@adatechnology/auth-keycloak 0.0.7 → 0.1.0

package/README.md

@@ -5,34 +5,36 @@ Módulo Keycloak para autenticação de clients e usuários, seguindo o padrão
 Este pacote fornece um cliente leve para interagir com o Keycloak (obter/refresh de tokens, introspecção, userinfo)
 e um interceptor opcional. O módulo foi projetado para ser usado junto ao `@adatechnology/http-client`.
 
-Principais exportações
+### Principais exportações
 
-- `KeycloakModule` — módulo principal. Suporta `KeycloakModule.forRoot(config?)` (padrão dinâmico).
-- `KEYCLOAK_CLIENT` — provider token para injetar o cliente Keycloak (use `@Inject(KEYCLOAK_CLIENT)`).
-- `KEYCLOAK_HTTP_INTERCEPTOR` — provider token para injetar o interceptor (se necessário).
+- `KeycloakModule` — módulo principal. Suporta `KeycloakModule.forRoot(config?)`.
+- `KEYCLOAK_CLIENT` — provider token para injetar o cliente Keycloak (`@Inject(KEYCLOAK_CLIENT)`).
+- `KEYCLOAK_HTTP_INTERCEPTOR` — provider token para injetar o interceptor (opcional).
+- `BearerTokenGuard` — guard que valida o token Bearer via introspecção no Keycloak (401 em falha).
+- `Roles` / `RolesGuard` — decorator e guard para autorização baseada em roles (403 em falha).
+- `KeycloakError` — classe de erro tipada com `statusCode` e `details`.
 
-Instalação
+### Instalação
 
-Este pacote já declara dependência interna de workspace para `@adatechnology/http-client`. Em um monorepo PNPM/Turbo o pacote é resolvido automaticamente.
-
-Uso
+```bash
+# Este pacote já declara dependências de workspace para http-client, logger e cache.
+# Em um monorepo PNPM/Turbo os pacotes são resolvidos automaticamente.
+```
 
-- Configuração via código (recomendado quando quiser injetar configuração manualmente):
+### Uso básico
 
 ```ts
 import { Module } from "@nestjs/common";
-import { HttpModule } from "@adatechnology/http-client";
 import { KeycloakModule } from "@adatechnology/auth-keycloak";
 
 @Module({
   imports: [
-    HttpModule.forRoot({ baseURL: "https://pokeapi.co/api/v2", timeout: 5000 }),
     KeycloakModule.forRoot({
       baseUrl: "https://keycloak.example.com",
-      realm: "BACKEND",
+      realm: "myrealm",
       credentials: {
-        clientId: "backend-api",
-        clientSecret: "backend-api-secret",
+        clientId: "my-client",
+        clientSecret: "my-secret",
         grantType: "client_credentials",
       },
     }),
@@ -41,68 +43,154 @@ import { KeycloakModule } from "@adatechnology/auth-keycloak";
 export class AppModule {}
 ```
 
-- Configuração via `ConfigService` / variáveis de ambiente (padrão quando não passar `forRoot`):
+### Injeção do cliente
 
-As variáveis usadas pelo módulo interno são:
+```ts
+import { Inject } from '@nestjs/common';
+import { KEYCLOAK_CLIENT } from '@adatechnology/auth-keycloak';
+import type { KeycloakClientInterface } from '@adatechnology/auth-keycloak';
 
-- `KEYCLOAK_BASE_URL` (padrão: `http://localhost:8081`)
-- `KEYCLOAK_REALM` (padrão: `BACKEND`)
-- `KEYCLOAK_CLIENT_ID` (padrão: `backend-api`)
-- `KEYCLOAK_CLIENT_SECRET` (padrão: `backend-api-secret`)
+constructor(
+  @Inject(KEYCLOAK_CLIENT) private readonly keycloakClient: KeycloakClientInterface,
+) {}
+```
 
-API rápida (via token)
+### API do cliente
 
-- `KEYCLOAK_CLIENT.getAccessToken()` — obtém token com cache e deduplicação de requisições.
-- `KEYCLOAK_CLIENT.refreshToken(refreshToken)` — renova token.
-- `KEYCLOAK_CLIENT.validateToken(token)` — introspecção no Keycloak.
-- `KEYCLOAK_CLIENT.getUserInfo(token)` — retorna userinfo.
+| Método | Descrição |
+|---|---|
+| `getAccessToken()` | Obtém token com cache automático e deduplicação de requisições |
+| `getTokenWithCredentials({ username, password })` | Login com credenciais (resource-owner password grant) |
+| `refreshToken(refreshToken)` | Renova token e atualiza o cache interno |
+| `validateToken(token)` | Introspecção via endpoint `/token/introspect` |
+| `getUserInfo(token)` | Retorna claims via endpoint `/userinfo` |
+| `clearTokenCache()` | Remove o token do cache (útil para forçar renovação) |
 
-Exemplo de injeção no NestJS:
+### Cache de token
+
+O `KeycloakClient` usa `@adatechnology/cache` para armazenar o access token obtido via `client_credentials`.
+Por padrão é criado um `InMemoryCacheProvider` local. Você pode substituir por Redis ou qualquer implementação
+de `CacheProviderInterface` injetando o provider `CACHE_PROVIDER` no contexto do módulo:
 
 ```ts
-import { Inject } from '@nestjs/common';
-import { KEYCLOAK_CLIENT } from '@adatechnology/auth-keycloak';
-import type { KeycloakClientInterface } from '@adatechnology/auth-keycloak';
+import { Module } from "@nestjs/common";
+import { CacheModule } from "@adatechnology/cache";
+import { KeycloakModule } from "@adatechnology/auth-keycloak";
 
-constructor(@Inject(KEYCLOAK_CLIENT) private readonly keycloakClient: KeycloakClientInterface) {}
+@Module({
+  imports: [
+    // Registra CACHE_PROVIDER como Redis — KeycloakClient o usará automaticamente
+    CacheModule.forRoot({
+      type: 'redis',
+      redis: { host: 'localhost', port: 6379 },
+    }),
+    KeycloakModule.forRoot({ ... }),
+  ],
+})
+export class AppModule {}
 ```
 
-Notas
+Se `CACHE_PROVIDER` não for registrado no módulo, o `KeycloakClient` cria um `InMemoryCacheProvider`
+interno sem necessidade de configuração adicional.
 
-- Este módulo depende de `@adatechnology/http-client` (provider `HTTP_PROVIDER`) para realizar chamadas HTTP ao Keycloak. Configure o `HttpModule` conforme necessário na aplicação que consome este pacote.
-- O interceptor `KeycloakHttpInterceptor` é fornecido caso queira integrar com outras camadas que aceitem interceptors.
+O TTL do cache é derivado do campo `expires_in` do token (com 60 segundos de margem). Você pode
+sobrescrever com a opção `tokenCacheTtl` (em **milissegundos**):
 
-## Autorização (decorator @Roles)
+```ts
+KeycloakModule.forRoot({
+  ...
+  tokenCacheTtl: 60_000, // força TTL de 60 s independente do token
+})
+```
+
+### Propagação de contexto de log (cascade)
 
-O pacote agora fornece um decorator `@Roles()` e um `RolesGuard` para uso nas rotas do NestJS. Exemplos:
+O cliente lê o `logContext` do `AsyncLocalStorage` da lib `@adatechnology/logger`. Para que os logs
+de downstream (keycloak → cache) mostrem `className.methodName` da origem correta, use `runWithContext`
+no controller:
+
+```ts
+import { getContext, runWithContext } from '@adatechnology/logger';
+
+// No controller
+private withCtx<T>(logContext: object, fn: () => Promise<T>): Promise<T> {
+  return runWithContext({ ...(getContext() ?? {}), logContext }, fn);
+}
+
+async getToken() {
+  const logContext = { className: 'MyController', methodName: 'getToken' };
+  return this.withCtx(logContext, () => this.keycloakService.getAccessToken());
+}
+```
+
+Resultado no log:
+```
+[MyController.getToken][KeycloakClient.getAccessToken] → cache miss → request token
+[MyController.getToken][InMemoryCacheProvider.set] → token cached
+```
+
+### BearerTokenGuard — autenticação B2B via introspecção
+
+Valida que o header `Authorization: Bearer <token>` contém um token ativo chamando
+`POST /token/introspect` no Keycloak. Use sempre em conjunto com `RolesGuard` em rotas B2B.
+
+```ts
+import { Controller, Headers, Post, UseGuards } from "@nestjs/common";
+import { BearerTokenGuard, Roles, RolesGuard } from "@adatechnology/auth-keycloak";
+
+@Controller("orders")
+export class OrdersController {
+  @Post()
+  @Roles("manage-requests")
+  @UseGuards(BearerTokenGuard, RolesGuard)
+  create(@Headers("x-user-id") keycloakId: string) {}
+}
+```
+
+**Por que dois guards em sequência?**
+
+| Guard | Mecanismo | HTTP? | Falha |
+|---|---|---|---|
+| `BearerTokenGuard` | `POST /token/introspect` ao Keycloak | Sim | 401 — token inativo/expirado/forjado |
+| `RolesGuard` | Decode local do payload JWT | Não | 403 — permissão insuficiente |
+
+O `RolesGuard` sozinho **não é seguro** para autenticação: ele apenas decodifica o payload JWT
+sem verificar a assinatura, o que significa que um token forjado passaria. O `BearerTokenGuard`
+é quem garante autenticidade via introspecção.
+
+### Autorização com @Roles
 
 ```ts
 import { Controller, Get, UseGuards } from "@nestjs/common";
-import { Roles } from "@adatechnology/auth-keycloak";
-import { RolesGuard } from "@adatechnology/auth-keycloak";
+import { Roles, RolesGuard } from "@adatechnology/auth-keycloak";
 
 @Controller("secure")
-@UseGuards(RolesGuard)
 export class SecureController {
+  @Get("public")
+  @UseGuards(RolesGuard)
+  public() {
+    return { ok: true };
+  }
+
   @Get("admin")
-  @Roles("admin") // aceita um ou mais roles (OR por padrão)
+  @UseGuards(RolesGuard)
+  @Roles("admin")
   adminOnly() {
     return { ok: true };
   }
 
   @Get("team")
-  @Roles({ roles: ["manager", "lead"], mode: "all" }) // requer ambos (AND)
+  @UseGuards(RolesGuard)
+  @Roles({ roles: ["manager", "lead"], mode: "all" }) // AND — requer ambas as roles
   teamOnly() {
     return { ok: true };
   }
 }
 ```
 
