feat(#413): add OIDC provider health check with 30s cache
All checks were successful
ci/woodpecker/push/api Pipeline was successful
All checks were successful
ci/woodpecker/push/api Pipeline was successful
- isOidcProviderReachable() fetches discovery URL with 2s timeout - getAuthConfig() omits authentik when provider unreachable - 30-second cache prevents repeated network calls Refs #413 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
@@ -6,12 +6,23 @@ import type { AuthConfigResponse, AuthProviderConfig } from "@mosaic/shared";
|
||||
import { PrismaService } from "../prisma/prisma.service";
|
||||
import { createAuth, isOidcEnabled, type Auth } from "./auth.config";
|
||||
|
||||
/** Duration in milliseconds to cache the OIDC health check result */
|
||||
const OIDC_HEALTH_CACHE_TTL_MS = 30_000;
|
||||
|
||||
/** Timeout in milliseconds for the OIDC discovery URL fetch */
|
||||
const OIDC_HEALTH_TIMEOUT_MS = 2_000;
|
||||
|
||||
@Injectable()
|
||||
export class AuthService {
|
||||
private readonly logger = new Logger(AuthService.name);
|
||||
private readonly auth: Auth;
|
||||
private readonly nodeHandler: (req: IncomingMessage, res: ServerResponse) => Promise<void>;
|
||||
|
||||
/** Timestamp of the last OIDC health check */
|
||||
private lastHealthCheck = 0;
|
||||
/** Cached result of the last OIDC health check */
|
||||
private lastHealthResult = false;
|
||||
|
||||
constructor(private readonly prisma: PrismaService) {
|
||||
// PrismaService extends PrismaClient and is compatible with BetterAuth's adapter
|
||||
// Cast is safe as PrismaService provides all required PrismaClient methods
|
||||
@@ -105,14 +116,59 @@ export class AuthService {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the OIDC provider (Authentik) is reachable by fetching the discovery URL.
|
||||
* Results are cached for 30 seconds to prevent repeated network calls.
|
||||
*
|
||||
* @returns true if the provider responds with HTTP 200, false otherwise
|
||||
*/
|
||||
async isOidcProviderReachable(): Promise<boolean> {
|
||||
const now = Date.now();
|
||||
|
||||
// Return cached result if still valid
|
||||
if (now - this.lastHealthCheck < OIDC_HEALTH_CACHE_TTL_MS) {
|
||||
this.logger.debug("OIDC health check: returning cached result");
|
||||
return this.lastHealthResult;
|
||||
}
|
||||
|
||||
const discoveryUrl = `${process.env.OIDC_ISSUER ?? ""}.well-known/openid-configuration`;
|
||||
this.logger.debug(`OIDC health check: fetching ${discoveryUrl}`);
|
||||
|
||||
try {
|
||||
const response = await fetch(discoveryUrl, {
|
||||
signal: AbortSignal.timeout(OIDC_HEALTH_TIMEOUT_MS),
|
||||
});
|
||||
|
||||
this.lastHealthCheck = Date.now();
|
||||
this.lastHealthResult = response.ok;
|
||||
|
||||
if (!response.ok) {
|
||||
this.logger.warn(
|
||||
`OIDC provider returned non-OK status: ${String(response.status)} from ${discoveryUrl}`
|
||||
);
|
||||
}
|
||||
|
||||
return this.lastHealthResult;
|
||||
} catch (error: unknown) {
|
||||
this.lastHealthCheck = Date.now();
|
||||
this.lastHealthResult = false;
|
||||
|
||||
const message = error instanceof Error ? error.message : String(error);
|
||||
this.logger.warn(`OIDC provider unreachable at ${discoveryUrl}: ${message}`);
|
||||
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Get authentication configuration for the frontend.
|
||||
* Returns available auth providers so the UI can render login options dynamically.
|
||||
* When OIDC is enabled, performs a health check to verify the provider is reachable.
|
||||
*/
|
||||
getAuthConfig(): AuthConfigResponse {
|
||||
async getAuthConfig(): Promise<AuthConfigResponse> {
|
||||
const providers: AuthProviderConfig[] = [{ id: "email", name: "Email", type: "credentials" }];
|
||||
|
||||
if (isOidcEnabled()) {
|
||||
if (isOidcEnabled() && (await this.isOidcProviderReachable())) {
|
||||
providers.push({ id: "authentik", name: "Authentik", type: "oauth" });
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user