Add platform configuration to restrict BackOffice menu option to internal users

Author: tjementum

application/account-management/Core/Features/Users/Domain/User.cs

@@ -1,4 +1,5 @@
 using PlatformPlatform.SharedKernel.Domain;
+using PlatformPlatform.SharedKernel.Platform;
 
 namespace PlatformPlatform.AccountManagement.Features.Users.Domain;
 
@@ -37,6 +38,8 @@ public string Email
 
     public string Locale { get; private set; }
 
+    public bool IsInternalUser => Email.EndsWith(Settings.Current.Identity.InternalEmailDomain, StringComparison.OrdinalIgnoreCase);
+
     public TenantId TenantId { get; }
 
     public static User Create(TenantId tenantId, string email, UserRole role, bool emailConfirmed, string? locale)

application/account-management/Core/Features/Users/Shared/UserInfoFactory.cs

@@ -32,7 +32,8 @@ public async Task<UserInfo> CreateUserInfoAsync(User user, CancellationToken can
             Title = user.Title,
             AvatarUrl = user.Avatar.Url,
             TenantName = tenant?.Name,
-            Locale = user.Locale
+            Locale = user.Locale,
+            IsInternalUser = user.IsInternalUser
         };
     }
 }

application/account-management/Tests/Users/Domain/UserTests.cs

@@ -0,0 +1,63 @@
+using FluentAssertions;
+using PlatformPlatform.AccountManagement.Features.Users.Domain;
+using PlatformPlatform.SharedKernel.Domain;
+using PlatformPlatform.SharedKernel.Platform;
+using Xunit;
+
+namespace PlatformPlatform.AccountManagement.Tests.Users.Domain;
+
+public sealed class UserTests
+{
+    private readonly TenantId _tenantId = TenantId.NewId();
+
+    [Fact]
+    public void IsInternalUser_ShouldReturnTrueForInternalEmails()
+    {
+        // Arrange
+        var internalEmails = new[]
+        {
+            $"user{Settings.Current.Identity.InternalEmailDomain}",
+            $"admin{Settings.Current.Identity.InternalEmailDomain}",
+            $"test.user{Settings.Current.Identity.InternalEmailDomain}",
+            $"user+tag{Settings.Current.Identity.InternalEmailDomain}",
+            $"USER{Settings.Current.Identity.InternalEmailDomain.ToUpperInvariant()}"
+        };
+
+        foreach (var email in internalEmails)
+        {
+            // Arrange
+            var user = User.Create(_tenantId, email, UserRole.Member, true, "en-US");
+
+            // Act
+            var isInternal = user.IsInternalUser;
+
+            // Assert
+            isInternal.Should().BeTrue($"Email {email} should be identified as internal");
+        }
+    }
+
+    [Fact]
+    public void IsInternalUser_ShouldReturnFalseForExternalEmails()
+    {
+        // Arrange
+        var externalEmails = new[]
+        {
+            "user@example.com",
+            "user@company.net",
+            $"{Settings.Current.Identity.InternalEmailDomain.Substring(1)}@example.com",
+            $"user@subdomain.{Settings.Current.Identity.InternalEmailDomain.Substring(1)}"
+        };
+
+        foreach (var email in externalEmails)
+        {
+            // Arrange
+            var user = User.Create(_tenantId, email, UserRole.Member, true, "en-US");
+
+            // Act
+            var isInternal = user.IsInternalUser;
+
+            // Assert
+            isInternal.Should().BeFalse($"Email {email} should be identified as external");
+        }
+    }
+}

application/account-management/WebApp/federated-modules/sideMenu/NavigationMenuItems.tsx

@@ -1,5 +1,6 @@
 import { t } from "@lingui/core/macro";
 import { Trans } from "@lingui/react/macro";
+import { useUserInfo } from "@repo/infrastructure/auth/hooks";
 import { FederatedMenuButton, SideMenuSeparator } from "@repo/ui/components/SideMenu";
 import { BoxIcon, CircleUserIcon, HomeIcon, UsersIcon } from "lucide-react";
 import type { FederatedSideMenuProps } from "./FederatedSideMenu";
@@ -8,6 +9,8 @@ import type { FederatedSideMenuProps } from "./FederatedSideMenu";
 export function NavigationMenuItems({
   currentSystem
 }: Readonly<{ currentSystem: FederatedSideMenuProps["currentSystem"] }>) {
+  const userInfo = useUserInfo();
+
   return (
     <>
       <FederatedMenuButton
@@ -34,16 +37,20 @@ export function NavigationMenuItems({
         isCurrentSystem={currentSystem === "account-management"}
       />
 
