@adatechnology/auth-keycloak 0.0.2 → 0.0.3

package/dist/roles.guard.js

@@ -0,0 +1,103 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RolesGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const roles_decorator_1 = require("./roles.decorator");
+const keycloak_token_1 = require("./keycloak.token");
+const shared_1 = require("@adatechnology/shared");
+let RolesGuard = class RolesGuard {
+    reflector;
+    config;
+    constructor(reflector, config) {
+        this.reflector = reflector;
+        this.config = config;
+    }
+    canActivate(context) {
+        const meta = this.reflector.get(roles_decorator_1.ROLES_META_KEY, context.getHandler()) ||
+            this.reflector.get(roles_decorator_1.ROLES_META_KEY, context.getClass());
+        if (!meta || !meta.roles || meta.roles.length === 0)
+            return true;
+        const req = context.switchToHttp().getRequest();
+        const authHeader = req.headers?.authorization || req.headers?.Authorization;
+        const token = authHeader
+            ? String(authHeader).split(" ")[1]
+            : req.query?.token;
+        if (!token)
+            throw new shared_1.BaseAppError({
+                message: "Authorization token not provided",
+                status: 403,
+                code: "FORBIDDEN_MISSING_TOKEN",
+                context: {},
+            });
+        const payload = this.decodeJwtPayload(token);
+        const availableRoles = new Set();
+        // realm roles
+        if (payload?.realm_access?.roles &&
+            Array.isArray(payload.realm_access.roles)) {
+            payload.realm_access.roles.forEach((r) => availableRoles.add(r));
+        }
+        // client roles (resource_access)
+        const clientId = this.config?.credentials?.clientId;
+        if (clientId && payload?.resource_access?.[clientId]?.roles) {
+            payload.resource_access[clientId].roles.forEach((r) => availableRoles.add(r));
+        }
+        // also consider all client roles if type is 'both' and resource_access exists
+        if (meta.type === "both" && payload?.resource_access) {
+            Object.values(payload.resource_access).forEach((entry) => {
+                if (entry?.roles && Array.isArray(entry.roles)) {
+                    entry.roles.forEach((r) => availableRoles.add(r));
+                }
+            });
+        }
+        // matching
+        const required = meta.roles || [];
+        const hasMatch = required.map((r) => availableRoles.has(r));
+        const result = meta.mode === "all" ? hasMatch.every(Boolean) : hasMatch.some(Boolean);
+        if (!result)
+            throw new shared_1.BaseAppError({
+                message: "Insufficient roles",
+                status: 403,
+                code: "FORBIDDEN_INSUFFICIENT_ROLES",
+                context: { required: required },
+            });
+        return true;
+    }
+    decodeJwtPayload(token) {
+        try {
+            const parts = token.split(".");
+            if (parts.length < 2)
+                return {};
+            const payload = parts[1];
+            const BufferCtor = globalThis.Buffer;
+            if (!BufferCtor)
+                return {};
+            const decoded = BufferCtor.from(payload, "base64").toString("utf8");
+            return JSON.parse(decoded);
+        }
+        catch (e) {
+            return {};
+        }
+    }
+};
+exports.RolesGuard = RolesGuard;
+exports.RolesGuard = RolesGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Inject)(core_1.Reflector)),
+    __param(1, (0, common_1.Optional)()),
+    __param(1, (0, common_1.Inject)(keycloak_token_1.KEYCLOAK_CONFIG)),
+    __metadata("design:paramtypes", [core_1.Reflector, Object])
+], RolesGuard);
+//# sourceMappingURL=roles.guard.js.map

