@adatechnology/auth-keycloak 0.0.2 → 0.0.3

package/README.md

@@ -72,6 +72,52 @@ Notas
 - Este módulo depende de `@adatechnology/http-client` (provider `HTTP_PROVIDER`) para realizar chamadas HTTP ao Keycloak. Configure o `HttpModule` conforme necessário na aplicação que consome este pacote.
 - O interceptor `KeycloakHttpInterceptor` é fornecido caso queira integrar com outras camadas que aceitem interceptors.
 
+## Autorização (decorator @Roles)
+
+O pacote agora fornece um decorator `@Roles()` e um `RolesGuard` para uso nas rotas do NestJS. Exemplos:
+
+```ts
+import { Controller, Get, UseGuards } from "@nestjs/common";
+import { Roles } from "@adatechnology/auth-keycloak";
+import { RolesGuard } from "@adatechnology/auth-keycloak";
+
+@Controller("secure")
+@UseGuards(RolesGuard)
+export class SecureController {
+  @Get("admin")
+  @Roles("admin") // aceita um ou mais roles (OR por padrão)
+  adminOnly() {
+    return { ok: true };
+  }
+
+  @Get("team")
+  @Roles({ roles: ["manager", "lead"], mode: "all" }) // requer ambos (AND)
+  teamOnly() {
+    return { ok: true };
+  }
+}
+```
+
+O `RolesGuard` extrai roles do payload do JWT (claims `realm_access.roles` e `resource_access[clientId].roles`). Por padrão o decorator verifica ambos (realm e client). Você pode ajustar o comportamento usando as opções `{ type: 'realm'|'client'|'both' }`.
+
+## Erros
+
+O pacote exporta `KeycloakError` (classe) que é usada para representar falhas nas chamadas HTTP ao Keycloak. A classe contém `statusCode` e `details` para permitir um tratamento declarativo dos erros na aplicação que consome a biblioteca. Exemplo:
+
+```ts
+import { KeycloakError } from "@adatechnology/auth-keycloak";
+
+try {
+  await keycloakClient.getUserInfo(token);
+} catch (e) {
+  if (e instanceof KeycloakError) {
+    // tratar problema específico de Keycloak
+    console.error(e.statusCode, e.details);
+  }
+  throw e;
+}
+```
+
 Contribuições
 
 Relate issues/PRs no repositório principal. Mantenha compatibilidade com o padrão usado pelo `HttpModule`.

package/dist/errors/keycloak-error.d.ts

@@ -0,0 +1,11 @@
+export declare class KeycloakError extends Error {
+    readonly statusCode?: number;
+    readonly details?: unknown;
+    readonly keycloakError?: string;
+    constructor(message: string, opts?: {
+        statusCode?: number;
+        details?: unknown;
+        keycloakError?: string;
+    });
+}
+export default KeycloakError;

package/dist/errors/keycloak-error.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeycloakError = void 0;
+class KeycloakError extends Error {
+    statusCode;
+    details;
+    keycloakError;
+    constructor(message, opts) {
+        super(message);
+        this.name = "KeycloakError";
+        this.statusCode = opts?.statusCode;
+        this.details = opts?.details;
+        this.keycloakError = opts?.keycloakError;
+        // maintain proper prototype chain
+        Object.setPrototypeOf(this, KeycloakError.prototype);
+    }
+}
+exports.KeycloakError = KeycloakError;
+exports.default = KeycloakError;
+//# sourceMappingURL=keycloak-error.js.map

package/dist/errors/keycloak-error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-error.js","sourceRoot":"","sources":["../../src/errors/keycloak-error.ts"],"names":[],"mappings":";;;AAAA,MAAa,aAAc,SAAQ,KAAK;IACtB,UAAU,CAAU;IACpB,OAAO,CAAW;IAClB,aAAa,CAAU;IAEvC,YACE,OAAe,EACf,IAAyE;QAEzE,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;QAC5B,IAAI,CAAC,UAAU,GAAG,IAAI,EAAE,UAAU,CAAC;QACnC,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,OAAO,CAAC;QAC7B,IAAI,CAAC,aAAa,GAAG,IAAI,EAAE,aAAa,CAAC;QACzC,kCAAkC;QAClC,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACvD,CAAC;CACF;AAjBD,sCAiBC;AAED,kBAAe,aAAa,CAAC"}

