chore(infra): IaC, compose, radix, redis, oauth2-proxy baseline

Infra & deployment topology:
- IaC: app-registration + resources deploy scripts, bicep updates
- docker-compose: align dev/override, wire oauth2-proxy service
- radixconfig: updated config
- redis: standalone Dockerfile + entrypoint
- secrets: README and .gitignore
- root: env template, gitattributes, release-please, mise lint task,
  dependabot, pre-commit hooks

OAuth2 proxy & nginx:
- web/oauth2: dedicated Dockerfile, entrypoint, oauth2-proxy config
- web/nginx: oauth2 auth_request/redirect snippets, security headers,
  default.conf updates
- web/Dockerfile: align with oauth2 split

Author: eoaksnes

.env-template

@@ -15,3 +15,13 @@ MONGODB_USERNAME=root
 MONGODB_PASSWORD=mongodb
 MONGODB_HOSTNAME=db
 MONGODB_PORT=27017
+# monitoring (Application Insights)
+# Leave empty to disable telemetry locally; set to a real connection string
+# to ship traces/page-views/exceptions through the API to Azure Monitor.
+APPINSIGHTS_CONSTRING=
+# Optional: service principal used to authenticate App Insights ingestion
+# (mirrors CoreDM). When all three (AZURE_TENANT_ID, OAUTH_CLIENT_ID,
+# OAUTH_CLIENT_SECRET) are set, ingestion uses ClientSecretCredential.
+# Otherwise it falls back to the instrumentation key in the connection
+# string above.
+OAUTH_CLIENT_SECRET=

.github/dependabot.yml

@@ -13,14 +13,9 @@ updates:
       interval: "monthly" # when template is used, recommended interval is "weekly"
     groups:
       web:
-        exclude-patterns:
-          - "@hey-api/openapi-ts"
         update-types:
           - "minor"
           - "patch"
-      openapi-ts:
-        patterns:
-          - "@hey-api/openapi-ts"
 
   - package-ecosystem: "docker"
     directories:

.github/release-please-config.json

@@ -1,10 +1,10 @@
 {
-  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
-  "packages": {
-    ".": {
-      "release-type": "simple",
-      "changelog-path": "docs/docs/changelog/changelog.md",
-      "extra-files": ["web/package.json"]
-    }
-  }
+	"$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+	"packages": {
+		".": {
+			"release-type": "simple",
+			"changelog-path": "docs/docs/changelog/changelog.md",
+			"extra-files": ["web/package.json"]
+		}
+	}
 }

.github/release-please-manifest.json

@@ -1 +1 @@
-{".":"1.5.0"}
+{ ".": "1.5.0" }

.pre-commit-config.yaml

@@ -76,7 +76,7 @@ repos:
         files: ^api/.*\.py$
 
   - repo: https://github.com/biomejs/pre-commit
-    rev: v2.4.14
+    rev: v2.4.13
     hooks:
       - id: biome-check
         name: "Lint : biome (ts/js)"

IaC/app-registration.bicep

@@ -1,85 +1,150 @@
-extension microsoftGraph
-param applicationName string = 'template-fastapi-react'
-param repositoryName string = 'template-fastapi-react'
+extension 'br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0'
+targetScope = 'subscription'
 
