Second step of ADR-0009 wiring. AuthModule now exposes the
`@azure/msal-node` confidential client alongside the parsed Entra
config — the building block the upcoming OIDC routes inject to issue
the auth-code URL, exchange the callback code for tokens, and
acquire downstream tokens on behalf of the user.
What lands:
- `@azure/msal-node` added as a direct dependency (^5.2.1).
- `apps/portal-bff/src/auth/msal-client.token.ts` — `MSAL_CLIENT`
string token + `ConfidentialClientApplication` type re-export.
Mirrors the `ENTRA_CONFIG` token shape from PR #102.
- AuthModule grows a factory provider for `MSAL_CLIENT`:
- Injects `ENTRA_CONFIG` + nestjs-pino `Logger`.
- Builds a `ConfidentialClientApplication` with `clientId`,
`authority`, `clientSecret` from the parsed config.
- Wires `system.loggerOptions.loggerCallback` to forward MSAL's
internal log lines into the Pino stream (per ADR-0012) — Error
→ logger.error, Warning → logger.warn, Verbose / Trace →
logger.debug, Info → logger.log. PII logging is disabled by
default so tokens / user identifiers never leak into our
structured log records.
- Sets MSAL's `logLevel` to Info — Pino's own threshold
re-filters from there.
- All MSAL log lines carry the `msal` Pino context for easy
isolation in log queries.
- `AuthModule.exports` extended to include `MSAL_CLIENT`.
Verification:
- `nx run-many -t lint test build --projects=portal-bff` — green.
- 30/30 specs (was 29; +1 covering MSAL client construction).
- New spec imports `nestjs-pino`'s `LoggerModule.forRoot({ pinoHttp:
{ level: 'silent' } })` to provide the same Logger the production
app supplies via `ObservabilityModule`, without flooding test
stdout. Two tests assert the provider tree resolves correctly
(ENTRA_CONFIG + MSAL_CLIENT) and one re-checks the missing-env
failure mode still propagates through the new factory.
Construction is cheap — MSAL Node defers authority discovery to the
first auth call — so the client is built eagerly at module init.
The factory is injection-only; no MSAL methods get invoked yet.
Routes land in the next PR.
<!--
PR title format — becomes the squash-merge subject on main, validated by commitlint.
<type>(<scope>): <short description>
Examples:
feat(portal-shell): add user-preferences panel skeleton
fix(portal-bff): correct env var bracket access
docs(decisions): add ADR-0018 for security baseline
chore(deps): bump @nx/* to 22.7.2
Imperative mood, lowercase, no trailing period, target ≤ 70 chars.
See docs/development.md §5 for the full convention (types, scopes).
-->
## Summary
## Motivation
## Implementation notes
## Verification
- [ ] `pnpm ci:check` green locally
- [ ] `pnpm ci:audit` green (or pre-existing drift acknowledged)
- [ ] Tested manually:
- [ ] Architecture diagram updated (if `docs/architecture.md` was affected)
- [ ] ADR amended or added (if a decision changed)
## Related
---------
Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #104