@adatechnology/auth-keycloak 0.0.8 → 0.1.0

package/README.md

@@ -10,7 +10,8 @@ e um interceptor opcional. O módulo foi projetado para ser usado junto ao `@ada
 - `KeycloakModule` — módulo principal. Suporta `KeycloakModule.forRoot(config?)`.
 - `KEYCLOAK_CLIENT` — provider token para injetar o cliente Keycloak (`@Inject(KEYCLOAK_CLIENT)`).
 - `KEYCLOAK_HTTP_INTERCEPTOR` — provider token para injetar o interceptor (opcional).
-- `Roles` / `RolesGuard` — decorator e guard para autorização baseada em roles.
+- `BearerTokenGuard` — guard que valida o token Bearer via introspecção no Keycloak (401 em falha).
+- `Roles` / `RolesGuard` — decorator e guard para autorização baseada em roles (403 em falha).
 - `KeycloakError` — classe de erro tipada com `statusCode` e `details`.
 
 ### Instalação
@@ -128,6 +129,35 @@ Resultado no log:
 [MyController.getToken][InMemoryCacheProvider.set] → token cached
 ```
 
+### BearerTokenGuard — autenticação B2B via introspecção
+
+Valida que o header `Authorization: Bearer <token>` contém um token ativo chamando
+`POST /token/introspect` no Keycloak. Use sempre em conjunto com `RolesGuard` em rotas B2B.
+
+```ts
+import { Controller, Headers, Post, UseGuards } from "@nestjs/common";
+import { BearerTokenGuard, Roles, RolesGuard } from "@adatechnology/auth-keycloak";
+
+@Controller("orders")
+export class OrdersController {
+  @Post()
+  @Roles("manage-requests")
+  @UseGuards(BearerTokenGuard, RolesGuard)
+  create(@Headers("x-user-id") keycloakId: string) {}
+}
+```
+
+**Por que dois guards em sequência?**
+
+| Guard | Mecanismo | HTTP? | Falha |
+|---|---|---|---|
+| `BearerTokenGuard` | `POST /token/introspect` ao Keycloak | Sim | 401 — token inativo/expirado/forjado |
+| `RolesGuard` | Decode local do payload JWT | Não | 403 — permissão insuficiente |
+
+O `RolesGuard` sozinho **não é seguro** para autenticação: ele apenas decodifica o payload JWT
+sem verificar a assinatura, o que significa que um token forjado passaria. O `BearerTokenGuard`
+é quem garante autenticidade via introspecção.
+
 ### Autorização com @Roles
 
 ```ts

package/dist/index.d.ts

@@ -1,6 +1,7 @@
 import * as _nestjs_common from '@nestjs/common';
 import { DynamicModule, CanActivate, ExecutionContext } from '@nestjs/common';
 import { AxiosRequestConfig, AxiosInstance } from 'axios';
+import { LoggerProviderInterface } from '@adatechnology/logger';
 import { Reflector } from '@nestjs/core';
 
 /**
@@ -87,6 +88,32 @@ declare class KeycloakModule {
     static forRoot(config: KeycloakConfig, httpConfig?: AxiosRequestConfig | AxiosInstance): DynamicModule;
 }
 
+/**
+ * Guard that validates the Bearer token in the Authorization header via
+ * Keycloak token introspection (POST /token/introspect).
+ *
+ * Use together with RolesGuard for B2B (service-to-service) routes that trust
+ * an X-User-Id header injected by an upstream authenticated service:
+ *
+ * @example
+ * ```ts
+ * @Roles('manage-requests')
+ * @UseGuards(BearerTokenGuard, RolesGuard)
+ * async create(@Headers('x-user-id') keycloakId: string) {}
+ * ```
+ *
+ * Execution order:
+ *  1. BearerTokenGuard  — validates token is active (HTTP → Keycloak) → 401 on failure
+ *  2. RolesGuard        — checks roles from decoded JWT payload (local) → 403 on failure
+ */
+declare class BearerTokenGuard implements CanActivate {
+    private readonly keycloakClient?;
+    private readonly logger?;
+    constructor(keycloakClient?: KeycloakClientInterface, logger?: LoggerProviderInterface);
+    private log;
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+
 declare const KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
 declare const KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
 declare const KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
@@ -129,4 +156,4 @@ declare class KeycloakError extends Error {
     });
 }
 