-// The Entra ID application
-// Resource format https://learn.microsoft.com/en-us/graph/templates/reference/applications?view=graph-bicep-1.0
-resource app 'Microsoft.Graph/applications@v1.0' = {
-  displayName: '${applicationName}'
+// Provisions the two Entra ID app registrations required by the BFF auth setup:
+//   * <name>-api-<env>     — resource server. FastAPI validates JWTs whose
+//                            `aud` claim equals this app's appId.
+//   * <name>-oauth2-<env>  — OIDC client used by oauth2-proxy.
+//
+// Run via ./deploy-app-registration.sh (which also mints the BFF client secret).
+
+@description('Lowercase application slug, used as both the unique app name and to derive Radix URLs.')
+param applicationName string
+
+@description('Environment slug. Affects the registration suffix and the redirect URIs registered.')
+@allowed(['dev', 'test', 'prod'])
+param environment string
+
+@description('ServiceNow Configuration Item / Business Application ID. Required by Equinor IAM compliance for production use; may be empty for sandbox deployments.')
+param serviceManagementReference string = ''
+
+@description('Object IDs of users/groups that should own both App Registrations.')
+param ownerObjectIds string[]
+
+@description('Extra production hostnames whose /oauth2/callback should be a valid redirect URI.')
+param productionHostnames string[] = []
+
+var apiAccessScopeId = guid('api-access-${applicationName}')
+var adminRoleId = guid('admin-role-${applicationName}')
+
+var productionRedirectUris = [for host in productionHostnames: 'https://${host}/oauth2/callback']
+
+var bffRedirectUris = concat(
+  ['https://proxy-${applicationName}-${environment}.radix.equinor.com/oauth2/callback'],
+  environment == 'prod'
+    ? concat(
+        ['https://${applicationName}.app.radix.equinor.com/oauth2/callback'],
+        productionRedirectUris
+      )
+    : environment == 'dev' ? ['http://localhost/oauth2/callback'] : []
+)
+
+var graphAppId = '00000003-0000-0000-c000-000000000000'
+
+// ------------------------------------------------------------------
+// API app registration — the resource server.
+// ------------------------------------------------------------------
+resource apiApp 'Microsoft.Graph/applications@v1.0' = {
+  displayName: '${applicationName}-api-${environment}'
+  uniqueName: '${applicationName}-api-${environment}'
   signInAudience: 'AzureADMyOrg'
-  uniqueName: '${applicationName}'
-  spa: {
-    // The callback URL is the URL that the user is redirected to after the login,
-    // and it contains the URL of the application that is registered in Radix and localhost for doing development.
-    redirectUris: [
-      // Development
-      'https://proxy-${applicationName}-dev.radix.equinor.com/api/docs/oauth2-redirect'
-      'https://proxy-${applicationName}-dev.radix.equinor.com'
-      'https://proxy-${applicationName}-dev.radix.equinor.com/'
-      // Staging
-      'https://proxy-${applicationName}-staging.radix.equinor.com/api/docs/oauth2-redirect'
-      'https://proxy-${applicationName}-staging.radix.equinor.com'
-      'https://proxy-${applicationName}-staging.radix.equinor.com/'
-      // Production
-      'https://${applicationName}.app.radix.equinor.com/api/docs/oauth2-redirect'
-      'https://proxy-${applicationName}-prod.radix.equinor.com/'
-      'https://${applicationName}.app.radix.equinor.com/'
-      'https://${applicationName}.app.radix.equinor.com'
-      // For development
-      'http://localhost/api/docs/oauth2-redirect'
-      'http://localhost/'
-      'http://localhost:5000/docs/oauth2-redirect'
-    ]
+  serviceManagementReference: empty(serviceManagementReference) ? null : serviceManagementReference
+  owners: {
+    relationships: ownerObjectIds
+    relationshipSemantics: 'replace'
   }
+  identifierUris: [
+    'https://${environment}.${applicationName}.equinor.com/api'
+  ]
   api: {
-    // In version 2 the audience is always the client id, and does not contain the api:// in the decoded JWT.
-    // It is important to know this because the API expects a JWT token with a specific signature for validation,
-    // and this is specified in the configuration settings and must match.
+    // v2 access tokens carry the appId (a GUID) in `aud`, not api://...
     requestedAccessTokenVersion: 2
-    // To allow OpenAPI and clients to talk to the API, we need to add the scope to the API.
     oauth2PermissionScopes: [
-        {
-            id: '31a61854-0d6d-4c60-918b-efffd4fac373'
-            adminConsentDescription: 'Allow users to access the API'
-            adminConsentDisplayName: 'Read'
-            isEnabled: true
-            type: 'User'
-            userConsentDescription: 'Access the API'
-            userConsentDisplayName: 'Access the API'
-            value: 'api${app.appId}'
-        }
+      {
+        id: apiAccessScopeId
+        adminConsentDescription: 'Allow users to access the API'
+        adminConsentDisplayName: 'Read'
+        isEnabled: true
+        type: 'User'
+        userConsentDescription: 'Access the API'
+        userConsentDisplayName: 'Access the API'
+        value: 'access'
+      }
     ]
   }
   appRoles: [
     {
-        id: '31a61854-0d6d-4c60-918b-efffd4fac379'
-        allowedMemberTypes: [
-          'User'
-          'Application'
-        ]
-        description: '${applicationName} administrators. Access to all fields. Permission to edit admin values.'
-        displayName: 'Admin'
-        isEnabled: true
-        value: 'admin'
-      }
+      id: adminRoleId
+      allowedMemberTypes: ['User', 'Application']
+      description: '${applicationName} administrators.'
+      displayName: 'Admin'
+      isEnabled: true
+      value: 'admin'
+    }
   ]
-  // Resource format https://learn.microsoft.com/en-us/graph/templates/reference/federatedidentitycredentials?view=graph-bicep-1.0
-  resource githubFic 'federatedIdentityCredentials' = {
-    name: '${app.uniqueName}/githubFic'
-    audiences: [
-        'api://AzureADTokenExchange'
-    ]
-    description: 'Federated Identity Credentials for Github Actions to access Entra protected resources'
-    issuer: 'https://token.actions.githubusercontent.com'
-    // Subject is checked before issuing an Entra ID access token to access Azure resources.
-    // GitHub Actions subject examples can be found in https://docs.github.com/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims
-    subject: 'repo:equinor/${repositoryName}:ref:refs/heads/main'
+  requiredResourceAccess: [
+    {
+      resourceAppId: graphAppId
+      resourceAccess: [
+        // User.Read
+        { id: 'e1fe6dd8-ba31-4d61-89e7-88639da4683d', type: 'Scope' }
+      ]
+    }
+  ]
+}
+
+resource apiAppSP 'Microsoft.Graph/servicePrincipals@v1.0' = {
+  appId: apiApp.appId
+  owners: {
+    relationships: ownerObjectIds
+    relationshipSemantics: 'replace'
   }
 }
 
