nav/Fabric.Backend.Center

Go to file

hzhang 6afb935302 fix(security): close Critical auth gaps (C1/C2/C3)

C1: replace fragile path.endsWith() guard whitelist with a metadata
    @Public() decorator + Reflector (no more path-shape bypass surface).
C2: CenterApiKeyGuard attaches the authenticated GuildNode; introspect
    & resolve-names now reject when body.guildNodeId != that node
    (stops one node probing/enumerating another guild's identities).
C3: heartbeat/status are self-only (a node can't revoke/hijack another);
    GET /nodes no longer returns apiKeyHash (credential-hash leak).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-16 17:47:01 +01:00

src

fix(security): close Critical auth gaps (C1/C2/C3)

2026-05-16 17:47:01 +01:00

.env.example

refactor(center): prefix environment variables with FABRIC_BACKEND_CENTER

2026-05-13 12:58:28 +00:00

.gitignore

feat: bootstrap from Fabric monorepo

2026-05-13 07:06:02 +00:00

Dockerfile

feat: bootstrap from Fabric monorepo

2026-05-13 07:06:02 +00:00

eslint.config.mjs

feat: bootstrap from Fabric monorepo

2026-05-13 07:06:02 +00:00

package-lock.json

feat: bootstrap from Fabric monorepo

2026-05-13 07:06:02 +00:00

package.json

refactor: migrate to ES modules

2026-05-15 18:47:35 +01:00

README.md

docs: rewrite README to match current architecture

2026-05-16 12:53:22 +01:00

tsconfig.build.json

feat: bootstrap from Fabric monorepo

2026-05-13 07:06:02 +00:00

tsconfig.json

refactor: migrate to ES modules

2026-05-15 18:47:35 +01:00

vitest.config.ts

feat: bootstrap from Fabric monorepo

2026-05-13 07:06:02 +00:00

README.md

Fabric.Backend.Center

The identity hub for Fabric (NestJS, ES modules, MySQL/TypeORM). Default port 7001, global prefix /api.

Center is the single identity authority. Guild nodes register with it and introspect the tokens it issues; the frontend uses it to log in and to discover which guilds a user belongs to.

Responsibilities

Users & sessions — register/login, JWT access + refresh tokens, GET/ PATCH /auth/me. User display name defaults to the email until changed.
Agent auth — per-agent API keys (fak_…); POST /auth/agent/login exchanges a key for a normal user session (used by Fabric.OpenclawPlugin).
Guild-node registry — nodes register (/api/nodes/register, localhost or node API key) and are handed out to users as endpoints + short-lived guild access tokens.
Name resolution — POST /auth/resolve-names maps name/email → userId, scoped to a guild's members (used for <@user.name:NAME> mentions).
Membership — POST /auth/me/guilds/join, GET /auth/me/guilds (returns guilds + fresh guild access tokens), GET /auth/guilds/:nodeId/members.

CLI

node dist/cli.js user create  --email <e> --password <p>
node dist/cli.js user apikey  --email <e> [--label <l>]      # prints fak_… once
node dist/cli.js node register --node-id <id> --name <n> --endpoint <url>

Run

npm install
npm run build && npm start          # or: npm run start:dev

Typically run via the root docker-compose.local.yml (service backend-center). MySQL schema is auto-managed (DB_SYNC).

Notable env

FABRIC_BACKEND_CENTER_PORT (default 7001)
FABRIC_BACKEND_CENTER_DB_* (host/port/user/password/name)
JWT signing secret(s) — see src/ config

Auth model

A global CenterApiKeyGuard protects most routes; auth/session endpoints (login, agent/login, refresh, logout, me, me/guilds*, resolve-names, guild members, node register) are exempted so users, agents, and nodes can bootstrap.

Notes

ES modules (NodeNext); CJS deps are default-imported (import jwt from 'jsonwebtoken', import bcrypt from 'bcryptjs').
@IsEmail() rejects single-character TLDs — use e.g. @t.tt.