@dismissible/nestjs-jwt-auth-hook 0.0.1 → 0.0.2-canary.43c6bbd.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dismissible/nestjs-jwt-auth-hook",
-  "version": "0.0.1",
+  "version": "0.0.2-canary.43c6bbd.0",
   "description": "JWT authentication hook for Dismissible applications using OIDC well-known discovery",
   "main": "./src/index.js",
   "types": "./src/index.d.ts",
@@ -11,31 +11,43 @@
       "types": "./src/index.d.ts"
     }
   },
+  "files": [
+    "src",
+    "README.md"
+  ],
   "dependencies": {
-    "jwks-rsa": "^3.1.0",
-    "jsonwebtoken": "^9.0.0"
+    "@nestjs/axios": "^4.0.1",
+    "@dismissible/nestjs-dismissible-hooks": "^0.0.2-canary.43c6bbd.0",
+    "@dismissible/nestjs-dismissible-request": "^0.0.2-canary.43c6bbd.0",
+    "@dismissible/nestjs-logger": "^0.0.2-canary.43c6bbd.0",
+    "@dismissible/nestjs-validation": "^0.0.2-canary.43c6bbd.0",
+    "jwks-rsa": "^3.2.0",
+    "jsonwebtoken": "^9.0.3"
+  },
+  "devDependencies": {
+    "@types/jsonwebtoken": "^9.0.10"
   },
   "peerDependencies": {
-    "@nestjs/axios": "^4.0.0",
     "@nestjs/common": "^11.0.0",
     "@nestjs/core": "^11.0.0",
-    "@dismissible/nestjs-dismissible": "*",
-    "@dismissible/nestjs-logger": "*"
+    "class-validator": "^0.14.0",
+    "class-transformer": "^0.5.0",
+    "rxjs": "^7.8.2"
   },
   "peerDependenciesMeta": {
-    "@nestjs/axios": {
-      "optional": false
-    },
     "@nestjs/common": {
       "optional": false
     },
     "@nestjs/core": {
       "optional": false
     },
-    "@dismissible/nestjs-dismissible": {
+    "class-validator": {
       "optional": false
     },
-    "@dismissible/nestjs-logger": {
+    "class-transformer": {
+      "optional": false
+    },
+    "rxjs": {
       "optional": false
     }
   },
@@ -56,5 +68,6 @@
   },
   "publishConfig": {
     "access": "public"
-  }
-}
+  },
+  "type": "commonjs"
+}

package/src/index.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+tslib_1.__exportStar(require("./jwt-auth-hook.config"), exports);
+tslib_1.__exportStar(require("./jwt-auth-hook.module"), exports);
+tslib_1.__exportStar(require("./jwt-auth.hook"), exports);
+tslib_1.__exportStar(require("./jwt-auth.service"), exports);
+//# sourceMappingURL=index.js.map

package/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../libs/jwt-auth-hook/src/index.ts"],"names":[],"mappings":";;;AAAA,iEAAuC;AACvC,iEAAuC;AACvC,0DAAgC;AAChC,6DAAmC"}

package/src/jwt-auth-hook.config.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Injection token for JWT auth hook configuration.
+ */
+export declare const JWT_AUTH_HOOK_CONFIG: unique symbol;
+/**
+ * Configuration options for JWT authentication hook.
+ */
+export declare class JwtAuthHookConfig {
+    readonly enabled: boolean;
+    /**
+     * The OpenID Connect well-known URL (e.g., https://auth.example.com/.well-known/openid-configuration).
+     * The JWKS URI will be fetched from this endpoint.
+     */
+    readonly wellKnownUrl: string;
+    /**
+     * Optional: Expected issuer claim (iss) to validate.
+     * If not provided, issuer validation is skipped.
+     */
+    readonly issuer?: string;
+    /**
+     * Optional: Expected audience claim (aud) to validate.
+     * If not provided, audience validation is skipped.
+     */
+    readonly audience?: string;
+    /**
+     * Optional: Allowed algorithms for JWT verification.
+     * Defaults to ['RS256'].
+     */
+    readonly algorithms?: string[];
+    /**
+     * Optional: Cache duration in milliseconds for JWKS.
+     * Defaults to 600000 (10 minutes).
+     */
+    readonly jwksCacheDuration?: number;
+    /**
+     * Optional: Request timeout in milliseconds.
+     * Defaults to 30000 (30 seconds).
+     */
+    readonly requestTimeout?: number;
+    /**
+     * Optional: Hook priority (lower numbers run first).
+     * Defaults to -100 (runs early for authentication).
+     */
+    readonly priority?: number;
+    /**
+     * Optional: Verify that the userId parameter matches the JWT subject (sub) claim.
+     * Defaults to true for security. Set to false for service-to-service scenarios.
+     */
+    readonly verifyUserIdMatch?: boolean;
+}

