npm - @adatechnology/auth-keycloak - Versions diffs - 0.0.3 → 0.0.6 - Mend

@adatechnology/auth-keycloak 0.0.3 → 0.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/dist/index.d.ts +114 -6
package/dist/index.js +743 -16
package/package.json +6 -6
package/dist/errors/keycloak-error.d.ts +0 -11
package/dist/errors/keycloak-error.js +0 -20
package/dist/errors/keycloak-error.js.map +0 -1
package/dist/index.js.map +0 -1
package/dist/keycloak.client.d.ts +0 -27
package/dist/keycloak.client.js +0 -320
package/dist/keycloak.client.js.map +0 -1
package/dist/keycloak.http.interceptor.d.ts +0 -9
package/dist/keycloak.http.interceptor.js +0 -37
package/dist/keycloak.http.interceptor.js.map +0 -1
package/dist/keycloak.interface.d.ts +0 -74
package/dist/keycloak.interface.js +0 -3
package/dist/keycloak.interface.js.map +0 -1
package/dist/keycloak.module.d.ts +0 -6
package/dist/keycloak.module.js +0 -63
package/dist/keycloak.module.js.map +0 -1
package/dist/keycloak.token.d.ts +0 -3
package/dist/keycloak.token.js +0 -7
package/dist/keycloak.token.js.map +0 -1
package/dist/roles.decorator.d.ts +0 -19
package/dist/roles.decorator.js +0 -34
package/dist/roles.decorator.js.map +0 -1
package/dist/roles.guard.d.ts +0 -10
package/dist/roles.guard.js +0 -103
package/dist/roles.guard.js.map +0 -1

package/dist/index.js CHANGED Viewed

@@ -1,16 +1,743 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.KeycloakError = exports.RolesGuard = exports.Roles = exports.KEYCLOAK_HTTP_INTERCEPTOR = exports.KEYCLOAK_CLIENT = exports.KEYCLOAK_CONFIG = exports.KeycloakModule = void 0;
-var keycloak_module_1 = require("./keycloak.module");
-Object.defineProperty(exports, "KeycloakModule", { enumerable: true, get: function () { return keycloak_module_1.KeycloakModule; } });
-var keycloak_token_1 = require("./keycloak.token");
-Object.defineProperty(exports, "KEYCLOAK_CONFIG", { enumerable: true, get: function () { return keycloak_token_1.KEYCLOAK_CONFIG; } });
-Object.defineProperty(exports, "KEYCLOAK_CLIENT", { enumerable: true, get: function () { return keycloak_token_1.KEYCLOAK_CLIENT; } });
-Object.defineProperty(exports, "KEYCLOAK_HTTP_INTERCEPTOR", { enumerable: true, get: function () { return keycloak_token_1.KEYCLOAK_HTTP_INTERCEPTOR; } });
-var roles_decorator_1 = require("./roles.decorator");
-Object.defineProperty(exports, "Roles", { enumerable: true, get: function () { return roles_decorator_1.Roles; } });
-var roles_guard_1 = require("./roles.guard");
-Object.defineProperty(exports, "RolesGuard", { enumerable: true, get: function () { return roles_guard_1.RolesGuard; } });
-var keycloak_error_1 = require("./errors/keycloak-error");
-Object.defineProperty(exports, "KeycloakError", { enumerable: true, get: function () { return keycloak_error_1.KeycloakError; } });
-//# sourceMappingURL=index.js.map
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+var __decorateParam = (index, decorator) => (target, key) => decorator(target, key, index);
+// ../shared/dist/types.js
+var require_types = __commonJS({
+  "../shared/dist/types.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+  }
+});
+// ../shared/dist/utils.js
+var require_utils = __commonJS({
+  "../shared/dist/utils.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.noop = noop;
+    exports2.prefixWith = prefixWith;
+    function noop() {
+      return void 0;
+    }
+    function prefixWith(prefix, value) {
+      return `${prefix}-${value}`;
+    }
+  }
+});
+// ../shared/dist/errors/base-app-error.js
+var require_base_app_error = __commonJS({
+  "../shared/dist/errors/base-app-error.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.BaseAppError = void 0;
+    var BaseAppError2 = class extends Error {
+      code;
+      status;
+      context;
+      constructor(params) {
+        var _a;
+        super(params.message);
+        this.name = new.target.name;
+        this.status = params.status;
+        this.code = params.code;
+        this.context = params.context;
+        const capturable = Error;
+        (_a = capturable.captureStackTrace) == null ? void 0 : _a.call(capturable, this, this.constructor);
