stack/apps/api/src/federation/audit.service.ts
Jason Woltje 6878d57c83 feat(#86): implement Authentik OIDC integration for federation
Implements federated authentication infrastructure using OIDC:

- Add FederatedIdentity model to Prisma schema for identity mapping
- Create OIDCService with identity linking and token validation
- Add FederationAuthController with 5 endpoints:
  * POST /auth/initiate - Start federated auth flow
  * POST /auth/link - Link identity to remote instance
  * GET /auth/identities - List user's federated identities
  * DELETE /auth/identities/:id - Revoke identity
  * POST /auth/validate - Validate federated token
- Create comprehensive type definitions for OIDC flows
- Add audit logging for security events
- Write 24 passing tests (14 service + 10 controller)
- Achieve 79% coverage for OIDCService, 100% for controller

Notes:
- Token validation and auth URL generation are placeholder implementations
- Full JWT validation will be added when federation OIDC is actively used
- Identity mappings enforce workspace isolation
- All endpoints require authentication except /validate

Refs #86

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 12:34:24 -06:00


/**
 * Federation Audit Service
 *
 * Logs security-sensitive federation operations for compliance and monitoring.
 * Records are written to the application logger rather than the ActivityLog
 * table, because ActivityLog requires a workspace context that these
 * federation events may not have. As a consequence the audit trail is only as
 * durable and tamper-resistant as the log pipeline that receives it.
 */
import { Injectable, Logger } from "@nestjs/common";
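@Injectable()
export class FederationAuditService {
  private readonly logger = new Logger(FederationAuditService.name);

  /**
   * Emit one structured audit record through the application logger.
   *
   * Every record has the same shape: the event name, the identifiers relevant
   * to that event, and an ISO-8601 timestamp. `securityEvent: true` is added
   * only when the caller marks the event as security-relevant, so downstream
   * log filters can key on that field. Identifiers are passed as fields of a
   * single object, not interpolated into a message string; whether that is
   * enough to stop log forging (e.g. embedded newlines in an identifier)
   * depends on how the configured logger serialises objects — confirm against
   * the log transport in use.
   *
   * @param level Logger method to use: `log` for informational records,
   *   `warn` for operations that warrant attention.
   * @param event Stable event name, e.g. `FEDERATION_IDENTITY_LINKED`.
   * @param fields Event-specific identifiers. The key names are part of the
   *   log contract consumed by monitoring, so they must not be renamed here.
   * @param securityEvent Whether to tag the record with `securityEvent: true`.
   */
  private emit(
    level: "log" | "warn",
    event: string,
    fields: Readonly<Record<string, string>>,
    securityEvent: boolean,
  ): void {
    // Key order (event, identifiers, timestamp, securityEvent) is kept stable
    // so the serialised output matches what log consumers already expect.
    const record: Record<string, unknown> = {
      event,
      ...fields,
      timestamp: new Date().toISOString(),
    };
    if (securityEvent) {
      record.securityEvent = true;
    }

    if (level === "warn") {
      this.logger.warn(record);
    } else {
      this.logger.log(record);
    }
  }

  /**
   * Log regeneration of the instance keypair (a system-level operation).
   *
   * Emitted at `warn` and tagged as a security event, since the record goes
   * only to the application log and must stand out there as the audit trail.
   *
   * @param userId User who triggered the regeneration.
   * @param instanceId Instance whose keypair was regenerated.
   */
  logKeypairRegeneration(userId: string, instanceId: string): void {
    this.emit(
      "warn",
      "FEDERATION_KEYPAIR_REGENERATED",
      { userId, instanceId },
      true,
    );
  }

  /**
   * Log the start of a federated authentication flow.
   *
   * Informational only: it is the one event in this service that is not
   * tagged `securityEvent`. Presumably deliberate, as initiation precedes any
   * change to identity mappings — confirm with whoever consumes these logs
   * before adding the tag.
   *
   * @param userId Local user starting the flow.
   * @param remoteInstanceId Remote instance the user is authenticating against.
   */
  logFederatedAuthInitiation(userId: string, remoteInstanceId: string): void {
    this.emit(
      "log",
      "FEDERATION_AUTH_INITIATED",
      { userId, remoteInstanceId },
      false,
    );
  }

  /**
   * Log the linking of a local user to an identity on a remote instance.
   *
   * Tagged as a security event because it creates a new trust relationship,
   * but emitted at `log` level rather than `warn` since linking is the
   * expected outcome of a successful flow.
   *
   * @param userId Local user whose identity was linked.
   * @param remoteInstanceId Remote instance the identity belongs to.
   */
  logFederatedIdentityLinked(userId: string, remoteInstanceId: string): void {
    this.emit(
      "log",
      "FEDERATION_IDENTITY_LINKED",
      { userId, remoteInstanceId },
      true,
    );
  }

  /**
   * Log revocation of a federated identity mapping.
   *
   * Emitted at `warn` and tagged as a security event: revocation removes a
   * trust relationship and is the record an incident responder will look for
   * when reconstructing how access changed.
   *
   * @param userId Local user whose identity mapping was revoked.
   * @param remoteInstanceId Remote instance the revoked identity belonged to.
   */
  logFederatedIdentityRevoked(userId: string, remoteInstanceId: string): void {
    this.emit(
      "warn",
      "FEDERATION_IDENTITY_REVOKED",
      { userId, remoteInstanceId },
      true,
    );
  }
}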