package/src/jwt-auth-hook.config.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtAuthHookConfig = exports.JWT_AUTH_HOOK_CONFIG = void 0;
+const tslib_1 = require("tslib");
+const class_validator_1 = require("class-validator");
+const class_transformer_1 = require("class-transformer");
+const nestjs_validation_1 = require("@dismissible/nestjs-validation");
+/**
+ * Injection token for JWT auth hook configuration.
+ */
+exports.JWT_AUTH_HOOK_CONFIG = Symbol('JWT_AUTH_HOOK_CONFIG');
+/**
+ * Configuration options for JWT authentication hook.
+ */
+class JwtAuthHookConfig {
+}
+exports.JwtAuthHookConfig = JwtAuthHookConfig;
+tslib_1.__decorate([
+    (0, class_validator_1.IsBoolean)(),
+    (0, nestjs_validation_1.TransformBoolean)(),
+    tslib_1.__metadata("design:type", Boolean)
+], JwtAuthHookConfig.prototype, "enabled", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.ValidateIf)((o) => o.enabled === true),
+    (0, class_validator_1.IsUrl)(),
+    tslib_1.__metadata("design:type", String)
+], JwtAuthHookConfig.prototype, "wellKnownUrl", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    tslib_1.__metadata("design:type", String)
+], JwtAuthHookConfig.prototype, "issuer", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    tslib_1.__metadata("design:type", String)
+], JwtAuthHookConfig.prototype, "audience", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsArray)(),
+    (0, class_validator_1.IsString)({ each: true }),
+    tslib_1.__metadata("design:type", Array)
+], JwtAuthHookConfig.prototype, "algorithms", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsNumber)(),
+    (0, class_transformer_1.Type)(() => Number),
+    tslib_1.__metadata("design:type", Number)
+], JwtAuthHookConfig.prototype, "jwksCacheDuration", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsNumber)(),
+    (0, class_transformer_1.Type)(() => Number),
+    tslib_1.__metadata("design:type", Number)
+], JwtAuthHookConfig.prototype, "requestTimeout", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsNumber)(),
+    (0, class_transformer_1.Type)(() => Number),
+    tslib_1.__metadata("design:type", Number)
+], JwtAuthHookConfig.prototype, "priority", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsBoolean)(),
+    (0, nestjs_validation_1.TransformBoolean)(true) // Default to true if not provided
+    ,
+    tslib_1.__metadata("design:type", Boolean)
+], JwtAuthHookConfig.prototype, "verifyUserIdMatch", void 0);
+//# sourceMappingURL=jwt-auth-hook.config.js.map

package/src/jwt-auth-hook.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth-hook.config.js","sourceRoot":"","sources":["../../../../libs/jwt-auth-hook/src/jwt-auth-hook.config.ts"],"names":[],"mappings":";;;;AAAA,qDAQyB;AACzB,yDAAyC;AACzC,sEAAkE;AAElE;;GAEG;AACU,QAAA,oBAAoB,GAAG,MAAM,CAAC,sBAAsB,CAAC,CAAC;AAEnE;;GAEG;AACH,MAAa,iBAAiB;CAyE7B;AAzED,8CAyEC;AAtEiB;IAFf,IAAA,2BAAS,GAAE;IACX,IAAA,oCAAgB,GAAE;;kDACe;AAQlB;IAFf,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,IAAI,CAAC;IACrC,IAAA,uBAAK,GAAE;;uDAC8B;AAQtB;IAFf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;;iDACqB;AAQhB;IAFf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;;mDACuB;AASlB;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,yBAAO,GAAE;IACT,IAAA,0BAAQ,EAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;;qDACa;AAStB;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;4DACwB;AAS3B;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;yDACqB;AASxB;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;mDACe;AASlB;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,GAAE;IACX,IAAA,oCAAgB,EAAC,IAAI,CAAC,CAAC,kCAAkC;;;4DACd"}

