API Events
Identity is a pull-based JWKS issuer; it does not participate in Kafka. Async surfaces are mail (Nodemailer), SMS (MQ-SMS), and WebSocket broadcasts.
1. Inbound
N/A. Identity exposes an HTTP REST surface only. No Kafka, BullMQ, or webhook ingestion.
2. Outbound — Mail
| Trigger | Template | Locale | Delivery |
|---|---|---|---|
| AuthenticationService.signUp (post-create) | welcome-{en\|vi} | from userProfile.locale | NodemailerComponent → SMTP |
| VerifyEmailService.requestVerification | verify-email-{en\|vi} | from request | code (6 digits) + verification URL |
| ForgotPasswordService.requestReset | forgot-password-{en\|vi} | from request | reset code/token |
| AuthenticationService.changePassword (post-update) | password-changed-{en\|vi} | from user | confirmation notice |
Templates seeded by identity-0004-seed-mail-configurations.ts. Editable at runtime via the Configuration table (group=MAIL).
3. Outbound — SMS
| Trigger | Template | Locale |
|---|---|---|
| PhoneOtpService.send (namespace=phone-auth) | phone-auth-{en\|vi} | from request |
| LinkAccountService.send (namespace=add-phone) | add-phone-{en\|vi} | from request |
Provider: VN Pay SMS via MQSMSComponent. Templates seeded by identity-0007-seed-sms-templates.ts. Provider config via Configuration (group=SMS).
4. Outbound — WebSocket
IdentitySocketEventService broadcasts identity-domain events. Topics emitted via ApplicationWebSocketComponent (Redis-backed).
| Topic family | Trigger | Audience |
|---|---|---|
| User auth state | sign-in, sign-out, status change | merchant admin / observability |
| Role/permission update | policy definition mutation | dashboards |
| Profile update | user profile changes | self + admin |
Specific topic constants are defined in IdentityWebSocketTopics (in components/websocket/); consult source for exact strings.
5. OTP State (Redis, not "events" but worth noting)
OTP services persist state in Redis (not Kafka):
| Key pattern | Purpose | TTL |
|---|---|---|
| {namespace}:otp:{identifier} | Hashed code | 5–15 min per flow |
| {namespace}:lock:{identifier} | Account-level lock after max attempts | 10–15 min |
| {namespace}:session:{token} | Verified-session token | 1–24 h per flow |
| {namespace}:cooldown:{identifier} | Resend cooldown | 60s |
| {namespace}:daily:{identifier} | Daily quota counter | 24h |
Namespaces: verify-email, verify-phone, forgot-password, phone-auth, add-phone, add-email.
6. Request-Response Patterns
The "real" inbound surface is JWKS pull from sister services:
| From | To | Surface | Cadence |
|---|---|---|---|
| Sister VerifierApplication | Identity /jw-certs | HTTP GET | At service boot + on key-id mismatch |
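
The boot-plus-key-id-mismatch cadence in the table above, sketched from the verifier's side as an added example (not code from Identity or its sister services). The names Jwk, JwksCache, fetchJwks and minRefreshMs, the 30-second refetch throttle, and the synchronous injected fetch are assumptions; signature verification itself is out of scope.

```typescript
// Added example; Jwk, JwksCache, fetchJwks and minRefreshMs are hypothetical names.
type Jwk = { kid: string; kty: string; [field: string]: unknown };
type Lookup = { key?: Jwk; reason: "cached" | "refreshed" | "throttled" | "unknown-kid" };

class JwksCache {
  private keys = new Map<string, Jwk>();
  private lastFetch = 0;
  fetchCount = 0;
  private fetchJwks: () => Jwk[];   // stands in for HTTP GET on Identity /jw-certs
  private minRefreshMs: number;     // assumed throttle, not a value from the page
  private now: () => number;
  constructor(fetchJwks: () => Jwk[], minRefreshMs = 30000, now: () => number = Date.now) {
    this.fetchJwks = fetchJwks;
    this.minRefreshMs = minRefreshMs;
    this.now = now;
    this.refresh();                 // pull 1: at service boot (a throw here fails closed)
  }
  private refresh(): void {
    this.lastFetch = this.now();    // stamp first so a failing fetch is throttled too
    this.fetchCount++;
    const fresh = new Map<string, Jwk>();
    for (const k of this.fetchJwks()) if (k.kid) fresh.set(k.kid, k);
    this.keys = fresh;              // replace the set so retired keys stop verifying
  }

  lookup(kid: string): Lookup {
    const hit = this.keys.get(kid);
    if (hit) return { key: hit, reason: "cached" };
    // pull 2: key-id mismatch, throttled so forged kids cannot force a fetch per token
    if (this.now() - this.lastFetch < this.minRefreshMs) return { reason: "throttled" };
    this.refresh();
    const key = this.keys.get(kid);
    return key ? { key, reason: "refreshed" } : { reason: "unknown-kid" };
  }
}

// Constructed scenario: Identity rotates from key "k1" to "k2" after the verifier boots.
function demo(): string[] {
  let clock = 0;
  let published: Jwk[] = [{ kid: "k1", kty: "RSA" }];
  const cache = new JwksCache(() => published, 30000, () => clock);
  const seen = [cache.lookup("k1").reason];                  // served from the boot fetch
  published = [{ kid: "k2", kty: "RSA" }];
  clock = 5000;  seen.push(cache.lookup("k2").reason);       // too soon after boot
  clock = 40000; seen.push(cache.lookup("k2").reason);       // refetch finds k2
  seen.push(cache.lookup("k1").reason);                      // k1 retired, refetch throttled
  clock = 80000; seen.push(cache.lookup("forged").reason);   // refetch, still unknown
  return [...seen, String(cache.fetchCount)];
}
```

A token whose kid resolves to "throttled" or "unknown-kid" should be rejected; only three fetches reach Identity across the whole scenario, including the one at boot.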