-O `RolesGuard` extrai roles do payload do JWT (claims `realm_access.roles` e `resource_access[clientId].roles`). Por padrão o decorator verifica ambos (realm e client). Você pode ajustar o comportamento usando as opções `{ type: 'realm'|'client'|'both' }`.
-
-## Erros
+O `RolesGuard` extrai roles de `realm_access.roles` e `resource_access[clientId].roles` do JWT.
 
-O pacote exporta `KeycloakError` (classe) que é usada para representar falhas nas chamadas HTTP ao Keycloak. A classe contém `statusCode` e `details` para permitir um tratamento declarativo dos erros na aplicação que consome a biblioteca. Exemplo:
+### Tratamento de erros
 
 ```ts
 import { KeycloakError } from "@adatechnology/auth-keycloak";
@@ -111,17 +199,31 @@ try {
   await keycloakClient.getUserInfo(token);
 } catch (e) {
   if (e instanceof KeycloakError) {
-    // tratar problema específico de Keycloak
-    console.error(e.statusCode, e.details);
+    console.error(e.statusCode, e.details, e.keycloakError);
   }
   throw e;
 }
 ```
 
-Contribuições
+### Variáveis de ambiente (referência)
+
+| Variável | Padrão |
+|---|---|
+| `KEYCLOAK_BASE_URL` | `http://localhost:8081` |
+| `KEYCLOAK_REALM` | `BACKEND` |
+| `KEYCLOAK_CLIENT_ID` | `backend-api` |
+| `KEYCLOAK_CLIENT_SECRET` | `backend-api-secret` |
+
+### Notas
+
+- Este módulo depende de `@adatechnology/http-client` para chamadas HTTP ao Keycloak.
+- O interceptor `KeycloakHttpInterceptor` pode ser registrado como `APP_INTERCEPTOR` para integração global.
+- `clearTokenCache()` é assíncrono desde a versão `0.0.7` (retorna `Promise<void>`).
+
+### Contribuições
 
 Relate issues/PRs no repositório principal. Mantenha compatibilidade com o padrão usado pelo `HttpModule`.
 
-Licença
+### Licença
 
 MIT

package/dist/index.d.ts

@@ -1,6 +1,7 @@
 import * as _nestjs_common from '@nestjs/common';
 import { DynamicModule, CanActivate, ExecutionContext } from '@nestjs/common';
 import { AxiosRequestConfig, AxiosInstance } from 'axios';
+import { LoggerProviderInterface } from '@adatechnology/logger';
 import { Reflector } from '@nestjs/core';
 
 /**
@@ -75,7 +76,7 @@ interface KeycloakClientInterface {
     /**
      * Clear the internal access token cache maintained by the client.
      */
-    clearTokenCache(): void;
+    clearTokenCache(): Promise<void>;
 }
 /**
  * Provider-facing interface type to be used when injecting the keycloak provider token.
@@ -87,6 +88,32 @@ declare class KeycloakModule {
     static forRoot(config: KeycloakConfig, httpConfig?: AxiosRequestConfig | AxiosInstance): DynamicModule;
 }
 