package/src/jwt-auth-hook.module.d.ts

@@ -0,0 +1,41 @@
+import { DynamicModule, InjectionToken } from '@nestjs/common';
+import { JwtAuthHookConfig } from './jwt-auth-hook.config';
+/**
+ * Async module options for JWT auth hook.
+ */
+export interface IJwtAuthHookModuleAsyncOptions {
+    useFactory: (...args: unknown[]) => JwtAuthHookConfig | Promise<JwtAuthHookConfig>;
+    inject?: InjectionToken[];
+}
+/**
+ * Module that provides JWT authentication hook for Dismissible.
+ *
+ * @example
+ * ```typescript
+ * import { DismissibleModule } from '@dismissible/nestjs-dismissible';
+ * import { JwtAuthHookModule, JwtAuthHook } from '@dismissible/nestjs-jwt-auth-hook';
+ *
+ * @Module({
+ *   imports: [
+ *     JwtAuthHookModule.forRoot({
+ *       wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
+ *       issuer: 'https://auth.example.com',
+ *       audience: 'my-api',
+ *     }),
+ *     DismissibleModule.forRoot({
+ *       hooks: [JwtAuthHook],
+ *       // ... other options
+ *     }),
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ */
+export declare class JwtAuthHookModule {
+    static forRoot(config: JwtAuthHookConfig): DynamicModule;
+    /**
+     * Create module with async configuration.
+     * Useful when config values come from environment or other async sources.
+     */
+    static forRootAsync(options: IJwtAuthHookModuleAsyncOptions): DynamicModule;
+}

package/src/jwt-auth-hook.module.js

@@ -0,0 +1,78 @@
+"use strict";
+var JwtAuthHookModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtAuthHookModule = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const axios_1 = require("@nestjs/axios");
+const jwt_auth_hook_1 = require("./jwt-auth.hook");
+const jwt_auth_service_1 = require("./jwt-auth.service");
+const jwt_auth_hook_config_1 = require("./jwt-auth-hook.config");
+/**
+ * Module that provides JWT authentication hook for Dismissible.
+ *
+ * @example
+ * ```typescript
+ * import { DismissibleModule } from '@dismissible/nestjs-dismissible';
+ * import { JwtAuthHookModule, JwtAuthHook } from '@dismissible/nestjs-jwt-auth-hook';
+ *
+ * @Module({
+ *   imports: [
+ *     JwtAuthHookModule.forRoot({
+ *       wellKnownUrl: 'https://auth.example.com/.well-known/openid-configuration',
+ *       issuer: 'https://auth.example.com',
+ *       audience: 'my-api',
+ *     }),
+ *     DismissibleModule.forRoot({
+ *       hooks: [JwtAuthHook],
+ *       // ... other options
+ *     }),
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ */
+let JwtAuthHookModule = JwtAuthHookModule_1 = class JwtAuthHookModule {
+    static forRoot(config) {
+        return {
+            module: JwtAuthHookModule_1,
+            imports: [axios_1.HttpModule],
+            providers: [
+                {
+                    provide: jwt_auth_hook_config_1.JWT_AUTH_HOOK_CONFIG,
+                    useValue: config,
+                },
+                jwt_auth_service_1.JwtAuthService,
+                jwt_auth_hook_1.JwtAuthHook,
+            ],
+            exports: [jwt_auth_hook_1.JwtAuthHook, jwt_auth_service_1.JwtAuthService, jwt_auth_hook_config_1.JWT_AUTH_HOOK_CONFIG],
+            global: true,
+        };
+    }
+    /**
+     * Create module with async configuration.
+     * Useful when config values come from environment or other async sources.
+     */
+    static forRootAsync(options) {
+        return {
+            module: JwtAuthHookModule_1,
+            imports: [axios_1.HttpModule],
+            providers: [
+                {
+                    provide: jwt_auth_hook_config_1.JWT_AUTH_HOOK_CONFIG,
+                    useFactory: options.useFactory,
+                    inject: options.inject ?? [],
+                },
+                jwt_auth_service_1.JwtAuthService,
+                jwt_auth_hook_1.JwtAuthHook,
+            ],
+            exports: [jwt_auth_hook_1.JwtAuthHook, jwt_auth_service_1.JwtAuthService, jwt_auth_hook_config_1.JWT_AUTH_HOOK_CONFIG],
+            global: true,
+        };
+    }
+};
+exports.JwtAuthHookModule = JwtAuthHookModule;
+exports.JwtAuthHookModule = JwtAuthHookModule = JwtAuthHookModule_1 = tslib_1.__decorate([
+    (0, common_1.Module)({})
+], JwtAuthHookModule);
+//# sourceMappingURL=jwt-auth-hook.module.js.map

