@adatechnology/auth-keycloak 0.1.0 → 0.1.1

package/dist/index.d.ts

@@ -137,6 +137,23 @@ type RolesOptions = {
  */
 declare function Roles(...args: Array<string | string[] | RolesOptions>): _nestjs_common.CustomDecorator<string>;
 
+/**
+ * Guard that checks whether the current request has the required roles.
+ *
+ * Supports two auth paths transparently:
+ *
+ * 1. **Kong path** (user-facing, preferred):
+ *    Kong validates the token, removes Authorization, and injects:
+ *    - `X-User-Id`    — keycloak sub
+ *    - `X-User-Roles` — comma-separated realm roles
+ *    The guard reads roles from `X-User-Roles` header.
+ *
+ * 2. **B2B path** (service-to-service, e.g. BFF → API):
+ *    The caller sends a service account JWT in the Authorization header.
+ *    The guard decodes the JWT locally and reads `realm_access.roles`.
+ *
+ * Priority: Kong header → JWT fallback.
+ */
 declare class RolesGuard implements CanActivate {
     private readonly reflector;
     private readonly config?;
@@ -145,6 +162,104 @@ declare class RolesGuard implements CanActivate {
     private decodeJwtPayload;
 }
 
+/**
+ * B2B Guard — service-to-service routes (e.g. BFF → API, Worker → API).
+ *
+ * The caller must send a valid service account token (client_credentials)
+ * in the Authorization header. Delegates full token validation to
+ * BearerTokenGuard (Keycloak introspection).
+ *
+ * The caller is also expected to forward X-User-Id so the API knows which
+ * end-user context the call belongs to.
+ *
+ * Use for routes that are ONLY called by internal services, not by end users.
+ *
+ * @example
+ * ```ts
+ * @Post('internal/notify')
+ * @Roles('send-notifications')
+ * @UseGuards(B2BGuard, RolesGuard)
+ * async notify(@AuthUser() keycloakId: string) { ... }
+ * ```
+ */
+declare class B2BGuard implements CanActivate {
+    private readonly bearerTokenGuard;
+    constructor(bearerTokenGuard: BearerTokenGuard);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+
+/**
+ * B2C Guard — user-facing routes via Kong.
+ *
+ * Kong validated the JWT (JWKS local), removed the Authorization header,
+ * and injected X-User-Id + X-User-Roles. This guard simply asserts those
+ * headers are present — it does NOT re-validate any token.
+ *
+ * Use for routes that are ONLY called by end users through Kong.
+ *
+ * @example
+ * ```ts
+ * @Get('me')
+ * @Roles('user-manager')
+ * @UseGuards(B2CGuard, RolesGuard)
+ * async getMe(@AuthUser() keycloakId: string) { ... }
+ * ```
+ */
+declare class B2CGuard implements CanActivate {
+    canActivate(context: ExecutionContext): boolean;
+}
+
+/**
+ * ApiAuthGuard — composite guard for routes that accept both paths.
+ *
+ * Detects which path the request is coming from and delegates accordingly:
+ *
+ * - **B2B path** (Authorization header present):
+ *   Service-to-service call (e.g. BFF → API). Delegates to B2BGuard,
+ *   which validates the service account token via BearerTokenGuard.
+ *
+ * - **B2C path** (X-User-Id header present, no Authorization):
+ *   User call routed by Kong. Delegates to B2CGuard,
+ *   which asserts Kong identity headers are present.
+ *
+ * Use when the same route must be reachable both from Kong (users) and
+ * from internal services (BFF, Worker). If the route is exclusive to one
+ * path, prefer B2BGuard or B2CGuard directly for explicit intent.
+ *
+ * @example
+ * ```ts
+ * @Get('me')
+ * @Roles('user-manager')
+ * @UseGuards(ApiAuthGuard, RolesGuard)
+ * async getMe(@AuthUser() keycloakId: string) { ... }
+ * ```
+ */
+declare class ApiAuthGuard implements CanActivate {
+    private readonly b2bGuard;
+    private readonly b2cGuard;
+    constructor(b2bGuard: B2BGuard, b2cGuard: B2CGuard);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+
+/**
+ * Parameter decorator that extracts the authenticated user's Keycloak ID
+ * from the `X-User-Id` header injected by Kong after token validation.
+ *
+ * In the B2B path (service-to-service), the caller is responsible for
+ * forwarding the same header.
+ *
+ * @example
+ * ```ts
+ * @Get('me')
+ * @Roles('user-manager')
+ * @UseGuards(RolesGuard)
+ * async getMe(@AuthUser() keycloakId: string) {
+ *   return this.userService.getUserByKeycloakId(keycloakId);
+ * }
+ * ```
+ */
+declare const AuthUser: (...dataOrPipes: unknown[]) => ParameterDecorator;
+
 declare class KeycloakError extends Error {
     readonly statusCode?: number;
     readonly details?: unknown;
@@ -156,4 +271,4 @@ declare class KeycloakError extends Error {
     });
 }
 
