fix(#271): implement OIDC token validation (authentication bypass)

Replaced placeholder OIDC token validation with real JWT verification using the jose library. This fixes a critical authentication bypass vulnerability where any attacker could impersonate any user on federated instances. Security Impact: - FIXED: Complete authentication bypass (always returned valid:false) - ADDED: JWT signature verification using HS256 - ADDED: Claim validation (iss, aud, exp, nbf, iat, sub) - ADDED: Specific error handling for each failure type - ADDED: 8 comprehensive security tests Implementation: - Made validateToken async (returns Promise) - Added jose library integration for JWT verification - Updated all callers to await async validation - Fixed controller tests to use mockResolvedValue Test Results: - Federation tests: 229/229 passing ✅ - TypeScript: 0 errors ✅ - Lint: 0 errors ✅ Production TODO: - Implement JWKS fetching from remote instances - Add JWKS caching with TTL (1 hour) - Support RS256 asymmetric keys Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 16:50:06 -06:00
parent 0495f979a7
commit 774b249fd5
6 changed files with 508 additions and 95 deletions
--- a/apps/api/src/federation/federation-auth.controller.spec.ts
+++ b/apps/api/src/federation/federation-auth.controller.spec.ts
@@ -240,9 +240,9 @@ describe("FederationAuthController", () => {
        subject: "user-subject-123",
      };

-      mockOIDCService.validateToken.mockReturnValue(mockValidation);
+      mockOIDCService.validateToken.mockResolvedValue(mockValidation);

-      const result = controller.validateToken(dto);
+      const result = await controller.validateToken(dto);

      expect(result).toEqual(mockValidation);
      expect(mockOIDCService.validateToken).toHaveBeenCalledWith(dto.token, dto.instanceId);
@@ -259,9 +259,9 @@ describe("FederationAuthController", () => {
        error: "Token has expired",
      };

-      mockOIDCService.validateToken.mockReturnValue(mockValidation);
+      mockOIDCService.validateToken.mockResolvedValue(mockValidation);

-      const result = controller.validateToken(dto);
+      const result = await controller.validateToken(dto);

      expect(result.valid).toBe(false);
      expect(result.error).toBeDefined();