feat: implement MFA enhancements and agent authentication improvements

- Added MFA (Multi-Factor Authentication) support to the authentication process, requiring verification via TOTP (Time-based One-Time Password).
- Introduced a challenge mechanism for MFA, allowing users to complete authentication with an OTP code.
- Enhanced the agent controller to sanitize payloads and include MFA requirements for sensitive operations.
- Updated the authentication service to handle MFA challenges and verify OTP codes, improving security during login.
- Implemented additional checks for agent states and IP validation to ensure only authorized access.
- Refactored various controllers to enforce MFA on critical actions, enhancing overall application security.

Author: tacxou

apps/api/src/_common/decorators/require-mfa.decorator.ts

@@ -0,0 +1,4 @@
+import { applyDecorators, SetMetadata } from '@nestjs/common';
+
+export const META_REQUIRE_MFA = 'require-mfa';
+export const RequireMfa = () => applyDecorators(SetMetadata(META_REQUIRE_MFA, true));

apps/api/src/_common/functions/resolve-client-ip.ts

@@ -89,18 +89,6 @@ export function buildClientIpDebugPayload(req: Request): Record<string, unknown>
   const xffFirst = normalizeIp(firstCsvSegment(xffRaw) ?? (xffRaw?.trim() || null));
   const xffEchoesPeer = Boolean(peerIp && xffFirst && peerIp === xffFirst);
   const clientIp = resolveClientIp(req);
-  const hasTrustedForward =
-    Boolean(normalizeIp(headerString(req, 'x-real-ip'))) ||
-    Boolean(normalizeIp(headerString(req, 'cf-connecting-ip'))) ||
-    Boolean(normalizeIp(headerString(req, 'true-client-ip')));
-
-  let hintFr =
-    'clientIp = valeur utilisée par Nest (auth, audits). Ce n’est pas forcément « votre PC » si la connexion TCP passe par un relai (tunnel, port forward, Docker/Nitro).';
-
-  if (xffEchoesPeer && !hasTrustedForward) {
-    hintFr +=
-      ' Ici X-Forwarded-For ne fait que répéter l’IP du pair TCP (relai) : il est ignoré pour la résolution. Sans X-Real-IP / CF-Connecting-IP / premier hop X-Forwarded-For fiable, Nest ne peut pas inventer votre IP LAN. Solution : reverse-proxy (nginx, Traefik…) qui transmet le client, puis SESAME_TRUST_PROXY=1 sur l’API.';
-  }
 
   return {
     clientIp,
@@ -115,6 +103,5 @@ export function buildClientIpDebugPayload(req: Request): Record<string, unknown>
     cfConnectingIp: pick('cf-connecting-ip') ?? null,
     host: pick('host') ?? null,
     trustProxyEnv: process.env['SESAME_TRUST_PROXY'] ?? null,
-    hintFr,
   };
 }

apps/api/src/_common/guards/mfa.guard.ts

@@ -0,0 +1,20 @@
+import { CanActivate, ExecutionContext, ForbiddenException, Injectable } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { META_REQUIRE_MFA } from '~/_common/decorators/require-mfa.decorator';
+
+@Injectable()
+export class MfaGuard implements CanActivate {
+  public constructor(private readonly reflector: Reflector) {}
+
+  public canActivate(context: ExecutionContext): boolean {
+    const requiresMfa = this.reflector.getAllAndOverride<boolean>(META_REQUIRE_MFA, [
+      context.getClass(),
+      context.getHandler(),
+    ]);
+    if (!requiresMfa) return true;
+
+    const request = context.switchToHttp().getRequest<{ user?: { mfaVerified?: boolean } }>();
+    if (request?.user?.mfaVerified) return true;
+    throw new ForbiddenException('MFA required');
+  }
+}

apps/api/src/app.module.ts

@@ -32,6 +32,7 @@ import { isConsoleEntrypoint } from './_common/functions/is-cli';
 import { AccessControlModule, ACGuard, RolesBuilder } from 'nest-access-control';
 import { AcGuard } from './_common/guards/ac.guard';
 import { AclRuntimeService } from './core/roles/acl-runtime.service';
+import { MfaGuard } from './_common/guards/mfa.guard';
 
 @Module({
   imports: [
@@ -128,7 +129,7 @@ import { AclRuntimeService } from './core/roles/acl-runtime.service';
       imports: [CoreModule],
       inject: [AclRuntimeService],
       useFactory: async (service: AclRuntimeService): Promise<RolesBuilder> => {
-        return await service.getGuardRolesBuilder()
+        return await service.getGuardRolesBuilder();
       },
     }),
     FactorydriveModule.forRootAsync({
@@ -165,6 +166,10 @@ import { AclRuntimeService } from './core/roles/acl-runtime.service';
       provide: APP_GUARD,
       useClass: AcGuard(),
     },
+    {
+      provide: APP_GUARD,
+      useClass: MfaGuard,
+    },
     // {
     //   provide: APP_FILTER,
     //   useClass: AllExceptionFilter,
@@ -183,4 +188,4 @@ import { AclRuntimeService } from './core/roles/acl-runtime.service';
     },
   ],
 })
-export class AppModule { }
+export class AppModule {}