package/src/jwt-auth-hook.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth-hook.module.js","sourceRoot":"","sources":["../../../../libs/jwt-auth-hook/src/jwt-auth-hook.module.ts"],"names":[],"mappings":";;;;;AAAA,2CAAuE;AACvE,yCAA2C;AAC3C,mDAA8C;AAC9C,yDAAoD;AACpD,iEAAiF;AAUjF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEI,IAAM,iBAAiB,yBAAvB,MAAM,iBAAiB;IAC5B,MAAM,CAAC,OAAO,CAAC,MAAyB;QACtC,OAAO;YACL,MAAM,EAAE,mBAAiB;YACzB,OAAO,EAAE,CAAC,kBAAU,CAAC;YACrB,SAAS,EAAE;gBACT;oBACE,OAAO,EAAE,2CAAoB;oBAC7B,QAAQ,EAAE,MAAM;iBACjB;gBACD,iCAAc;gBACd,2BAAW;aACZ;YACD,OAAO,EAAE,CAAC,2BAAW,EAAE,iCAAc,EAAE,2CAAoB,CAAC;YAC5D,MAAM,EAAE,IAAI;SACb,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,YAAY,CAAC,OAAuC;QACzD,OAAO;YACL,MAAM,EAAE,mBAAiB;YACzB,OAAO,EAAE,CAAC,kBAAU,CAAC;YACrB,SAAS,EAAE;gBACT;oBACE,OAAO,EAAE,2CAAoB;oBAC7B,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;iBAC7B;gBACD,iCAAc;gBACd,2BAAW;aACZ;YACD,OAAO,EAAE,CAAC,2BAAW,EAAE,iCAAc,EAAE,2CAAoB,CAAC;YAC5D,MAAM,EAAE,IAAI;SACb,CAAC;IACJ,CAAC;CACF,CAAA;AAvCY,8CAAiB;4BAAjB,iBAAiB;IAD7B,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,iBAAiB,CAuC7B"}

package/src/jwt-auth.hook.d.ts

@@ -0,0 +1,21 @@
+import { IDismissibleLifecycleHook, IHookResult } from '@dismissible/nestjs-dismissible-hooks';
+import { IRequestContext } from '@dismissible/nestjs-dismissible-request';
+import { IDismissibleLogger } from '@dismissible/nestjs-logger';
+import { JwtAuthService } from './jwt-auth.service';
+import { JwtAuthHookConfig } from './jwt-auth-hook.config';
+/**
+ * JWT authentication hook that validates bearer tokens on every request.
+ * This hook runs during the pre-request phase and rejects unauthorized requests.
+ */
+export declare class JwtAuthHook implements IDismissibleLifecycleHook {
+    private readonly jwtAuthService;
+    private readonly config;
+    private readonly logger;
+    readonly priority: number;
+    constructor(jwtAuthService: JwtAuthService, config: JwtAuthHookConfig, logger: IDismissibleLogger);
+    /**
+     * Validates the JWT bearer token from the Authorization header.
+     * Runs before any dismissible operation.
+     */
+    onBeforeRequest(itemId: string, userId: string, context?: IRequestContext): Promise<IHookResult>;
+}

