@monderks/nestjs-keycloak-auth 0.1.0

package/.eslintrc.js

@@ -0,0 +1,26 @@
+module.exports = {
+  parser: '@typescript-eslint/parser',
+  parserOptions: {
+    project: 'tsconfig.json',
+    tsconfigRootDir: __dirname,
+    sourceType: 'module',
+  },
+  plugins: ['@typescript-eslint/eslint-plugin'],
+  extends: [
+    'plugin:@typescript-eslint/recommended',
+    'plugin:prettier/recommended',
+  ],
+  root: true,
+  env: {
+    node: true,
+    jest: true,
+  },
+  ignorePatterns: ['.eslintrc.js', 'dist/**/*'],
+  rules: {
+    '@typescript-eslint/interface-name-prefix': 'off',
+    '@typescript-eslint/explicit-function-return-type': 'off',
+    '@typescript-eslint/explicit-module-boundary-types': 'off',
+    '@typescript-eslint/no-explicit-any': 'off',
+    '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+  },
+}; 

package/.prettierrc

@@ -0,0 +1,20 @@
+{
+    "arrowParens": "always",
+    "bracketSameLine": true,
+    "bracketSpacing": true,
+    "semi": true,
+    "singleQuote": true,
+    "jsxSingleQuote": false,
+    "quoteProps": "as-needed",
+    "trailingComma": "all",
+    "singleAttributePerLine": false,
+    "htmlWhitespaceSensitivity": "css",
+    "vueIndentScriptAndStyle": false,
+    "proseWrap": "preserve",
+    "insertPragma": false,
+    "printWidth": 120,
+    "requirePragma": false,
+    "tabWidth": 4,
+    "useTabs": false,
+    "embeddedLanguageFormatting": "auto"
+}