+/**
+ * Guard that validates the Bearer token in the Authorization header via
+ * Keycloak token introspection (POST /token/introspect).
+ *
+ * Use together with RolesGuard for B2B (service-to-service) routes that trust
+ * an X-User-Id header injected by an upstream authenticated service:
+ *
+ * @example
+ * ```ts
+ * @Roles('manage-requests')
+ * @UseGuards(BearerTokenGuard, RolesGuard)
+ * async create(@Headers('x-user-id') keycloakId: string) {}
+ * ```
+ *
+ * Execution order:
+ *  1. BearerTokenGuard  — validates token is active (HTTP → Keycloak) → 401 on failure
+ *  2. RolesGuard        — checks roles from decoded JWT payload (local) → 403 on failure
+ */
+declare class BearerTokenGuard implements CanActivate {
+    private readonly keycloakClient?;
+    private readonly logger?;
+    constructor(keycloakClient?: KeycloakClientInterface, logger?: LoggerProviderInterface);
+    private log;
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+
 declare const KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
 declare const KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
 declare const KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
@@ -129,4 +156,4 @@ declare class KeycloakError extends Error {
     });
 }
 
-export { KEYCLOAK_CLIENT, KEYCLOAK_CONFIG, KEYCLOAK_HTTP_INTERCEPTOR, KEYCLOAK_PROVIDER, type KeycloakClientInterface, type KeycloakConfig, KeycloakError, KeycloakModule, type KeycloakProviderInterface, type KeycloakTokenResponse, Roles, RolesGuard };
+export { BearerTokenGuard, KEYCLOAK_CLIENT, KEYCLOAK_CONFIG, KEYCLOAK_HTTP_INTERCEPTOR, KEYCLOAK_PROVIDER, type KeycloakClientInterface, type KeycloakConfig, KeycloakError, KeycloakModule, type KeycloakProviderInterface, type KeycloakTokenResponse, Roles, RolesGuard };

package/dist/index.js

@@ -68,7 +68,7 @@ var require_base_app_error = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.BaseAppError = void 0;
-    var BaseAppError2 = class extends Error {
+    var BaseAppError3 = class extends Error {
       code;
       status;
       context;
@@ -83,7 +83,7 @@ var require_base_app_error = __commonJS({
         (_a = capturable.captureStackTrace) == null ? void 0 : _a.call(capturable, this, this.constructor);
       }
     };
-    exports2.BaseAppError = BaseAppError2;
+    exports2.BaseAppError = BaseAppError3;
   }
 });
 
@@ -268,6 +268,7 @@ var require_dist = __commonJS({
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  BearerTokenGuard: () => BearerTokenGuard,
   KEYCLOAK_CLIENT: () => KEYCLOAK_CLIENT,
   KEYCLOAK_CONFIG: () => KEYCLOAK_CONFIG,
   KEYCLOAK_HTTP_INTERCEPTOR: () => KEYCLOAK_HTTP_INTERCEPTOR,
@@ -280,15 +281,176 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 
 // src/keycloak.module.ts
-var import_common5 = require("@nestjs/common");
+var import_common6 = require("@nestjs/common");
 var import_core2 = require("@nestjs/core");
-var import_http_client2 = require("@adatechnology/http-client");
-var import_logger2 = require("@adatechnology/logger");
+var import_http_client3 = require("@adatechnology/http-client");
+var import_logger3 = require("@adatechnology/logger");
+var import_cache3 = require("@adatechnology/cache");
 