package/src/jwt-auth.hook.js

@@ -0,0 +1,79 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtAuthHook = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const nestjs_logger_1 = require("@dismissible/nestjs-logger");
+const jwt_auth_service_1 = require("./jwt-auth.service");
+const jwt_auth_hook_config_1 = require("./jwt-auth-hook.config");
+/**
+ * JWT authentication hook that validates bearer tokens on every request.
+ * This hook runs during the pre-request phase and rejects unauthorized requests.
+ */
+let JwtAuthHook = class JwtAuthHook {
+    constructor(jwtAuthService, config, logger) {
+        this.jwtAuthService = jwtAuthService;
+        this.config = config;
+        this.logger = logger;
+        this.priority = config.priority ?? -100;
+    }
+    /**
+     * Validates the JWT bearer token from the Authorization header.
+     * Runs before any dismissible operation.
+     */
+    async onBeforeRequest(itemId, userId, context) {
+        if (!this.config.enabled) {
+            return { proceed: true };
+        }
+        const authorizationHeader = context?.headers['authorization'];
+        const token = this.jwtAuthService.extractBearerToken(authorizationHeader);
+        if (!token) {
+            this.logger.debug('JWT auth hook: No bearer token provided', {
+                itemId,
+                userId,
+                requestId: context?.requestId,
+            });
+            throw new common_1.UnauthorizedException('Missing or invalid bearer token');
+        }
+        const result = await this.jwtAuthService.validateToken(token);
+        if (!result.valid) {
+            this.logger.debug('JWT auth hook: Token validation failed', {
+                itemId,
+                userId,
+                requestId: context?.requestId,
+                error: result.error,
+            });
+            throw new common_1.UnauthorizedException(result.error);
+        }
+        const verifyUserIdMatch = this.config.verifyUserIdMatch ?? true;
+        if (verifyUserIdMatch && result.payload?.sub) {
+            if (result.payload.sub !== userId) {
+                this.logger.debug('JWT auth hook: User ID mismatch', {
+                    itemId,
+                    userId,
+                    requestId: context?.requestId,
+                    tokenSubject: result.payload.sub,
+                });
+                throw new common_1.ForbiddenException('User ID in request does not match authenticated user');
+            }
+        }
+        this.logger.debug('JWT auth hook: Token validated successfully', {
+            itemId,
+            userId,
+            requestId: context?.requestId,
+            subject: result.payload?.sub,
+        });
+        return {
+            proceed: true,
+        };
+    }
+};
+exports.JwtAuthHook = JwtAuthHook;
+exports.JwtAuthHook = JwtAuthHook = tslib_1.__decorate([
+    (0, common_1.Injectable)(),
+    tslib_1.__param(1, (0, common_1.Inject)(jwt_auth_hook_config_1.JWT_AUTH_HOOK_CONFIG)),
+    tslib_1.__param(2, (0, common_1.Inject)(nestjs_logger_1.DISMISSIBLE_LOGGER)),
+    tslib_1.__metadata("design:paramtypes", [jwt_auth_service_1.JwtAuthService,
+        jwt_auth_hook_config_1.JwtAuthHookConfig, Object])
+], JwtAuthHook);
+//# sourceMappingURL=jwt-auth.hook.js.map