+      }
+    };
+    exports2.BaseAppError = BaseAppError2;
+  }
+});
+// ../shared/dist/errors/errors.constants.js
+var require_errors_constants = __commonJS({
+  "../shared/dist/errors/errors.constants.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.SHARED_INTERNAL_FRAME_RE = exports2.SHARED_ERROR_MESSAGES = exports2.SHARED_ERRORS = void 0;
+    exports2.SHARED_ERRORS = {
+      DEFAULT_STATUS: 502,
+      INTERNAL_STATUS: 500
+    };
+    exports2.SHARED_ERROR_MESSAGES = {
+      UPSTREAM_ERROR: "Upstream error",
+      NO_RESPONSE: "No response from upstream service",
+      UNEXPECTED_ERROR: "Unexpected error",
+      MAPPING_FAILURE: "Error mapping failure"
+    };
+    exports2.SHARED_INTERNAL_FRAME_RE = /node_modules|internal|\(internal|axios|packages\/http|@adatechnology\/http-client/;
+  }
+});
+// ../shared/dist/errors/error-mapper.service.js
+var require_error_mapper_service = __commonJS({
+  "../shared/dist/errors/error-mapper.service.js"(exports2) {
+    "use strict";
+    var __decorate = exports2 && exports2.__decorate || function(decorators, target, key, desc) {
+      var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+      if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+      else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+      return c > 3 && r && Object.defineProperty(target, key, r), r;
+    };
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.ErrorMapperService = void 0;
+    var common_1 = require("@nestjs/common");
+    var base_app_error_1 = require_base_app_error();
+    var errors_constants_1 = require_errors_constants();
+    var ErrorMapperService = class ErrorMapperService {
+      /**
+       * Map an upstream/internal error to a BaseAppError with normalized fields.
+       * Keeps a small context to help tracing origin without leaking secrets.
+       */
+      mapUpstreamError(err) {
+        if (err instanceof base_app_error_1.BaseAppError)
+          return err;
+        try {
+          const obj = err ?? void 0;
+          const context = {};
+          if (obj && typeof obj.stack === "string") {
+            const frames = this.parseStack(obj.stack);
+            if (frames.length) {
+              context.stack = frames;
+              const origin = frames.find((f) => !this.isInternalFrame(f.file));
+              if (origin)
+                context.origin = origin;
+            }
+          }
+          if (obj && typeof obj.config === "object" && obj.config !== null) {
+            const cfg = obj.config;
+            context.url = typeof cfg.url === "string" ? cfg.url : typeof cfg.baseURL === "string" ? cfg.baseURL : void 0;
+            context.method = typeof cfg.method === "string" ? cfg.method : void 0;
+          }
+          if (obj && typeof obj.response === "object" && obj.response !== null) {
+            const resp = obj.response;
+            const status = typeof resp.status === "number" ? resp.status : errors_constants_1.SHARED_ERRORS.DEFAULT_STATUS;
+            const data = resp.data;
+            const message = data && typeof data.message === "string" ? data.message : typeof obj.message === "string" ? obj.message : errors_constants_1.SHARED_ERROR_MESSAGES.UPSTREAM_ERROR;
+            const code = typeof obj.code === "string" ? obj.code : void 0;
+            return new base_app_error_1.BaseAppError({
+              message,
+              status,
+              code,
+              context
+            });
+          }
+          if (obj && typeof obj.request === "object") {
+            const code = typeof obj.code === "string" ? obj.code : void 0;
+            return new base_app_error_1.BaseAppError({
+              message: errors_constants_1.SHARED_ERROR_MESSAGES.NO_RESPONSE,
+              status: errors_constants_1.SHARED_ERRORS.DEFAULT_STATUS,
+              code,
+              context
+            });
+          }
+          return new base_app_error_1.BaseAppError({
+            message: obj && typeof obj.message === "string" ? obj.message : errors_constants_1.SHARED_ERROR_MESSAGES.UNEXPECTED_ERROR,