-      <SideMenuSeparator>
-        <Trans>Back Office</Trans>
-      </SideMenuSeparator>
+      {userInfo?.isInternalUser && (
+        <>
+          <SideMenuSeparator>
+            <Trans>Back Office</Trans>
+          </SideMenuSeparator>
 
-      <FederatedMenuButton
-        icon={BoxIcon}
-        label={t`Dashboard`}
-        href="/back-office"
-        isCurrentSystem={currentSystem === "back-office"}
-      />
+          <FederatedMenuButton
+            icon={BoxIcon}
+            label={t`Dashboard`}
+            href="/back-office"
+            isCurrentSystem={currentSystem === "back-office"}
+          />
+        </>
+      )}
     </>
   );
 }

application/shared-kernel/SharedKernel/Authentication/UserInfo.cs

@@ -1,5 +1,6 @@
 using System.Security.Claims;
 using PlatformPlatform.SharedKernel.Domain;
+using PlatformPlatform.SharedKernel.Platform;
 using PlatformPlatform.SharedKernel.SinglePageApp;
 
 namespace PlatformPlatform.SharedKernel.Authentication;
@@ -18,7 +19,8 @@ public class UserInfo
     public static readonly UserInfo System = new()
     {
         IsAuthenticated = false,
-        Locale = DefaultLocale
+        Locale = DefaultLocale,
+        IsInternalUser = false
     };
 
     public bool IsAuthenticated { get; init; }
@@ -43,32 +45,37 @@ public class UserInfo
 
     public string? TenantName { get; init; }
 
+    public bool IsInternalUser { get; init; }
+
     public static UserInfo Create(ClaimsPrincipal? user, string? browserLocale)
     {
         if (user?.Identity?.IsAuthenticated != true)
         {
             return new UserInfo
             {
                 IsAuthenticated = user?.Identity?.IsAuthenticated ?? false,
-                Locale = GetValidLocale(browserLocale)
+                Locale = GetValidLocale(browserLocale),
+                IsInternalUser = false
             };
         }
 
         var userId = user.FindFirstValue(ClaimTypes.NameIdentifier);
         var tenantId = user.FindFirstValue("tenant_id");
+        var email = user.FindFirstValue(ClaimTypes.Email);
         return new UserInfo
         {
             IsAuthenticated = true,
             Id = userId == null ? null : new UserId(userId),
             TenantId = tenantId == null ? null : new TenantId(long.Parse(tenantId)),
             Role = user.FindFirstValue(ClaimTypes.Role),
-            Email = user.FindFirstValue(ClaimTypes.Email),
+            Email = email,
             FirstName = user.FindFirstValue(ClaimTypes.GivenName),
             LastName = user.FindFirstValue(ClaimTypes.Surname),
             Title = user.FindFirstValue("title"),
             AvatarUrl = user.FindFirstValue("avatar_url"),
             TenantName = user.FindFirstValue("tenant_name"),
-            Locale = GetValidLocale(user.FindFirstValue("locale"))
+            Locale = GetValidLocale(user.FindFirstValue("locale")),
+            IsInternalUser = IsInternalUserEmail(email)
         };
     }
 
@@ -91,4 +98,9 @@ private static string GetValidLocale(string? locale)
 
         return foundLocale ?? DefaultLocale;
     }
+
+    private static bool IsInternalUserEmail(string? email)
+    {
+        return email is not null && email.EndsWith(Settings.Current.Identity.InternalEmailDomain, StringComparison.OrdinalIgnoreCase);
+    }
 }

application/shared-kernel/SharedKernel/Configuration/SharedDependencyConfiguration.cs

