Replaced placeholder OIDC token validation with real JWT verification
using the jose library. This fixes a critical authentication bypass
vulnerability where any attacker could impersonate any user on
federated instances.
Security Impact:
- FIXED: Complete authentication bypass (always returned valid:false)
- ADDED: JWT signature verification using HS256
- ADDED: Claim validation (iss, aud, exp, nbf, iat, sub)
- ADDED: Specific error handling for each failure type
- ADDED: 8 comprehensive security tests
Implementation:
- Made validateToken async (returns Promise)
- Added jose library integration for JWT verification
- Updated all callers to await async validation
- Fixed controller tests to use mockResolvedValue
Test Results:
- Federation tests: 229/229 passing ✅
- TypeScript: 0 errors ✅
- Lint: 0 errors ✅
Production TODO:
- Implement JWKS fetching from remote instances
- Add JWKS caching with TTL (1 hour)
- Support RS256 asymmetric keys
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements federated authentication infrastructure using OIDC:
- Add FederatedIdentity model to Prisma schema for identity mapping
- Create OIDCService with identity linking and token validation
- Add FederationAuthController with 5 endpoints:
* POST /auth/initiate - Start federated auth flow
* POST /auth/link - Link identity to remote instance
* GET /auth/identities - List user's federated identities
* DELETE /auth/identities/:id - Revoke identity
* POST /auth/validate - Validate federated token
- Create comprehensive type definitions for OIDC flows
- Add audit logging for security events
- Write 24 passing tests (14 service + 10 controller)
- Achieve 79% coverage for OIDCService, 100% for controller
Notes:
- Token validation and auth URL generation are placeholder implementations
- Full JWT validation will be added when federation OIDC is actively used
- Identity mappings enforce workspace isolation
- All endpoints require authentication except /validate
Refs #86
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