+            status: errors_constants_1.SHARED_ERRORS.INTERNAL_STATUS,
+            code: typeof (obj == null ? void 0 : obj.code) === "string" ? obj.code : void 0,
+            context
+          });
+        } catch (e) {
+          return new base_app_error_1.BaseAppError({
+            message: errors_constants_1.SHARED_ERROR_MESSAGES.MAPPING_FAILURE,
+            status: errors_constants_1.SHARED_ERRORS.INTERNAL_STATUS,
+            context: { original: String(err) }
+          });
+        }
+      }
+      parseStack(stack) {
+        const lines = stack.split("\n").map((l) => l.trim()).filter(Boolean);
+        const frames = [];
+        const re = /^at\s+(?:(.*?)\s+\()?(.*?):(\d+):(\d+)\)?$/;
+        for (const line of lines) {
+          const m = re.exec(line);
+          if (m) {
+            const fn = m[1] || void 0;
+            const file = m[2];
+            const lineNum = parseInt(m[3], 10);
+            const colNum = parseInt(m[4], 10);
+            frames.push({ fn, file, line: lineNum, column: colNum });
+          }
+        }
+        return frames;
+      }
+      isInternalFrame(file) {
+        if (!file)
+          return false;
+        return errors_constants_1.SHARED_INTERNAL_FRAME_RE.test(file);
+      }
+    };
+    exports2.ErrorMapperService = ErrorMapperService;
+    exports2.ErrorMapperService = ErrorMapperService = __decorate([
+      (0, common_1.Injectable)()
+    ], ErrorMapperService);
+  }
+});
+// ../shared/dist/errors/index.js
+var require_errors = __commonJS({
+  "../shared/dist/errors/index.js"(exports2) {
+    "use strict";
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
+      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+    };
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    __exportStar(require_base_app_error(), exports2);
+    __exportStar(require_error_mapper_service(), exports2);
+  }
+});
+// ../shared/dist/index.js
+var require_dist = __commonJS({
+  "../shared/dist/index.js"(exports2) {
+    "use strict";
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
+      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+    };
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    __exportStar(require_types(), exports2);
+    __exportStar(require_utils(), exports2);
+    __exportStar(require_errors(), exports2);
+  }
+});
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  KEYCLOAK_CLIENT: () => KEYCLOAK_CLIENT,
+  KEYCLOAK_CONFIG: () => KEYCLOAK_CONFIG,
+  KEYCLOAK_HTTP_INTERCEPTOR: () => KEYCLOAK_HTTP_INTERCEPTOR,
+  KeycloakError: () => KeycloakError,
+  KeycloakModule: () => KeycloakModule,
+  Roles: () => Roles,
+  RolesGuard: () => RolesGuard
+});
+module.exports = __toCommonJS(index_exports);
+// src/keycloak.module.ts
+var import_common5 = require("@nestjs/common");
+var import_core2 = require("@nestjs/core");
+var import_http_client2 = require("@adatechnology/http-client");
+var import_logger2 = require("@adatechnology/logger");
+// src/keycloak.client.ts
+var import_common = require("@nestjs/common");
+var import_http_client = require("@adatechnology/http-client");
+var import_logger = require("@adatechnology/logger");
+// src/errors/keycloak-error.ts
+var KeycloakError = class _KeycloakError extends Error {
+  statusCode;
+  details;
+  keycloakError;
+  constructor(message, opts) {
+    super(message);
+    this.name = "KeycloakError";
+    this.statusCode = opts == null ? void 0 : opts.statusCode;
+    this.details = opts == null ? void 0 : opts.details;
+    this.keycloakError = opts == null ? void 0 : opts.keycloakError;
+    Object.setPrototypeOf(this, _KeycloakError.prototype);
+  }
+};
+// src/keycloak.client.ts
+var LIB_NAME = "@adatechnology/auth-keycloak";
+var LIB_VERSION = "0.0.2";
+function extractErrorInfo(err) {
+  var _a, _b, _c, _d, _e;
+  const statusCode = (err == null ? void 0 : err.status) ?? ((_a = err == null ? void 0 : err.response) == null ? void 0 : _a.status);
+  const details = ((_b = err == null ? void 0 : err.response) == null ? void 0 : _b.data) ?? ((_c = err == null ? void 0 : err.context) == null ? void 0 : _c.data) ?? (err == null ? void 0 : err.context) ?? (err == null ? void 0 : err.details);
