stack/docs/scratchpads/4-authentik-oidc.md
Jason Woltje 12abdfe81d feat(#93): implement agent spawn via federation
Implements FED-010: Agent Spawn via Federation feature that enables
spawning and managing Claude agents on remote federated Mosaic Stack
instances via COMMAND message type.

Features:
- Federation agent command types (spawn, status, kill)
- FederationAgentService for handling agent operations
- Integration with orchestrator's agent spawner/lifecycle services
- API endpoints for spawning, querying status, and killing agents
- Full command routing through federation COMMAND infrastructure
- Comprehensive test coverage (12/12 tests passing)

Architecture:
- Hub → Spoke: Spawn agents on remote instances
- Command flow: FederationController → FederationAgentService →
  CommandService → Remote Orchestrator
- Response handling: Remote orchestrator returns agent status/results
- Security: Connection validation, signature verification

Files created:
- apps/api/src/federation/types/federation-agent.types.ts
- apps/api/src/federation/federation-agent.service.ts
- apps/api/src/federation/federation-agent.service.spec.ts

Files modified:
- apps/api/src/federation/command.service.ts (agent command routing)
- apps/api/src/federation/federation.controller.ts (agent endpoints)
- apps/api/src/federation/federation.module.ts (service registration)
- apps/orchestrator/src/api/agents/agents.controller.ts (status endpoint)
- apps/orchestrator/src/api/agents/agents.module.ts (lifecycle integration)

Testing:
- 12/12 tests passing for FederationAgentService
- All command service tests passing
- TypeScript compilation successful
- Linting passed

Refs #93

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 14:37:06 -06:00


Issue #4: Authentik OIDC integration

Objective

Implement Authentik OIDC (OpenID Connect) authentication integration for the Mosaic Stack API. This will enable secure user authentication via the Authentik identity provider, supporting multi-tenant workspaces.

Approach

  1. Install BetterAuth library and dependencies
  2. Configure BetterAuth with Authentik OIDC provider
  3. Create auth module using BetterAuth
  4. Add authentication middleware and guards
  5. Configure environment variables for Authentik
  6. Create user management service integrated with BetterAuth
  7. Write comprehensive tests (TDD approach)

BetterAuth Configuration

  • Use BetterAuth's built-in OIDC support for Authentik
  • Leverage BetterAuth's session management
  • Integrate with Prisma ORM for user storage

Progress

  • Create scratchpad
  • Explore existing codebase
  • Install BetterAuth dependencies
  • Implement BetterAuth configuration
  • Create auth guards and decorators
  • Add auth service
  • Configure environment
  • Write tests (26 tests passing)
  • Build and verify
  • Code review (all critical issues fixed)
  • QA testing (identified improvements for future)
  • Fix code review issues

Testing

  • Unit tests for auth service and strategy
  • Integration tests for OIDC flow
  • E2E tests for protected endpoints
  • Target: 85% coverage minimum

Implementation Summary

Completed

  1. BetterAuth Integration: Implemented using the BetterAuth library for modern, type-safe authentication
  2. Database Schema: Added Session, Account, and Verification tables for BetterAuth
  3. Auth Module: Created complete NestJS auth module with service, controller, guards, and decorators
  4. Shared Prisma Client: Fixed duplicate PrismaClient issue by using shared instance
  5. Type Safety: Added proper TypeScript types for AuthUser interface
  6. Error Handling: Sanitized error logging to prevent sensitive data exposure
  7. Test Coverage: 26 tests passing covering service, controller, and guards
  8. Code Review: All critical issues from code review have been addressed

Key Files Created/Modified

  • apps/api/src/auth/auth.config.ts - BetterAuth configuration
  • apps/api/src/auth/auth.service.ts - Authentication service
  • apps/api/src/auth/auth.controller.ts - Auth routes handler
  • apps/api/src/auth/guards/auth.guard.ts - Session validation guard
  • apps/api/src/auth/decorators/current-user.decorator.ts - User extraction decorator
  • apps/api/src/auth/types/auth-user.interface.ts - Type definitions
  • apps/api/prisma/schema.prisma - Added auth tables
  • Multiple test files with comprehensive coverage

Future Improvements (from QA)

  • Add token format validation tests (Priority 10)
  • Add database error handling tests (Priority 9)
  • Add session data integrity tests (Priority 9)
  • Add request mutation verification (Priority 8)
  • Create E2E/integration tests for full OAuth flow
  • Add CurrentUser decorator tests

Notes

  • Using BetterAuth instead of a custom Passport implementation, as a modern, maintained solution
  • BetterAuth handles OIDC, session management, and user provisioning automatically
  • Environment variables configured in .env.example for Authentik
  • All code review findings addressed
  • Build and tests passing successfully (26/26 tests)