-export { BearerTokenGuard, KEYCLOAK_CLIENT, KEYCLOAK_CONFIG, KEYCLOAK_HTTP_INTERCEPTOR, KEYCLOAK_PROVIDER, type KeycloakClientInterface, type KeycloakConfig, KeycloakError, KeycloakModule, type KeycloakProviderInterface, type KeycloakTokenResponse, Roles, RolesGuard };
+export { ApiAuthGuard, AuthUser, B2BGuard, B2CGuard, BearerTokenGuard, KEYCLOAK_CLIENT, KEYCLOAK_CONFIG, KEYCLOAK_HTTP_INTERCEPTOR, KEYCLOAK_PROVIDER, type KeycloakClientInterface, type KeycloakConfig, KeycloakError, KeycloakModule, type KeycloakProviderInterface, type KeycloakTokenResponse, Roles, RolesGuard };

package/dist/index.js

@@ -68,7 +68,7 @@ var require_base_app_error = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.BaseAppError = void 0;
-    var BaseAppError3 = class extends Error {
+    var BaseAppError5 = class extends Error {
       code;
       status;
       context;
@@ -83,7 +83,7 @@ var require_base_app_error = __commonJS({
         (_a = capturable.captureStackTrace) == null ? void 0 : _a.call(capturable, this, this.constructor);
       }
     };
-    exports2.BaseAppError = BaseAppError3;
+    exports2.BaseAppError = BaseAppError5;
   }
 });
 