package/src/jwt-auth.hook.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.hook.js","sourceRoot":"","sources":["../../../../libs/jwt-auth-hook/src/jwt-auth.hook.ts"],"names":[],"mappings":";;;;AAAA,2CAA+F;AAG/F,8DAAoF;AACpF,yDAAoD;AACpD,iEAAiF;AAEjF;;;GAGG;AAEI,IAAM,WAAW,GAAjB,MAAM,WAAW;IAGtB,YACmB,cAA8B,EAE9B,MAAyB,EAEzB,MAA0B;QAJ1B,mBAAc,GAAd,cAAc,CAAgB;QAE9B,WAAM,GAAN,MAAM,CAAmB;QAEzB,WAAM,GAAN,MAAM,CAAoB;QAE3C,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC;IAC1C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,eAAe,CACnB,MAAc,EACd,MAAc,EACd,OAAyB;QAEzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,MAAM,mBAAmB,GAAG,OAAO,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;QAE9D,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,kBAAkB,CAAC,mBAAmB,CAAC,CAAC;QAE1E,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE;gBAC3D,MAAM;gBACN,MAAM;gBACN,SAAS,EAAE,OAAO,EAAE,SAAS;aAC9B,CAAC,CAAC;YAEH,MAAM,IAAI,8BAAqB,CAAC,iCAAiC,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAE9D,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE;gBAC1D,MAAM;gBACN,MAAM;gBACN,SAAS,EAAE,OAAO,EAAE,SAAS;gBAC7B,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC,CAAC;YAEH,MAAM,IAAI,8BAAqB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,IAAI,CAAC;QAChE,IAAI,iBAAiB,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC;YAC7C,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;gBAClC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE;oBACnD,MAAM;oBACN,MAAM;oBACN,SAAS,EAAE,OAAO,EAAE,SAAS;oBAC7B,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG;iBACjC,CAAC,CAAC;gBAEH,MAAM,IAAI,2BAAkB,CAAC,sDAAsD,CAAC,CAAC;YACvF,CAAC;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6CAA6C,EAAE;YAC/D,MAAM;YACN,MAAM;YACN,SAAS,EAAE,OAAO,EAAE,SAAS;YAC7B,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,GAAG;SAC7B,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;CACF,CAAA;AA9EY,kCAAW;sBAAX,WAAW;IADvB,IAAA,mBAAU,GAAE;IAMR,mBAAA,IAAA,eAAM,EAAC,2CAAoB,CAAC,CAAA;IAE5B,mBAAA,IAAA,eAAM,EAAC,kCAAkB,CAAC,CAAA;6CAHM,iCAAc;QAEtB,wCAAiB;GANjC,WAAW,CA8EvB"}

package/src/jwt-auth.service.d.ts

@@ -0,0 +1,47 @@
+import { OnModuleInit } from '@nestjs/common';
+import { HttpService } from '@nestjs/axios';
+import { JwtAuthHookConfig } from './jwt-auth-hook.config';
+import { IDismissibleLogger } from '@dismissible/nestjs-logger';
+/**
+ * Decoded JWT payload.
+ */
+export interface IJwtPayload {
+    sub?: string;
+    iss?: string;
+    aud?: string | string[];
+    exp?: number;
+    iat?: number;
+    [key: string]: unknown;
+}
+/**
+ * Result of JWT validation.
+ */
+export interface IJwtValidationResult {
+    valid: boolean;
+    payload?: IJwtPayload;
+    error?: string;
+}
+/**
+ * Service responsible for JWT validation using JWKS.
+ */
+export declare class JwtAuthService implements OnModuleInit {
+    private readonly httpService;
+    private readonly config;
+    private readonly logger;
+    private jwksClient;
+    private jwksUri;
+    constructor(httpService: HttpService, config: JwtAuthHookConfig, logger: IDismissibleLogger);
+    onModuleInit(): Promise<void>;
+    /**
+     * Initialize the JWKS client by fetching the well-known configuration.
+     */
+    initializeJwksClient(): Promise<void>;
+    /**
+     * Extract the bearer token from the Authorization header.
+     */
+    extractBearerToken(authorizationHeader: string | undefined): string | null;
+    /**
+     * Validate a JWT token.
+     */
+    validateToken(token: string): Promise<IJwtValidationResult>;
+}