-// src/keycloak.client.ts
+// src/bearer-token.guard.ts
 var import_common = require("@nestjs/common");
-var import_http_client = require("@adatechnology/http-client");
 var import_logger = require("@adatechnology/logger");
+var import_http_client = require("@adatechnology/http-client");
+var import_shared = __toESM(require_dist());
+
+// src/keycloak.token.ts
+var KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
+var KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
+var KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
+var KEYCLOAK_PROVIDER = "KEYCLOAK_PROVIDER";
+
+// package.json
+var package_default = {
+  name: "@adatechnology/auth-keycloak",
+  version: "0.1.0",
+  publishConfig: {
+    access: "public"
+  },
+  main: "dist/index.js",
+  module: "dist/index.mjs",
+  types: "dist/index.d.ts",
+  files: [
+    "dist"
+  ],
+  scripts: {
+    build: "rm -rf dist && tsup",
+    "build:watch": "tsup --watch",
+    check: "tsc -p tsconfig.json --noEmit",
+    test: 'echo "no tests"'
+  },
+  dependencies: {
+    "@adatechnology/cache": "workspace:*",
+    "@adatechnology/http-client": "workspace:*",
+    "@adatechnology/logger": "workspace:*"
+  },
+  peerDependencies: {
+    "@nestjs/common": "^11.0.16",
+    "@nestjs/core": "^11"
+  },
+  devDependencies: {
+    "@adatechnology/shared": "workspace:*",
+    "@esbuild-plugins/tsconfig-paths": "^0.1.2",
+    tsup: "^8.5.1",
+    typescript: "^5.2.0"
+  }
+};
+
+// src/keycloak.constants.ts
+var LIB_NAME = package_default.name;
+var LIB_VERSION = package_default.version;
+var TOKEN_CACHE_KEY = "keycloak:access_token";
+var LOG_CONTEXT = {
+  KEYCLOAK_CLIENT: "KeycloakClient",
+  BEARER_TOKEN_GUARD: "BearerTokenGuard"
+};
+var HTTP_STATUS = {
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403
+};
+var BEARER_ERROR_CODE = {
+  MISSING_TOKEN: "UNAUTHORIZED_MISSING_TOKEN",
+  KEYCLOAK_NOT_CONFIGURED: "UNAUTHORIZED_KEYCLOAK_NOT_CONFIGURED",
+  TOKEN_VALIDATION_FAILED: "UNAUTHORIZED_TOKEN_VALIDATION_FAILED",
+  INACTIVE_TOKEN: "UNAUTHORIZED_INACTIVE_TOKEN"
+};
+var ROLES_ERROR_CODE = {
+  MISSING_TOKEN: "FORBIDDEN_MISSING_TOKEN",
+  INSUFFICIENT_ROLES: "FORBIDDEN_INSUFFICIENT_ROLES"
+};
+
+// src/bearer-token.guard.ts
+var BearerTokenGuard = class {
+  constructor(keycloakClient, logger) {
+    this.keycloakClient = keycloakClient;
+    this.logger = logger;
+  }
+  log(level, message, libMethod, meta) {
+    if (!this.logger) return;
+    const loggerCtx = (0, import_logger.getContext)();
+    const httpCtx = (0, import_http_client.getHttpRequestContext)();
+    const logContext = loggerCtx == null ? void 0 : loggerCtx.logContext;
+    const requestId = (loggerCtx == null ? void 0 : loggerCtx.requestId) ?? (httpCtx == null ? void 0 : httpCtx.requestId);
+    const source = (logContext == null ? void 0 : logContext.className) && (logContext == null ? void 0 : logContext.methodName) ? `${logContext.className}.${logContext.methodName}` : (httpCtx == null ? void 0 : httpCtx.className) && (httpCtx == null ? void 0 : httpCtx.methodName) ? `${httpCtx.className}.${httpCtx.methodName}` : void 0;
+    const payload = {
+      message,