-export { KEYCLOAK_CLIENT, KEYCLOAK_CONFIG, KEYCLOAK_HTTP_INTERCEPTOR, KEYCLOAK_PROVIDER, type KeycloakClientInterface, type KeycloakConfig, KeycloakError, KeycloakModule, type KeycloakProviderInterface, type KeycloakTokenResponse, Roles, RolesGuard };
+export { BearerTokenGuard, KEYCLOAK_CLIENT, KEYCLOAK_CONFIG, KEYCLOAK_HTTP_INTERCEPTOR, KEYCLOAK_PROVIDER, type KeycloakClientInterface, type KeycloakConfig, KeycloakError, KeycloakModule, type KeycloakProviderInterface, type KeycloakTokenResponse, Roles, RolesGuard };

package/dist/index.js

@@ -68,7 +68,7 @@ var require_base_app_error = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.BaseAppError = void 0;
-    var BaseAppError2 = class extends Error {
+    var BaseAppError3 = class extends Error {
       code;
       status;
       context;
@@ -83,7 +83,7 @@ var require_base_app_error = __commonJS({
         (_a = capturable.captureStackTrace) == null ? void 0 : _a.call(capturable, this, this.constructor);
       }
     };
-    exports2.BaseAppError = BaseAppError2;
+    exports2.BaseAppError = BaseAppError3;
   }
 });
 
@@ -268,6 +268,7 @@ var require_dist = __commonJS({
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  BearerTokenGuard: () => BearerTokenGuard,
   KEYCLOAK_CLIENT: () => KEYCLOAK_CLIENT,
   KEYCLOAK_CONFIG: () => KEYCLOAK_CONFIG,
   KEYCLOAK_HTTP_INTERCEPTOR: () => KEYCLOAK_HTTP_INTERCEPTOR,
@@ -280,16 +281,174 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 
 // src/keycloak.module.ts
-var import_common5 = require("@nestjs/common");
+var import_common6 = require("@nestjs/common");
 var import_core2 = require("@nestjs/core");
-var import_http_client2 = require("@adatechnology/http-client");
-var import_logger2 = require("@adatechnology/logger");
+var import_http_client3 = require("@adatechnology/http-client");
+var import_logger3 = require("@adatechnology/logger");
 var import_cache3 = require("@adatechnology/cache");
 