package/src/jwt-auth.service.js

@@ -0,0 +1,143 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtAuthService = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const axios_1 = require("@nestjs/axios");
+const jwks_rsa_1 = require("jwks-rsa");
+const jwt = tslib_1.__importStar(require("jsonwebtoken"));
+const rxjs_1 = require("rxjs");
+const jwt_auth_hook_config_1 = require("./jwt-auth-hook.config");
+const nestjs_logger_1 = require("@dismissible/nestjs-logger");
+/**
+ * Service responsible for JWT validation using JWKS.
+ */
+let JwtAuthService = class JwtAuthService {
+    constructor(httpService, config, logger) {
+        this.httpService = httpService;
+        this.config = config;
+        this.logger = logger;
+        this.jwksClient = null;
+        this.jwksUri = null;
+    }
+    async onModuleInit() {
+        if (this.config.enabled) {
+            await this.initializeJwksClient();
+        }
+    }
+    /**
+     * Initialize the JWKS client by fetching the well-known configuration.
+     */
+    async initializeJwksClient() {
+        try {
+            this.logger.debug('Fetching OpenID configuration', {
+                wellKnownUrl: this.config.wellKnownUrl,
+            });
+            const response = await (0, rxjs_1.firstValueFrom)(this.httpService.get(this.config.wellKnownUrl, {
+                timeout: this.config.requestTimeout ?? 30000,
+            }));
+            const openIdConfig = response.data;
+            if (!openIdConfig.jwks_uri) {
+                throw new Error('No jwks_uri found in OpenID configuration');
+            }
+            this.jwksUri = openIdConfig.jwks_uri;
+            this.jwksClient = new jwks_rsa_1.JwksClient({
+                jwksUri: this.jwksUri,
+                cache: true,
+                cacheMaxAge: this.config.jwksCacheDuration ?? 600000,
+                timeout: this.config.requestTimeout ?? 30000,
+            });
+            this.logger.info('JWKS client initialized successfully', {
+                jwksUri: this.jwksUri,
+            });
+        }
+        catch (error) {
+            this.logger.error('Failed to initialize JWKS client', error instanceof Error ? error : new Error(String(error)), { wellKnownUrl: this.config.wellKnownUrl });
+            throw error;
+        }
+    }
+    /**
+     * Extract the bearer token from the Authorization header.
+     */
+    extractBearerToken(authorizationHeader) {
+        if (!authorizationHeader) {
+            return null;
+        }
+        const parts = authorizationHeader.split(' ');
+        if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') {
+            return null;
+        }
+        return parts[1];
+    }
+    /**
+     * Validate a JWT token.
+     */
+    async validateToken(token) {
+        if (!this.jwksClient) {
+            return {
+                valid: false,
+                error: 'JWKS client not initialized',
+            };
+        }
+        try {
+            const decoded = jwt.decode(token, { complete: true });
+            if (!decoded || typeof decoded === 'string') {
+                return {
+                    valid: false,
+                    error: 'Invalid token format',
+                };
+            }
+            const kid = decoded.header.kid;
+            if (!kid) {
+                return {
+                    valid: false,
+                    error: 'Token missing key ID (kid)',
+                };
+            }
+            let signingKey;
+            try {
+                signingKey = await this.jwksClient.getSigningKey(kid);
+            }
+            catch {
+                return {
+                    valid: false,
+                    error: 'Unable to find signing key',
+                };
+            }
+            const publicKey = signingKey.getPublicKey();
+            const verifyOptions = {
+                algorithms: this.config.algorithms ?? ['RS256'],
+            };
+            if (this.config.issuer) {
+                verifyOptions.issuer = this.config.issuer;
+            }
+            if (this.config.audience) {
+                verifyOptions.audience = this.config.audience;
+            }
+            const payload = jwt.verify(token, publicKey, verifyOptions);
+            return {
+                valid: true,
+                payload,
+            };
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            this.logger.debug('Token validation failed', {
+                error: errorMessage,
+            });
+            return {
+                valid: false,
+                error: errorMessage,
+            };
+        }
+    }
+};
+exports.JwtAuthService = JwtAuthService;
+exports.JwtAuthService = JwtAuthService = tslib_1.__decorate([
+    (0, common_1.Injectable)(),
+    tslib_1.__param(1, (0, common_1.Inject)(jwt_auth_hook_config_1.JWT_AUTH_HOOK_CONFIG)),
+    tslib_1.__param(2, (0, common_1.Inject)(nestjs_logger_1.DISMISSIBLE_LOGGER)),
+    tslib_1.__metadata("design:paramtypes", [axios_1.HttpService,
+        jwt_auth_hook_config_1.JwtAuthHookConfig, Object])
+], JwtAuthService);
+//# sourceMappingURL=jwt-auth.service.js.map