package/dist/roles.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"roles.guard.js","sourceRoot":"","sources":["../src/roles.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAMwB;AACxB,uCAAyC;AACzC,uDAAiE;AACjE,qDAAmD;AAGnD,kDAAqD;AAG9C,IAAM,UAAU,GAAhB,MAAM,UAAU;IAGF;IAGA;IALnB,YAEmB,SAAoB,EAGpB,MAAuB;QAHvB,cAAS,GAAT,SAAS,CAAW;QAGpB,WAAM,GAAN,MAAM,CAAiB;IACvC,CAAC;IAEJ,WAAW,CAAC,OAAyB;QACnC,MAAM,IAAI,GACR,IAAI,CAAC,SAAS,CAAC,GAAG,CAAe,gCAAc,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC;YACtE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAe,gCAAc,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEvE,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEjE,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QAChD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,EAAE,aAAa,IAAI,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC;QAC5E,MAAM,KAAK,GAAG,UAAU;YACtB,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAClC,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC;QAErB,IAAI,CAAC,KAAK;YACR,MAAM,IAAI,qBAAY,CAAC;gBACrB,OAAO,EAAE,kCAAkC;gBAC3C,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,yBAAyB;gBAC/B,OAAO,EAAE,EAAE;aACZ,CAAC,CAAC;QAEL,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAE7C,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;QAEzC,cAAc;QACd,IACE,OAAO,EAAE,YAAY,EAAE,KAAK;YAC5B,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,EACzC,CAAC;YACD,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3E,CAAC;QAED,iCAAiC;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC;QACpD,IAAI,QAAQ,IAAI,OAAO,EAAE,eAAe,EAAE,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,CAAC;YAC5D,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAS,EAAE,EAAE,CAC5D,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CACtB,CAAC;QACJ,CAAC;QAED,8EAA8E;QAC9E,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,IAAI,OAAO,EAAE,eAAe,EAAE,CAAC;YACrD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;gBACvD,IAAI,KAAK,EAAE,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC9C,KAAK,CAAC,KAAkB,CAAC,OAAO,CAAC,CAAC,CAAS,EAAE,EAAE,CAC9C,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CACtB,CAAC;gBACJ,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC;QAED,WAAW;QACX,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAE5D,MAAM,MAAM,GACV,IAAI,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzE,IAAI,CAAC,MAAM;YACT,MAAM,IAAI,qBAAY,CAAC;gBACrB,OAAO,EAAE,oBAAoB;gBAC7B,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,8BAA8B;gBACpC,OAAO,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE;aAChC,CAAC,CAAC;QAEL,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,gBAAgB,CAAC,KAAa;QACpC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,EAAE,CAAC;YAChC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACzB,MAAM,UAAU,GACd,UAQD,CAAC,MAAM,CAAC;YACT,IAAI,CAAC,UAAU;gBAAE,OAAO,EAAE,CAAC;YAC3B,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACpE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAuB,CAAC;QACnD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF,CAAA;AArGY,gCAAU;qBAAV,UAAU;IADtB,IAAA,mBAAU,GAAE;IAGR,WAAA,IAAA,eAAM,EAAC,gBAAS,CAAC,CAAA;IAEjB,WAAA,IAAA,iBAAQ,GAAE,CAAA;IACV,WAAA,IAAA,eAAM,EAAC,gCAAe,CAAC,CAAA;qCAFI,gBAAS;GAH5B,UAAU,CAqGtB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adatechnology/auth-keycloak",
-  "version": "0.0.2",
+  "version": "0.0.3",
   "publishConfig": {
     "access": "public"
   },
@@ -11,7 +11,9 @@
     "dist"
   ],
   "dependencies": {
-    "@adatechnology/http-client": "^0.0.2"
+    "@adatechnology/http-client": "0.0.3",
+    "@adatechnology/logger": "0.0.2",
+    "@adatechnology/shared": "0.0.1"
   },
   "peerDependencies": {
     "@nestjs/common": "^11.0.16",
@@ -23,7 +25,7 @@
     "typescript": "^5.2.0"
   },
   "scripts": {
-    "build": "tsup",
+    "build": "rm -rf dist && tsc -p tsconfig.build.json",
     "build:watch": "tsup --watch",
     "check": "tsc -p tsconfig.json --noEmit",
     "test": "echo \"no tests\""

