@adatechnology/auth-keycloak 0.0.8 → 0.1.1

package/README.md

@@ -10,7 +10,8 @@ e um interceptor opcional. O módulo foi projetado para ser usado junto ao `@ada
 - `KeycloakModule` — módulo principal. Suporta `KeycloakModule.forRoot(config?)`.
 - `KEYCLOAK_CLIENT` — provider token para injetar o cliente Keycloak (`@Inject(KEYCLOAK_CLIENT)`).
 - `KEYCLOAK_HTTP_INTERCEPTOR` — provider token para injetar o interceptor (opcional).
-- `Roles` / `RolesGuard` — decorator e guard para autorização baseada em roles.
+- `BearerTokenGuard` — guard que valida o token Bearer via introspecção no Keycloak (401 em falha).
+- `Roles` / `RolesGuard` — decorator e guard para autorização baseada em roles (403 em falha).
 - `KeycloakError` — classe de erro tipada com `statusCode` e `details`.
 
 ### Instalação
@@ -128,6 +129,35 @@ Resultado no log:
 [MyController.getToken][InMemoryCacheProvider.set] → token cached
 ```
 
+### BearerTokenGuard — autenticação B2B via introspecção
+
+Valida que o header `Authorization: Bearer <token>` contém um token ativo chamando
+`POST /token/introspect` no Keycloak. Use sempre em conjunto com `RolesGuard` em rotas B2B.
+
+```ts
+import { Controller, Headers, Post, UseGuards } from "@nestjs/common";
+import { BearerTokenGuard, Roles, RolesGuard } from "@adatechnology/auth-keycloak";
+
+@Controller("orders")
+export class OrdersController {
+  @Post()
+  @Roles("manage-requests")
+  @UseGuards(BearerTokenGuard, RolesGuard)
+  create(@Headers("x-user-id") keycloakId: string) {}
+}
+```
+
+**Por que dois guards em sequência?**
+
+| Guard | Mecanismo | HTTP? | Falha |
+|---|---|---|---|
+| `BearerTokenGuard` | `POST /token/introspect` ao Keycloak | Sim | 401 — token inativo/expirado/forjado |
+| `RolesGuard` | Decode local do payload JWT | Não | 403 — permissão insuficiente |
+
+O `RolesGuard` sozinho **não é seguro** para autenticação: ele apenas decodifica o payload JWT
+sem verificar a assinatura, o que significa que um token forjado passaria. O `BearerTokenGuard`
+é quem garante autenticidade via introspecção.
+
 ### Autorização com @Roles
 
 ```ts

package/dist/index.d.ts

@@ -1,6 +1,7 @@
 import * as _nestjs_common from '@nestjs/common';
 import { DynamicModule, CanActivate, ExecutionContext } from '@nestjs/common';
 import { AxiosRequestConfig, AxiosInstance } from 'axios';
+import { LoggerProviderInterface } from '@adatechnology/logger';
 import { Reflector } from '@nestjs/core';
 
 /**
@@ -87,6 +88,32 @@ declare class KeycloakModule {
     static forRoot(config: KeycloakConfig, httpConfig?: AxiosRequestConfig | AxiosInstance): DynamicModule;
 }
 
+/**
+ * Guard that validates the Bearer token in the Authorization header via
+ * Keycloak token introspection (POST /token/introspect).
+ *
+ * Use together with RolesGuard for B2B (service-to-service) routes that trust
+ * an X-User-Id header injected by an upstream authenticated service:
+ *
+ * @example
+ * ```ts
+ * @Roles('manage-requests')
+ * @UseGuards(BearerTokenGuard, RolesGuard)
+ * async create(@Headers('x-user-id') keycloakId: string) {}
+ * ```
+ *
+ * Execution order:
+ *  1. BearerTokenGuard  — validates token is active (HTTP → Keycloak) → 401 on failure
+ *  2. RolesGuard        — checks roles from decoded JWT payload (local) → 403 on failure
+ */
+declare class BearerTokenGuard implements CanActivate {
+    private readonly keycloakClient?;
+    private readonly logger?;
+    constructor(keycloakClient?: KeycloakClientInterface, logger?: LoggerProviderInterface);
+    private log;
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+
 declare const KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
 declare const KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
 declare const KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
@@ -110,6 +137,23 @@ type RolesOptions = {
  */
 declare function Roles(...args: Array<string | string[] | RolesOptions>): _nestjs_common.CustomDecorator<string>;
 