-// src/keycloak.client.ts
+// src/bearer-token.guard.ts
 var import_common = require("@nestjs/common");
-var import_http_client = require("@adatechnology/http-client");
 var import_logger = require("@adatechnology/logger");
+var import_http_client = require("@adatechnology/http-client");
+var import_shared = __toESM(require_dist());
+
+// src/keycloak.token.ts
+var KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
+var KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
+var KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
+var KEYCLOAK_PROVIDER = "KEYCLOAK_PROVIDER";
+
+// package.json
+var package_default = {
+  name: "@adatechnology/auth-keycloak",
+  version: "0.1.0",
+  publishConfig: {
+    access: "public"
+  },
+  main: "dist/index.js",
+  module: "dist/index.mjs",
+  types: "dist/index.d.ts",
+  files: [
+    "dist"
+  ],
+  scripts: {
+    build: "rm -rf dist && tsup",
+    "build:watch": "tsup --watch",
+    check: "tsc -p tsconfig.json --noEmit",
+    test: 'echo "no tests"'
+  },
+  dependencies: {
+    "@adatechnology/cache": "workspace:*",
+    "@adatechnology/http-client": "workspace:*",
+    "@adatechnology/logger": "workspace:*"
+  },
+  peerDependencies: {
+    "@nestjs/common": "^11.0.16",
+    "@nestjs/core": "^11"
+  },
+  devDependencies: {
+    "@adatechnology/shared": "workspace:*",
+    "@esbuild-plugins/tsconfig-paths": "^0.1.2",
+    tsup: "^8.5.1",
+    typescript: "^5.2.0"
+  }
+};
+
+// src/keycloak.constants.ts
+var LIB_NAME = package_default.name;
+var LIB_VERSION = package_default.version;
+var TOKEN_CACHE_KEY = "keycloak:access_token";
+var LOG_CONTEXT = {
+  KEYCLOAK_CLIENT: "KeycloakClient",
+  BEARER_TOKEN_GUARD: "BearerTokenGuard"
+};
+var HTTP_STATUS = {
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403
+};
+var BEARER_ERROR_CODE = {
+  MISSING_TOKEN: "UNAUTHORIZED_MISSING_TOKEN",
+  KEYCLOAK_NOT_CONFIGURED: "UNAUTHORIZED_KEYCLOAK_NOT_CONFIGURED",
+  TOKEN_VALIDATION_FAILED: "UNAUTHORIZED_TOKEN_VALIDATION_FAILED",
+  INACTIVE_TOKEN: "UNAUTHORIZED_INACTIVE_TOKEN"
+};
+var ROLES_ERROR_CODE = {
+  MISSING_TOKEN: "FORBIDDEN_MISSING_TOKEN",
+  INSUFFICIENT_ROLES: "FORBIDDEN_INSUFFICIENT_ROLES"
+};
+
+// src/bearer-token.guard.ts
+var BearerTokenGuard = class {
+  constructor(keycloakClient, logger) {
+    this.keycloakClient = keycloakClient;
+    this.logger = logger;
+  }
+  log(level, message, libMethod, meta) {
+    if (!this.logger) return;
+    const loggerCtx = (0, import_logger.getContext)();
+    const httpCtx = (0, import_http_client.getHttpRequestContext)();
+    const logContext = loggerCtx == null ? void 0 : loggerCtx.logContext;
+    const requestId = (loggerCtx == null ? void 0 : loggerCtx.requestId) ?? (httpCtx == null ? void 0 : httpCtx.requestId);
+    const source = (logContext == null ? void 0 : logContext.className) && (logContext == null ? void 0 : logContext.methodName) ? `${logContext.className}.${logContext.methodName}` : (httpCtx == null ? void 0 : httpCtx.className) && (httpCtx == null ? void 0 : httpCtx.methodName) ? `${httpCtx.className}.${httpCtx.methodName}` : void 0;
+    const payload = {
+      message,
