feat: enhance Socket.IO configuration and update AuthService token handling

- Introduced custom Socket.IO ping interval and timeout settings to improve connection stability.
- Updated AuthService to exclude 'mfaVerifiedAt' from JWT sign options when renewing tokens, ensuring cleaner token management.
- Enhanced LifecycleHooksService to conditionally set identity state based on lifecycle mutations, improving identity processing logic.
- Added tests to verify the exclusion of 'mfaVerifiedAt' in token renewal process.

Author: tacxou

apps/api/src/_common/adapters/sesame-io.adapter.ts

@@ -3,6 +3,10 @@ import { Server as HttpServer } from 'http';
 import { Server as HttpsServer } from 'https';
 import { ServerOptions } from 'socket.io';
 
+/** Défaut Socket.IO : 25 s — trop verbeux en long-polling seul (dev). */
+const SOCKET_IO_PING_INTERVAL_MS = 60_000;
+const SOCKET_IO_PING_TIMEOUT_MS = 45_000;
+
 export class SesameIoAdapter extends IoAdapter {
   private ioServer: ReturnType<IoAdapter['createIOServer']> | undefined;
 
@@ -12,7 +16,11 @@ export class SesameIoAdapter extends IoAdapter {
 
   public createIOServer(port: number, options?: ServerOptions) {
     if (!this.ioServer) {
-      this.ioServer = super.createIOServer(port, options);
+      this.ioServer = super.createIOServer(port, {
+        ...options,
+        pingInterval: SOCKET_IO_PING_INTERVAL_MS,
+        pingTimeout: SOCKET_IO_PING_TIMEOUT_MS,
+      });
     }
 
     return this.ioServer;

apps/api/src/core/auth/auth.service.ts

@@ -764,7 +764,7 @@ export class AuthService extends AbstractService implements OnModuleInit {
         expiresIn: this.ACCESS_TOKEN_EXPIRES_IN,
         jwtid,
         subject: `${identity._id}`,
-        ...omit(options, ['scopes', 'mfaVerified']),
+        ...omit(options, ['scopes', 'mfaVerified', 'mfaVerifiedAt']),
       },
     );
     this.logger.debug(

apps/api/src/management/lifecycle/_functions/has-lifecycle-mutation.function.ts

@@ -0,0 +1,3 @@
+export function hasLifecycleMutation(mutation: object | undefined | null): boolean {
+  return mutation != null && typeof mutation === 'object' && Object.keys(mutation).length > 0;
+}

apps/api/src/management/lifecycle/lifecycle-hooks.service.ts

@@ -5,9 +5,11 @@ import { CronJob } from 'cron';
 import dayjs from 'dayjs';
 import { existsSync, mkdirSync, readdirSync, readFileSync, writeFileSync } from 'node:fs';
 import { isConsoleEntrypoint } from '~/_common/functions/is-cli';
+import { IdentityState } from '../identities/_enums/states.enum';
 import { Identities } from '../identities/_schemas/identities.schema';
 import { AbstractLifecycleService } from './_abstracts/abstract.lifecycle.service';
 import { ConfigRulesObjectSchemaDTO } from './_dto/config-rules.dto';
+import { hasLifecycleMutation } from './_functions/has-lifecycle-mutation.function';
 import { loadCustomStates } from './_functions/load-custom-states.function';
 import { loadLifecycleRules } from './_functions/load-lifecycle-rules.function';
 import { validateLifecycleCronRules } from './_functions/validate-lifecycle-cron-rules.function';
@@ -331,13 +333,15 @@ export class LifecycleHooksService extends AbstractLifecycleService {
             this.logger.verbose(`identities process request`, JSON.stringify(req, null, 2));
 
             for (const identity of identities) {
+              const hasMutation = hasLifecycleMutation(resolvedMutation);
               const updated = await this.identitiesService.model.findOneAndUpdate(
                 { _id: identity._id },
                 {
                   $set: {
                     ...resolvedMutation,
                     lifecycle: idRule.target,
                     lastLifecycleUpdate: new Date(),
+                    ...(hasMutation ? { state: IdentityState.TO_SYNC } : {}),
                   },
                 },
                 { new: true },
@@ -526,6 +530,7 @@ export class LifecycleHooksService extends AbstractLifecycleService {
           continue; // Skip processing if it's a trigger-based rule
         }
 