+/**
+ * Guard that checks whether the current request has the required roles.
+ *
+ * Supports two auth paths transparently:
+ *
+ * 1. **Kong path** (user-facing, preferred):
+ *    Kong validates the token, removes Authorization, and injects:
+ *    - `X-User-Id`    — keycloak sub
+ *    - `X-User-Roles` — comma-separated realm roles
+ *    The guard reads roles from `X-User-Roles` header.
+ *
+ * 2. **B2B path** (service-to-service, e.g. BFF → API):
+ *    The caller sends a service account JWT in the Authorization header.
+ *    The guard decodes the JWT locally and reads `realm_access.roles`.
+ *
+ * Priority: Kong header → JWT fallback.
+ */
 declare class RolesGuard implements CanActivate {
     private readonly reflector;
     private readonly config?;
@@ -118,6 +162,104 @@ declare class RolesGuard implements CanActivate {
     private decodeJwtPayload;
 }
 
+/**
+ * B2B Guard — service-to-service routes (e.g. BFF → API, Worker → API).
+ *
+ * The caller must send a valid service account token (client_credentials)
+ * in the Authorization header. Delegates full token validation to
+ * BearerTokenGuard (Keycloak introspection).
+ *
+ * The caller is also expected to forward X-User-Id so the API knows which
+ * end-user context the call belongs to.
+ *
+ * Use for routes that are ONLY called by internal services, not by end users.
+ *
+ * @example
+ * ```ts
+ * @Post('internal/notify')
+ * @Roles('send-notifications')
+ * @UseGuards(B2BGuard, RolesGuard)
+ * async notify(@AuthUser() keycloakId: string) { ... }
+ * ```
+ */
+declare class B2BGuard implements CanActivate {
+    private readonly bearerTokenGuard;
+    constructor(bearerTokenGuard: BearerTokenGuard);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+
+/**
+ * B2C Guard — user-facing routes via Kong.
+ *
+ * Kong validated the JWT (JWKS local), removed the Authorization header,
+ * and injected X-User-Id + X-User-Roles. This guard simply asserts those
+ * headers are present — it does NOT re-validate any token.
+ *
+ * Use for routes that are ONLY called by end users through Kong.
+ *
+ * @example
+ * ```ts
+ * @Get('me')
+ * @Roles('user-manager')
+ * @UseGuards(B2CGuard, RolesGuard)
+ * async getMe(@AuthUser() keycloakId: string) { ... }
+ * ```
+ */
+declare class B2CGuard implements CanActivate {
+    canActivate(context: ExecutionContext): boolean;
+}
+
+/**
+ * ApiAuthGuard — composite guard for routes that accept both paths.
+ *
+ * Detects which path the request is coming from and delegates accordingly:
+ *
+ * - **B2B path** (Authorization header present):
+ *   Service-to-service call (e.g. BFF → API). Delegates to B2BGuard,
+ *   which validates the service account token via BearerTokenGuard.
+ *
+ * - **B2C path** (X-User-Id header present, no Authorization):
+ *   User call routed by Kong. Delegates to B2CGuard,
+ *   which asserts Kong identity headers are present.
+ *
+ * Use when the same route must be reachable both from Kong (users) and
+ * from internal services (BFF, Worker). If the route is exclusive to one
+ * path, prefer B2BGuard or B2CGuard directly for explicit intent.
+ *
+ * @example
+ * ```ts
+ * @Get('me')
+ * @Roles('user-manager')
+ * @UseGuards(ApiAuthGuard, RolesGuard)
+ * async getMe(@AuthUser() keycloakId: string) { ... }
+ * ```
+ */
+declare class ApiAuthGuard implements CanActivate {
+    private readonly b2bGuard;
+    private readonly b2cGuard;
+    constructor(b2bGuard: B2BGuard, b2cGuard: B2CGuard);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+
+/**
+ * Parameter decorator that extracts the authenticated user's Keycloak ID
+ * from the `X-User-Id` header injected by Kong after token validation.
+ *
+ * In the B2B path (service-to-service), the caller is responsible for
+ * forwarding the same header.
+ *
+ * @example
+ * ```ts
+ * @Get('me')
+ * @Roles('user-manager')
+ * @UseGuards(RolesGuard)
+ * async getMe(@AuthUser() keycloakId: string) {
+ *   return this.userService.getUserByKeycloakId(keycloakId);
+ * }
+ * ```
+ */
+declare const AuthUser: (...dataOrPipes: unknown[]) => ParameterDecorator;
+
 declare class KeycloakError extends Error {
     readonly statusCode?: number;
     readonly details?: unknown;
@@ -129,4 +271,4 @@ declare class KeycloakError extends Error {
     });
 }
 