+  const errorCode = (err == null ? void 0 : err.code) ?? ((_e = (_d = err == null ? void 0 : err.response) == null ? void 0 : _d.data) == null ? void 0 : _e.error);
+  let keycloakError = void 0;
+  if (details && typeof details === "object" && details !== null) {
+    const raw = details.error;
+    if (typeof raw === "string") {
+      keycloakError = raw;
+    } else if (raw) {
+      try {
+        keycloakError = JSON.stringify(raw);
+      } catch {
+        keycloakError = String(raw);
+      }
+    }
+  }
+  return {
+    statusCode,
+    details: details ?? (err == null ? void 0 : err.message),
+    keycloakError: keycloakError ?? (errorCode ? `NETWORK_ERROR_${String(errorCode)}` : void 0)
+  };
+}
+var KeycloakClient = class {
+  constructor(config, httpProvider, logger) {
+    this.config = config;
+    this.httpProvider = httpProvider;
+    this.logger = logger;
+  }
+  tokenCache = null;
+  tokenPromise = null;
+  log(level, message, libMethod, meta) {
+    if (!this.logger) return;
+    const httpCtx = (0, import_http_client.getHttpRequestContext)();
+    const requestId = httpCtx == null ? void 0 : httpCtx.requestId;
+    const source = (httpCtx == null ? void 0 : httpCtx.className) && (httpCtx == null ? void 0 : httpCtx.methodName) ? `${httpCtx.className}.${httpCtx.methodName}` : void 0;
+    const payload = {
+      message,
+      context: "KeycloakClient",
+      lib: LIB_NAME,
+      libVersion: LIB_VERSION,
+      libMethod,
+      source,
+      requestId,
+      meta
+    };
+    if (level === "debug") this.logger.debug(payload);
+    else if (level === "info") this.logger.info(payload);
+    else if (level === "warn") this.logger.warn(payload);
+    else if (level === "error") this.logger.error(payload);
+  }
+  async getAccessToken() {
+    const method = "getAccessToken";
+    this.log("debug", `${method} - Start`, method);
+    const now = Date.now();
+    if (this.tokenCache && now < this.tokenCache.expiresAt) {
+      this.log("debug", `${method} - Returning cached token`, method);
+      return this.tokenCache.token;
+    }
+    if (this.tokenPromise) {
+      this.log("debug", `${method} - Waiting for existing token request`, method);
+      return this.tokenPromise;
+    }
+    this.tokenPromise = (async () => {
+      try {
+        const tokenResponse = await this.requestToken();
+        const expiresAt = this.config.tokenCacheTtl ? Date.now() + this.config.tokenCacheTtl : Date.now() + (tokenResponse.expires_in - 60) * 1e3;
+        this.tokenCache = { token: tokenResponse.access_token, expiresAt };
+        this.log("debug", `${method} - Token obtained and cached`, method);
+        return tokenResponse.access_token;
+      } finally {
+        this.tokenPromise = null;
+      }
+    })();
+    return this.tokenPromise;
+  }
+  async getTokenWithCredentials(params) {
+    const method = "getTokenWithCredentials";
+    const { username } = params;
+    this.log("info", `${method} - Start for user: ${username}`, method);
+    const { password } = params;
+    const tokenUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/token`;
+    const body = new URLSearchParams();
+    body.append("client_id", this.config.credentials.clientId);
+    body.append("grant_type", "password");
+    body.append("username", username);
+    body.append("password", password);
+    if (this.config.credentials.clientSecret) {
+      body.append("client_secret", this.config.credentials.clientSecret);
+    }
+    body.append("scope", KeycloakClient.scopesToString(this.config.scopes));
+    try {
+      const response = await this.httpProvider.post({
+        url: tokenUrl,
+        data: body,
+        config: {
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          logContext: { className: "KeycloakClient", methodName: method }
+        }
+      });
+      this.log("info", `${method} - Success for user: ${username}`, method);
+      return response.data;
+    } catch (err) {
+      const { statusCode, details, keycloakError } = extractErrorInfo(err);
