From 403b6b37f1fa793b246531c04499d5ee534e1c5b Mon Sep 17 00:00:00 2001
From: Claude VM
Date: Mon, 18 May 2026 08:01:16 +0300
Subject: [PATCH] feat(auth): Faza B NextAuth Authentik scope=enrichment + forward access_token
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Authentik OIDC provider now requests `openid email profile enrichment` (from AUTHENTIK_SCOPES env, Infisical-fetched at boot). The enrichment scope triggers Authentik scope mapping pk=41b23bc3-bdd8-4a61-b975- 6e0eff56df72 which emits enrichment_scope + is_beletage_group claims based on LDAP group membership (Arhitecti/Administrators/Domain Admins → scope=full + is_beletage_group=true). jwt callback captures account.access_token on first sign-in; session callback exposes it as session.accessToken so api.gis.ac calls can forward it. Used by Faza D thin client (src/lib/gis-api-client.ts, pending) to authenticate against api.gis.ac. Without scope=enrichment, every architools user falls through to scope=none on api.gis.ac → 403 on every parcel/enrichment read. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 src/core/auth/auth-options.ts | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/core/auth/auth-options.ts b/src/core/auth/auth-options.ts
index d949b55..0a35617 100644
--- a/src/core/auth/auth-options.ts
+++ b/src/core/auth/auth-options.ts
@@ -7,10 +7,23 @@ export const authOptions: NextAuthOptions = {
 clientId: process.env.AUTHENTIK_CLIENT_ID || "",
 clientSecret: process.env.AUTHENTIK_CLIENT_SECRET || "",
 issuer: process.env.AUTHENTIK_ISSUER || "",
+ authorization: {
+ params: {
+ scope:
+ process.env.AUTHENTIK_SCOPES ||
+ "openid email profile enrichment",
+ },
+ },
 }),
 ],
 callbacks: {
- async jwt({ token, user, profile }) {
+ async jwt({ token, user, profile, account }) {
+ // First sign-in: capture Authentik OIDC access_token so api.gis.ac
+ // calls can forward it. Carries enrichment_scope + is_beletage_group
+ // claims (mapped server-side in Authentik from LDAP group Arhitecti).
+ if (account?.access_token) {
+ token.accessToken = account.access_token;
+ }
 if (user) {
 token.id = user.id;
 }
@@ -41,6 +54,7 @@ export const authOptions: NextAuthOptions = {
 (session.user as any).role = token.role || "user";
 (session.user as any).company = token.company || "group";
 }
+ (session as any).accessToken = token.accessToken;
 return session;
 },
 },
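Review bot: The new `if (account?.access_token)` branch in the jwt callback stores the Authentik access token on first sign-in only and never records when it expires, so once the token's lifetime passes every forwarded call to api.gis.ac will fail while the NextAuth session itself stays valid, and the user has no signal other than 401/403s until they sign out and back in. Capture the lifetime alongside the token, `token.accessTokenExpires = account.expires_at;` and `token.refreshToken = account.refresh_token;`, and on later jwt invocations (where `account` is undefined) compare `token.accessTokenExpires` against the current time and refresh against the Authentik token endpoint, or clear the stale token, instead of returning it unchanged. If Authentik only issues a refresh token when `offline_access` is requested, that scope has to be added to AUTHENTIK_SCOPES as well; I cannot confirm the provider configuration from the hunk. The jwt callback's body continues past the end of this hunk.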
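Review bot: `(session as any).accessToken = token.accessToken;` in the session callback copies the raw Authentik access token into the object NextAuth returns from /api/auth/session and useSession(), so the token becomes readable by any script running in the page rather than staying in the encrypted session JWT on the server. If src/lib/gis-api-client.ts runs server-side (route handlers, server components), read it there with `getToken({ req })` from next-auth/jwt and drop this line; only expose it in the session if the browser genuinely has to call api.gis.ac directly, and say so in a comment on this line, e.g. `// Intentionally client-visible: browser calls api.gis.ac directly with this bearer token.` Separately, the `as any` cast (mirroring the existing role/company lines above) hides the new field from the type checker; augmenting `Session` in a next-auth.d.ts with `accessToken?: string` would make the field typed at its consumers. The session callback starts outside this hunk.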