-export { KEYCLOAK_CLIENT, KEYCLOAK_CONFIG, KEYCLOAK_HTTP_INTERCEPTOR, KEYCLOAK_PROVIDER, type KeycloakClientInterface, type KeycloakConfig, KeycloakError, KeycloakModule, type KeycloakProviderInterface, type KeycloakTokenResponse, Roles, RolesGuard };
+export { ApiAuthGuard, AuthUser, B2BGuard, B2CGuard, BearerTokenGuard, KEYCLOAK_CLIENT, KEYCLOAK_CONFIG, KEYCLOAK_HTTP_INTERCEPTOR, KEYCLOAK_PROVIDER, type KeycloakClientInterface, type KeycloakConfig, KeycloakError, KeycloakModule, type KeycloakProviderInterface, type KeycloakTokenResponse, Roles, RolesGuard };

package/dist/index.js

@@ -68,7 +68,7 @@ var require_base_app_error = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.BaseAppError = void 0;
-    var BaseAppError2 = class extends Error {
+    var BaseAppError5 = class extends Error {
       code;
       status;
       context;
@@ -83,7 +83,7 @@ var require_base_app_error = __commonJS({
         (_a = capturable.captureStackTrace) == null ? void 0 : _a.call(capturable, this, this.constructor);
       }
     };
-    exports2.BaseAppError = BaseAppError2;
+    exports2.BaseAppError = BaseAppError5;
   }
 });
 
@@ -268,6 +268,11 @@ var require_dist = __commonJS({
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  ApiAuthGuard: () => ApiAuthGuard,
+  AuthUser: () => AuthUser,
+  B2BGuard: () => B2BGuard,
+  B2CGuard: () => B2CGuard,
+  BearerTokenGuard: () => BearerTokenGuard,
   KEYCLOAK_CLIENT: () => KEYCLOAK_CLIENT,
   KEYCLOAK_CONFIG: () => KEYCLOAK_CONFIG,
   KEYCLOAK_HTTP_INTERCEPTOR: () => KEYCLOAK_HTTP_INTERCEPTOR,
@@ -280,16 +285,174 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 
 // src/keycloak.module.ts
-var import_common5 = require("@nestjs/common");
+var import_common6 = require("@nestjs/common");
 var import_core2 = require("@nestjs/core");
-var import_http_client2 = require("@adatechnology/http-client");
-var import_logger2 = require("@adatechnology/logger");
+var import_http_client3 = require("@adatechnology/http-client");
+var import_logger3 = require("@adatechnology/logger");
 var import_cache3 = require("@adatechnology/cache");
 
