feat(federation): mTLS AuthGuard with OID-based grant resolution (FED-M3-03)
Adds FederationAuthGuard that validates inbound mTLS client certs on federation API routes. Extracts custom OIDs (grantId, subjectUserId), loads the grant+peer from DB in one query, asserts active status, and validates cert serial as defense-in-depth. Attaches FederationContext to requests on success and uses federation wire-format error envelopes (not raw NestJS exceptions) for 401/403 responses. New files: - apps/gateway/src/federation/oid.util.ts — shared OID extraction (no dupe ASN.1 logic) - apps/gateway/src/federation/server/federation-auth.guard.ts — guard impl - apps/gateway/src/federation/server/federation-context.ts — FederationContext type + module augment - apps/gateway/src/federation/server/index.ts — barrel export - apps/gateway/src/federation/server/__tests__/federation-auth.guard.spec.ts — 11 unit tests Modified: - apps/gateway/src/federation/grants.service.ts — adds getGrantWithPeer() with join - apps/gateway/src/federation/federation.module.ts — registers FederationAuthGuard as provider Closes #462 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jarvis
39
apps/gateway/src/federation/server/federation-context.ts
Normal file
39
apps/gateway/src/federation/server/federation-context.ts
Normal file
@@ -0,0 +1,39 @@
|
||||
/**
|
||||
* FederationContext — attached to inbound federation requests after successful
|
||||
* mTLS + grant validation by FederationAuthGuard.
|
||||
*
|
||||
* Downstream verb controllers access this via `request.federationContext`.
|
||||
*/
|
||||
|
||||
/**
|
||||
* Augment FastifyRequest so TypeScript knows about the federation context
|
||||
* property that FederationAuthGuard attaches on success.
|
||||
*/
|
||||
declare module 'fastify' {
|
||||
interface FastifyRequest {
|
||||
federationContext?: FederationContext;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Typed context object attached to the request by FederationAuthGuard.
|
||||
* Carries all data extracted from the mTLS cert + grant DB row needed
|
||||
* by downstream federation verb handlers.
|
||||
*/
|
||||
export interface FederationContext {
|
||||
/** The federation grant ID extracted from OID 1.3.6.1.4.1.99999.1 */
|
||||
grantId: string;
|
||||
|
||||
/** The local subject user whose data is accessible under this grant */
|
||||
subjectUserId: string;
|
||||
|
||||
/** The peer gateway ID (from the grant's peerId FK) */
|
||||
peerId: string;
|
||||
|
||||
/**
|
||||
* Grant scope — determines which resources the peer may query.
|
||||
* Typed as Record<string, unknown> because the full scope schema lives in
|
||||
* scope-schema.ts; downstream handlers should narrow via parseFederationScope.
|
||||
*/
|
||||
scope: Record<string, unknown>;
|
||||
}
|
||||
Reference in New Issue
Block a user