package/README.md

@@ -0,0 +1,299 @@
+# Keycloak Auth Library
+
+Librería para validación de tokens Keycloak en NestJS cuando el frontend controla la autenticación.
+
+## Características
+
+- 🎫 Validación de tokens JWT desde frontend
+- 🔄 Renovación de tokens
+- 👤 Obtención de información de usuario
+- 🛡️ Guards de autorización con roles
+- 🏷️ Decoradores para obtener usuario actual
+- 🔧 Configuración flexible
+- 🌐 Optimizada para frontend (Next.js, React, etc.)
+
+## Instalación
+
+```bash
+npm install @monderks/keycloak-auth
+```
+
+## Configuración
+
+### Configuración Básica
+
+```typescript
+import { Module } from '@nestjs/common';
+import { KeycloakAuthModule } from '@monderks/keycloak-auth';
+
+@Module({
+  imports: [
+    KeycloakAuthModule.forRoot({
+      config: {
+        serverUrl: 'http://localhost:8080',
+        realm: 'my-realm',
+        clientId: 'my-client',
+        clientSecret: 'my-client-secret', // Necesario para refresh y logout
+        verifyTokenAudience: true,
+        verifyTokenIssuer: true,
+        tokenExpirationTolerance: 30, // segundos
+      },
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+### Configuración Asíncrona
+
+```typescript
+import { Module } from '@nestjs/common';
+import { ConfigModule, ConfigService } from '@nestjs/config';
+import { KeycloakAuthModule } from '@monderks/keycloak-auth';
+
+@Module({
+  imports: [
+    ConfigModule.forRoot(),
+    KeycloakAuthModule.forRootAsync({
+      useFactory: (configService: ConfigService) => ({
+        serverUrl: configService.get('KEYCLOAK_SERVER_URL'),
+        realm: configService.get('KEYCLOAK_REALM'),
+        clientId: configService.get('KEYCLOAK_CLIENT_ID'),
+        clientSecret: configService.get('KEYCLOAK_CLIENT_SECRET'),
+        verifyTokenAudience: true,
+        verifyTokenIssuer: true,
+      }),
+      inject: [ConfigService],
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+## ¿Cómo usar la librería?
+
+Esta librería **no expone controladores**. Solo provee servicios, guards y decoradores para que tú crees tus propios endpoints y lógica de negocio.
+
+### Ejemplo de uso en tu propio controlador
+
+```typescript
+import { Controller, Get, Post, Body, UseGuards } from '@nestjs/common';
+import { KeycloakAuthService, KeycloakAuthGuard, KeycloakAuth, CurrentUser } from '@monderks/keycloak-auth';
+import { DecodedToken } from '@monderks/keycloak-auth';
+
+@Controller('api/auth')
+export class AuthController {
+  constructor(private keycloakService: KeycloakAuthService) {}
+
+  @Post('validate')
+  async validateToken(@Body() body: { token: string }) {
+    return await this.keycloakService.validateToken(body.token);
+  }
+
+  @Get('protected')
+  @UseGuards(KeycloakAuthGuard)
+  @KeycloakAuth()
+  getProtectedData(@CurrentUser() user: DecodedToken) {
+    return {
+      message: 'Datos protegidos',
+      user,
+    };
+  }
+}
+```
+
+## Flujo de Autenticación
+
+### 1. Frontend (Next.js/React) - Login
+
+```typescript
+// Instalar keycloak-js
+// npm install keycloak-js
+
+import Keycloak from 'keycloak-js';
+
+// Configurar Keycloak
+const keycloak = new Keycloak({
+  url: 'http://localhost:8080',
+  realm: 'my-realm',
+  clientId: 'my-client'
+});
+
+// Inicializar y hacer login
+await keycloak.init({
+  onLoad: 'login-required'
+});
+
+// Obtener el token
+const token = keycloak.token;
+```
+
+### 2. Frontend - Enviar Requests al Backend
+
+```typescript
+// Endpoint protegido
+const response = await fetch('/api/auth/protected', {
+  headers: {
+    'Authorization': `Bearer ${token}`
+  }
+});
+
+// Validar token
+const validateResponse = await fetch('/api/auth/validate', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json'
+  },
+  body: JSON.stringify({ token })
+});
+
+// Renovar token
+const refreshResponse = await fetch('/api/auth/refresh', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json'
+  },
+  body: JSON.stringify({ refreshToken: keycloak.refreshToken })
+});
+
+// Logout
+const logoutResponse = await fetch('/api/auth/logout', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json'
+  },
+  body: JSON.stringify({ refreshToken: keycloak.refreshToken })
+});
+```
+
+## Endpoints recomendados (tú los creas)
+
+- POST `/api/auth/validate` → Valida un token
+- POST `/api/auth/user-info` → Obtiene info del usuario
+- POST `/api/auth/refresh` → Renueva el token
+- POST `/api/auth/logout` → Logout
+- GET `/api/auth/protected` → Endpoint protegido
+- GET `/api/auth/admin` → Endpoint con roles
+- GET `/api/auth/public` → Endpoint público
+
+## API Reference
+
+### KeycloakAuthService
+
+#### Métodos de Validación
+- `validateToken(token: string): Promise<TokenValidationResult>`
+- `getUserInfo(accessToken: string): Promise<DecodedToken>`
+- `refreshToken(refreshToken: string): Promise<RefreshTokenResult>`
+- `logout(refreshToken: string): Promise<boolean>`
+- `hasRole(userId: string, roleName: string, clientId?: string): Promise<boolean>`
+
+### Decoradores
+
+- `@CurrentUser()` - Obtiene el usuario autenticado de la request
+- `@CurrentUser('sub')` - Obtiene una propiedad específica del usuario
+
+### Guards
+
+- `@KeycloakAuth()` - Protege rutas con validación de tokens
+- `@KeycloakAuth({ roles: ['admin'] })` - Requiere roles específicos
+- `@KeycloakAuth({ clientRoles: { 'client-id': ['role'] } })` - Requiere roles de cliente
+- `@KeycloakAuth({ optional: true })` - Permite acceso sin token
+
+## Variables de Entorno
+
+```env
+KEYCLOAK_SERVER_URL=http://localhost:8080
+KEYCLOAK_REALM=my-realm
+KEYCLOAK_CLIENT_ID=my-client
+KEYCLOAK_CLIENT_SECRET=my-client-secret
+```
+
+## Configuración Avanzada
+
+### Opciones de Configuración Completas
+
+```typescript
+const keycloakConfig = {
+  serverUrl: 'http://localhost:8080',
+  realm: 'my-realm',
+  clientId: 'my-client',
+  clientSecret: 'my-client-secret',
+  
+  // Clave pública del realm (opcional, se obtiene automáticamente)
+  publicKey: '-----BEGIN PUBLIC KEY-----...',
+  
+  // Opciones de validación
+  verifyTokenAudience: true,
+  verifyTokenIssuer: true,
+  tokenExpirationTolerance: 30, // segundos
+};
+```
+
+## Ejemplos de Uso
+
+### Middleware Personalizado
+
+```typescript
+@Injectable()
+export class KeycloakMiddleware implements NestMiddleware {
+  constructor(private keycloakService: KeycloakAuthService) {}
+
+  async use(req: Request, res: Response, next: Function) {
+    const token = req.headers.authorization?.replace('Bearer ', '');
+    
+    if (token) {
+      const validation = await this.keycloakService.validateToken(token);
+      if (validation.valid) {
+        req.user = validation.decoded;
+      }
+    }
+    
+    next();
+  }
+}
+```
+
+### Hook de React para Next.js
+
+```typescript
+// hooks/useKeycloak.ts
+import { useState, useEffect } from 'react';
+import Keycloak from 'keycloak-js';
+
+export const useKeycloak = () => {
+  const [keycloak, setKeycloak] = useState<Keycloak | null>(null);
+  const [authenticated, setAuthenticated] = useState(false);
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    const kc = new Keycloak({
+      url: process.env.NEXT_PUBLIC_KEYCLOAK_URL,
+      realm: process.env.NEXT_PUBLIC_KEYCLOAK_REALM,
+      clientId: process.env.NEXT_PUBLIC_KEYCLOAK_CLIENT_ID,
+    });
+
+    kc.init({
+      onLoad: 'check-sso',
+      silentCheckSsoRedirectUri: window.location.origin + '/silent-check-sso.html',
+    }).then((auth) => {
+      setKeycloak(kc);
+      setAuthenticated(auth);
+      setLoading(false);
+    });
+  }, []);
+
+  return { keycloak, authenticated, loading };
+};
+```
+
+## Contribuir
+
+1. Fork el proyecto
+2. Crea una rama para tu feature (`git checkout -b feature/AmazingFeature`)
+3. Commit tus cambios (`git commit -m 'Add some AmazingFeature'`)
+4. Push a la rama (`git push origin feature/AmazingFeature`)
+5. Abre un Pull Request
+
+## Licencia
+
+Este proyecto está bajo la Licencia MIT - ver el archivo [LICENSE](LICENSE) para detalles.