-// src/keycloak.client.ts
+// src/bearer-token.guard.ts
 var import_common = require("@nestjs/common");
-var import_http_client = require("@adatechnology/http-client");
 var import_logger = require("@adatechnology/logger");
+var import_http_client = require("@adatechnology/http-client");
+var import_shared = __toESM(require_dist());
+
+// src/keycloak.token.ts
+var KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
+var KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
+var KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
+var KEYCLOAK_PROVIDER = "KEYCLOAK_PROVIDER";
+
+// package.json
+var package_default = {
+  name: "@adatechnology/auth-keycloak",
+  version: "0.1.1",
+  publishConfig: {
+    access: "public"
+  },
+  main: "dist/index.js",
+  module: "dist/index.mjs",
+  types: "dist/index.d.ts",
+  files: [
+    "dist"
+  ],
+  scripts: {
+    build: "rm -rf dist && tsup",
+    "build:watch": "tsup --watch",
+    check: "tsc -p tsconfig.json --noEmit",
+    test: 'echo "no tests"'
+  },
+  dependencies: {
+    "@adatechnology/cache": "workspace:*",
+    "@adatechnology/http-client": "workspace:*",
+    "@adatechnology/logger": "workspace:*"
+  },
+  peerDependencies: {
+    "@nestjs/common": "^11.0.16",
+    "@nestjs/core": "^11"
+  },
+  devDependencies: {
+    "@adatechnology/shared": "workspace:*",
+    "@esbuild-plugins/tsconfig-paths": "^0.1.2",
+    tsup: "^8.5.1",
+    typescript: "^5.2.0"
+  }
+};
+
+// src/keycloak.constants.ts
+var LIB_NAME = package_default.name;
+var LIB_VERSION = package_default.version;
+var TOKEN_CACHE_KEY = "keycloak:access_token";
+var LOG_CONTEXT = {
+  KEYCLOAK_CLIENT: "KeycloakClient",
+  BEARER_TOKEN_GUARD: "BearerTokenGuard"
+};
+var HTTP_STATUS = {
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403
+};
+var BEARER_ERROR_CODE = {
+  MISSING_TOKEN: "UNAUTHORIZED_MISSING_TOKEN",
+  KEYCLOAK_NOT_CONFIGURED: "UNAUTHORIZED_KEYCLOAK_NOT_CONFIGURED",
+  TOKEN_VALIDATION_FAILED: "UNAUTHORIZED_TOKEN_VALIDATION_FAILED",
+  INACTIVE_TOKEN: "UNAUTHORIZED_INACTIVE_TOKEN"
+};
+var ROLES_ERROR_CODE = {
+  MISSING_TOKEN: "FORBIDDEN_MISSING_TOKEN",
+  INSUFFICIENT_ROLES: "FORBIDDEN_INSUFFICIENT_ROLES"
+};
+
+// src/bearer-token.guard.ts
+var BearerTokenGuard = class {
+  constructor(keycloakClient, logger) {
+    this.keycloakClient = keycloakClient;
+    this.logger = logger;
+  }
+  log(level, message, libMethod, meta) {
+    if (!this.logger) return;
+    const loggerCtx = (0, import_logger.getContext)();
+    const httpCtx = (0, import_http_client.getHttpRequestContext)();
+    const logContext = loggerCtx == null ? void 0 : loggerCtx.logContext;
+    const requestId = (loggerCtx == null ? void 0 : loggerCtx.requestId) ?? (httpCtx == null ? void 0 : httpCtx.requestId);
+    const source = (logContext == null ? void 0 : logContext.className) && (logContext == null ? void 0 : logContext.methodName) ? `${logContext.className}.${logContext.methodName}` : (httpCtx == null ? void 0 : httpCtx.className) && (httpCtx == null ? void 0 : httpCtx.methodName) ? `${httpCtx.className}.${httpCtx.methodName}` : void 0;
+    const payload = {
+      message,
+      context: LOG_CONTEXT.BEARER_TOKEN_GUARD,
+      lib: LIB_NAME,
+      libVersion: LIB_VERSION,
+      libMethod,
+      source,
+      requestId,
+      meta
+    };
+    if (level === "debug") this.logger.debug(payload);
+    else if (level === "info") this.logger.info(payload);
+    else if (level === "warn") this.logger.warn(payload);
+    else if (level === "error") this.logger.error(payload);
+  }
+  async canActivate(context) {
+    var _a, _b;
+    const method = "canActivate";
+    this.log("debug", `${method} - Start`, method);
+    const request = context.switchToHttp().getRequest();
+    const authorization = ((_a = request.headers) == null ? void 0 : _a.authorization) ?? ((_b = request.headers) == null ? void 0 : _b.Authorization);
+    if (!(authorization == null ? void 0 : authorization.startsWith("Bearer "))) {
+      this.log("warn", `${method} - Missing or invalid Authorization header`, method);
+      throw new import_shared.BaseAppError({
+        message: "Missing or invalid Authorization header",
+        status: HTTP_STATUS.UNAUTHORIZED,
+        code: BEARER_ERROR_CODE.MISSING_TOKEN,
+        context: {}
+      });
+    }
+    if (!this.keycloakClient) {
+      this.log("error", `${method} - Keycloak client not configured`, method);
+      throw new import_shared.BaseAppError({
+        message: "Keycloak client not configured",
+        status: HTTP_STATUS.UNAUTHORIZED,
+        code: BEARER_ERROR_CODE.KEYCLOAK_NOT_CONFIGURED,
+        context: {}
+      });
+    }
+    const token = authorization.slice(7);
+    let isValid;
+    try {
+      isValid = await this.keycloakClient.validateToken(token);
+    } catch (err) {
+      const detail = err instanceof Error ? err.message : String(err);
+      this.log("error", `${method} - Token validation failed`, method, { detail });
+      throw new import_shared.BaseAppError({
+        message: "Token validation failed",
+        status: HTTP_STATUS.UNAUTHORIZED,
+        code: BEARER_ERROR_CODE.TOKEN_VALIDATION_FAILED,
+        context: { detail }
+      });
+    }
+    if (!isValid) {
+      this.log("warn", `${method} - Inactive or expired token`, method);
+      throw new import_shared.BaseAppError({
+        message: "Inactive or expired token",
+        status: HTTP_STATUS.UNAUTHORIZED,
+        code: BEARER_ERROR_CODE.INACTIVE_TOKEN,
+        context: {}
+      });
+    }
+    this.log("debug", `${method} - Token valid`, method);
+    return true;
+  }
+};
+BearerTokenGuard = __decorateClass([
+  (0, import_common.Injectable)(),
+  __decorateParam(0, (0, import_common.Optional)()),
+  __decorateParam(0, (0, import_common.Inject)(KEYCLOAK_CLIENT)),
+  __decorateParam(1, (0, import_common.Optional)()),
+  __decorateParam(1, (0, import_common.Inject)(import_logger.LOGGER_PROVIDER))
+], BearerTokenGuard);
+
+// src/keycloak.client.ts
+var import_common2 = require("@nestjs/common");
+var import_http_client2 = require("@adatechnology/http-client");
+var import_logger2 = require("@adatechnology/logger");
 var import_cache = require("@adatechnology/cache");
 var import_cache2 = require("@adatechnology/cache");
 