package/src/jwt-auth.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.service.js","sourceRoot":"","sources":["../../../../libs/jwt-auth-hook/src/jwt-auth.service.ts"],"names":[],"mappings":";;;;AAAA,2CAAkE;AAClE,yCAA4C;AAC5C,uCAAkD;AAClD,0DAAoC;AACpC,+BAAsC;AACtC,iEAAiF;AACjF,8DAAoF;AAuBpF;;GAEG;AAEI,IAAM,cAAc,GAApB,MAAM,cAAc;IAIzB,YACmB,WAAwB,EAEzC,MAA0C,EAE1C,MAA2C;QAJ1B,gBAAW,GAAX,WAAW,CAAa;QAExB,WAAM,GAAN,MAAM,CAAmB;QAEzB,WAAM,GAAN,MAAM,CAAoB;QARrC,eAAU,GAAsB,IAAI,CAAC;QACrC,YAAO,GAAkB,IAAI,CAAC;IAQnC,CAAC;IAEJ,KAAK,CAAC,YAAY;QAChB,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,oBAAoB,EAAE,CAAC;QACpC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,oBAAoB;QACxB,IAAI,CAAC;YACH,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;gBACjD,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;aACvC,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,IAAA,qBAAc,EACnC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAwB,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE;gBACpE,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,KAAK;aAC7C,CAAC,CACH,CAAC;YAEF,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC;YAEnC,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;YAC/D,CAAC;YAED,IAAI,CAAC,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC;YAErC,IAAI,CAAC,UAAU,GAAG,IAAI,qBAAU,CAAC;gBAC/B,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,MAAM;gBACpD,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,KAAK;aAC7C,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sCAAsC,EAAE;gBACvD,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,kCAAkC,EAClC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EACzD,EAAE,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAC3C,CAAC;YACF,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,mBAAuC;QACxD,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,mBAAmB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,6BAA6B;aACrC,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;YAEtD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,sBAAsB;iBAC9B,CAAC;YACJ,CAAC;YAED,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;YAC/B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,4BAA4B;iBACpC,CAAC;YACJ,CAAC;YAED,IAAI,UAAsB,CAAC;YAC3B,IAAI,CAAC;gBACH,UAAU,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;YACxD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,4BAA4B;iBACpC,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,UAAU,CAAC,YAAY,EAAE,CAAC;YAE5C,MAAM,aAAa,GAAsB;gBACvC,UAAU,EAAG,IAAI,CAAC,MAAM,CAAC,UAA8B,IAAI,CAAC,OAAO,CAAC;aACrE,CAAC;YAEF,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBACvB,aAAa,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;YAC5C,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACzB,aAAa,CAAC,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;YAChD,CAAC;YAED,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,aAAa,CAAgB,CAAC;YAE3E,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,OAAO;aACR,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAE5E,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE;gBAC3C,KAAK,EAAE,YAAY;aACpB,CAAC,CAAC;YAEH,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,YAAY;aACpB,CAAC;QACJ,CAAC;IACH,CAAC;CACF,CAAA;AArJY,wCAAc;yBAAd,cAAc;IAD1B,IAAA,mBAAU,GAAE;IAOR,mBAAA,IAAA,eAAM,EAAC,2CAAoB,CAAC,CAAA;IAE5B,mBAAA,IAAA,eAAM,EAAC,kCAAkB,CAAC,CAAA;6CAHG,mBAAW;QAEhB,wCAAiB;GAPjC,cAAc,CAqJ1B"}

package/jest.config.ts

@@ -1,27 +0,0 @@
-export default {
-  displayName: 'jwt-auth-hook',
-  preset: '../../jest.preset.js',
-  testEnvironment: 'node',
-  transform: {
-    '^.+\\.[tj]s$': ['ts-jest', { tsconfig: '<rootDir>/tsconfig.json' }],
-  },
-  moduleFileExtensions: ['ts', 'js', 'html'],
-  coverageDirectory: '../../coverage/libs/jwt-auth-hook',
-  collectCoverageFrom: [
-    'src/**/*.ts',
-    '!src/**/*.spec.ts',
-    '!src/**/*.interface.ts',
-    '!src/**/*.dto.ts',
-    '!src/**/*.enum.ts',
-    '!src/**/index.ts',
-    '!src/**/*.module.ts',
-  ],
-  coverageThreshold: {
-    global: {
-      branches: 80,
-      functions: 80,
-      lines: 80,
-      statements: 80,
-    },
-  },
-};