package/dist/decorators/current-user.decorator.d.ts

@@ -0,0 +1,3 @@
+import { DecodedToken } from '../interfaces/keycloak-config.interface';
+export declare const CurrentUser: (...dataOrPipes: (keyof DecodedToken | import("@nestjs/common").PipeTransform<any, any> | import("@nestjs/common").Type<import("@nestjs/common").PipeTransform<any, any>> | undefined)[]) => ParameterDecorator;
+//# sourceMappingURL=current-user.decorator.d.ts.map

package/dist/decorators/current-user.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"current-user.decorator.d.ts","sourceRoot":"","sources":["../../src/decorators/current-user.decorator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,yCAAyC,CAAC;AAEvE,eAAO,MAAM,WAAW,iNAOvB,CAAC"}

package/dist/decorators/current-user.decorator.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CurrentUser = void 0;
+const common_1 = require("@nestjs/common");
+exports.CurrentUser = (0, common_1.createParamDecorator)((data, ctx) => {
+    const request = ctx.switchToHttp().getRequest();
+    const user = request.user;
+    return data ? user?.[data] : user;
+});
+//# sourceMappingURL=current-user.decorator.js.map

package/dist/decorators/current-user.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"current-user.decorator.js","sourceRoot":"","sources":["../../src/decorators/current-user.decorator.ts"],"names":[],"mappings":";;;AAAA,2CAAwE;AAG3D,QAAA,WAAW,GAAG,IAAA,6BAAoB,EAC7C,CAAC,IAAoC,EAAE,GAAqB,EAAsB,EAAE;IAClF,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;IAChD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAE1B,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACpC,CAAC,CACF,CAAC"}

package/dist/guards/keycloak-auth.guard.d.ts

@@ -0,0 +1,18 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { KeycloakAuthService } from '../keycloak-auth.service';
+export interface KeycloakAuthOptions {
+    roles?: string[];
+    clientRoles?: Record<string, string[]>;
+    requireAllRoles?: boolean;
+    optional?: boolean;
+}
+export declare const KEYCLOAK_AUTH_KEY = "keycloak_auth";
+export declare const KeycloakAuth: (options?: KeycloakAuthOptions) => (target: any, propertyKey: string, descriptor: PropertyDescriptor) => PropertyDescriptor;
+export declare class KeycloakAuthGuard implements CanActivate {
+    private reflector;
+    private keycloakService;
+    constructor(reflector: Reflector, keycloakService: KeycloakAuthService);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=keycloak-auth.guard.d.ts.map