@@ -309,9 +472,6 @@ var KeycloakError = class _KeycloakError extends Error {
 };
 
 // src/keycloak.client.ts
-var LIB_NAME = "@adatechnology/auth-keycloak";
-var LIB_VERSION = "0.0.7";
-var TOKEN_CACHE_KEY = "keycloak:access_token";
 function extractErrorInfo(err) {
   var _a, _b, _c, _d, _e;
   const statusCode = (err == null ? void 0 : err.status) ?? ((_a = err == null ? void 0 : err.response) == null ? void 0 : _a.status);
@@ -347,14 +507,14 @@ var KeycloakClient = class {
   tokenPromise = null;
   log(level, message, libMethod, meta) {
     if (!this.logger) return;
-    const loggerCtx = (0, import_logger.getContext)();
-    const httpCtx = (0, import_http_client.getHttpRequestContext)();
+    const loggerCtx = (0, import_logger2.getContext)();
+    const httpCtx = (0, import_http_client2.getHttpRequestContext)();
     const logContext = loggerCtx == null ? void 0 : loggerCtx.logContext;
     const requestId = (loggerCtx == null ? void 0 : loggerCtx.requestId) ?? (httpCtx == null ? void 0 : httpCtx.requestId);
     const source = (logContext == null ? void 0 : logContext.className) && (logContext == null ? void 0 : logContext.methodName) ? `${logContext.className}.${logContext.methodName}` : (httpCtx == null ? void 0 : httpCtx.className) && (httpCtx == null ? void 0 : httpCtx.methodName) ? `${httpCtx.className}.${httpCtx.methodName}` : void 0;
     const payload = {
       message,
-      context: "KeycloakClient",
+      context: LOG_CONTEXT.KEYCLOAK_CLIENT,
       lib: LIB_NAME,
       libVersion: LIB_VERSION,
       libMethod,
@@ -413,7 +573,7 @@ var KeycloakClient = class {
         data: body,
         config: {
           headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       this.log("info", `${method} - Success for user: ${username}`, method);
@@ -451,7 +611,7 @@ var KeycloakClient = class {
         data,
         config: {
           headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       this.log("debug", `${method} - Success`, method);
@@ -483,7 +643,7 @@ var KeycloakClient = class {
         data,
         config: {
           headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       const ttlSeconds = this.config.tokenCacheTtl ? Math.floor(this.config.tokenCacheTtl / 1e3) : response.data.expires_in - 60;
@@ -517,7 +677,7 @@ var KeycloakClient = class {
         data,
         config: {
           headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       const active = ((_a = response.data) == null ? void 0 : _a.active) === true;
@@ -542,7 +702,7 @@ var KeycloakClient = class {
         url: userInfoUrl,
         config: {
           headers: { Authorization: `Bearer ${token}` },
-          logContext: { className: "KeycloakClient", methodName: method }
+          logContext: { className: LOG_CONTEXT.KEYCLOAK_CLIENT, methodName: method }
         }
       });
       this.log("debug", `${method} - Success`, method);
@@ -566,16 +726,16 @@ var KeycloakClient = class {
   }
 };
 KeycloakClient = __decorateClass([
-  (0, import_common.Injectable)(),
-  __decorateParam(1, (0, import_common.Inject)(import_http_client.HTTP_PROVIDER)),
-  __decorateParam(2, (0, import_common.Optional)()),
-  __decorateParam(2, (0, import_common.Inject)(import_logger.LOGGER_PROVIDER)),
-  __decorateParam(3, (0, import_common.Optional)()),
-  __decorateParam(3, (0, import_common.Inject)(import_cache2.CACHE_PROVIDER))
+  (0, import_common2.Injectable)(),
+  __decorateParam(1, (0, import_common2.Inject)(import_http_client2.HTTP_PROVIDER)),
+  __decorateParam(2, (0, import_common2.Optional)()),
+  __decorateParam(2, (0, import_common2.Inject)(import_logger2.LOGGER_PROVIDER)),
+  __decorateParam(3, (0, import_common2.Optional)()),
+  __decorateParam(3, (0, import_common2.Inject)(import_cache2.CACHE_PROVIDER))
 ], KeycloakClient);
 