-// The Service Principle (or Enterprise App)
-resource appSP 'Microsoft.Graph/servicePrincipals@v1.0' = {
-  appId: app.appId
-  displayName: '${applicationName}'
+// ------------------------------------------------------------------
+// BFF (oauth2-proxy) app registration — the OIDC client.
+// ------------------------------------------------------------------
+resource oauth2App 'Microsoft.Graph/applications@v1.0' = {
+  displayName: '${applicationName}-oauth2-${environment}'
+  uniqueName: '${applicationName}-oauth2-${environment}'
+  signInAudience: 'AzureADMyOrg'
+  serviceManagementReference: empty(serviceManagementReference) ? null : serviceManagementReference
+  owners: {
+    relationships: ownerObjectIds
+    relationshipSemantics: 'replace'
+  }
+  web: {
+    redirectUris: bffRedirectUris
+  }
+  requiredResourceAccess: [
+    {
+      // The matching API registration.
+      resourceAppId: apiApp.appId
+      resourceAccess: [
+        { id: apiAccessScopeId, type: 'Scope' }
+      ]
+    }
+    {
+      resourceAppId: graphAppId
+      resourceAccess: [
+        { id: '37f7f235-527c-4136-accd-4a02d197296e', type: 'Scope' } // openid
+        { id: '14dad69e-099b-42c9-810b-d002981feec1', type: 'Scope' } // profile
+        { id: '64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0', type: 'Scope' } // email
+        { id: '7427e0e9-2fba-42fe-b0c0-848c9e6a8182', type: 'Scope' } // offline_access
+        { id: 'e1fe6dd8-ba31-4d61-89e7-88639da4683d', type: 'Scope' } // User.Read
+      ]
+    }
+  ]
+}
 
+resource oauth2AppSP 'Microsoft.Graph/servicePrincipals@v1.0' = {
+  appId: oauth2App.appId
+  owners: {
+    relationships: ownerObjectIds
+    relationshipSemantics: 'replace'
+  }
 }
+
+output apiApplicationId string = apiApp.appId
+output apiScope string = 'api://${apiApp.appId}/access'
+output oauth2ApplicationId string = oauth2App.appId

IaC/bicepconfig.json

@@ -1,5 +1,8 @@
 {
-  "experimentalFeaturesEnabled": {
-    "extensibility": true
-  }
+	"experimentalFeaturesEnabled": {
+		"extensibility": true
+	},
+	"extensions": {
+		"MicrosoftGraph": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.2.0-preview"
+	}
 }