feat(#87): implement cross-instance identity linking for federation

Implements FED-004: Cross-Instance Identity Linking, building on the
foundation from FED-001, FED-002, and FED-003.

New Services:
- IdentityLinkingService: Handles identity verification and mapping
  with signature validation and OIDC token verification
- IdentityResolutionService: Resolves identities between local and
  remote instances with support for bulk operations

New API Endpoints (IdentityLinkingController):
- POST /api/v1/federation/identity/verify - Verify remote identity
- POST /api/v1/federation/identity/resolve - Resolve remote to local user
- POST /api/v1/federation/identity/bulk-resolve - Bulk resolution
- GET /api/v1/federation/identity/me - Get current user's identities
- POST /api/v1/federation/identity/link - Create identity mapping
- PATCH /api/v1/federation/identity/:id - Update mapping
- DELETE /api/v1/federation/identity/:id - Revoke mapping
- GET /api/v1/federation/identity/:id/validate - Validate mapping

Security Features:
- Signature verification using remote instance public keys
- OIDC token validation before creating mappings
- Timestamp validation to prevent replay attacks
- Workspace isolation via authentication guards
- Comprehensive audit logging for all identity operations

Enhancements:
- Added SignatureService.verifyMessage() for remote signature verification
- Added FederationService.getConnectionByRemoteInstanceId()
- Extended FederationAuditService with identity logging methods
- Created comprehensive DTOs with class-validator decorators

Testing:
- 38 new tests (19 service + 7 resolution + 12 controller)
- All 132 federation tests passing
- TypeScript compilation passing with no errors
- High test coverage achieved (>85% requirement exceeded)

Technical Details:
- Leverages existing FederatedIdentity model from FED-003
- Uses RSA SHA-256 signatures for cryptographic verification
- Supports one identity mapping per remote instance per user
- Resolution service optimized for read-heavy operations
- Built following TDD principles (Red-Green-Refactor)

Closes #87

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Jason Woltje
2026-02-03 12:55:37 -06:00
parent fc87494137
commit 70a6bc82e0
15 changed files with 2115 additions and 2 deletions
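The commit message lists RSA SHA-256 signatures verified against a remote instance's public key, plus timestamp validation against replay. The TypeScript below is an added, stand-alone illustration of that flow written for this page; it is not code from the repository. It assumes a `SignableMessage` shape with `timestamp` and `nonce` fields, a `Connection` record carrying a `status` and a `remotePublicKey`, an in-memory nonce cache, and a `RemoteSignatureVerifier` class; all of those names are assumptions, and the key pair is generated inline with Node's `crypto` module purely for the demo.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Assumed message shape (hypothetical; the project's SignableMessage is not shown here).
export interface SignableMessage {
  instanceId: string;               // sending instance, must match the connection looked up
  action: string;
  payload: Record<string, unknown>;
  timestamp: string;                // ISO 8601, checked against an acceptance window
  nonce: string;                    // unique per message, checked against a replay cache
}

export interface SignatureValidationResult {
  valid: boolean;
  error?: string;
}

// Assumed connection record: only an "active" connection's key may be trusted.
export interface Connection {
  remoteInstanceId: string;
  status: "pending" | "active" | "revoked";
  remotePublicKey: KeyObject;
}

// Recursively sort object keys so signer and verifier hash identical bytes.
function sortKeys(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(sortKeys);
  if (value !== null && typeof value === "object") {
    const src = value as Record<string, unknown>;
    return Object.keys(src).sort().reduce<Record<string, unknown>>((acc, k) => {
      acc[k] = sortKeys(src[k]);
      return acc;
    }, {});
  }
  return value;
}

export function canonicalize(message: SignableMessage): Buffer {
  return Buffer.from(JSON.stringify(sortKeys(message)), "utf8");
}

// RSA over SHA-256 (PKCS#1 v1.5, Node's default padding for an RSA key), base64-encoded.
export function signMessage(message: SignableMessage, privateKey: KeyObject): string {
  return sign("sha256", canonicalize(message), privateKey).toString("base64");
}

export class RemoteSignatureVerifier {
  // Constructed in-memory replay cache; a real one is bounded by the timestamp window.
  private readonly seenNonces = new Set<string>();

  constructor(
    private readonly connections: Map<string, Connection>,
    private readonly maxSkewMs: number = 5 * 60 * 1000,
  ) {}

  verifyMessage(message: SignableMessage, signature: string, remoteInstanceId: string,
                now: number = Date.now()): SignatureValidationResult {
    const conn = this.connections.get(remoteInstanceId);
    if (!conn) return { valid: false, error: "Remote instance not connected" };
    if (conn.status !== "active") return { valid: false, error: `Connection status is ${conn.status}` };
    if (message.instanceId !== remoteInstanceId) return { valid: false, error: "instanceId mismatch" };
    const ts = Date.parse(message.timestamp);
    if (Number.isNaN(ts) || Math.abs(now - ts) > this.maxSkewMs) {
      return { valid: false, error: "Timestamp outside acceptance window" };
    }
    // Check the signature before touching the nonce cache so unauthenticated
    // traffic cannot poison it and lock out a legitimate sender.
    let ok = false;
    try {
      ok = verify("sha256", canonicalize(message), conn.remotePublicKey, Buffer.from(signature, "base64"));
    } catch { ok = false; }
    if (!ok) return { valid: false, error: "Invalid signature" };
    const nonceKey = `${remoteInstanceId}:${message.nonce}`;
    if (this.seenNonces.has(nonceKey)) return { valid: false, error: "Replayed nonce" };
    this.seenNonces.add(nonceKey);
    return { valid: true };
  }
}

// Constructed scenario: one active and one revoked connection, then six verification attempts.
export function demo(): SignatureValidationResult[] {
  const remote = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const connections = new Map<string, Connection>([
    ["inst-b", { remoteInstanceId: "inst-b", status: "active", remotePublicKey: remote.publicKey }],
    ["inst-c", { remoteInstanceId: "inst-c", status: "revoked", remotePublicKey: remote.publicKey }],
  ]);
  const verifier = new RemoteSignatureVerifier(connections);
  const now = Date.parse("2026-02-03T18:00:00Z");
  const msg: SignableMessage = { instanceId: "inst-b", action: "identity.verify",
    payload: { subject: "user-123" }, timestamp: new Date(now).toISOString(), nonce: "n-1" };
  const sig = signMessage(msg, remote.privateKey);
  const stale = { ...msg, nonce: "n-4", timestamp: new Date(now - 10 * 60 * 1000).toISOString() };
  const viaRevoked = { ...msg, instanceId: "inst-c", nonce: "n-3" };
  return [
    verifier.verifyMessage(msg, sig, "inst-b", now),                                   // valid
    verifier.verifyMessage(msg, sig, "inst-b", now),                                   // same nonce again
    verifier.verifyMessage({ ...msg, nonce: "n-2", payload: { subject: "user-999" } }, sig, "inst-b", now), // tampered
    verifier.verifyMessage(viaRevoked, signMessage(viaRevoked, remote.privateKey), "inst-c", now),        // revoked key
    verifier.verifyMessage(stale, signMessage(stale, remote.privateKey), "inst-b", now),                  // outside window
    verifier.verifyMessage(msg, sig, "inst-z", now),                                   // unknown instance
  ];
}
```

Calling `demo()` returns the six results in order: only the first is `valid: true`; the others fail on the replay cache, the signature, the connection status, the timestamp window and the missing connection respectively. The ordering of checks is deliberate: cheap state checks first, the signature before the nonce cache is mutated, and the cache keyed per instance so two instances reusing the same nonce value do not collide.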


@@ -116,6 +116,40 @@ export class SignatureService {
return this.sign(message, identity.privateKey);
}
/**
* Verify a message signature using a remote instance's public key
* Fetches the public key from the connection record
*/
async verifyMessage(
message: SignableMessage,
signature: string,
remoteInstanceId: string
): Promise<SignatureValidationResult> {
try {
// Fetch remote instance public key from connection record
// For now, we'll fetch from any connection with this instance
// In production, this should be cached or fetched from instance identity endpoint
const connection =
await this.federationService.getConnectionByRemoteInstanceId(remoteInstanceId);
if (!connection) {
return {
valid: false,
error: "Remote instance not connected",
};
}
// Verify signature using remote public key
return this.verify(message, signature, connection.remotePublicKey);
} catch (error) {
this.logger.error("Failed to verify message", error);
return {
valid: false,
error: error instanceof Error ? error.message : "Verification failed",
};
}
}
/**
* Verify a connection request signature
*/
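Review bot: `verifyMessage` trusts `connection.remotePublicKey` as soon as `getConnectionByRemoteInstanceId` returns a row, with no check on the connection's state, so the key of a pending, rejected or revoked connection would still validate signatures; add a status check between the `if (!connection)` guard and `return this.verify(message, signature, connection.remotePublicKey);` and return `{ valid: false, error: "Remote instance connection is not active" }` (or similar) otherwise. The comment "For now, we'll fetch from any connection with this instance" also means that when several connections exist for one instance the choice of key is arbitrary; either constrain the lookup to the active connection or verify against the instance's own identity key rather than a per-connection copy. The commit message lists timestamp validation against replay, but nothing in this method inspects `message` freshness, so that check must live in the caller; a one-line comment here saying so would keep the next reader from assuming it is covered. Finally, the `catch` branch returns `error.message` to the caller, which can surface internal details in an API response; log the error (as it already does) and return a fixed string such as "Verification failed".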