feat(#353): Create VaultService NestJS module for OpenBao Transit
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Implements secure credential encryption using OpenBao Transit API with automatic fallback to AES-256-GCM when OpenBao is unavailable.

Features:
- AppRole authentication with automatic token renewal at 50% TTL
- Transit encrypt/decrypt with 4 named keys
- Automatic fallback to CryptoService when OpenBao unavailable
- Auto-detection of ciphertext format (vault:v1: vs AES)
- Request timeout protection (5s default)
- Health indicator for monitoring
- Backward compatible with existing AES-encrypted data

Security:
- ERROR-level logging for fallback
- Proper error propagation (no silent failures)
- Request timeouts prevent hung operations
- Secure credential file reading

Migrations:
- Account encryption middleware uses VaultService
- Uses TransitKey.ACCOUNT_TOKENS for OAuth tokens
- Backward compatible with existing encrypted data

Tests: 56 tests passing (36 VaultService + 20 middleware)

Closes #353

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
19
apps/api/src/vault/vault.module.ts
Normal file
@@ -0,0 +1,19 @@
|
||||
/**
|
||||
* Vault Module
|
||||
*
|
||||
* Global module providing OpenBao Transit encryption services.
|
||||
*/
|
||||
|
||||
import { Module, Global } from "@nestjs/common";
|
||||
import { ConfigModule } from "@nestjs/config";
|
||||
import { VaultService } from "./vault.service";
|
||||
import { VaultHealthIndicator } from "./vault.health";
|
||||
import { CryptoService } from "../federation/crypto.service";
|
||||
|
||||
@Global()
|
||||
@Module({
|
||||
imports: [ConfigModule],
|
||||
providers: [VaultService, VaultHealthIndicator, CryptoService],
|
||||
exports: [VaultService, VaultHealthIndicator],
|
||||
})
|
||||
export class VaultModule {}
|
||||
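Review bot: `CryptoService` is registered directly in `providers` here although it is imported from `../federation/crypto.service`, so if the federation module also provides it, Nest will construct a second, independent instance inside this module. For a service that holds the AES fallback key material, two instances are easy to let drift (different config, different initialization order). Consider exporting `CryptoService` from the module that owns it and adding that module to `imports` here, or add a comment stating that a separate instance is intended. The header comment could also mention the AES fallback dependency, since it currently describes only "OpenBao Transit encryption services" and a reader of this `@Global()` module would not expect it to pull in a federation class.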