package/dist/index.d.ts

@@ -1,65 +1,6 @@
-import { DynamicModule } from '@nestjs/common';
-import { AxiosRequestConfig, AxiosInstance } from 'axios';
-
-/**
- * Keycloak token response
- */
-interface KeycloakTokenResponse {
-    access_token: string;
-    expires_in: number;
-    refresh_expires_in: number;
-    refresh_token: string;
-    token_type: string;
-    'not-before-policy': number;
-    session_state: string;
-    scope: string;
-}
-/**
- * Keycloak client credentials
- */
-interface KeycloakCredentials {
-    clientId: string;
-    clientSecret: string;
-    username?: string;
-    password?: string;
-    grantType: 'client_credentials' | 'password';
-}
-/**
- * Keycloak configuration
- */
-interface KeycloakConfig {
-    baseUrl: string;
-    realm: string;
-    credentials: KeycloakCredentials;
-}
-/**
- * Keycloak client interface
- */
-interface KeycloakClientInterface {
-    /**
-     * Get access token
-     */
-    getAccessToken(): Promise<string>;
-    /**
-     * Refresh access token
-     */
-    refreshToken(refreshToken: string): Promise<KeycloakTokenResponse>;
-    /**
-     * Validate token
-     */
-    validateToken(token: string): Promise<boolean>;
-    /**
-     * Get user info
-     */
-    getUserInfo(token: string): Promise<any>;
-}
-
-declare class KeycloakModule {
-    static forRoot(config: KeycloakConfig, httpConfig?: AxiosRequestConfig | AxiosInstance): DynamicModule;
-}
-
-declare const KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
-declare const KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
-declare const KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
-
-export { KEYCLOAK_CLIENT, KEYCLOAK_CONFIG, KEYCLOAK_HTTP_INTERCEPTOR, type KeycloakClientInterface, type KeycloakConfig, KeycloakModule, type KeycloakTokenResponse };
+export { KeycloakModule } from "./keycloak.module";
+export { KEYCLOAK_CONFIG, KEYCLOAK_CLIENT, KEYCLOAK_HTTP_INTERCEPTOR, } from "./keycloak.token";
+export type { KeycloakConfig, KeycloakClientInterface, KeycloakTokenResponse, } from "./keycloak.interface";
+export { Roles } from "./roles.decorator";
+export { RolesGuard } from "./roles.guard";
+export { KeycloakError } from "./errors/keycloak-error";