@@ -268,6 +268,10 @@ var require_dist = __commonJS({
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  ApiAuthGuard: () => ApiAuthGuard,
+  AuthUser: () => AuthUser,
+  B2BGuard: () => B2BGuard,
+  B2CGuard: () => B2CGuard,
   BearerTokenGuard: () => BearerTokenGuard,
   KEYCLOAK_CLIENT: () => KEYCLOAK_CLIENT,
   KEYCLOAK_CONFIG: () => KEYCLOAK_CONFIG,
@@ -302,7 +306,7 @@ var KEYCLOAK_PROVIDER = "KEYCLOAK_PROVIDER";
 // package.json
 var package_default = {
   name: "@adatechnology/auth-keycloak",
-  version: "0.1.0",
+  version: "0.1.1",
   publishConfig: {
     access: "public"
   },
@@ -776,49 +780,54 @@ var RolesGuard = class {
     this.config = config;
   }
   canActivate(context) {
-    var _a, _b, _c, _d, _e, _f, _g, _h;
+    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j;
     const meta = this.reflector.get(ROLES_META_KEY, context.getHandler()) || this.reflector.get(ROLES_META_KEY, context.getClass());
     if (!meta || !meta.roles || meta.roles.length === 0) return true;
     const req = context.switchToHttp().getRequest();
-    const authHeader = ((_a = req.headers) == null ? void 0 : _a.authorization) || ((_b = req.headers) == null ? void 0 : _b.Authorization);
-    const token = authHeader ? String(authHeader).split(" ")[1] : (_c = req.query) == null ? void 0 : _c.token;
-    if (!token)
-      throw new import_shared2.BaseAppError({
-        message: "Authorization token not provided",
-        status: HTTP_STATUS.FORBIDDEN,
-        code: ROLES_ERROR_CODE.MISSING_TOKEN,
-        context: {}
-      });
-    const payload = this.decodeJwtPayload(token);
+    const required = meta.roles;
     const availableRoles = /* @__PURE__ */ new Set();
-    if (((_d = payload == null ? void 0 : payload.realm_access) == null ? void 0 : _d.roles) && Array.isArray(payload.realm_access.roles)) {
-      payload.realm_access.roles.forEach((r) => availableRoles.add(r));
-    }
-    const clientId = (_f = (_e = this.config) == null ? void 0 : _e.credentials) == null ? void 0 : _f.clientId;
-    if (clientId && ((_h = (_g = payload == null ? void 0 : payload.resource_access) == null ? void 0 : _g[clientId]) == null ? void 0 : _h.roles)) {
-      payload.resource_access[clientId].roles.forEach(
-        (r) => availableRoles.add(r)
-      );
-    }
-    if (meta.type === "both" && (payload == null ? void 0 : payload.resource_access)) {
-      Object.values(payload.resource_access).forEach((entry) => {
-        if ((entry == null ? void 0 : entry.roles) && Array.isArray(entry.roles)) {
-          entry.roles.forEach(
-            (r) => availableRoles.add(r)
-          );
-        }
-      });
+    const kongRolesHeader = ((_a = req.headers) == null ? void 0 : _a["x-user-roles"]) || ((_b = req.headers) == null ? void 0 : _b["X-User-Roles"]);
+    if (kongRolesHeader) {
+      kongRolesHeader.split(",").map((r) => r.trim()).filter(Boolean).forEach((r) => availableRoles.add(r));
+    } else {
+      const authHeader = ((_c = req.headers) == null ? void 0 : _c.authorization) || ((_d = req.headers) == null ? void 0 : _d.Authorization);
+      const token = authHeader ? String(authHeader).split(" ")[1] : (_e = req.query) == null ? void 0 : _e.token;
+      if (!token) {
+        throw new import_shared2.BaseAppError({
+          message: "Authorization token not provided",
+          status: HTTP_STATUS.FORBIDDEN,
+          code: ROLES_ERROR_CODE.MISSING_TOKEN,
+          context: {}
+        });
+      }
+      const payload = this.decodeJwtPayload(token);
+      if (((_f = payload == null ? void 0 : payload.realm_access) == null ? void 0 : _f.roles) && Array.isArray(payload.realm_access.roles)) {
+        payload.realm_access.roles.forEach((r) => availableRoles.add(r));
+      }
+      const clientId = (_h = (_g = this.config) == null ? void 0 : _g.credentials) == null ? void 0 : _h.clientId;
+      if (clientId && ((_j = (_i = payload == null ? void 0 : payload.resource_access) == null ? void 0 : _i[clientId]) == null ? void 0 : _j.roles)) {
+        payload.resource_access[clientId].roles.forEach(
+          (r) => availableRoles.add(r)
+        );
+      }
+      if (meta.type === "both" && (payload == null ? void 0 : payload.resource_access)) {
+        Object.values(payload.resource_access).forEach((entry) => {