+      context: LOG_CONTEXT.BEARER_TOKEN_GUARD,
+      lib: LIB_NAME,
+      libVersion: LIB_VERSION,
+      libMethod,
+      source,
+      requestId,
+      meta
+    };
+    if (level === "debug") this.logger.debug(payload);
+    else if (level === "info") this.logger.info(payload);
+    else if (level === "warn") this.logger.warn(payload);
+    else if (level === "error") this.logger.error(payload);
+  }
+  async canActivate(context) {
+    var _a, _b;
+    const method = "canActivate";
+    this.log("debug", `${method} - Start`, method);
+    const request = context.switchToHttp().getRequest();
+    const authorization = ((_a = request.headers) == null ? void 0 : _a.authorization) ?? ((_b = request.headers) == null ? void 0 : _b.Authorization);
+    if (!(authorization == null ? void 0 : authorization.startsWith("Bearer "))) {
+      this.log("warn", `${method} - Missing or invalid Authorization header`, method);
+      throw new import_shared.BaseAppError({
+        message: "Missing or invalid Authorization header",
+        status: HTTP_STATUS.UNAUTHORIZED,
+        code: BEARER_ERROR_CODE.MISSING_TOKEN,
+        context: {}
+      });
+    }
+    if (!this.keycloakClient) {
+      this.log("error", `${method} - Keycloak client not configured`, method);
+      throw new import_shared.BaseAppError({
+        message: "Keycloak client not configured",
+        status: HTTP_STATUS.UNAUTHORIZED,
+        code: BEARER_ERROR_CODE.KEYCLOAK_NOT_CONFIGURED,
+        context: {}
+      });
+    }
+    const token = authorization.slice(7);
+    let isValid;
+    try {
+      isValid = await this.keycloakClient.validateToken(token);
+    } catch (err) {
+      const detail = err instanceof Error ? err.message : String(err);
+      this.log("error", `${method} - Token validation failed`, method, { detail });
+      throw new import_shared.BaseAppError({
+        message: "Token validation failed",
+        status: HTTP_STATUS.UNAUTHORIZED,
+        code: BEARER_ERROR_CODE.TOKEN_VALIDATION_FAILED,
+        context: { detail }
+      });
+    }
+    if (!isValid) {
+      this.log("warn", `${method} - Inactive or expired token`, method);
+      throw new import_shared.BaseAppError({
+        message: "Inactive or expired token",
+        status: HTTP_STATUS.UNAUTHORIZED,
+        code: BEARER_ERROR_CODE.INACTIVE_TOKEN,
+        context: {}
+      });
+    }
+    this.log("debug", `${method} - Token valid`, method);
+    return true;
+  }
+};
+BearerTokenGuard = __decorateClass([
+  (0, import_common.Injectable)(),
+  __decorateParam(0, (0, import_common.Optional)()),
+  __decorateParam(0, (0, import_common.Inject)(KEYCLOAK_CLIENT)),
+  __decorateParam(1, (0, import_common.Optional)()),
+  __decorateParam(1, (0, import_common.Inject)(import_logger.LOGGER_PROVIDER))
+], BearerTokenGuard);
+
+// src/keycloak.client.ts
+var import_common2 = require("@nestjs/common");
+var import_http_client2 = require("@adatechnology/http-client");
+var import_logger2 = require("@adatechnology/logger");
 var import_cache = require("@adatechnology/cache");
 var import_cache2 = require("@adatechnology/cache");
 