+      this.log("error", `${method} - Failed for user: ${username}`, method, { statusCode, keycloakError });
+      throw new KeycloakError("Failed to obtain token with credentials", {
+        statusCode,
+        details,
+        keycloakError
+      });
+    }
+  }
+  async requestToken() {
+    const method = "requestToken";
+    this.log("debug", `${method} - Start`, method);
+    const tokenUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/token`;
+    const data = new URLSearchParams();
+    data.append("client_id", this.config.credentials.clientId);
+    data.append("grant_type", this.config.credentials.grantType);
+    if (this.config.credentials.clientSecret) {
+      data.append("client_secret", this.config.credentials.clientSecret);
+    }
+    if (this.config.credentials.grantType === "password") {
+      if (this.config.credentials.username && this.config.credentials.password) {
+        data.append("username", this.config.credentials.username);
+        data.append("password", this.config.credentials.password);
+        data.append("scope", KeycloakClient.scopesToString(this.config.scopes));
+      }
+    }
+    try {
+      const response = await this.httpProvider.post({
+        url: tokenUrl,
+        data,
+        config: {
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          logContext: { className: "KeycloakClient", methodName: method }
+        }
+      });
+      this.log("debug", `${method} - Success`, method);
+      return response.data;
+    } catch (err) {
+      const { statusCode, details, keycloakError } = extractErrorInfo(err);
+      this.log("error", `${method} - Failed`, method, { statusCode, keycloakError });
+      throw new KeycloakError("Failed to request token", {
+        statusCode,
+        details,
+        keycloakError
+      });
+    }
+  }
+  async refreshToken(refreshToken) {
+    const method = "refreshToken";
+    this.log("debug", `${method} - Start`, method);
+    const tokenUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/token`;
+    const data = new URLSearchParams();
+    data.append("client_id", this.config.credentials.clientId);
+    data.append("grant_type", "refresh_token");
+    data.append("refresh_token", refreshToken);
+    if (this.config.credentials.clientSecret) {
+      data.append("client_secret", this.config.credentials.clientSecret);
+    }
+    try {
+      const response = await this.httpProvider.post({
+        url: tokenUrl,
+        data,
+        config: {
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          logContext: { className: "KeycloakClient", methodName: method }
+        }
+      });
+      const expiresAt = this.config.tokenCacheTtl ? Date.now() + this.config.tokenCacheTtl : Date.now() + (response.data.expires_in - 60) * 1e3;
+      this.tokenCache = { token: response.data.access_token, expiresAt };
+      this.log("debug", `${method} - Success`, method);
+      return response.data;
+    } catch (err) {
+      const { statusCode, details, keycloakError } = extractErrorInfo(err);
+      this.log("error", `${method} - Failed`, method, { statusCode, keycloakError });
+      throw new KeycloakError("Failed to refresh token", {
+        statusCode,
+        details,
+        keycloakError
+      });
+    }
+  }
+  async validateToken(token) {
+    var _a;
+    const method = "validateToken";
+    this.log("debug", `${method} - Start`, method);
+    try {
+      const introspectUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/token/introspect`;
+      const data = new URLSearchParams();
+      data.append("token", token);
+      data.append("client_id", this.config.credentials.clientId);
+      if (this.config.credentials.clientSecret) {
+        data.append("client_secret", this.config.credentials.clientSecret);
+      }
+      const response = await this.httpProvider.post({
+        url: introspectUrl,
+        data,
+        config: {
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          logContext: { className: "KeycloakClient", methodName: method }
+        }
+      });
+      const active = ((_a = response.data) == null ? void 0 : _a.active) === true;