@@ -15,6 +15,7 @@
 using PlatformPlatform.SharedKernel.Integrations.Email;
 using PlatformPlatform.SharedKernel.Persistence;
 using PlatformPlatform.SharedKernel.PipelineBehaviors;
+using PlatformPlatform.SharedKernel.Platform;
 using PlatformPlatform.SharedKernel.Telemetry;
 
 namespace PlatformPlatform.SharedKernel.Configuration;
@@ -39,6 +40,7 @@ public static IServiceCollection AddSharedServices<T>(this IServiceCollection se
         return services
             .AddServiceDiscovery()
             .AddSingleton(GetTokenSigningService())
+            .AddSingleton(Settings.Current)
             .AddAuthentication()
             .AddDefaultJsonSerializerOptions()
             .AddPersistenceHelpers<T>()

application/shared-kernel/SharedKernel/Platform/Settings.cs

@@ -0,0 +1,44 @@
+using System.Text.Json;
+
+namespace PlatformPlatform.SharedKernel.Platform;
+
+public sealed class Settings
+{
+    private static readonly Lazy<Settings> Instance = new(LoadFromEmbeddedResource);
+
+    public static Settings Current => Instance.Value;
+
+    public required IdentityConfig Identity { get; init; }
+
+    public required BrandingConfig Branding { get; init; }
+
+    private static Settings LoadFromEmbeddedResource()
+    {
+        var assembly = Assembly.GetExecutingAssembly();
+        var resourceName = "PlatformPlatform.SharedKernel.Platform.platform-settings.jsonc";
+
+        using var stream = assembly.GetManifestResourceStream(resourceName)
+                           ?? throw new InvalidOperationException($"Could not find embedded resource: {resourceName}");
+
+        var options = new JsonSerializerOptions
+        {
+            PropertyNameCaseInsensitive = true,
+            ReadCommentHandling = JsonCommentHandling.Skip
+        };
+
+        return JsonSerializer.Deserialize<Settings>(stream, options)
+               ?? throw new InvalidOperationException("Failed to deserialize platform settings");
+    }
+
+    public sealed class IdentityConfig
+    {
+        public required string InternalEmailDomain { get; init; }
+    }
+
+    public sealed class BrandingConfig
+    {
+        public required string ProductName { get; init; }
+
+        public required string SupportEmail { get; init; }
+    }
+}

application/shared-kernel/SharedKernel/Platform/platform-settings.jsonc

@@ -0,0 +1,27 @@
+{
+  // Platform-wide configuration settings
+  // This file is prepared for sharing between backend (.NET), frontend (TypeScript), and tests
+  // 
+  // IMPORTANT: This configuration is embedded in the backend and injected at build time in the frontend
+  // Not all values are currently used - some are placeholders for future functionality
+  // 
+  // Security Note: Only include non-sensitive configuration here
+  // Sensitive values (like API keys) should be stored in environment variables or key vaults
+  
+  "identity": {
+    // Email domain suffix that identifies internal users
+    // Users with this domain get access to BackOffice and other internal features
+    // Currently used by backend only - frontend relies on isInternalUser flag from backend
+    "internalEmailDomain": "@platformplatform.net"
+  },
+  
+  "branding": {
+    // Product/platform name used throughout the application
+    // Placeholder for future use - currently hardcoded in various places
+    "productName": "PlatformPlatform",
+    
+    // Support email address for user inquiries
+    // Placeholder for future use - not currently referenced in the codebase
+    "supportEmail": "support@platformplatform.net"
+  }
+}

application/shared-kernel/SharedKernel/SharedKernel.csproj

@@ -57,4 +57,8 @@
         <PackageReference Include="Scrutor" />
     </ItemGroup>
 
+    <ItemGroup>
+        <EmbeddedResource Include="Platform\platform-settings.jsonc" />
+    </ItemGroup>
+
 </Project>

application/shared-webapp/build/environment.d.ts

@@ -84,6 +84,10 @@ export declare global {
      * Tenant name
      **/
     tenantName?: string;
+    /**
+     * Is internal user (has access to BackOffice)
+     **/
+    isInternalUser?: boolean;
   }
 
   /**