 // src/keycloak.http.interceptor.ts
-var import_common2 = require("@nestjs/common");
+var import_common3 = require("@nestjs/common");
 var KeycloakHttpInterceptor = class {
   constructor() {
   }
@@ -587,15 +747,15 @@ var KeycloakHttpInterceptor = class {
   }
 };
 KeycloakHttpInterceptor = __decorateClass([
-  (0, import_common2.Injectable)()
+  (0, import_common3.Injectable)()
 ], KeycloakHttpInterceptor);
 
 // src/roles.guard.ts
-var import_common4 = require("@nestjs/common");
+var import_common5 = require("@nestjs/common");
 var import_core = require("@nestjs/core");
 
 // src/roles.decorator.ts
-var import_common3 = require("@nestjs/common");
+var import_common4 = require("@nestjs/common");
 var ROLES_META_KEY = "roles";
 function Roles(...args) {
   let payload;
@@ -609,66 +769,65 @@ function Roles(...args) {
   }
   payload.mode = payload.mode ?? "any";
   payload.type = payload.type ?? "both";
-  return (0, import_common3.SetMetadata)(ROLES_META_KEY, payload);
+  return (0, import_common4.SetMetadata)(ROLES_META_KEY, payload);
 }
 
-// src/keycloak.token.ts
-var KEYCLOAK_CONFIG = "KEYCLOAK_CONFIG";
-var KEYCLOAK_CLIENT = "KEYCLOAK_CLIENT";
-var KEYCLOAK_HTTP_INTERCEPTOR = "KEYCLOAK_HTTP_INTERCEPTOR";
-var KEYCLOAK_PROVIDER = "KEYCLOAK_PROVIDER";
-
 // src/roles.guard.ts
-var import_shared = __toESM(require_dist());
+var import_shared2 = __toESM(require_dist());
 var RolesGuard = class {
   constructor(reflector, config) {
     this.reflector = reflector;
     this.config = config;
   }
   canActivate(context) {
-    var _a, _b, _c, _d, _e, _f, _g, _h;
+    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j;
     const meta = this.reflector.get(ROLES_META_KEY, context.getHandler()) || this.reflector.get(ROLES_META_KEY, context.getClass());
     if (!meta || !meta.roles || meta.roles.length === 0) return true;
     const req = context.switchToHttp().getRequest();
-    const authHeader = ((_a = req.headers) == null ? void 0 : _a.authorization) || ((_b = req.headers) == null ? void 0 : _b.Authorization);
-    const token = authHeader ? String(authHeader).split(" ")[1] : (_c = req.query) == null ? void 0 : _c.token;
-    if (!token)
-      throw new import_shared.BaseAppError({
-        message: "Authorization token not provided",
-        status: 403,
-        code: "FORBIDDEN_MISSING_TOKEN",
-        context: {}
-      });
-    const payload = this.decodeJwtPayload(token);
+    const required = meta.roles;
     const availableRoles = /* @__PURE__ */ new Set();
-    if (((_d = payload == null ? void 0 : payload.realm_access) == null ? void 0 : _d.roles) && Array.isArray(payload.realm_access.roles)) {
-      payload.realm_access.roles.forEach((r) => availableRoles.add(r));
-    }
-    const clientId = (_f = (_e = this.config) == null ? void 0 : _e.credentials) == null ? void 0 : _f.clientId;
-    if (clientId && ((_h = (_g = payload == null ? void 0 : payload.resource_access) == null ? void 0 : _g[clientId]) == null ? void 0 : _h.roles)) {
-      payload.resource_access[clientId].roles.forEach(
-        (r) => availableRoles.add(r)
-      );
-    }
-    if (meta.type === "both" && (payload == null ? void 0 : payload.resource_access)) {
-      Object.values(payload.resource_access).forEach((entry) => {
-        if ((entry == null ? void 0 : entry.roles) && Array.isArray(entry.roles)) {