package/dist/index.js

@@ -1,223 +1,16 @@
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var __decorateClass = (decorators, target, key, kind) => {
-  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
-  for (var i = decorators.length - 1, decorator; i >= 0; i--)
-    if (decorator = decorators[i])
-      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
-  if (kind && result) __defProp(target, key, result);
-  return result;
-};
-var __decorateParam = (index, decorator) => (target, key) => decorator(target, key, index);
-
-// src/index.ts
-var index_exports = {};
-__export(index_exports, {
-  KEYCLOAK_CLIENT: () => KEYCLOAK_CLIENT,
-  KEYCLOAK_CONFIG: () => KEYCLOAK_CONFIG,
-  KEYCLOAK_HTTP_INTERCEPTOR: () => KEYCLOAK_HTTP_INTERCEPTOR,
-  KeycloakModule: () => KeycloakModule
-});
-module.exports = __toCommonJS(index_exports);
-
-// src/keycloak.module.ts
-var import_common3 = require("@nestjs/common");
-var import_http_client2 = require("@adatechnology/http-client");
-
-// src/keycloak.client.ts
-var import_common = require("@nestjs/common");
-var import_http_client = require("@adatechnology/http-client");
-var KeycloakClient = class {
-  constructor(config, httpProvider) {
-    this.config = config;
-    this.httpProvider = httpProvider;
-  }
-  tokenCache = null;
-  tokenPromise = null;
-  async getAccessToken() {
-    const now = Date.now();
-    if (this.tokenCache && now < this.tokenCache.expiresAt) {
-      return this.tokenCache.token;
-    }
-    if (this.tokenPromise) return this.tokenPromise;
-    this.tokenPromise = (async () => {
-      try {
-        const tokenResponse = await this.requestToken();
-        const expiresAt = Date.now() + (tokenResponse.expires_in - 60) * 1e3;
-        this.tokenCache = { token: tokenResponse.access_token, expiresAt };
-        return tokenResponse.access_token;
-      } finally {
-        this.tokenPromise = null;
-      }
-    })();
-    return this.tokenPromise;
-  }
-  async getTokenWithCredentials(username, password) {
-    const tokenUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/token`;
-    const data = new URLSearchParams();
-    data.append("client_id", this.config.credentials.clientId);
-    data.append("grant_type", "password");
-    data.append("username", username);
-    data.append("password", password);
-    if (this.config.credentials.clientSecret) {
-      data.append("client_secret", this.config.credentials.clientSecret);
-    }
-    const response = await this.httpProvider.post(tokenUrl, data, {
-      headers: { "Content-Type": "application/x-www-form-urlencoded" }
-    });
-    return response.data;
-  }
-  async requestToken() {
-    const tokenUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/token`;
-    const data = new URLSearchParams();
-    data.append("client_id", this.config.credentials.clientId);
-    data.append("grant_type", this.config.credentials.grantType);
-    if (this.config.credentials.clientSecret) {
-      data.append("client_secret", this.config.credentials.clientSecret);
-    }
-    if (this.config.credentials.grantType === "password") {
-      if (this.config.credentials.username && this.config.credentials.password) {
-        data.append("username", this.config.credentials.username);
-        data.append("password", this.config.credentials.password);
-      }
-    }
-    const response = await this.httpProvider.post(
-      tokenUrl,
-      data,
-      {
-        headers: { "Content-Type": "application/x-www-form-urlencoded" }
-      }
-    );
-    return response.data;
-  }
-  async refreshToken(refreshToken) {
-    const tokenUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/token`;
-    const data = new URLSearchParams();
-    data.append("client_id", this.config.credentials.clientId);
-    data.append("grant_type", "refresh_token");
-    data.append("refresh_token", refreshToken);
-    if (this.config.credentials.clientSecret) {
-      data.append("client_secret", this.config.credentials.clientSecret);
-    }
-    const response = await this.httpProvider.post(
-      tokenUrl,
-      data,
-      {
-        headers: { "Content-Type": "application/x-www-form-urlencoded" }
-      }
-    );
-    const expiresAt = Date.now() + (response.data.expires_in - 60) * 1e3;
-    this.tokenCache = { token: response.data.access_token, expiresAt };
-    return response.data;
-  }
-  async validateToken(token) {
-    try {
-      const introspectUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/token/introspect`;
-      const data = new URLSearchParams();
-      data.append("token", token);
-      data.append("client_id", this.config.credentials.clientId);
-      if (this.config.credentials.clientSecret) {
-        data.append("client_secret", this.config.credentials.clientSecret);
-      }
-      const response = await this.httpProvider.post(introspectUrl, data, {
-        headers: { "Content-Type": "application/x-www-form-urlencoded" }
-      });
-      return response.data.active === true;
-    } catch (error) {
-      return false;
-    }
-  }
-  async getUserInfo(token) {
-    const userInfoUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/userinfo`;
-    const response = await this.httpProvider.get(userInfoUrl, {
-      headers: { Authorization: `Bearer ${token}` }