package/dist/guards/keycloak-auth.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-auth.guard.d.ts","sourceRoot":"","sources":["../../src/guards/keycloak-auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,EAAyB,MAAM,gBAAgB,CAAC;AAClG,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAE/D,MAAM,WAAW,mBAAmB;IAChC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IACvC,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,eAAO,MAAM,iBAAiB,kBAAkB,CAAC;AAEjD,eAAO,MAAM,YAAY,GAAI,UAAS,mBAAwB,MAClD,QAAQ,GAAG,EAAE,aAAa,MAAM,EAAE,YAAY,kBAAkB,uBAI3E,CAAC;AAEF,qBACa,iBAAkB,YAAW,WAAW;IAE7C,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,eAAe;gBADf,SAAS,EAAE,SAAS,EACpB,eAAe,EAAE,mBAAmB;IAG1C,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAiEjE"}

package/dist/guards/keycloak-auth.guard.js

@@ -0,0 +1,81 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeycloakAuthGuard = exports.KeycloakAuth = exports.KEYCLOAK_AUTH_KEY = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const keycloak_auth_service_1 = require("../keycloak-auth.service");
+exports.KEYCLOAK_AUTH_KEY = 'keycloak_auth';
+const KeycloakAuth = (options = {}) => {
+    return (target, propertyKey, descriptor) => {
+        Reflect.defineMetadata(exports.KEYCLOAK_AUTH_KEY, options, descriptor.value);
+        return descriptor;
+    };
+};
+exports.KeycloakAuth = KeycloakAuth;
+let KeycloakAuthGuard = class KeycloakAuthGuard {
+    constructor(reflector, keycloakService) {
+        this.reflector = reflector;
+        this.keycloakService = keycloakService;
+    }
+    async canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        const options = this.reflector.getAllAndOverride(exports.KEYCLOAK_AUTH_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        const authHeader = request.headers.authorization;
+        if (options?.optional && (!authHeader || !authHeader.startsWith('Bearer '))) {
+            return true;
+        }
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            throw new common_1.UnauthorizedException('Token de autorización requerido');
+        }
+        const token = authHeader.substring(7);
+        const validationResult = await this.keycloakService.validateToken(token);
+        if (!validationResult.valid) {
+            throw new common_1.UnauthorizedException(validationResult.error || 'Token inválido');
+        }
+        request.user = validationResult.decoded;
+        if (!options || (!options.roles && !options.clientRoles)) {
+            return true;
+        }
+        if (options.roles && options.roles.length > 0) {
+            const userRoles = validationResult.decoded?.realm_access?.roles || [];
+            const hasRealmRole = options.requireAllRoles
+                ? options.roles.every((role) => userRoles.includes(role))
+                : options.roles.some((role) => userRoles.includes(role));
+            if (!hasRealmRole) {
+                throw new common_1.UnauthorizedException('Roles insuficientes');
+            }
+        }
+        if (options.clientRoles) {
+            const userClientRoles = validationResult.decoded?.resource_access || {};
+            for (const [clientId, requiredRoles] of Object.entries(options.clientRoles)) {
+                const userRoles = userClientRoles[clientId]?.roles || [];
+                const hasClientRole = options.requireAllRoles
+                    ? requiredRoles.every((role) => userRoles.includes(role))
+                    : requiredRoles.some((role) => userRoles.includes(role));
+                if (!hasClientRole) {
+                    throw new common_1.UnauthorizedException(`Roles insuficientes para el cliente ${clientId}`);
+                }
+            }
+        }
+        return true;
+    }
+};
+exports.KeycloakAuthGuard = KeycloakAuthGuard;
+exports.KeycloakAuthGuard = KeycloakAuthGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [core_1.Reflector,
+        keycloak_auth_service_1.KeycloakAuthService])
+], KeycloakAuthGuard);
+//# sourceMappingURL=keycloak-auth.guard.js.map