-          entry.roles.forEach(
-            (r) => availableRoles.add(r)
-          );
-        }
-      });
+    const kongRolesHeader = ((_a = req.headers) == null ? void 0 : _a["x-user-roles"]) || ((_b = req.headers) == null ? void 0 : _b["X-User-Roles"]);
+    if (kongRolesHeader) {
+      kongRolesHeader.split(",").map((r) => r.trim()).filter(Boolean).forEach((r) => availableRoles.add(r));
+    } else {
+      const authHeader = ((_c = req.headers) == null ? void 0 : _c.authorization) || ((_d = req.headers) == null ? void 0 : _d.Authorization);
+      const token = authHeader ? String(authHeader).split(" ")[1] : (_e = req.query) == null ? void 0 : _e.token;
+      if (!token) {
+        throw new import_shared2.BaseAppError({
+          message: "Authorization token not provided",
+          status: HTTP_STATUS.FORBIDDEN,
+          code: ROLES_ERROR_CODE.MISSING_TOKEN,
+          context: {}
+        });
+      }
+      const payload = this.decodeJwtPayload(token);
+      if (((_f = payload == null ? void 0 : payload.realm_access) == null ? void 0 : _f.roles) && Array.isArray(payload.realm_access.roles)) {
+        payload.realm_access.roles.forEach((r) => availableRoles.add(r));
+      }
+      const clientId = (_h = (_g = this.config) == null ? void 0 : _g.credentials) == null ? void 0 : _h.clientId;
+      if (clientId && ((_j = (_i = payload == null ? void 0 : payload.resource_access) == null ? void 0 : _i[clientId]) == null ? void 0 : _j.roles)) {
+        payload.resource_access[clientId].roles.forEach(
+          (r) => availableRoles.add(r)
+        );
+      }
+      if (meta.type === "both" && (payload == null ? void 0 : payload.resource_access)) {
+        Object.values(payload.resource_access).forEach((entry) => {
+          if ((entry == null ? void 0 : entry.roles) && Array.isArray(entry.roles)) {
+            entry.roles.forEach((r) => availableRoles.add(r));
+          }
+        });
+      }
     }
-    const required = meta.roles || [];
     const hasMatch = required.map((r) => availableRoles.has(r));
     const result = meta.mode === "all" ? hasMatch.every(Boolean) : hasMatch.some(Boolean);
-    if (!result)
-      throw new import_shared.BaseAppError({
+    if (!result) {
+      throw new import_shared2.BaseAppError({
         message: "Insufficient roles",
-        status: 403,
-        code: "FORBIDDEN_INSUFFICIENT_ROLES",
+        status: HTTP_STATUS.FORBIDDEN,
+        code: ROLES_ERROR_CODE.INSUFFICIENT_ROLES,
         context: { required }
       });
+    }
     return true;
   }
   decodeJwtPayload(token) {
@@ -680,16 +839,16 @@ var RolesGuard = class {
       if (!BufferCtor) return {};
       const decoded = BufferCtor.from(payload, "base64").toString("utf8");
       return JSON.parse(decoded);
-    } catch (e) {
+    } catch {
       return {};
     }
   }
 };
 RolesGuard = __decorateClass([
-  (0, import_common4.Injectable)(),
-  __decorateParam(0, (0, import_common4.Inject)(import_core.Reflector)),
-  __decorateParam(1, (0, import_common4.Optional)()),
-  __decorateParam(1, (0, import_common4.Inject)(KEYCLOAK_CONFIG))
+  (0, import_common5.Injectable)(),
+  __decorateParam(0, (0, import_common5.Inject)(import_core.Reflector)),
+  __decorateParam(1, (0, import_common5.Optional)()),
+  __decorateParam(1, (0, import_common5.Inject)(KEYCLOAK_CONFIG))
 ], RolesGuard);
 