-    });
-    return response.data;
-  }
-  clearTokenCache() {
-    this.tokenCache = null;
-  }
-  static maskToken(token, visibleChars = 8) {
-    if (!token || typeof token !== "string") return "";
-    return token.length <= visibleChars ? token : `${token.slice(0, visibleChars)}...`;
-  }
-};
-KeycloakClient = __decorateClass([
-  (0, import_common.Injectable)(),
-  __decorateParam(1, (0, import_common.Inject)(import_http_client.HTTP_PROVIDER))
-], KeycloakClient);
-
-// src/keycloak.http.interceptor.ts
-var import_common2 = require("@nestjs/common");
-
-// src/keycloak.token.ts
-var KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
-var KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
-var KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
-
-// src/keycloak.http.interceptor.ts
-var KeycloakHttpInterceptor = class {
-  constructor(keycloakClient) {
-    this.keycloakClient = keycloakClient;
-  }
-  intercept(context, next) {
-    const request = context.switchToHttp().getRequest();
-    if (request.url && !request.url.includes("keycloak")) {
-    }
-    return next.handle();
-  }
-};
-KeycloakHttpInterceptor = __decorateClass([
-  (0, import_common2.Injectable)(),
-  __decorateParam(0, (0, import_common2.Inject)(KEYCLOAK_CLIENT))
-], KeycloakHttpInterceptor);
-
-// src/keycloak.module.ts
-var KeycloakModule = class {
-  static forRoot(config, httpConfig) {
-    return {
-      module: KeycloakModule,
-      global: true,
-      imports: [import_http_client2.HttpModule.forRoot(httpConfig)],
-      providers: [
-        { provide: KEYCLOAK_CONFIG, useValue: config },
-        {
-          provide: KEYCLOAK_CLIENT,
-          useFactory: (cfg, httpProvider) => new KeycloakClient(cfg, httpProvider),
-          inject: [KEYCLOAK_CONFIG, import_http_client2.HTTP_PROVIDER]
-        },
-        {
-          provide: KEYCLOAK_HTTP_INTERCEPTOR,
-          useFactory: (client) => new KeycloakHttpInterceptor(client),
-          inject: [KEYCLOAK_CLIENT]
-        }
-      ],
-      exports: [KEYCLOAK_CLIENT, KEYCLOAK_HTTP_INTERCEPTOR]
-    };
-  }
-};
-KeycloakModule = __decorateClass([
-  (0, import_common3.Module)({})
-], KeycloakModule);
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  KEYCLOAK_CLIENT,
-  KEYCLOAK_CONFIG,
-  KEYCLOAK_HTTP_INTERCEPTOR,
-  KeycloakModule
-});
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeycloakError = exports.RolesGuard = exports.Roles = exports.KEYCLOAK_HTTP_INTERCEPTOR = exports.KEYCLOAK_CLIENT = exports.KEYCLOAK_CONFIG = exports.KeycloakModule = void 0;
+var keycloak_module_1 = require("./keycloak.module");
+Object.defineProperty(exports, "KeycloakModule", { enumerable: true, get: function () { return keycloak_module_1.KeycloakModule; } });
+var keycloak_token_1 = require("./keycloak.token");
+Object.defineProperty(exports, "KEYCLOAK_CONFIG", { enumerable: true, get: function () { return keycloak_token_1.KEYCLOAK_CONFIG; } });
+Object.defineProperty(exports, "KEYCLOAK_CLIENT", { enumerable: true, get: function () { return keycloak_token_1.KEYCLOAK_CLIENT; } });
+Object.defineProperty(exports, "KEYCLOAK_HTTP_INTERCEPTOR", { enumerable: true, get: function () { return keycloak_token_1.KEYCLOAK_HTTP_INTERCEPTOR; } });
+var roles_decorator_1 = require("./roles.decorator");
+Object.defineProperty(exports, "Roles", { enumerable: true, get: function () { return roles_decorator_1.Roles; } });
+var roles_guard_1 = require("./roles.guard");
+Object.defineProperty(exports, "RolesGuard", { enumerable: true, get: function () { return roles_guard_1.RolesGuard; } });
+var keycloak_error_1 = require("./errors/keycloak-error");
+Object.defineProperty(exports, "KeycloakError", { enumerable: true, get: function () { return keycloak_error_1.KeycloakError; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,qDAAmD;AAA1C,iHAAA,cAAc,OAAA;AACvB,mDAI0B;AAHxB,iHAAA,eAAe,OAAA;AACf,iHAAA,eAAe,OAAA;AACf,2HAAA,yBAAyB,OAAA;AAO3B,qDAA0C;AAAjC,wGAAA,KAAK,OAAA;AACd,6CAA2C;AAAlC,yGAAA,UAAU,OAAA;AACnB,0DAAwD;AAA/C,+GAAA,aAAa,OAAA"}

package/dist/keycloak.client.d.ts

@@ -0,0 +1,27 @@
+import type { HttpProviderInterface } from "@adatechnology/http-client";
+import { LoggerProviderInterface } from "@adatechnology/logger";
+import type { KeycloakClientInterface, KeycloakConfig, KeycloakTokenResponse } from "./keycloak.interface";
+/**
+ * Minimal Keycloak client implementation without external shared infra dependencies.
+ */
+export declare class KeycloakClient implements KeycloakClientInterface {
+    private readonly config;
+    private readonly httpProvider;
+    private readonly logger?;
+    private tokenCache;
+    private tokenPromise?;
+    constructor(config: KeycloakConfig, httpProvider: HttpProviderInterface, logger?: LoggerProviderInterface);
+    private log;
+    getAccessToken(): Promise<string>;
+    getTokenWithCredentials(params: {
+        username: string;
+        password: string;
+    }): Promise<KeycloakTokenResponse>;
+    private requestToken;
+    refreshToken(refreshToken: string): Promise<KeycloakTokenResponse>;
+    validateToken(token: string): Promise<boolean>;
+    getUserInfo(token: string): Promise<Record<string, unknown>>;
+    clearTokenCache(): void;
+    private static maskToken;
+    private static scopesToString;
+}