package/dist/index.d.mts

@@ -1,65 +0,0 @@
-import { DynamicModule } from '@nestjs/common';
-import { AxiosRequestConfig, AxiosInstance } from 'axios';
-
-/**
- * Keycloak token response
- */
-interface KeycloakTokenResponse {
-    access_token: string;
-    expires_in: number;
-    refresh_expires_in: number;
-    refresh_token: string;
-    token_type: string;
-    'not-before-policy': number;
-    session_state: string;
-    scope: string;
-}
-/**
- * Keycloak client credentials
- */
-interface KeycloakCredentials {
-    clientId: string;
-    clientSecret: string;
-    username?: string;
-    password?: string;
-    grantType: 'client_credentials' | 'password';
-}
-/**
- * Keycloak configuration
- */
-interface KeycloakConfig {
-    baseUrl: string;
-    realm: string;
-    credentials: KeycloakCredentials;
-}
-/**
- * Keycloak client interface
- */
-interface KeycloakClientInterface {
-    /**
-     * Get access token
-     */
-    getAccessToken(): Promise<string>;
-    /**
-     * Refresh access token
-     */
-    refreshToken(refreshToken: string): Promise<KeycloakTokenResponse>;
-    /**
-     * Validate token
-     */
-    validateToken(token: string): Promise<boolean>;
-    /**
-     * Get user info
-     */
-    getUserInfo(token: string): Promise<any>;
-}
-
-declare class KeycloakModule {
-    static forRoot(config: KeycloakConfig, httpConfig?: AxiosRequestConfig | AxiosInstance): DynamicModule;
-}
-
-declare const KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
-declare const KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
-declare const KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
-
-export { KEYCLOAK_CLIENT, KEYCLOAK_CONFIG, KEYCLOAK_HTTP_INTERCEPTOR, type KeycloakClientInterface, type KeycloakConfig, KeycloakModule, type KeycloakTokenResponse };

