Work Request Portal – Production v1 Release Notes
Overview
This Production v1 release (🎉) of the Work Request Portal delivers:
- A hardened, OTP-based authentication flow with a Web BFF and strong security guarantees.
- A full submissions (work request) experience with dynamic forms, validation, and CLNG/Mackinac integration.
- Reliable background processing via Worker + Redis/BullMQ with Microsoft Entra authentication.
- Improved UX, styling, and stability across web, API, and worker services.
Authentication & Security
Auth0 Passwordless & BFF Architecture
- Implemented Auth0 passwordless authentication with tenant domain gating.
- Introduced a Web Backend-for-Frontend (BFF) for Auth0 passwordless flows.
- Forced Authorization Code Flow for Auth0 passwordless magic links.
- BFF Phase 1:
- Moved passwordless start flow into the Web app.
- Enforced Auth0 authorization code flow.
- Added internal API precheck.
- Unified session cookie behavior.
- BFF Phase 2:
- Removed public API auth endpoints.
- Added internal JWT-based authentication for Web/API communication.
Transition to OTP-Only Authentication
- Added PKCE (S256) to passwordless flow for both start and callback exchange.
- Added PKCE state expiry checks for enhanced security.
- Switched passwordless to OTP (email code) only; removed magic link flows from Web.
- Implemented Work Request MVP with OTP redirect and full CRUD behind an auth wall.
- Fixed OTP verification endpoint to return JSON instead of redirect for better client handling.
- Enforced OTP-only authentication wall, removed all magic-link UI, and added robust post-auth redirects.
- Fixed OTP auth redirect edge cases:
- Redirecting to localhost without port.
- Correct handling of
next=%2Fparameters.
Security Hardening
- Enforced precheck decision validation at OTP issuance and callback.
- Fixed OTP bypass vulnerability in domain validation.
- Corrected session JWT creation to use signed tokens instead of base64url-encoded JSON.
- Fixed JWT test failures caused by jsdom/Node environment mismatch.
Work Request / Submissions Experience
Core Submissions Flows
- Implemented Work Request Portal MVP with:
- Auth-gated redirect into the submission flow.
- Full CRUD functionality for submissions.
- Added Submission create + list flows with:
- E.164 phone number validation.
- PAN business rules enforcement.
- Replaced
/work-requestsroutes with/submissionsthroughout the application. - Fixed 500 errors in submission creation:
- Missing
Userforeign key constraints. - Unhandled
P2025user relation errors.
- Missing
- Corrected submission retrieval logic:
- Now queries by
createdByUserIdinstead ofuserId.
- Now queries by
UX & Form Behavior
- Moved login form to the homepage, updated text labels, and added a portal title.
- Added comprehensive styling with Tailwind CSS, Inter font, and accessibility-focused improvements.
- Added a submission details page with clickable navigation.
- Enforced a 100-character limit on the submission title field.
- Added a targetDate field to the Submission model and details page.
- Fixed boolean checkbox fields that weren’t saving when checked.
- Removed HTML5 validation that was blocking form submission in edge cases.
- Standardized field types:
- Removed
dataType: "coded"handling. - Standardized on
"select"for coded/select fields.
- Removed
- Improved layout and readability:
- Fixed dark mode styling for submission form inputs.
- Fixed mobile layout spacing on submissions pages.
- Widened submissions list container to prevent horizontal scrolling.
Routing & Redirects
- Login/auth redirects now correctly fall back to
/submissions/new. - Authentication redirects reliably land on
/submissions/newafter login. - Refined post-OTP redirect behavior and added a “signed in” toast notification for user feedback.
Mackinac & CLNG Integration
Mackinac Integration
- Implemented per-tenant Mackinac API integration with:
- Azure Key Vault–backed credential management.
- Spec-compliant implementation.
- Implemented dynamic form generation driven by Mackinac metadata APIs.
- Added support for a configurable layout property in WRP metadata.
- Fixed
tenantIdresolution in the metadata endpoint so tenants are correctly identified. - Corrected Mackinac API endpoint path in the Worker service.
- Fixed Mackinac API 400 errors by:
- Adding required fields.
- Correcting property name mappings for payloads.
CLNG Workflow
- Implemented CLNG Matter Creation workflow for attachmentless submissions.
- Fixed Worker payloads:
- Added missing description field to CLNG Matter creation payloads.
Mackinac/WRP Permissions & Scopes
- Updated Worker to request
mackinac:wrp.writescope for assignment matter creation.
Worker, Redis, and Background Processing
Worker Build & Runtime Fixes
- Fixed Worker Dockerfile issues:
- Ensured Prisma client generation runs at build time.
- Fixed
pnpm execcontext mismatches. - Resolved “Prisma not found” errors during build.
- Fixed Mackinac API endpoint usage in Worker.
Redis & BullMQ with Microsoft Entra
- Added Microsoft Entra authentication for Azure Managed Redis in Worker and API services.
- Migrated Redis/BullMQ to Microsoft Entra auth on port 10000 (standard mode, no legacy).
- Added Redis connection retry with exponential backoff in Worker.
- Fixed BullMQ
WRONGPASSerrors by:- Using ioredis instances with token refresh.
- Splitting client/subscriber where needed.
- Then consolidating to a single ioredis instance with
maxRetriesPerRequest = nullto avoid lockups.
- Derived Redis AUTH username from the token
oidclaim for Worker. - Removed deprecated
REDIS_MI_OBJECT_IDfrom Worker environment validation.
Web App, Infrastructure & CI/CD
Web App Build & Config
- Removed environment validation from the Web app build process to simplify builds.
- Replaced
NEXT_PUBLIC_WEB_BASEwithBASE_URLfor clearer environment configuration. - Fixed Web builds and CI:
- Moved
zodtodependenciesin theshared-typespackage. - Updated Web Docker build to copy
shared-types/package.jsonbeforepnpm install. - Declared workspace dependencies explicitly in Web Docker builds.
- Moved
- Removed conflicting
package-lock.jsonfiles for the pnpm monorepo.
Styling & Accessibility
- Added comprehensive styling with Tailwind CSS and Inter font.
- Included accessibility-related improvements in the Web application.
Testing & CI
- Fixed web service unit tests:
- Added missing mocks.
- Updated URL expectations.
- Fixed CI build issues related to dependency classification and shared types.
- Fixed GitHub workflow
workflow_runtrigger by updating workflow names indeploy-staging.yml. - CI/CD enhancements:
- Unified container image tagging to 8-character SHA.
- Added Worker service to deployment workflows.
Miscellaneous Fixes
- Fixed login redirect fallbacks and edge routing behaviors.
- Various small fixes to ensure stable, predictable behavior across login, submissions, and background workflows.
Comments
0 comments
Article is closed for comments.