+          if ((entry == null ? void 0 : entry.roles) && Array.isArray(entry.roles)) {
+            entry.roles.forEach((r) => availableRoles.add(r));
+          }
+        });
+      }
     }
-    const required = meta.roles || [];
     const hasMatch = required.map((r) => availableRoles.has(r));
     const result = meta.mode === "all" ? hasMatch.every(Boolean) : hasMatch.some(Boolean);
-    if (!result)
+    if (!result) {
       throw new import_shared2.BaseAppError({
         message: "Insufficient roles",
         status: HTTP_STATUS.FORBIDDEN,
         code: ROLES_ERROR_CODE.INSUFFICIENT_ROLES,
         context: { required }
       });
+    }
     return true;
   }
   decodeJwtPayload(token) {
@@ -830,7 +839,7 @@ var RolesGuard = class {
       if (!BufferCtor) return {};
       const decoded = BufferCtor.from(payload, "base64").toString("utf8");
       return JSON.parse(decoded);
-    } catch (e) {
+    } catch {
       return {};
     }
   }
@@ -900,8 +909,89 @@ var KeycloakModule = class {
 KeycloakModule = __decorateClass([
   (0, import_common6.Module)({})
 ], KeycloakModule);
+
+// src/b2b.guard.ts
+var import_common7 = require("@nestjs/common");
+var B2BGuard = class {
+  constructor(bearerTokenGuard) {
+    this.bearerTokenGuard = bearerTokenGuard;
+  }
+  canActivate(context) {
+    return Promise.resolve(this.bearerTokenGuard.canActivate(context));
+  }
+};
+B2BGuard = __decorateClass([
+  (0, import_common7.Injectable)()
+], B2BGuard);
+
+// src/b2c.guard.ts
+var import_common8 = require("@nestjs/common");
+var import_shared3 = __toESM(require_dist());
+var B2CGuard = class {
+  canActivate(context) {
+    var _a, _b;
+    const request = context.switchToHttp().getRequest();
+    const userId = ((_a = request.headers) == null ? void 0 : _a["x-user-id"]) ?? ((_b = request.headers) == null ? void 0 : _b["X-User-Id"]);
+    if (userId) return true;
+    throw new import_shared3.BaseAppError({
+      message: "Missing Kong identity headers (X-User-Id). Route requires user authentication via Kong.",
+      status: HTTP_STATUS.UNAUTHORIZED,
+      code: BEARER_ERROR_CODE.MISSING_TOKEN,
+      context: {}
+    });
+  }
+};
+B2CGuard = __decorateClass([
+  (0, import_common8.Injectable)()
+], B2CGuard);
+
+// src/api-auth.guard.ts
+var import_common9 = require("@nestjs/common");
+var import_shared4 = __toESM(require_dist());
+var ApiAuthGuard = class {
+  constructor(b2bGuard, b2cGuard) {
+    this.b2bGuard = b2bGuard;
+    this.b2cGuard = b2cGuard;
+  }
+  async canActivate(context) {
+    var _a, _b, _c, _d;
+    const request = context.switchToHttp().getRequest();
+    const authHeader = ((_a = request.headers) == null ? void 0 : _a.authorization) ?? ((_b = request.headers) == null ? void 0 : _b.Authorization);
+    if (authHeader == null ? void 0 : authHeader.toLowerCase().startsWith("bearer ")) {
+      return this.b2bGuard.canActivate(context);
+    }
+    const userId = ((_c = request.headers) == null ? void 0 : _c["x-user-id"]) ?? ((_d = request.headers) == null ? void 0 : _d["X-User-Id"]);
+    if (userId) {
+      return this.b2cGuard.canActivate(context);
+    }
+    throw new import_shared4.BaseAppError({
+      message: "Unauthorized: missing Authorization header (B2B) or Kong identity headers (B2C)",
+      status: HTTP_STATUS.UNAUTHORIZED,
+      code: BEARER_ERROR_CODE.MISSING_TOKEN,
+      context: {}
+    });
+  }
+};
+ApiAuthGuard = __decorateClass([
+  (0, import_common9.Injectable)()
+], ApiAuthGuard);
+
+// src/auth-user.decorator.ts
+var import_common10 = require("@nestjs/common");
+var AuthUser = (0, import_common10.createParamDecorator)(
+  (_data, ctx) => {
+    var _a, _b;
+    const request = ctx.switchToHttp().getRequest();
+    const raw = ((_a = request.headers) == null ? void 0 : _a["x-user-id"]) ?? ((_b = request.headers) == null ? void 0 : _b["X-User-Id"]);
+    return Array.isArray(raw) ? raw[0] : raw ?? "";
+  }
+);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  ApiAuthGuard,
+  AuthUser,
+  B2BGuard,
+  B2CGuard,
   BearerTokenGuard,
   KEYCLOAK_CLIENT,
   KEYCLOAK_CONFIG,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adatechnology/auth-keycloak",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "publishConfig": {
     "access": "public"
   },