package/dist/index.mjs

@@ -1,200 +0,0 @@
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __decorateClass = (decorators, target, key, kind) => {
-  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
-  for (var i = decorators.length - 1, decorator; i >= 0; i--)
-    if (decorator = decorators[i])
-      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
-  if (kind && result) __defProp(target, key, result);
-  return result;
-};
-var __decorateParam = (index, decorator) => (target, key) => decorator(target, key, index);
-
-// src/keycloak.module.ts
-import { Module } from "@nestjs/common";
-import { HTTP_PROVIDER as HTTP_PROVIDER2, HttpModule } from "@adatechnology/http-client";
-
-// src/keycloak.client.ts
-import { Inject, Injectable } from "@nestjs/common";
-import { HTTP_PROVIDER } from "@adatechnology/http-client";
-var KeycloakClient = class {
-  constructor(config, httpProvider) {
-    this.config = config;
-    this.httpProvider = httpProvider;
-  }
-  tokenCache = null;
-  tokenPromise = null;
-  async getAccessToken() {
-    const now = Date.now();
-    if (this.tokenCache && now < this.tokenCache.expiresAt) {
-      return this.tokenCache.token;
-    }
-    if (this.tokenPromise) return this.tokenPromise;
-    this.tokenPromise = (async () => {
-      try {
-        const tokenResponse = await this.requestToken();
-        const expiresAt = Date.now() + (tokenResponse.expires_in - 60) * 1e3;
-        this.tokenCache = { token: tokenResponse.access_token, expiresAt };
-        return tokenResponse.access_token;
-      } finally {
-        this.tokenPromise = null;
-      }
-    })();
-    return this.tokenPromise;
-  }
-  async getTokenWithCredentials(username, password) {
-    const tokenUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/token`;
-    const data = new URLSearchParams();
-    data.append("client_id", this.config.credentials.clientId);
-    data.append("grant_type", "password");
-    data.append("username", username);
-    data.append("password", password);
-    if (this.config.credentials.clientSecret) {
-      data.append("client_secret", this.config.credentials.clientSecret);
-    }
-    const response = await this.httpProvider.post(tokenUrl, data, {
-      headers: { "Content-Type": "application/x-www-form-urlencoded" }
-    });
-    return response.data;
-  }
-  async requestToken() {
-    const tokenUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/token`;
-    const data = new URLSearchParams();
-    data.append("client_id", this.config.credentials.clientId);
-    data.append("grant_type", this.config.credentials.grantType);
-    if (this.config.credentials.clientSecret) {
-      data.append("client_secret", this.config.credentials.clientSecret);
-    }
-    if (this.config.credentials.grantType === "password") {
-      if (this.config.credentials.username && this.config.credentials.password) {
-        data.append("username", this.config.credentials.username);
-        data.append("password", this.config.credentials.password);
-      }
-    }
-    const response = await this.httpProvider.post(
-      tokenUrl,
-      data,
-      {
-        headers: { "Content-Type": "application/x-www-form-urlencoded" }
-      }
-    );
-    return response.data;
-  }
-  async refreshToken(refreshToken) {
-    const tokenUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/token`;
-    const data = new URLSearchParams();
-    data.append("client_id", this.config.credentials.clientId);
-    data.append("grant_type", "refresh_token");
-    data.append("refresh_token", refreshToken);
-    if (this.config.credentials.clientSecret) {
-      data.append("client_secret", this.config.credentials.clientSecret);
-    }
-    const response = await this.httpProvider.post(
-      tokenUrl,
-      data,
-      {
-        headers: { "Content-Type": "application/x-www-form-urlencoded" }
-      }
-    );
-    const expiresAt = Date.now() + (response.data.expires_in - 60) * 1e3;
-    this.tokenCache = { token: response.data.access_token, expiresAt };
-    return response.data;
-  }
-  async validateToken(token) {
-    try {
-      const introspectUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/token/introspect`;
-      const data = new URLSearchParams();
-      data.append("token", token);
-      data.append("client_id", this.config.credentials.clientId);
-      if (this.config.credentials.clientSecret) {
-        data.append("client_secret", this.config.credentials.clientSecret);
-      }
-      const response = await this.httpProvider.post(introspectUrl, data, {
-        headers: { "Content-Type": "application/x-www-form-urlencoded" }
-      });
-      return response.data.active === true;
-    } catch (error) {
-      return false;
-    }
-  }
-  async getUserInfo(token) {
-    const userInfoUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/userinfo`;
-    const response = await this.httpProvider.get(userInfoUrl, {
-      headers: { Authorization: `Bearer ${token}` }
-    });
-    return response.data;
-  }
-  clearTokenCache() {
-    this.tokenCache = null;
-  }
-  static maskToken(token, visibleChars = 8) {
-    if (!token || typeof token !== "string") return "";
-    return token.length <= visibleChars ? token : `${token.slice(0, visibleChars)}...`;
-  }
-};
-KeycloakClient = __decorateClass([
-  Injectable(),
-  __decorateParam(1, Inject(HTTP_PROVIDER))
-], KeycloakClient);
-
-// src/keycloak.http.interceptor.ts
-import {
-  Inject as Inject2,
-  Injectable as Injectable2
-} from "@nestjs/common";
-
-// src/keycloak.token.ts
-var KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
-var KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
-var KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
-
-// src/keycloak.http.interceptor.ts
-var KeycloakHttpInterceptor = class {
-  constructor(keycloakClient) {
-    this.keycloakClient = keycloakClient;
-  }
-  intercept(context, next) {
-    const request = context.switchToHttp().getRequest();
-    if (request.url && !request.url.includes("keycloak")) {
-    }
-    return next.handle();
-  }
-};
-KeycloakHttpInterceptor = __decorateClass([
-  Injectable2(),
-  __decorateParam(0, Inject2(KEYCLOAK_CLIENT))
-], KeycloakHttpInterceptor);
-
-// src/keycloak.module.ts
-var KeycloakModule = class {
-  static forRoot(config, httpConfig) {
-    return {
-      module: KeycloakModule,
-      global: true,
-      imports: [HttpModule.forRoot(httpConfig)],
-      providers: [
-        { provide: KEYCLOAK_CONFIG, useValue: config },
-        {
-          provide: KEYCLOAK_CLIENT,
-          useFactory: (cfg, httpProvider) => new KeycloakClient(cfg, httpProvider),
-          inject: [KEYCLOAK_CONFIG, HTTP_PROVIDER2]
-        },
-        {
-          provide: KEYCLOAK_HTTP_INTERCEPTOR,
-          useFactory: (client) => new KeycloakHttpInterceptor(client),
-          inject: [KEYCLOAK_CLIENT]
-        }
-      ],
-      exports: [KEYCLOAK_CLIENT, KEYCLOAK_HTTP_INTERCEPTOR]
-    };
-  }
-};
-KeycloakModule = __decorateClass([
-  Module({})
-], KeycloakModule);
-export {
-  KEYCLOAK_CLIENT,
-  KEYCLOAK_CONFIG,
-  KEYCLOAK_HTTP_INTERCEPTOR,
-  KeycloakModule
-};