+      context: LOG_CONTEXT.BEARER_TOKEN_GUARD,
+      lib: LIB_NAME,
+      libVersion: LIB_VERSION,
+      libMethod,
+      source,
+      requestId,
+      meta
+    };
+    if (level === "debug") this.logger.debug(payload);
+    else if (level === "info") this.logger.info(payload);
+    else if (level === "warn") this.logger.warn(payload);
+    else if (level === "error") this.logger.error(payload);
+  }
+  async canActivate(context) {
+    var _a, _b;
+    const method = "canActivate";
+    this.log("debug", `${method} - Start`, method);
+    const request = context.switchToHttp().getRequest();
+    const authorization = ((_a = request.headers) == null ? void 0 : _a.authorization) ?? ((_b = request.headers) == null ? void 0 : _b.Authorization);
+    if (!(authorization == null ? void 0 : authorization.startsWith("Bearer "))) {
+      this.log("warn", `${method} - Missing or invalid Authorization header`, method);
+      throw new import_shared.BaseAppError({
+        message: "Missing or invalid Authorization header",
+        status: HTTP_STATUS.UNAUTHORIZED,
+        code: BEARER_ERROR_CODE.MISSING_TOKEN,
+        context: {}
+      });
+    }
+    if (!this.keycloakClient) {
+      this.log("error", `${method} - Keycloak client not configured`, method);
+      throw new import_shared.BaseAppError({
+        message: "Keycloak client not configured",
+        status: HTTP_STATUS.UNAUTHORIZED,
+        code: BEARER_ERROR_CODE.KEYCLOAK_NOT_CONFIGURED,
+        context: {}
+      });
+    }
+    const token = authorization.slice(7);
+    let isValid;
+    try {
+      isValid = await this.keycloakClient.validateToken(token);
+    } catch (err) {
+      const detail = err instanceof Error ? err.message : String(err);
+      this.log("error", `${method} - Token validation failed`, method, { detail });
+      throw new import_shared.BaseAppError({
+        message: "Token validation failed",
+        status: HTTP_STATUS.UNAUTHORIZED,
+        code: BEARER_ERROR_CODE.TOKEN_VALIDATION_FAILED,
+        context: { detail }
+      });
+    }
+    if (!isValid) {
+      this.log("warn", `${method} - Inactive or expired token`, method);
+      throw new import_shared.BaseAppError({
+        message: "Inactive or expired token",
+        status: HTTP_STATUS.UNAUTHORIZED,
+        code: BEARER_ERROR_CODE.INACTIVE_TOKEN,
+        context: {}
+      });
+    }
+    this.log("debug", `${method} - Token valid`, method);
+    return true;
+  }
+};
+BearerTokenGuard = __decorateClass([
+  (0, import_common.Injectable)(),
+  __decorateParam(0, (0, import_common.Optional)()),
+  __decorateParam(0, (0, import_common.Inject)(KEYCLOAK_CLIENT)),
+  __decorateParam(1, (0, import_common.Optional)()),
+  __decorateParam(1, (0, import_common.Inject)(import_logger.LOGGER_PROVIDER))
+], BearerTokenGuard);
+
+// src/keycloak.client.ts
+var import_common2 = require("@nestjs/common");
+var import_http_client2 = require("@adatechnology/http-client");
+var import_logger2 = require("@adatechnology/logger");
+var import_cache = require("@adatechnology/cache");
+var import_cache2 = require("@adatechnology/cache");
 
