127,4 +127,4 @@ volumes:
   pgdata:
   pgadmin:
 
-  api_egginfos:
+  api_egginfos:

packages/app/.env.development

@@ -37,7 +37,7 @@ POSTGRES_PASSWORD=postgres
 # old EGAPRO_DBNAME
 POSTGRES_DB=egapro
 # old EGAPRO_DBPORT
-POSTGRES_PORT=5438
+POSTGRES_PORT=5437
 # old EGAPRO_DBHOST
 POSTGRES_HOST=localhost
 # old EGAPRO_DBSSL
@@ -48,8 +48,7 @@ POSTGRES_POOL_MIN_SIZE=2
 POSTGRES_POOL_MAX_SIZE=10
 
 ## Misc
-EGAPRO_ENV=dev
-EGAPRO_READONLY=false
+EGAPRO_ENV=dev EGAPRO_READONLY=false
 EGAPRO_DOMAIN="https://index-egapro.travail.gouv.fr"
 EGAPRO_STAFF=""
 EGAPRO_USE_API_ENTREPRISE=false
@@ -63,6 +62,12 @@ EGAPRO_SITE_DESCRIPTION="Egapro"
 # (not used?)
 EGAPRO_ALLOW_ORIGIN="*"
 
+EGAPRO_PROCONNECT_DISCOVERY_URL="https://keycloak.undercloud.fabrique.social.gouv.fr/realms/atlas"
+EGAPRO_PROCONNECT_MANAGE_ORGANISATIONS_URL="https://keycloak.undercloud.fabrique.social.gouv.fr/realms/atlas/account"
+EGAPRO_PROCONNECT_PERSONAL_INFORMATION_URL="https://keycloak.undercloud.fabrique.social.gouv.fr/realms/atlas/account"
+EGAPRO_PROCONNECT_SCOPE="openid email profile"
+EGAPRO_PROCONNECT_SIGN_IN_URL="https://keycloak.undercloud.fabrique.social.gouv.fr/realms/atlas/control-plane-egapro-preprod"
+
 ## Security
 # old EGAPRO_SECRET
 SECURITY_JWT_SECRET="sikretfordevonly"
@@ -77,4 +82,4 @@ SECURITY_GITHUB_CLIENT_ID=
 SECURITY_GITHUB_CLIENT_SECRET=
 SECURITY_CHARON_URL="https://egapro-charon.ovh.fabrique.social.gouv.fr"
 
-EMAIL_LOGIN=true
+EMAIL_LOGIN=false

packages/app/Dockerfile

@@ -50,6 +50,7 @@ RUN --mount=type=secret,id=sentry_auth_token export SENTRY_AUTH_TOKEN=$(cat /run
 RUN yarn workspaces focus app --production && yarn cache clean
 RUN mkdir -p ./packages/app/node_modules
 
+
 # Runner
 FROM node:$NODE_VERSION AS runner
 

packages/app/package.json

@@ -35,6 +35,8 @@
     "http-status-codes": "^2.3.0",
     "i18next": "^23.5.1",
     "immer": "^10.0.2",
+    "ioredis": "^5.5.0",
+    "jose": "^6.0.8",
     "js-xlsx": "^0.8.22",
     "jsonwebtoken": "^9.0.1",
     "lodash": "^4.17.21",
@@ -44,7 +46,6 @@
     "next": "14.0.4",
     "next-auth": "^4.24.5",
     "nodemailer": "^6.8.0",
-    "pg": "^8.8.0",
     "pino": "^8.17.2",
     "pino-pretty": "^10.3.1",
     "postgres": "^3.3.2",

packages/app/src/api/core-domain/infra/auth/ProConnectProvider.ts

@@ -7,6 +7,7 @@ export interface Organization {
   is_external: boolean;
   is_service_public: boolean;
   label: string | null;
+  siren: string;
   siret: string;
 }
 
@@ -22,22 +23,20 @@ export interface ProConnectProfile {
   updated_at: Date;
 }
 
-const ISSUER = (appTest: boolean) => `https://identite${appTest ? "-sandbox" : ""}.proconnect.gouv.fr`;
 export function ProConnectProvider<P extends ProConnectProfile>(
   options: OAuthUserConfig<P> & { appTest?: boolean },
 ): OAuthConfig<P> {
-  const issuer = options.issuer ?? ISSUER(options.appTest ?? false);
+  const scope = process.env.EGAPRO_PROCONNECT_SCOPE;
+  const proconnectDiscoveryUrl = process.env.EGAPRO_PROCONNECT_DISCOVERY_URL;
 
   return {
     id: "moncomptepro",
-    name: "Mon Compte Pro",
     type: "oauth",
-    wellKnown: `${issuer}/.well-known/openid-configuration`,
+    name: "Mon Compte Pro",
     allowDangerousEmailAccountLinking: true,
+    wellKnown: `${proconnectDiscoveryUrl}/.well-known/openid-configuration`,
     authorization: {
-      params: {
-        scope: "openid email profile organizations phone",
-      },
+      params: { scope },
     },
     checks: ["pkce", "state"],
     userinfo: {