feat(auth): Add external authentication (OAuth/OIDC & LDAP) with admin management, UI, and encryption support

ts/interfaces/auth.interfaces.ts

@@ -286,3 +286,140 @@ export interface ICreateTokenDto {
   scopes: ITokenScope[];
   expiresAt?: Date;
 }
+
+// =============================================================================
+// External Authentication Types
+// =============================================================================
+
+export type TAuthProviderType = 'oidc' | 'ldap';
+export type TAuthProviderStatus = 'active' | 'disabled' | 'testing';
+
+export interface IOAuthConfig {
+  clientId: string;
+  clientSecretEncrypted: string; // AES-256-GCM encrypted
+  issuer: string; // OIDC issuer URL (used for discovery)
+  authorizationUrl?: string; // Override discovery
+  tokenUrl?: string; // Override discovery
+  userInfoUrl?: string; // Override discovery
+  scopes: string[];
+  callbackUrl: string;
+}
+
+export interface ILdapConfig {
+  serverUrl: string; // ldap:// or ldaps://
+  bindDn: string;
+  bindPasswordEncrypted: string; // AES-256-GCM encrypted
+  baseDn: string;
+  userSearchFilter: string; // e.g., "(uid={{username}})" or "(sAMAccountName={{username}})"
+  tlsEnabled: boolean;
+  tlsCaCert?: string;
+}
+
+export interface IAttributeMapping {
+  email: string;
+  username: string;
+  displayName: string;
+  avatarUrl?: string;
+  groups?: string;
+}
+
+export interface IProvisioningSettings {
+  jitEnabled: boolean; // Create user on first login
+  autoLinkByEmail: boolean; // Link to existing user by email match
+  allowedEmailDomains?: string[]; // Restrict to specific domains
+}
+
+export interface IAuthProvider {
+  id: string;
+  name: string;
+  displayName: string;
+  type: TAuthProviderType;
+  status: TAuthProviderStatus;
+  priority: number;
+  oauthConfig?: IOAuthConfig;
+  ldapConfig?: ILdapConfig;
+  attributeMapping: IAttributeMapping;
+  provisioning: IProvisioningSettings;
+  createdAt: Date;
+  updatedAt: Date;
+  createdById: string;
+  lastTestedAt?: Date;
+  lastTestResult?: 'success' | 'failure';
+  lastTestError?: string;
+}
+
+export interface IExternalIdentity {
+  id: string;
+  userId: string;
+  providerId: string;
+  externalId: string;
+  externalEmail?: string;
+  externalUsername?: string;
+  rawAttributes?: Record<string, unknown>;
+  lastLoginAt?: Date;
+  createdAt: Date;
+}
+
+export interface IPlatformAuthSettings {
+  localAuthEnabled: boolean;
+  allowUserRegistration: boolean;
+  sessionDurationMinutes: number;
+  defaultProviderId?: string;
+}
+
+export interface IPlatformSettings {
+  id: string;
+  auth: IPlatformAuthSettings;
+  updatedAt: Date;
+  updatedById?: string;
+}
+
+// External auth flow types
+export interface IExternalUserInfo {
+  externalId: string;
+  email: string;
+  username?: string;
+  displayName?: string;
+  avatarUrl?: string;
+  groups?: string[];
+  rawAttributes: Record<string, unknown>;
+}
+
+export interface IConnectionTestResult {
+  success: boolean;
+  latencyMs: number;
+  serverInfo?: Record<string, unknown>;
+  error?: string;
+}
+
+export interface IExternalAuthResult {
+  success: boolean;
+  user?: IUser;
+  accessToken?: string;
+  refreshToken?: string;
+  sessionId?: string;
+  isNewUser?: boolean;
+  errorCode?: string;
+  errorMessage?: string;
+}
+
+// Admin DTOs
+export interface ICreateAuthProviderDto {
+  name: string;
+  displayName: string;
+  type: TAuthProviderType;
+  oauthConfig?: IOAuthConfig;
+  ldapConfig?: ILdapConfig;
+  attributeMapping?: IAttributeMapping;
+  provisioning?: IProvisioningSettings;
+}
+
+export interface IUpdateAuthProviderDto {
+  displayName?: string;
+  status?: TAuthProviderStatus;
+  priority?: number;
+  oauthConfig?: Partial<IOAuthConfig>;
+  ldapConfig?: Partial<ILdapConfig>;
+  attributeMapping?: Partial<IAttributeMapping>;
+  provisioning?: Partial<IProvisioningSettings>;
+}