 // src/errors/keycloak-error.ts
 var KeycloakError = class _KeycloakError extends Error {
@@ -306,8 +468,6 @@ var KeycloakError = class _KeycloakError extends Error {
 };
 
 // src/keycloak.client.ts
-var LIB_NAME = "@adatechnology/auth-keycloak";
-var LIB_VERSION = "0.0.2";
 function extractErrorInfo(err) {
   var _a, _b, _c, _d, _e;
   const statusCode = (err == null ? void 0 : err.status) ?? ((_a = err == null ? void 0 : err.response) == null ? void 0 : _a.status);
@@ -333,21 +493,24 @@ function extractErrorInfo(err) {
   };
 }
 var KeycloakClient = class {
-  constructor(config, httpProvider, logger) {
+  constructor(config, httpProvider, logger, cacheProvider) {
     this.config = config;
     this.httpProvider = httpProvider;
     this.logger = logger;
+    this.cacheProvider = cacheProvider ?? new import_cache.InMemoryCacheProvider(logger);
   }
-  tokenCache = null;
+  cacheProvider;
   tokenPromise = null;
   log(level, message, libMethod, meta) {
     if (!this.logger) return;
-    const httpCtx = (0, import_http_client.getHttpRequestContext)();
-    const requestId = httpCtx == null ? void 0 : httpCtx.requestId;
-    const source = (httpCtx == null ? void 0 : httpCtx.className) && (httpCtx == null ? void 0 : httpCtx.methodName) ? `${httpCtx.className}.${httpCtx.methodName}` : void 0;
+    const loggerCtx = (0, import_logger2.getContext)();
+    const httpCtx = (0, import_http_client2.getHttpRequestContext)();
+    const logContext = loggerCtx == null ? void 0 : loggerCtx.logContext;
+    const requestId = (loggerCtx == null ? void 0 : loggerCtx.requestId) ?? (httpCtx == null ? void 0 : httpCtx.requestId);
+    const source = (logContext == null ? void 0 : logContext.className) && (logContext == null ? void 0 : logContext.methodName) ? `${logContext.className}.${logContext.methodName}` : (httpCtx == null ? void 0 : httpCtx.className) && (httpCtx == null ? void 0 : httpCtx.methodName) ? `${httpCtx.className}.${httpCtx.methodName}` : void 0;
     const payload = {
       message,
-      context: "KeycloakClient",
+      context: LOG_CONTEXT.KEYCLOAK_CLIENT,
       lib: LIB_NAME,
       libVersion: LIB_VERSION,
       libMethod,
@@ -363,10 +526,10 @@ var KeycloakClient = class {
   async getAccessToken() {
     const method = "getAccessToken";
     this.log("debug", `${method} - Start`, method);
-    const now = Date.now();
-    if (this.tokenCache && now < this.tokenCache.expiresAt) {
+    const cached = await this.cacheProvider.get(TOKEN_CACHE_KEY);
+    if (cached) {
       this.log("debug", `${method} - Returning cached token`, method);
-      return this.tokenCache.token;
+      return cached;
     }
     if (this.tokenPromise) {
       this.log("debug", `${method} - Waiting for existing token request`, method);
@@ -375,8 +538,8 @@ var KeycloakClient = class {
     this.tokenPromise = (async () => {
       try {
         const tokenResponse = await this.requestToken();
-        const expiresAt = this.config.tokenCacheTtl ? Date.now() + this.config.tokenCacheTtl : Date.now() + (tokenResponse.expires_in - 60) * 1e3;
-        this.tokenCache = { token: tokenResponse.access_token, expiresAt };
+        const ttlSeconds = this.config.tokenCacheTtl ? Math.floor(this.config.tokenCacheTtl / 1e3) : tokenResponse.expires_in - 60;
+        await this.cacheProvider.set(TOKEN_CACHE_KEY, tokenResponse.access_token, ttlSeconds);
         this.log("debug", `${method} - Token obtained and cached`, method);
         return tokenResponse.access_token;
       } finally {
@@ -406,7 +569,7 @@ var KeycloakClient = class {
         data: body,
         config: {
           headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       this.log("info", `${method} - Success for user: ${username}`, method);
@@ -444,7 +607,7 @@ var KeycloakClient = class {
         data,
         config: {
           headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       this.log("debug", `${method} - Success`, method);
@@ -476,11 +639,11 @@ var KeycloakClient = class {
         data,
         config: {
           headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
-      const expiresAt = this.config.tokenCacheTtl ? Date.now() + this.config.tokenCacheTtl : Date.now() + (response.data.expires_in - 60) * 1e3;
-      this.tokenCache = { token: response.data.access_token, expiresAt };
+      const ttlSeconds = this.config.tokenCacheTtl ? Math.floor(this.config.tokenCacheTtl / 1e3) : response.data.expires_in - 60;
+      await this.cacheProvider.set(TOKEN_CACHE_KEY, response.data.access_token, ttlSeconds);
       this.log("debug", `${method} - Success`, method);
       return response.data;
     } catch (err) {
@@ -510,7 +673,7 @@ var KeycloakClient = class {
         data,
         config: {
           headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       const active = ((_a = response.data) == null ? void 0 : _a.active) === true;
@@ -535,7 +698,7 @@ var KeycloakClient = class {
         url: userInfoUrl,
         config: {
           headers: { Authorization: `Bearer ${token}` },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       this.log("debug", `${method} - Success`, method);
@@ -550,12 +713,8 @@ var KeycloakClient = class {
       });
     }
   }
-  clearTokenCache() {
-    this.tokenCache = null;
-  }
-  static maskToken(token, visibleChars = 8) {
-    if (!token || typeof token !== "string") return "";
-    return token.length <= visibleChars ? token : `${token.slice(0, visibleChars)}...`;
+  async clearTokenCache() {
+    await this.cacheProvider.del(TOKEN_CACHE_KEY);
   }
   static scopesToString(scopes) {
     if (!scopes) return "openid profile email";
@@ -563,14 +722,16 @@ var KeycloakClient = class {
   }
 };
 KeycloakClient = __decorateClass([
-  (0, import_common.Injectable)(),
-  __decorateParam(1, (0, import_common.Inject)(import_http_client.HTTP_PROVIDER)),
-  __decorateParam(2, (0, import_common.Optional)()),
-  __decorateParam(2, (0, import_common.Inject)(import_logger.LOGGER_PROVIDER))
+  (0, import_common2.Injectable)(),
+  __decorateParam(1, (0, import_common2.Inject)(import_http_client2.HTTP_PROVIDER)),
+  __decorateParam(2, (0, import_common2.Optional)()),
+  __decorateParam(2, (0, import_common2.Inject)(import_logger2.LOGGER_PROVIDER)),
+  __decorateParam(3, (0, import_common2.Optional)()),
+  __decorateParam(3, (0, import_common2.Inject)(import_cache2.CACHE_PROVIDER))
 ], KeycloakClient);
 