apps/api/src/core/agents/_dto/agents.dto.ts

@@ -1,9 +1,9 @@
-import { ApiProperty, PartialType } from '@nestjs/swagger'
-import { IsString, IsNotEmpty, ValidateNested, IsEmail, IsBoolean, IsMongoId, IsOptional } from 'class-validator'
-import { Type } from 'class-transformer'
-import { StatePartDTO } from './parts/state.part.dto'
-import { SecurityPartDTO } from './parts/security.part.dto'
-import { CustomFieldsDto } from '~/_common/abstracts/dto/custom-fields.dto'
+import { ApiProperty, PartialType } from '@nestjs/swagger';
+import { IsString, IsNotEmpty, ValidateNested, IsEmail, IsBoolean, IsMongoId, IsOptional } from 'class-validator';
+import { Type } from 'class-transformer';
+import { StatePartDTO } from './parts/state.part.dto';
+import { SecurityPartDTO } from './parts/security.part.dto';
+import { CustomFieldsDto } from '~/_common/abstracts/dto/custom-fields.dto';
 
 /**
  * DTO pour la création d'un agent.
@@ -56,7 +56,7 @@ export class AgentsCreateDto extends CustomFieldsDto {
   @IsString()
   @IsNotEmpty()
   @ApiProperty()
-  public username: string
+  public username: string;
 
   /**
    * Nom d'affichage de l'agent.
@@ -67,7 +67,7 @@ export class AgentsCreateDto extends CustomFieldsDto {
   @IsString()
   @IsOptional()
   @ApiProperty()
-  public displayName?: string
+  public displayName?: string;
 
   /**
    * Adresse email unique de l'agent.
@@ -79,7 +79,7 @@ export class AgentsCreateDto extends CustomFieldsDto {
   @IsEmail()
   @IsNotEmpty()
   @ApiProperty()
-  public email: string
+  public email: string;
 
   /**
    * Mot de passe de l'agent.
@@ -91,7 +91,7 @@ export class AgentsCreateDto extends CustomFieldsDto {
   @IsString()
   @IsNotEmpty()
   @ApiProperty()
-  public password: string
+  public password: string;
 
   /**
    * Méthode d'authentification tierce.
@@ -104,7 +104,7 @@ export class AgentsCreateDto extends CustomFieldsDto {
   @IsString()
   @IsOptional()
   @ApiProperty()
-  public thirdPartyAuth?: string
+  public thirdPartyAuth?: string;
 
   /**
    * État de lifecycle de l'agent.
@@ -116,7 +116,7 @@ export class AgentsCreateDto extends CustomFieldsDto {
   @Type(() => StatePartDTO)
   @IsNotEmpty()
   @ApiProperty({ type: StatePartDTO })
-  public state: StatePartDTO
+  public state: StatePartDTO;
 
   /**
    * URL de base pour l'agent.
@@ -128,7 +128,7 @@ export class AgentsCreateDto extends CustomFieldsDto {
   @IsString()
   @IsOptional()
   @ApiProperty()
-  public baseURL?: string
+  public baseURL?: string;
 
   /**
    * Rôles de l'agent.
@@ -140,7 +140,7 @@ export class AgentsCreateDto extends CustomFieldsDto {
   @IsString({ each: true })
   @IsOptional()
   @ApiProperty()
-  public roles?: string[]
+  public roles?: string[];
 
   /**
    * Configuration de sécurité de l'agent.
@@ -151,7 +151,7 @@ export class AgentsCreateDto extends CustomFieldsDto {
   @ValidateNested()
   @Type(() => SecurityPartDTO)
   @ApiProperty({ type: SecurityPartDTO })
-  public security: SecurityPartDTO
+  public security: SecurityPartDTO;
 
   /**
    * Indicateur de visibilité de l'agent.
@@ -163,7 +163,7 @@ export class AgentsCreateDto extends CustomFieldsDto {
   @IsBoolean()
   @IsOptional()
   @ApiProperty()
-  public hidden: boolean
+  public hidden: boolean;
 }
 
 /**
@@ -194,7 +194,7 @@ export class AgentsDto extends AgentsCreateDto {
    */
   @IsMongoId()
   @ApiProperty({ type: String })
-  public _id: string
+  public _id: string;
 }
 
 /**
@@ -225,4 +225,11 @@ export class AgentsDto extends AgentsCreateDto {
  * };
  * ```
  */
-export class AgentsUpdateDto extends PartialType(AgentsCreateDto) { }
+export class AgentsUpdateDto extends PartialType(AgentsCreateDto) {}
+
+export class AgentsSelfUpdateDto extends AgentsUpdateDto {
+  @IsString()
+  @IsOptional()
+  @ApiProperty()
+  public currentPassword?: string;
+}