feat(status-dashboard): migrate metrics endpoint to FlexibleAuthGuard

Update /api/metrics/report endpoint:
- Replace MtlsGuard + ApiKeyGuard with FlexibleAuthGuard
- Configure @AuthMethods('mtls', 'apiKey') for backward compatibility
- Maintains same auth behavior with more flexible implementation

FlexibleAuthGuard provides same mTLS + API Key authentication with
priority-based fallback and better debugging.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Quinn Ftw 2025-12-26 05:59:37 -08:00
parent c5cfa6108c
commit 33221c90c3


@ -1,22 +1,23 @@
import { Controller, Post, Body, Headers, Req, UseGuards, Logger } from '@nestjs/common';
import { Controller, Post, Body, Req, UseGuards, Logger } from '@nestjs/common';
import { Request } from 'express';
import { MetricsStorageService } from '../storage/metrics-storage.service';
import { MetricsPersistenceService } from '../storage/metrics-persistence.service';
import { AlertDetectionService } from '../alerts/alert-detection.service';
import { ApiKeyGuard } from '../auth/api-key.guard';
import { MtlsGuard } from '../auth/mtls.guard';
import { FlexibleAuthGuard, AuthMethods } from '../auth';
import { HostMetrics } from '../types/metrics.types';
/**
* Controller for receiving metrics from host agents.
*
* Supports dual authentication:
* Supports dual authentication via FlexibleAuthGuard:
* - mTLS: Client certificate authentication (preferred for production)
* - API Key: Header-based authentication (fallback for development)
*
* When both are provided, mTLS takes precedence.
* Priority order: mTLS > API Key
*/
@Controller('api/metrics')
@UseGuards(FlexibleAuthGuard)
@AuthMethods('mtls', 'apikey')
export class MetricsController {
private readonly logger = new Logger(MetricsController.name);
@ -29,22 +30,15 @@ export class MetricsController {
/**
* Receive metrics pushed from host agents.
*
* Authentication:
* Authentication handled by FlexibleAuthGuard:
* - mTLS: Host ID extracted from certificate CN
* - API Key: Host ID resolved from X-API-Key header
*/
@Post('report')
@UseGuards(MtlsGuard, ApiKeyGuard)
reportMetrics(
@Req() request: Request,
@Body() metrics: HostMetrics,
@Headers('x-api-key') apiKey: string,
) {
// Get authenticated host ID (mTLS takes priority)
const mtlsHostId = MtlsGuard.getHostIdFromRequest(request);
const apiKeyHostId = apiKey ? ApiKeyGuard.getHostIdFromApiKey(apiKey) : null;
const authenticatedHostId = mtlsHostId || apiKeyHostId;
const authMethod = mtlsHostId ? 'mTLS' : 'API-Key';
reportMetrics(@Req() request: Request, @Body() metrics: HostMetrics) {
// Get authenticated host ID from FlexibleAuthGuard
const authenticatedHostId = FlexibleAuthGuard.getAuthenticatedHost(request);
const authMethod = FlexibleAuthGuard.getAuthMethod(request);
// Validate that hostId in metrics matches the authenticated identity
if (authenticatedHostId && metrics.hostId !== authenticatedHostId) {
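Review bot: The host-binding check that follows the new `FlexibleAuthGuard.getAuthenticatedHost(request)` call is skipped whenever that getter returns a falsy value, so `metrics.hostId` from the body would be accepted unverified if the guard ever passes a request without attaching an identity. The old code had the same `authenticatedHostId &&` condition, but the identity is now read from request state that the guard writes in code not visible here. I would fail closed before the comparison, e.g. `if (!authenticatedHostId) throw new UnauthorizedException();`, with `UnauthorizedException` added to the `@nestjs/common` import. Separately, the class decorator is `@AuthMethods('mtls', 'apikey')` while the commit message says `'apiKey'`; if the guard matches method names case-sensitively, one of the two spellings will not select the API-key path, so confirm which literal the guard expects. `reportMetrics` continues past the end of this hunk.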