@@ -309,9 +468,6 @@ var KeycloakError = class _KeycloakError extends Error {
 };
 
 // src/keycloak.client.ts
-var LIB_NAME = "@adatechnology/auth-keycloak";
-var LIB_VERSION = "0.0.7";
-var TOKEN_CACHE_KEY = "keycloak:access_token";
 function extractErrorInfo(err) {
   var _a, _b, _c, _d, _e;
   const statusCode = (err == null ? void 0 : err.status) ?? ((_a = err == null ? void 0 : err.response) == null ? void 0 : _a.status);
@@ -347,14 +503,14 @@ var KeycloakClient = class {
   tokenPromise = null;
   log(level, message, libMethod, meta) {
     if (!this.logger) return;
-    const loggerCtx = (0, import_logger.getContext)();
-    const httpCtx = (0, import_http_client.getHttpRequestContext)();
+    const loggerCtx = (0, import_logger2.getContext)();
+    const httpCtx = (0, import_http_client2.getHttpRequestContext)();
     const logContext = loggerCtx == null ? void 0 : loggerCtx.logContext;
     const requestId = (loggerCtx == null ? void 0 : loggerCtx.requestId) ?? (httpCtx == null ? void 0 : httpCtx.requestId);
     const source = (logContext == null ? void 0 : logContext.className) && (logContext == null ? void 0 : logContext.methodName) ? `${logContext.className}.${logContext.methodName}` : (httpCtx == null ? void 0 : httpCtx.className) && (httpCtx == null ? void 0 : httpCtx.methodName) ? `${httpCtx.className}.${httpCtx.methodName}` : void 0;
     const payload = {
       message,
-      context: "KeycloakClient",
+      context: LOG_CONTEXT.KEYCLOAK_CLIENT,
       lib: LIB_NAME,
       libVersion: LIB_VERSION,
       libMethod,
@@ -413,7 +569,7 @@ var KeycloakClient = class {
         data: body,
         config: {
           headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       this.log("info", `${method} - Success for user: ${username}`, method);
@@ -451,7 +607,7 @@ var KeycloakClient = class {
         data,
         config: {
           headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       this.log("debug", `${method} - Success`, method);
@@ -483,7 +639,7 @@ var KeycloakClient = class {
         data,
         config: {
           headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       const ttlSeconds = this.config.tokenCacheTtl ? Math.floor(this.config.tokenCacheTtl / 1e3) : response.data.expires_in - 60;
@@ -517,7 +673,7 @@ var KeycloakClient = class {
         data,
         config: {
           headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       const active = ((_a = response.data) == null ? void 0 : _a.active) === true;
@@ -542,7 +698,7 @@ var KeycloakClient = class {
         url: userInfoUrl,
         config: {
           headers: { Authorization: `Bearer ${token}` },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       this.log("debug", `${method} - Success`, method);
@@ -566,16 +722,16 @@ var KeycloakClient = class {
   }
 };
 KeycloakClient = __decorateClass([
-  (0, import_common.Injectable)(),
-  __decorateParam(1, (0, import_common.Inject)(import_http_client.HTTP_PROVIDER)),
-  __decorateParam(2, (0, import_common.Optional)()),
-  __decorateParam(2, (0, import_common.Inject)(import_logger.LOGGER_PROVIDER)),
-  __decorateParam(3, (0, import_common.Optional)()),
-  __decorateParam(3, (0, import_common.Inject)(import_cache2.CACHE_PROVIDER))
+  (0, import_common2.Injectable)(),
+  __decorateParam(1, (0, import_common2.Inject)(import_http_client2.HTTP_PROVIDER)),
+  __decorateParam(2, (0, import_common2.Optional)()),
+  __decorateParam(2, (0, import_common2.Inject)(import_logger2.LOGGER_PROVIDER)),
+  __decorateParam(3, (0, import_common2.Optional)()),
+  __decorateParam(3, (0, import_common2.Inject)(import_cache2.CACHE_PROVIDER))
 ], KeycloakClient);
 
