feat(portal-bff): msal confidential client provider in AuthModule #104
Reference in New Issue
Block a user
Delete Branch "feat/portal-bff/auth-msal-client"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Second step of ADR-0009 wiring.
AuthModulenow exposes the@azure/msal-nodeconfidential client alongside the parsed Entra config from PR #102 — the building block the upcoming OIDC routes inject to issue the auth-code URL, exchange the callback code for tokens, and acquire downstream tokens on behalf of the user.What lands
@azure/msal-nodeadded as a direct dependency (^5.2.1).msal-client.token.ts—MSAL_CLIENTstring token +ConfidentialClientApplicationtype re-export. Same shape as theENTRA_CONFIGtoken.auth.module.tsgrows a factory provider forMSAL_CLIENT:ENTRA_CONFIG+ nestjs-pinoLogger.ConfidentialClientApplicationwithclientId,authority,clientSecretfrom the parsed config.system.loggerOptions.loggerCallbackto forward MSAL's internal log lines into the Pino stream (per ADR-0012) — Error →logger.error, Warning →logger.warn, Verbose / Trace →logger.debug, Info →logger.log. PII logging disabled so tokens / user identifiers never leak.logLevelset toInfo; Pino's own threshold re-filters from there.msalPino context for log-query isolation.AuthModule.exportsextended to includeMSAL_CLIENT.Decisions worth flagging
nestjs-pino'sLoggerModule.forRoot({ pinoHttp: { level: 'silent' } })to register the sameLoggerprovider the production app exposes viaObservabilityModule, without flooding test stdout. Adding a stub to the TestingModule'sprovidersdoes not work — Nest scoping rules mean providers declared at the test-module level are not visible to imported modules' factories.EntraAuthServiceexposingbuildAuthCodeUrl()etc.). Lands with the routes PR — premature abstraction otherwise.Verification
nx run-many -t lint test build --projects=portal-bff— green.ConfidentialClientApplicationis constructed).Next PRs on the auth track
/api/auth/login(PKCE-initiated redirect to Entra),/api/auth/callback(token exchange + ID-token validation: issuer, audience, signature, exp, nonce, amr).__Host-portal_sessioncookie). Closes the auth loop.@RequireMfa,@RequireRole('admin')).