 // src/keycloak.http.interceptor.ts
-var import_common2 = require("@nestjs/common");
+var import_common3 = require("@nestjs/common");
 var KeycloakHttpInterceptor = class {
   constructor() {
   }
@@ -582,15 +743,15 @@ var KeycloakHttpInterceptor = class {
   }
 };
 KeycloakHttpInterceptor = __decorateClass([
-  (0, import_common2.Injectable)()
+  (0, import_common3.Injectable)()
 ], KeycloakHttpInterceptor);
 
 // src/roles.guard.ts
-var import_common4 = require("@nestjs/common");
+var import_common5 = require("@nestjs/common");
 var import_core = require("@nestjs/core");
 
 // src/roles.decorator.ts
-var import_common3 = require("@nestjs/common");
+var import_common4 = require("@nestjs/common");
 var ROLES_META_KEY = "roles";
 function Roles(...args) {
   let payload;
@@ -604,17 +765,11 @@ function Roles(...args) {
   }
   payload.mode = payload.mode ?? "any";
   payload.type = payload.type ?? "both";
-  return (0, import_common3.SetMetadata)(ROLES_META_KEY, payload);
+  return (0, import_common4.SetMetadata)(ROLES_META_KEY, payload);
 }
 
-// src/keycloak.token.ts
-var KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
-var KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
-var KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
-var KEYCLOAK_PROVIDER = "KEYCLOAK_PROVIDER";
-
 // src/roles.guard.ts
-var import_shared = __toESM(require_dist());
+var import_shared2 = __toESM(require_dist());
 var RolesGuard = class {
   constructor(reflector, config) {
     this.reflector = reflector;
@@ -628,10 +783,10 @@ var RolesGuard = class {
     const authHeader = ((_a = req.headers) == null ? void 0 : _a.authorization) || ((_b = req.headers) == null ? void 0 : _b.Authorization);
     const token = authHeader ? String(authHeader).split(" ")[1] : (_c = req.query) == null ? void 0 : _c.token;
     if (!token)
-      throw new import_shared.BaseAppError({
+      throw new import_shared2.BaseAppError({
         message: "Authorization token not provided",
-        status: 403,
-        code: "FORBIDDEN_MISSING_TOKEN",
+        status: HTTP_STATUS.FORBIDDEN,
+        code: ROLES_ERROR_CODE.MISSING_TOKEN,
         context: {}
       });
     const payload = this.decodeJwtPayload(token);
@@ -658,10 +813,10 @@ var RolesGuard = class {
     const hasMatch = required.map((r) => availableRoles.has(r));
     const result = meta.mode === "all" ? hasMatch.every(Boolean) : hasMatch.some(Boolean);
     if (!result)
-      throw new import_shared.BaseAppError({
+      throw new import_shared2.BaseAppError({
         message: "Insufficient roles",
-        status: 403,
-        code: "FORBIDDEN_INSUFFICIENT_ROLES",
+        status: HTTP_STATUS.FORBIDDEN,
+        code: ROLES_ERROR_CODE.INSUFFICIENT_ROLES,
         context: { required }
       });
     return true;
@@ -681,10 +836,10 @@ var RolesGuard = class {
   }
 };
 RolesGuard = __decorateClass([
-  (0, import_common4.Injectable)(),
-  __decorateParam(0, (0, import_common4.Inject)(import_core.Reflector)),
-  __decorateParam(1, (0, import_common4.Optional)()),
-  __decorateParam(1, (0, import_common4.Inject)(KEYCLOAK_CONFIG))
+  (0, import_common5.Injectable)(),
+  __decorateParam(0, (0, import_common5.Inject)(import_core.Reflector)),
+  __decorateParam(1, (0, import_common5.Optional)()),
+  __decorateParam(1, (0, import_common5.Inject)(KEYCLOAK_CONFIG))
 ], RolesGuard);
 
 // src/keycloak.module.ts
@@ -694,7 +849,7 @@ var KeycloakModule = class {
       module: KeycloakModule,
       global: true,
       imports: [
-        import_http_client2.HttpModule.forRoot(
+        import_http_client3.HttpModule.forRoot(
           httpConfig || { baseURL: config.baseUrl, timeout: 5e3 },
           {
             logging: {
@@ -711,11 +866,12 @@ var KeycloakModule = class {
         { provide: KEYCLOAK_CONFIG, useValue: config },
         {
           provide: KEYCLOAK_CLIENT,
-          useFactory: (cfg, httpProvider, logger) => new KeycloakClient(cfg, httpProvider, logger),
+          useFactory: (cfg, httpProvider, logger, cacheProvider) => new KeycloakClient(cfg, httpProvider, logger, cacheProvider),
           inject: [
             KEYCLOAK_CONFIG,
-            import_http_client2.HTTP_PROVIDER,
-            { token: import_logger2.LOGGER_PROVIDER, optional: true }
+            import_http_client3.HTTP_PROVIDER,
+            { token: import_logger3.LOGGER_PROVIDER, optional: true },
+            { token: import_cache3.CACHE_PROVIDER, optional: true }
           ]
         },
         {
@@ -726,7 +882,8 @@ var KeycloakModule = class {
           provide: KEYCLOAK_HTTP_INTERCEPTOR,
           useFactory: () => new KeycloakHttpInterceptor()
         },
-        RolesGuard
+        RolesGuard,
+        BearerTokenGuard
       ],
       exports: [
         import_core2.Reflector,
@@ -734,16 +891,18 @@ var KeycloakModule = class {
         KEYCLOAK_PROVIDER,
         KEYCLOAK_HTTP_INTERCEPTOR,
         KEYCLOAK_CONFIG,
-        RolesGuard
+        RolesGuard,
+        BearerTokenGuard
       ]
     };
   }
 };
 KeycloakModule = __decorateClass([
-  (0, import_common5.Module)({})
+  (0, import_common6.Module)({})
 ], KeycloakModule);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  BearerTokenGuard,
   KEYCLOAK_CLIENT,
   KEYCLOAK_CONFIG,
   KEYCLOAK_HTTP_INTERCEPTOR,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adatechnology/auth-keycloak",
-  "version": "0.0.7",
+  "version": "0.1.0",
   "publishConfig": {
     "access": "public"
   },
@@ -11,8 +11,9 @@
     "dist"
   ],
   "dependencies": {
-    "@adatechnology/http-client": "0.0.7",
-    "@adatechnology/logger": "0.0.6"
+    "@adatechnology/cache": "0.0.8",
+    "@adatechnology/http-client": "0.0.9",
+    "@adatechnology/logger": "0.0.7"
   },
   "peerDependencies": {
     "@nestjs/common": "^11.0.16",