 // src/keycloak.http.interceptor.ts
-var import_common2 = require("@nestjs/common");
+var import_common3 = require("@nestjs/common");
 var KeycloakHttpInterceptor = class {
   constructor() {
   }
@@ -587,15 +743,15 @@ var KeycloakHttpInterceptor = class {
   }
 };
 KeycloakHttpInterceptor = __decorateClass([
-  (0, import_common2.Injectable)()
+  (0, import_common3.Injectable)()
 ], KeycloakHttpInterceptor);
 
 // src/roles.guard.ts
-var import_common4 = require("@nestjs/common");
+var import_common5 = require("@nestjs/common");
 var import_core = require("@nestjs/core");
 
 // src/roles.decorator.ts
-var import_common3 = require("@nestjs/common");
+var import_common4 = require("@nestjs/common");
 var ROLES_META_KEY = "roles";
 function Roles(...args) {
   let payload;
@@ -609,17 +765,11 @@ function Roles(...args) {
   }
   payload.mode = payload.mode ?? "any";
   payload.type = payload.type ?? "both";
-  return (0, import_common3.SetMetadata)(ROLES_META_KEY, payload);
+  return (0, import_common4.SetMetadata)(ROLES_META_KEY, payload);
 }
 
-// src/keycloak.token.ts
-var KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
-var KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
-var KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
-var KEYCLOAK_PROVIDER = "KEYCLOAK_PROVIDER";
-
 // src/roles.guard.ts
-var import_shared = __toESM(require_dist());
+var import_shared2 = __toESM(require_dist());
 var RolesGuard = class {
   constructor(reflector, config) {
     this.reflector = reflector;
@@ -633,10 +783,10 @@ var RolesGuard = class {
     const authHeader = ((_a = req.headers) == null ? void 0 : _a.authorization) || ((_b = req.headers) == null ? void 0 : _b.Authorization);
     const token = authHeader ? String(authHeader).split(" ")[1] : (_c = req.query) == null ? void 0 : _c.token;
     if (!token)
-      throw new import_shared.BaseAppError({
+      throw new import_shared2.BaseAppError({
         message: "Authorization token not provided",
-        status: 403,
-        code: "FORBIDDEN_MISSING_TOKEN",
+        status: HTTP_STATUS.FORBIDDEN,
+        code: ROLES_ERROR_CODE.MISSING_TOKEN,
         context: {}
       });
     const payload = this.decodeJwtPayload(token);
@@ -663,10 +813,10 @@ var RolesGuard = class {
     const hasMatch = required.map((r) => availableRoles.has(r));
     const result = meta.mode === "all" ? hasMatch.every(Boolean) : hasMatch.some(Boolean);
     if (!result)
-      throw new import_shared.BaseAppError({
+      throw new import_shared2.BaseAppError({
         message: "Insufficient roles",
-        status: 403,
-        code: "FORBIDDEN_INSUFFICIENT_ROLES",
+        status: HTTP_STATUS.FORBIDDEN,
+        code: ROLES_ERROR_CODE.INSUFFICIENT_ROLES,
         context: { required }
       });
     return true;
@@ -686,10 +836,10 @@ var RolesGuard = class {
   }
 };
 RolesGuard = __decorateClass([
-  (0, import_common4.Injectable)(),
-  __decorateParam(0, (0, import_common4.Inject)(import_core.Reflector)),
-  __decorateParam(1, (0, import_common4.Optional)()),
-  __decorateParam(1, (0, import_common4.Inject)(KEYCLOAK_CONFIG))
+  (0, import_common5.Injectable)(),
+  __decorateParam(0, (0, import_common5.Inject)(import_core.Reflector)),
+  __decorateParam(1, (0, import_common5.Optional)()),
+  __decorateParam(1, (0, import_common5.Inject)(KEYCLOAK_CONFIG))
 ], RolesGuard);
 
 // src/keycloak.module.ts
@@ -699,7 +849,7 @@ var KeycloakModule = class {
       module: KeycloakModule,
       global: true,
       imports: [
-        import_http_client2.HttpModule.forRoot(
+        import_http_client3.HttpModule.forRoot(
           httpConfig || { baseURL: config.baseUrl, timeout: 5e3 },
           {
             logging: {
@@ -719,8 +869,8 @@ var KeycloakModule = class {
           useFactory: (cfg, httpProvider, logger, cacheProvider) => new KeycloakClient(cfg, httpProvider, logger, cacheProvider),
           inject: [
             KEYCLOAK_CONFIG,
-            import_http_client2.HTTP_PROVIDER,
-            { token: import_logger2.LOGGER_PROVIDER, optional: true },
+            import_http_client3.HTTP_PROVIDER,
+            { token: import_logger3.LOGGER_PROVIDER, optional: true },
             { token: import_cache3.CACHE_PROVIDER, optional: true }
           ]
         },
@@ -732,7 +882,8 @@ var KeycloakModule = class {
           provide: KEYCLOAK_HTTP_INTERCEPTOR,
           useFactory: () => new KeycloakHttpInterceptor()
         },
-        RolesGuard
+        RolesGuard,
+        BearerTokenGuard
       ],
       exports: [
         import_core2.Reflector,
@@ -740,16 +891,18 @@ var KeycloakModule = class {
         KEYCLOAK_PROVIDER,
         KEYCLOAK_HTTP_INTERCEPTOR,
         KEYCLOAK_CONFIG,
-        RolesGuard
+        RolesGuard,
+        BearerTokenGuard
       ]
     };
   }
 };
 KeycloakModule = __decorateClass([
-  (0, import_common5.Module)({})
+  (0, import_common6.Module)({})
 ], KeycloakModule);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  BearerTokenGuard,
   KEYCLOAK_CLIENT,
   KEYCLOAK_CONFIG,
   KEYCLOAK_HTTP_INTERCEPTOR,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adatechnology/auth-keycloak",
-  "version": "0.0.8",
+  "version": "0.1.0",
   "publishConfig": {
     "access": "public"
   },
@@ -11,9 +11,9 @@
     "dist"
   ],
   "dependencies": {
-    "@adatechnology/cache": "0.0.7",
-    "@adatechnology/http-client": "0.0.8",
-    "@adatechnology/logger": "0.0.6"
+    "@adatechnology/cache": "0.0.8",
+    "@adatechnology/http-client": "0.0.9",
+    "@adatechnology/logger": "0.0.7"
   },
   "peerDependencies": {
     "@nestjs/common": "^11.0.16",