feat(reception): add passport device authentication flows and alert delivery management

2026-04-20 10:26:22 +00:00
parent 3cd7499f3f
commit 6044928c70
26 changed files with 2943 additions and 4 deletions
@@ -59,7 +59,20 @@ export class AppManager {
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetGlobalAppStats>(
        'getGlobalAppStats',
        async (requestArg) => {
-          await this.verifyGlobalAdmin(requestArg.jwt);
+          const jwtData = await this.verifyGlobalAdmin(requestArg.jwt);
+          const user = await this.receptionRef.userManager.CUser.getInstance({
+            id: jwtData.data.userId,
+          });
+
+          await this.receptionRef.alertManager.createAlertsForEvent({
+            category: 'admin',
+            eventType: 'global_admin_access',
+            severity: 'high',
+            title: 'Global admin console accessed',
+            body: `${user?.data?.email || 'A global admin'} accessed the global app administration dashboard.`,
+            actorUserId: jwtData.data.userId,
+            relatedEntityType: 'global-admin-console',
+          });

          // Get all global apps (including inactive)
          const globalApps = await this.CApp.getInstances({
@@ -198,7 +211,7 @@ export class AppManager {
      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_RegenerateAppCredentials>(
        'regenerateAppCredentials',
        async (requestArg) => {
-          await this.verifyGlobalAdmin(requestArg.jwt);
+          const jwtData = await this.verifyGlobalAdmin(requestArg.jwt);

          const app = await this.CApp.getInstance({ id: requestArg.appId });
          if (!app) {
@@ -214,6 +227,17 @@ export class AppManager {
          app.data.oauthCredentials.clientSecretHash = clientSecretHash;
          await app.save();

+          await this.receptionRef.alertManager.createAlertsForEvent({
+            category: 'security',
+            eventType: 'global_app_credentials_regenerated',
+            severity: 'critical',
+            title: 'Global app credentials regenerated',
+            body: `OAuth credentials for ${app.data.name} were regenerated.`,
+            actorUserId: jwtData.data.userId,
+            relatedEntityId: app.id,
+            relatedEntityType: 'global-app',
+          });
+
          return {
            clientId,
            clientSecret, // Only shown once