Adds FederationAuthGuard that validates inbound mTLS client certs on federation API routes. Extracts custom OIDs (grantId, subjectUserId), loads the grant+peer from DB in one query, asserts active status, and validates the cert serial as defense-in-depth. Attaches FederationContext to requests on success and uses federation wire-format error envelopes (not raw NestJS exceptions) for 401/403 responses. New files: - apps/gateway/src/federation/oid.util.ts — shared OID extraction (no duplicated ASN.1 logic) - apps/gateway/src/federation/server/federation-auth.guard.ts — guard impl - apps/gateway/src/federation/server/federation-context.ts — FederationContext type + module augment - apps/gateway/src/federation/server/index.ts — barrel export - apps/gateway/src/federation/server/__tests__/federation-auth.guard.spec.ts — 11 unit tests Modified: - apps/gateway/src/federation/grants.service.ts — adds getGrantWithPeer() with join - apps/gateway/src/federation/federation.module.ts — registers FederationAuthGuard as a provider Closes #462 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
import { Module } from '@nestjs/common';
|
|
import { AdminGuard } from '../admin/admin.guard.js';
|
|
import { CaService } from './ca.service.js';
|
|
import { EnrollmentController } from './enrollment.controller.js';
|
|
import { EnrollmentService } from './enrollment.service.js';
|
|
import { FederationController } from './federation.controller.js';
|
|
import { GrantsService } from './grants.service.js';
|
|
import { FederationClientService } from './client/index.js';
|
|
import { FederationAuthGuard } from './server/index.js';
|
|
|
|
@Module({
|
|
controllers: [EnrollmentController, FederationController],
|
|
providers: [
|
|
AdminGuard,
|
|
CaService,
|
|
EnrollmentService,
|
|
GrantsService,
|
|
FederationClientService,
|
|
FederationAuthGuard,
|
|
],
|
|
exports: [
|
|
CaService,
|
|
EnrollmentService,
|
|
GrantsService,
|
|
FederationClientService,
|
|
FederationAuthGuard,
|
|
],
|
|
})
|
|
export class FederationModule {}
|
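Review bot: Listing FederationAuthGuard under `providers` and `exports` only makes it injectable; nothing in this module binds it to a route, so unless FederationController (or the individual federation handlers) carries `@UseGuards(FederationAuthGuard)` or the module adds an `{ provide: APP_GUARD, useClass: FederationAuthGuard }` entry, the mTLS validation described in the commit is never executed and the federation routes fail open. The commit lists no change to federation.controller.ts, so that binding is either pre-existing or missing — please confirm which, and consider a spec that asserts an unauthenticated request to a federation route is rejected with the wire-format 401 envelope. A one-line comment on the `FederationAuthGuard,` provider entry would make the contract explicit for the next maintainer: `// injectable only — federation routes must bind it with @UseGuards(FederationAuthGuard)`.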