 // src/keycloak.module.ts
@@ -699,7 +858,7 @@ var KeycloakModule = class {
       module: KeycloakModule,
       global: true,
       imports: [
-        import_http_client2.HttpModule.forRoot(
+        import_http_client3.HttpModule.forRoot(
           httpConfig || { baseURL: config.baseUrl, timeout: 5e3 },
           {
             logging: {
@@ -719,8 +878,8 @@ var KeycloakModule = class {
           useFactory: (cfg, httpProvider, logger, cacheProvider) => new KeycloakClient(cfg, httpProvider, logger, cacheProvider),
           inject: [
             KEYCLOAK_CONFIG,
-            import_http_client2.HTTP_PROVIDER,
-            { token: import_logger2.LOGGER_PROVIDER, optional: true },
+            import_http_client3.HTTP_PROVIDER,
+            { token: import_logger3.LOGGER_PROVIDER, optional: true },
             { token: import_cache3.CACHE_PROVIDER, optional: true }
           ]
         },
@@ -732,7 +891,8 @@ var KeycloakModule = class {
           provide: KEYCLOAK_HTTP_INTERCEPTOR,
           useFactory: () => new KeycloakHttpInterceptor()
         },
-        RolesGuard
+        RolesGuard,
+        BearerTokenGuard
       ],
       exports: [
         import_core2.Reflector,
@@ -740,16 +900,99 @@ var KeycloakModule = class {
         KEYCLOAK_PROVIDER,
         KEYCLOAK_HTTP_INTERCEPTOR,
         KEYCLOAK_CONFIG,
-        RolesGuard
+        RolesGuard,
+        BearerTokenGuard
       ]
     };
   }
 };
 KeycloakModule = __decorateClass([
-  (0, import_common5.Module)({})
+  (0, import_common6.Module)({})
 ], KeycloakModule);
+
+// src/b2b.guard.ts
+var import_common7 = require("@nestjs/common");
+var B2BGuard = class {
+  constructor(bearerTokenGuard) {
+    this.bearerTokenGuard = bearerTokenGuard;
+  }
+  canActivate(context) {
+    return Promise.resolve(this.bearerTokenGuard.canActivate(context));
+  }
+};
+B2BGuard = __decorateClass([
+  (0, import_common7.Injectable)()
+], B2BGuard);
+
+// src/b2c.guard.ts
+var import_common8 = require("@nestjs/common");
+var import_shared3 = __toESM(require_dist());
+var B2CGuard = class {
+  canActivate(context) {
+    var _a, _b;
+    const request = context.switchToHttp().getRequest();
+    const userId = ((_a = request.headers) == null ? void 0 : _a["x-user-id"]) ?? ((_b = request.headers) == null ? void 0 : _b["X-User-Id"]);
+    if (userId) return true;
+    throw new import_shared3.BaseAppError({
+      message: "Missing Kong identity headers (X-User-Id). Route requires user authentication via Kong.",
+      status: HTTP_STATUS.UNAUTHORIZED,
+      code: BEARER_ERROR_CODE.MISSING_TOKEN,
+      context: {}
+    });
+  }
+};
+B2CGuard = __decorateClass([
+  (0, import_common8.Injectable)()
+], B2CGuard);
+
+// src/api-auth.guard.ts
+var import_common9 = require("@nestjs/common");
+var import_shared4 = __toESM(require_dist());
+var ApiAuthGuard = class {
+  constructor(b2bGuard, b2cGuard) {
+    this.b2bGuard = b2bGuard;
+    this.b2cGuard = b2cGuard;
+  }
+  async canActivate(context) {
+    var _a, _b, _c, _d;
+    const request = context.switchToHttp().getRequest();
+    const authHeader = ((_a = request.headers) == null ? void 0 : _a.authorization) ?? ((_b = request.headers) == null ? void 0 : _b.Authorization);
+    if (authHeader == null ? void 0 : authHeader.toLowerCase().startsWith("bearer ")) {
+      return this.b2bGuard.canActivate(context);
+    }
+    const userId = ((_c = request.headers) == null ? void 0 : _c["x-user-id"]) ?? ((_d = request.headers) == null ? void 0 : _d["X-User-Id"]);
+    if (userId) {
+      return this.b2cGuard.canActivate(context);
+    }
+    throw new import_shared4.BaseAppError({
+      message: "Unauthorized: missing Authorization header (B2B) or Kong identity headers (B2C)",
+      status: HTTP_STATUS.UNAUTHORIZED,
+      code: BEARER_ERROR_CODE.MISSING_TOKEN,
+      context: {}
+    });
+  }
+};
+ApiAuthGuard = __decorateClass([
+  (0, import_common9.Injectable)()
+], ApiAuthGuard);
+
+// src/auth-user.decorator.ts
+var import_common10 = require("@nestjs/common");
+var AuthUser = (0, import_common10.createParamDecorator)(
+  (_data, ctx) => {
+    var _a, _b;
+    const request = ctx.switchToHttp().getRequest();
+    const raw = ((_a = request.headers) == null ? void 0 : _a["x-user-id"]) ?? ((_b = request.headers) == null ? void 0 : _b["X-User-Id"]);
+    return Array.isArray(raw) ? raw[0] : raw ?? "";
+  }
+);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  ApiAuthGuard,
+  AuthUser,
+  B2BGuard,
+  B2CGuard,
+  BearerTokenGuard,
   KEYCLOAK_CLIENT,
   KEYCLOAK_CONFIG,
   KEYCLOAK_HTTP_INTERCEPTOR,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adatechnology/auth-keycloak",
-  "version": "0.0.8",
+  "version": "0.1.1",
   "publishConfig": {
     "access": "public"
   },
@@ -11,9 +11,9 @@
     "dist"
   ],
   "dependencies": {
-    "@adatechnology/cache": "0.0.7",
-    "@adatechnology/http-client": "0.0.8",
-    "@adatechnology/logger": "0.0.6"
+    "@adatechnology/cache": "0.0.8",
+    "@adatechnology/http-client": "0.0.9",
+    "@adatechnology/logger": "0.0.7"
   },
   "peerDependencies": {
     "@nestjs/common": "^11.0.16",