+      this.log("debug", `${method} - Success (Active: ${active})`, method);
+      return active;
+    } catch (error) {
+      const { statusCode, details, keycloakError } = extractErrorInfo(error);
+      this.log("error", `${method} - Failed`, method, { statusCode, keycloakError });
+      throw new KeycloakError("Token introspection failed", {
+        statusCode,
+        details,
+        keycloakError
+      });
+    }
+  }
+  async getUserInfo(token) {
+    const method = "getUserInfo";
+    this.log("debug", `${method} - Start`, method);
+    const userInfoUrl = `${this.config.baseUrl}/realms/${this.config.realm}/protocol/openid-connect/userinfo`;
+    try {
+      const response = await this.httpProvider.get({
+        url: userInfoUrl,
+        config: {
+          headers: { Authorization: `Bearer ${token}` },
+          logContext: { className: "KeycloakClient", methodName: method }
+        }
+      });
+      this.log("debug", `${method} - Success`, method);
+      return response.data;
+    } catch (err) {
+      const { statusCode, details, keycloakError } = extractErrorInfo(err);
+      this.log("error", `${method} - Failed`, method, { statusCode, keycloakError });
+      throw new KeycloakError("Failed to retrieve userinfo", {
+        statusCode,
+        details,
+        keycloakError
+      });
+    }
+  }
+  clearTokenCache() {
+    this.tokenCache = null;
+  }
+  static maskToken(token, visibleChars = 8) {
+    if (!token || typeof token !== "string") return "";
+    return token.length <= visibleChars ? token : `${token.slice(0, visibleChars)}...`;
+  }
+  static scopesToString(scopes) {
+    if (!scopes) return "openid profile email";
+    return Array.isArray(scopes) ? scopes.join(" ") : String(scopes);
+  }
+};
+KeycloakClient = __decorateClass([
+  (0, import_common.Injectable)(),
+  __decorateParam(1, (0, import_common.Inject)(import_http_client.HTTP_PROVIDER)),
+  __decorateParam(2, (0, import_common.Optional)()),
+  __decorateParam(2, (0, import_common.Inject)(import_logger.LOGGER_PROVIDER))
+], KeycloakClient);
+// src/keycloak.http.interceptor.ts
+var import_common2 = require("@nestjs/common");
+var KeycloakHttpInterceptor = class {
+  constructor() {
+  }
+  intercept(context, next) {
+    const request = context.switchToHttp().getRequest();
+    if (typeof request.url === "string" && !request.url.includes("keycloak")) {
+    }
+    return next.handle();
+  }
+};
+KeycloakHttpInterceptor = __decorateClass([
+  (0, import_common2.Injectable)()
+], KeycloakHttpInterceptor);
+// src/roles.guard.ts
+var import_common4 = require("@nestjs/common");
+var import_core = require("@nestjs/core");
+// src/roles.decorator.ts
+var import_common3 = require("@nestjs/common");
+var ROLES_META_KEY = "roles";
+function Roles(...args) {
+  let payload;
+  if (args.length === 1 && typeof args[0] === "object" && !Array.isArray(args[0])) {
+    payload = args[0];
+  } else {
+    const roles = [].concat(
+      ...args.map((a) => Array.isArray(a) ? a : String(a))
+    );
+    payload = { roles };
+  }
+  payload.mode = payload.mode ?? "any";
+  payload.type = payload.type ?? "both";
+  return (0, import_common3.SetMetadata)(ROLES_META_KEY, payload);
+}
+// src/keycloak.token.ts
+var KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
+var KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
+var KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
+// src/roles.guard.ts
+var import_shared = __toESM(require_dist());
+var RolesGuard = class {
+  constructor(reflector, config) {
+    this.reflector = reflector;
+    this.config = config;
+  }
+  canActivate(context) {
+    var _a, _b, _c, _d, _e, _f, _g, _h;
+    const meta = this.reflector.get(ROLES_META_KEY, context.getHandler()) || this.reflector.get(ROLES_META_KEY, context.getClass());
+    if (!meta || !meta.roles || meta.roles.length === 0) return true;
+    const req = context.switchToHttp().getRequest();
+    const authHeader = ((_a = req.headers) == null ? void 0 : _a.authorization) || ((_b = req.headers) == null ? void 0 : _b.Authorization);
