nav/Fabric.Backend.Center

Go to file

hzhang 2a394969d2 feat(center): OIDC login (auto-provision by email) + CLI config-oidc

- OidcConfig entity (single row) + DB registration.
- OidcService: discovery, Authorization Code + PKCE, state/ticket as
  short-lived signed JWTs (no server session), userinfo/id_token claim
  resolution. Auto-provisions a passwordless user by email.
- Public endpoints /auth/oidc/{status,start,callback,exchange}; callback
  bounces a one-time ticket to the SPA in the URL fragment.
- AuthService.provisionOidcUser + issueSessionForUserId (login shape).
- CLI: 'config oidc' upserts issuer/clientId/secret/callback/redirect/
  scopes/enabled (secret masked on print).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-18 09:44:49 +01:00

src

feat(center): OIDC login (auto-provision by email) + CLI config-oidc

2026-05-18 09:44:49 +01:00

.env.example

refactor(center): prefix environment variables with FABRIC_BACKEND_CENTER

2026-05-13 12:58:28 +00:00

.gitignore

feat: bootstrap from Fabric monorepo

2026-05-13 07:06:02 +00:00

Dockerfile

feat: bootstrap from Fabric monorepo

2026-05-13 07:06:02 +00:00

eslint.config.mjs

feat: bootstrap from Fabric monorepo

2026-05-13 07:06:02 +00:00

package-lock.json

feat: bootstrap from Fabric monorepo

2026-05-13 07:06:02 +00:00

package.json

refactor: migrate to ES modules

2026-05-15 18:47:35 +01:00

README.md

docs: rewrite README to match current architecture

2026-05-16 12:53:22 +01:00

tsconfig.build.json

feat: bootstrap from Fabric monorepo

2026-05-13 07:06:02 +00:00

tsconfig.json

refactor: migrate to ES modules

2026-05-15 18:47:35 +01:00

vitest.config.ts

feat: bootstrap from Fabric monorepo

2026-05-13 07:06:02 +00:00

README.md

Fabric.Backend.Center

The identity hub for Fabric (NestJS, ES modules, MySQL/TypeORM). Default port 7001, global prefix /api.

Center is the single identity authority. Guild nodes register with it and introspect the tokens it issues; the frontend uses it to log in and to discover which guilds a user belongs to.

Responsibilities

Users & sessions — register/login, JWT access + refresh tokens, GET/ PATCH /auth/me. User display name defaults to the email until changed.
Agent auth — per-agent API keys (fak_…); POST /auth/agent/login exchanges a key for a normal user session (used by Fabric.OpenclawPlugin).
Guild-node registry — nodes register (/api/nodes/register, localhost or node API key) and are handed out to users as endpoints + short-lived guild access tokens.
Name resolution — POST /auth/resolve-names maps name/email → userId, scoped to a guild's members (used for <@user.name:NAME> mentions).
Membership — POST /auth/me/guilds/join, GET /auth/me/guilds (returns guilds + fresh guild access tokens), GET /auth/guilds/:nodeId/members.

CLI

node dist/cli.js user create  --email <e> --password <p>
node dist/cli.js user apikey  --email <e> [--label <l>]      # prints fak_… once
node dist/cli.js node register --node-id <id> --name <n> --endpoint <url>

Run

npm install
npm run build && npm start          # or: npm run start:dev

Typically run via the root docker-compose.local.yml (service backend-center). MySQL schema is auto-managed (DB_SYNC).

Notable env

FABRIC_BACKEND_CENTER_PORT (default 7001)
FABRIC_BACKEND_CENTER_DB_* (host/port/user/password/name)
JWT signing secret(s) — see src/ config

Auth model

A global CenterApiKeyGuard protects most routes; auth/session endpoints (login, agent/login, refresh, logout, me, me/guilds*, resolve-names, guild members, node register) are exempted so users, agents, and nodes can bootstrap.

Notes

ES modules (NodeNext); CJS deps are default-imported (import jwt from 'jsonwebtoken', import bcrypt from 'bcryptjs').
@IsEmail() rejects single-character TLDs — use e.g. @t.tt.