+        const hasMutation = hasLifecycleMutation(resolvedMutation);
         const res = await this.identitiesService.model.findOneAndUpdate(
           {
             ...resolvedRules,
@@ -537,6 +542,7 @@ export class LifecycleHooksService extends AbstractLifecycleService {
               ...resolvedMutation,
               lifecycle: lcs.target,
               lastLifecycleUpdate: new Date(),
+              ...(hasMutation ? { state: IdentityState.TO_SYNC } : {}),
             },
           },
           {
@@ -556,12 +562,17 @@ export class LifecycleHooksService extends AbstractLifecycleService {
           date: new Date(),
         });
 
-        const identities = res._id ? [{ id: res._id.toString(), before: after, after: res }] : [];
-        await this.backendsService.lifecycleChangedIdentities(identities);
-
-        this.logger.log(
-          `Identity <${res._id}> updated to lifecycle <${lcs.target}> based on rules from source <${after.lifecycle}>`,
-        );
+        if (hasMutation) {
+          this.logger.log(
+            `Identity <${res._id}> updated to lifecycle <${lcs.target}> with attribute mutation, set to TO_SYNC`,
+          );
+        } else {
+          const identities = res._id ? [{ id: res._id.toString(), before: after, after: res }] : [];
+          await this.backendsService.lifecycleChangedIdentities(identities);
+          this.logger.log(
+            `Identity <${res._id}> updated to lifecycle <${lcs.target}> based on rules from source <${after.lifecycle}>`,
+          );
+        }
         return;
       }
     }

apps/api/tests/unit/core/auth/auth.service.spec.ts

@@ -106,9 +106,36 @@ describe('AuthService', () => {
     expect(tokens.access_token).toBe('new-a');
     expect(createTokensSpy).toHaveBeenCalledWith({ _id: 'a1', username: 'john' }, 'existing-r', {
       mfaVerified: undefined,
+      mfaVerifiedAt: undefined,
     });
   });
 
+  it('should not pass mfaVerifiedAt to jwt sign options when renewing tokens', async () => {
+    const verifiedAt = 1_700_000_000_000;
+    redisGet.mockResolvedValueOnce(
+      JSON.stringify({ identityId: 'a1', mfaVerified: true, mfaVerifiedAt: verifiedAt }),
+    );
+    agentsFindOne.mockResolvedValueOnce({
+      _id: 'a1',
+      toObject: () => ({ _id: 'a1', username: 'john', password: 'hash' }),
+      toJSON: () => ({ _id: 'a1', username: 'john' }),
+    });
+    jwtSign.mockReturnValue('access-token');
+
+    await service.renewTokens('existing-r');
+
+    const signOptions = jwtSign.mock.calls[0]?.[1];
+    expect(signOptions).toEqual(
+      expect.objectContaining({
+        expiresIn: expect.any(Number),
+        jwtid: expect.any(String),
+        subject: 'a1',
+      }),
+    );
+    expect(signOptions).not.toHaveProperty('mfaVerifiedAt');
+    expect(signOptions).not.toHaveProperty('mfaVerified');
+  });
+
   it('should throw UnauthorizedException when renew token does not exist', async () => {
     redisGet.mockResolvedValue(null);
 

apps/api/tests/unit/management/lifecycle/has-lifecycle-mutation.function.spec.ts

@@ -0,0 +1,13 @@
+import { hasLifecycleMutation } from '~/management/lifecycle/_functions/has-lifecycle-mutation.function';
+
+describe('hasLifecycleMutation', () => {
+  it('should return false for empty or missing mutation', () => {
+    expect(hasLifecycleMutation(undefined)).toBe(false);
+    expect(hasLifecycleMutation(null)).toBe(false);
+    expect(hasLifecycleMutation({})).toBe(false);
+  });
+
+  it('should return true when mutation has at least one field', () => {
+    expect(hasLifecycleMutation({ 'inetOrgPerson.cn': 'mutated' })).toBe(true);
+  });
+});

apps/web/src/composables/useSocketIoClient.ts

@@ -39,5 +39,7 @@ export function buildSocketIoClientOptions(auth: { id: string; key: string }): P
     transports: socketIoTransports(),
     upgrade: !pollingOnly,
     reconnectionAttempts: 10,
+    reconnectionDelay: 5_000,
+    reconnectionDelayMax: 30_000,
   }
 }