+    const token = authHeader ? String(authHeader).split(" ")[1] : (_c = req.query) == null ? void 0 : _c.token;
+    if (!token)
+      throw new import_shared.BaseAppError({
+        message: "Authorization token not provided",
+        status: 403,
+        code: "FORBIDDEN_MISSING_TOKEN",
+        context: {}
+      });
+    const payload = this.decodeJwtPayload(token);
+    const availableRoles = /* @__PURE__ */ new Set();
+    if (((_d = payload == null ? void 0 : payload.realm_access) == null ? void 0 : _d.roles) && Array.isArray(payload.realm_access.roles)) {
+      payload.realm_access.roles.forEach((r) => availableRoles.add(r));
+    }
+    const clientId = (_f = (_e = this.config) == null ? void 0 : _e.credentials) == null ? void 0 : _f.clientId;
+    if (clientId && ((_h = (_g = payload == null ? void 0 : payload.resource_access) == null ? void 0 : _g[clientId]) == null ? void 0 : _h.roles)) {
+      payload.resource_access[clientId].roles.forEach(
+        (r) => availableRoles.add(r)
+      );
+    }
+    if (meta.type === "both" && (payload == null ? void 0 : payload.resource_access)) {
+      Object.values(payload.resource_access).forEach((entry) => {
+        if ((entry == null ? void 0 : entry.roles) && Array.isArray(entry.roles)) {
+          entry.roles.forEach(
+            (r) => availableRoles.add(r)
+          );
+        }
+      });
+    }
+    const required = meta.roles || [];
+    const hasMatch = required.map((r) => availableRoles.has(r));
+    const result = meta.mode === "all" ? hasMatch.every(Boolean) : hasMatch.some(Boolean);
+    if (!result)
+      throw new import_shared.BaseAppError({
+        message: "Insufficient roles",
+        status: 403,
+        code: "FORBIDDEN_INSUFFICIENT_ROLES",
+        context: { required }
+      });
+    return true;
+  }
+  decodeJwtPayload(token) {
+    try {
+      const parts = token.split(".");
+      if (parts.length < 2) return {};
+      const payload = parts[1];
+      const BufferCtor = globalThis.Buffer;
+      if (!BufferCtor) return {};
+      const decoded = BufferCtor.from(payload, "base64").toString("utf8");
+      return JSON.parse(decoded);
+    } catch (e) {
+      return {};
+    }
+  }
+};
+RolesGuard = __decorateClass([
+  (0, import_common4.Injectable)(),
+  __decorateParam(0, (0, import_common4.Inject)(import_core.Reflector)),
+  __decorateParam(1, (0, import_common4.Optional)()),
+  __decorateParam(1, (0, import_common4.Inject)(KEYCLOAK_CONFIG))
+], RolesGuard);
+// src/keycloak.module.ts
+var KeycloakModule = class {
+  static forRoot(config, httpConfig) {
+    return {
+      module: KeycloakModule,
+      global: true,
+      imports: [
+        import_http_client2.HttpModule.forRoot(
+          httpConfig || { baseURL: config.baseUrl, timeout: 5e3 },
+          {
+            logging: {
+              enabled: true,
+              includeBody: true,
+              context: "KeycloakHttpClient",
+              environments: ["development", "test"]
+            }
+          }
+        )
+      ],
+      providers: [
+        { provide: import_core2.Reflector, useClass: import_core2.Reflector },
+        { provide: KEYCLOAK_CONFIG, useValue: config },
+        {
+          provide: KEYCLOAK_CLIENT,
+          useFactory: (cfg, httpProvider, logger) => new KeycloakClient(cfg, httpProvider, logger),
+          inject: [KEYCLOAK_CONFIG, import_http_client2.HTTP_PROVIDER, { token: import_logger2.LOGGER_PROVIDER, optional: true }]
+        },
+        {
+          provide: KEYCLOAK_HTTP_INTERCEPTOR,
+          useFactory: () => new KeycloakHttpInterceptor()
+        },
+        RolesGuard
+      ],
+      exports: [
+        import_core2.Reflector,
+        KEYCLOAK_CLIENT,
+        KEYCLOAK_HTTP_INTERCEPTOR,
+        KEYCLOAK_CONFIG,
+        RolesGuard
+      ]
+    };
+  }
+};
+KeycloakModule = __decorateClass([
+  (0, import_common5.Module)({})
+], KeycloakModule);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  KEYCLOAK_CLIENT,
+  KEYCLOAK_CONFIG,
+  KEYCLOAK_HTTP_INTERCEPTOR,
+  KeycloakError,
+  KeycloakModule,
+  Roles,
+  RolesGuard
+});