Device Provisioning
Overview
Device provisioning covers the full lifecycle from initial registration through certificate issuance, tenant assignment, and ongoing status monitoring. Two services handle certificates: DeviceCertificatesService (file-based CA) and CertificateManagementService (database-stored).
Registration Flow
1. Auto-Register (Android TV devices)
Devices call POST /devices/auto-register with their hardware identifiers. The AutoRegisterDto validates the payload, and the device is created under the authenticated user's tenant (via Prisma middleware).
2. Manual Registration
Admins create devices via POST /devices with a CreateDeviceDto. The device gets an initial offline status and null lastSeen timestamp.
3. Device Connection
Devices call POST /devices/connect with a ConnectDeviceDto. This updates lastSeen and sets status to online.
Certificate Management
Issuance (issueCertificate)
- RSA 2048-bit key pair generated via `crypto.generateKeyPairSync`
- Self-signed certificate built with a device-specific subject (`CN=Device-{id},O=BTManagement,C=IL`)
- Private key stored at `certificates/devices/private/{id}-key.pem` (mode `0o600`)
- Public cert stored at `certificates/devices/public/{id}-cert.pem`
- Certificate record saved to the `DeviceCertificate` model (global, not tenant-scoped)
- Event `certificate.issued` emitted
Configuration
| Constant | Value | Description |
|---|---|---|
| `DEFAULT_CERT_VALIDITY_DAYS` | 365 | Certificate lifetime |
| `RENEWAL_WARNING_DAYS` | 30 | Days before expiry to warn |
| `AUTO_RENEWAL_DAYS` | 7 | Days before expiry to auto-renew |
| `DEFAULT_KEY_SIZE` | 2048 | RSA modulus length |
Certificate Lifecycle
pending → active → (renewal warning at 30d) → (auto-renew at 7d) → expired
active → revoked (manual revocation, with a reason)
- Monitoring: `startMonitoring()` runs on module init and checks expiry dates periodically
- Renewal: auto-renewal triggers when a certificate is within `AUTO_RENEWAL_DAYS` of expiry
- Revocation: certificates can be revoked with a reason; `revokedAt` and `revocationReason` are recorded
- Validation: `validateCertificate()` checks expiry, revocation status, and fingerprint match
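The lifecycle and validation rules above, written out as an added TypeScript example (this is not the project's DeviceCertificatesService). The record shape, the `activatedAt` field used to distinguish pending from active, and the choice of SHA-256 over the PEM bytes as the stored fingerprint are assumptions made for this example; the constants are the documented ones.

```typescript
// Added example, not the project's code: certificate lifecycle state and
// validateCertificate-style checks using the documented constants.
import { createHash } from "node:crypto";

export const DEFAULT_CERT_VALIDITY_DAYS = 365;
export const RENEWAL_WARNING_DAYS = 30;
export const AUTO_RENEWAL_DAYS = 7;
const DAY_MS = 24 * 60 * 60 * 1000;

export type LifecycleState =
  | "pending"
  | "active"
  | "renewal_warning"
  | "auto_renew"
  | "expired"
  | "revoked";

export interface DeviceCertificateRecord {
  deviceId: string;
  certificatePem: string;
  fingerprint: string; // hex SHA-256 of the PEM, recorded at issuance (assumption)
  issuedAt: Date;
  expiresAt: Date;
  activatedAt: Date | null; // null while the certificate is still pending (assumption)
  revokedAt: Date | null;
  revocationReason: string | null;
}

export function fingerprintPem(pem: string): string {
  return createHash("sha256").update(pem).digest("hex");
}

// The record issueCertificate would persist, with the 365-day validity applied.
export function issueRecord(deviceId: string, certificatePem: string, issuedAt: Date): DeviceCertificateRecord {
  return {
    deviceId,
    certificatePem,
    fingerprint: fingerprintPem(certificatePem),
    issuedAt,
    expiresAt: new Date(issuedAt.getTime() + DEFAULT_CERT_VALIDITY_DAYS * DAY_MS),
    activatedAt: null,
    revokedAt: null,
    revocationReason: null,
  };
}

// Where the certificate sits in the documented lifecycle at time `now`.
// Revocation is terminal, so it is checked before anything else.
export function lifecycleState(cert: DeviceCertificateRecord, now: Date): LifecycleState {
  if (cert.revokedAt !== null) return "revoked";
  if (cert.activatedAt === null) return "pending";
  const msLeft = cert.expiresAt.getTime() - now.getTime();
  if (msLeft <= 0) return "expired";
  if (msLeft <= AUTO_RENEWAL_DAYS * DAY_MS) return "auto_renew";
  if (msLeft <= RENEWAL_WARNING_DAYS * DAY_MS) return "renewal_warning";
  return "active";
}

// What the periodic monitor would do for one certificate on a given tick.
export function monitorAction(cert: DeviceCertificateRecord, now: Date): "none" | "warn" | "renew" {
  const state = lifecycleState(cert, now);
  if (state === "auto_renew") return "renew";
  if (state === "renewal_warning") return "warn";
  return "none";
}

// Revocation records both the timestamp and the reason, as documented.
export function revoke(cert: DeviceCertificateRecord, reason: string, at: Date): DeviceCertificateRecord {
  return { ...cert, revokedAt: at, revocationReason: reason };
}

export interface ValidationResult {
  valid: boolean;
  reason: string | null;
}

// The three documented checks: revocation status, expiry, and fingerprint match
// between the presented PEM and the one recorded at issuance.
export function validateCertificate(cert: DeviceCertificateRecord, presentedPem: string, now: Date): ValidationResult {
  if (cert.revokedAt !== null) return { valid: false, reason: `revoked: ${cert.revocationReason ?? "unspecified"}` };
  if (now.getTime() >= cert.expiresAt.getTime()) return { valid: false, reason: "expired" };
  if (fingerprintPem(presentedPem) !== cert.fingerprint) return { valid: false, reason: "fingerprint mismatch" };
  return { valid: true, reason: null };
}
```

The order of checks matters: a revoked certificate must fail even if it is otherwise in date and the fingerprint matches, which is why `revokedAt` is tested first in both `lifecycleState` and `validateCertificate`.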
CA Infrastructure
On first init (`initializeCA`), the service generates a self-signed CA key pair stored at:
- `certificates/ca-key.pem`: CA private key
- `certificates/ca-cert.pem`: CA certificate
All device certificates are signed by this CA.
Device Status Management
Status Flags
| Status | Meaning |
|---|---|
| `online` | Device has reported within the last 5 minutes |
| `offline` | Device has not reported within the last 5 minutes |
Status Detection
The DeviceStatusTask runs every minute (`@Cron(CronExpression.EVERY_MINUTE)`):
- Queries devices where `status = 'online'` AND `lastSeen < (now - 5min)`
- Batch-updates matching devices to `offline`
- Emits a `device.status_changed` event per device for downstream processing (alerts, notifications, dashboard updates)
The 5-minute threshold is defined as RECENT_THRESHOLD_MS = 5 * 60 * 1000 in DevicesService.
Stats Overview
getStatsOverview() returns a real-time summary:
- total / active / offline device counts
- alerts in the last 24h, derived from `DeviceMetrics` (CPU > 90%, RAM > 85%)
- recent alerts list with severity levels
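The offline sweep from the Status Detection section and the stats summary above, combined into one added TypeScript example over an in-memory device table (this is not the project's DeviceStatusTask or DevicesService). The row shapes, reading "active" as the online count, and the severity rule (critical above 95%, otherwise warning) are assumptions; the 5-minute threshold and the CPU/RAM thresholds are the documented ones. It also shows the one edge case the documented query has: a device that is `online` with a null `lastSeen` never matches `lastSeen < now - 5min`, so it is never swept to offline.

```typescript
// Added example, not the project's code: the offline sweep and stats overview.
export const RECENT_THRESHOLD_MS = 5 * 60 * 1000;
const DAY_MS = 24 * 60 * 60 * 1000;

export type DeviceStatus = "online" | "offline";

export interface Device {
  id: string;
  status: DeviceStatus;
  lastSeen: Date | null;
}

export interface DeviceMetric {
  deviceId: string;
  cpuPercent: number;
  ramPercent: number;
  recordedAt: Date;
}

export interface StatusChangedEvent {
  deviceId: string;
  from: DeviceStatus;
  to: DeviceStatus;
  at: Date;
}

// Same predicate as the cron query: status = 'online' AND lastSeen < now - 5min.
// Caveat: a NULL lastSeen compares false, so an online device that has never
// reported is not returned here and stays online until it reports or is edited.
export function findStaleOnline(devices: Device[], now: Date): Device[] {
  const cutoff = now.getTime() - RECENT_THRESHOLD_MS;
  return devices.filter(
    (d) => d.status === "online" && d.lastSeen !== null && d.lastSeen.getTime() < cutoff,
  );
}

// One sweep: batch-update the matches to offline and emit one event per device.
export function sweepOffline(devices: Device[], now: Date): StatusChangedEvent[] {
  const stale = findStaleOnline(devices, now);
  for (const d of stale) d.status = "offline";
  return stale.map((d) => ({ deviceId: d.id, from: "online" as const, to: "offline" as const, at: now }));
}

// POST /devices/connect: refresh lastSeen and mark the device online.
export function connect(device: Device, now: Date): void {
  device.lastSeen = now;
  device.status = "online";
}

export type Severity = "critical" | "warning";

export interface Alert {
  deviceId: string;
  metric: "cpu" | "ram";
  value: number;
  severity: Severity;
  at: Date;
}

// Alerts derived from DeviceMetrics in the last 24h: CPU > 90%, RAM > 85%.
// Severity rule is an assumption for this example.
export function alertsLast24h(metrics: DeviceMetric[], now: Date): Alert[] {
  const since = now.getTime() - DAY_MS;
  const alerts: Alert[] = [];
  for (const m of metrics) {
    if (m.recordedAt.getTime() < since) continue;
    if (m.cpuPercent > 90) {
      alerts.push({ deviceId: m.deviceId, metric: "cpu", value: m.cpuPercent, severity: m.cpuPercent > 95 ? "critical" : "warning", at: m.recordedAt });
    }
    if (m.ramPercent > 85) {
      alerts.push({ deviceId: m.deviceId, metric: "ram", value: m.ramPercent, severity: m.ramPercent > 95 ? "critical" : "warning", at: m.recordedAt });
    }
  }
  // Newest first, so the "recent alerts" list is the head of this array.
  return alerts.sort((a, b) => b.at.getTime() - a.at.getTime());
}

export interface StatsOverview {
  total: number;
  active: number;
  offline: number;
  alertsLast24h: number;
  recentAlerts: Alert[];
}

export function getStatsOverview(devices: Device[], metrics: DeviceMetric[], now: Date): StatsOverview {
  const alerts = alertsLast24h(metrics, now);
  const active = devices.filter((d) => d.status === "online").length;
  return { total: devices.length, active, offline: devices.length - active, alertsLast24h: alerts.length, recentAlerts: alerts.slice(0, 10) };
}
```

If the null-`lastSeen` case matters operationally (for example a device that was marked online by hand), the sweep can be extended with an `OR lastSeen IS NULL` branch; the example keeps the documented predicate so the behaviour it shows is the documented one.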
Multi-Tenancy Notes
- `Device` is a tenant-scoped model: all queries are auto-filtered by `userId` via Prisma middleware
- `DeviceCertificate` is a global model and is not tenant-filtered; certificate operations must validate device ownership explicitly
- Never add manual `userId` filters to device queries
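What the explicit ownership check looks like in practice, as an added TypeScript example (not the project's code). The two in-memory repositories stand in for Prisma: the device repository applies the tenant filter the way the middleware does, so service code never adds a manual `userId` filter, while the certificate repository has no tenant filter at all. Repository and method names are assumptions.

```typescript
// Added example, not the project's code: ownership check for a global model.
export interface DeviceRow {
  id: string;
  userId: string;
}

export interface CertificateRow {
  id: string;
  deviceId: string;
  revokedAt: Date | null;
  revocationReason: string | null;
}

// Stands in for the tenant-scoped Device model: every lookup is narrowed to the
// caller's userId, exactly as the Prisma middleware does for real queries.
export class TenantScopedDeviceRepo {
  constructor(private readonly rows: DeviceRow[]) {}
  findById(callerUserId: string, id: string): DeviceRow | null {
    return this.rows.find((r) => r.id === id && r.userId === callerUserId) ?? null;
  }
}

// Stands in for the global DeviceCertificate model: no tenant filter.
export class GlobalCertificateRepo {
  constructor(private readonly rows: CertificateRow[]) {}
  findById(id: string): CertificateRow | null {
    return this.rows.find((r) => r.id === id) ?? null;
  }
}

export class NotFoundError extends Error {}

// Revoke a certificate on behalf of a caller. Because the certificate lookup is
// global, the caller's right to act on it is established by resolving the
// certificate's device through the tenant-scoped repository. A miss there is
// reported the same way as a missing certificate, so a caller from another
// tenant cannot distinguish "not yours" from "does not exist".
export function revokeCertificateForCaller(
  callerUserId: string,
  certificateId: string,
  reason: string,
  now: Date,
  devices: TenantScopedDeviceRepo,
  certs: GlobalCertificateRepo,
): CertificateRow {
  const cert = certs.findById(certificateId);
  if (cert === null) throw new NotFoundError("certificate not found");
  const device = devices.findById(callerUserId, cert.deviceId);
  if (device === null) throw new NotFoundError("certificate not found");
  cert.revokedAt = now;
  cert.revocationReason = reason;
  return cert;
}
```

The same pattern applies to every other operation that starts from a `DeviceCertificate` row (renewal, validation, download of the public certificate): resolve the device through the tenant-scoped model before touching the global record.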
Related Modules
- DeviceConfigurationsModule — per-device display settings
- DeviceMetricsModule — CPU, RAM, storage telemetry
- DeviceMonitoringsModule — monitoring rules and thresholds
- DeviceSettingsModule — user-facing device preferences
- RemoteControlModule — remote command execution
- SoftwareUpdatesModule — OTA update distribution