package/dist/guards/keycloak-auth.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-auth.guard.js","sourceRoot":"","sources":["../../src/guards/keycloak-auth.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAAkG;AAClG,uCAAyC;AACzC,oEAA+D;AASlD,QAAA,iBAAiB,GAAG,eAAe,CAAC;AAE1C,MAAM,YAAY,GAAG,CAAC,UAA+B,EAAE,EAAE,EAAE;IAC9D,OAAO,CAAC,MAAW,EAAE,WAAmB,EAAE,UAA8B,EAAE,EAAE;QACxE,OAAO,CAAC,cAAc,CAAC,yBAAiB,EAAE,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;QACrE,OAAO,UAAU,CAAC;IACtB,CAAC,CAAC;AACN,CAAC,CAAC;AALW,QAAA,YAAY,gBAKvB;AAGK,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;IAC1B,YACY,SAAoB,EACpB,eAAoC;QADpC,cAAS,GAAT,SAAS,CAAW;QACpB,oBAAe,GAAf,eAAe,CAAqB;IAC7C,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,OAAyB;QACvC,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QACpD,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAsB,yBAAiB,EAAE;YACrF,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACrB,CAAC,CAAC;QAGH,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QAGjD,IAAI,OAAO,EAAE,QAAQ,IAAI,CAAC,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YAC1E,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,8BAAqB,CAAC,iCAAiC,CAAC,CAAC;QACvE,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAGtC,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QACzE,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,CAAC;YAC1B,MAAM,IAAI,8BAAqB,CAAC,gBAAgB,CAAC,KAAK,IAAI,gBAAgB,CAAC,CAAC;QAChF,CAAC;QAGD,OAAO,CAAC,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC;QAGxC,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;YACvD,OAAO,IAAI,CAAC;QAChB,CAAC;QAGD,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,EAAE,YAAY,EAAE,KAAK,IAAI,EAAE,CAAC;YACtE,MAAM,YAAY,GAAG,OAAO,CAAC,eAAe;gBACxC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBACzD,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YAE7D,IAAI,CAAC,YAAY,EAAE,CAAC;gBAChB,MAAM,IAAI,8BAAqB,CAAC,qBAAqB,CAAC,CAAC;YAC3D,CAAC;QACL,CAAC;QAGD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,eAAe,GAAG,gBAAgB,CAAC,OAAO,EAAE,eAAe,IAAI,EAAE,CAAC;YAExE,KAAK,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC1E,MAAM,SAAS,GAAG,eAAe,CAAC,QAAQ,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;gBACzD,MAAM,aAAa,GAAG,OAAO,CAAC,eAAe;oBACzC,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;oBACzD,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;gBAE7D,IAAI,CAAC,aAAa,EAAE,CAAC;oBACjB,MAAM,IAAI,8BAAqB,CAAC,uCAAuC,QAAQ,EAAE,CAAC,CAAC;gBACvF,CAAC;YACL,CAAC;QACL,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC;CACJ,CAAA;AAvEY,8CAAiB;4BAAjB,iBAAiB;IAD7B,IAAA,mBAAU,GAAE;qCAGc,gBAAS;QACH,2CAAmB;GAHvC,iBAAiB,CAuE7B"}

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export { KeycloakAuthModule } from './keycloak-auth.module';
+export { KeycloakAuthService } from './keycloak-auth.service';
+export { KeycloakAuthGuard, KeycloakAuth } from './guards/keycloak-auth.guard';
+export { CurrentUser } from './decorators/current-user.decorator';
+export * from './interfaces/keycloak-config.interface';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAG5D,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAG9D,OAAO,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAG/E,OAAO,EAAE,WAAW,EAAE,MAAM,qCAAqC,CAAC;AAGlE,cAAc,wCAAwC,CAAC"}

package/dist/index.js

@@ -0,0 +1,28 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CurrentUser = exports.KeycloakAuth = exports.KeycloakAuthGuard = exports.KeycloakAuthService = exports.KeycloakAuthModule = void 0;
+var keycloak_auth_module_1 = require("./keycloak-auth.module");
+Object.defineProperty(exports, "KeycloakAuthModule", { enumerable: true, get: function () { return keycloak_auth_module_1.KeycloakAuthModule; } });
+var keycloak_auth_service_1 = require("./keycloak-auth.service");
+Object.defineProperty(exports, "KeycloakAuthService", { enumerable: true, get: function () { return keycloak_auth_service_1.KeycloakAuthService; } });
+var keycloak_auth_guard_1 = require("./guards/keycloak-auth.guard");
+Object.defineProperty(exports, "KeycloakAuthGuard", { enumerable: true, get: function () { return keycloak_auth_guard_1.KeycloakAuthGuard; } });
+Object.defineProperty(exports, "KeycloakAuth", { enumerable: true, get: function () { return keycloak_auth_guard_1.KeycloakAuth; } });
+var current_user_decorator_1 = require("./decorators/current-user.decorator");
+Object.defineProperty(exports, "CurrentUser", { enumerable: true, get: function () { return current_user_decorator_1.CurrentUser; } });
+__exportStar(require("./interfaces/keycloak-config.interface"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AACA,+DAA4D;AAAnD,0HAAA,kBAAkB,OAAA;AAG3B,iEAA8D;AAArD,4HAAA,mBAAmB,OAAA;AAG5B,oEAA+E;AAAtE,wHAAA,iBAAiB,OAAA;AAAE,mHAAA,YAAY,OAAA;AAGxC,8EAAkE;AAAzD,qHAAA,WAAW,OAAA;AAGpB,yEAAuD"}

package/dist/interfaces/keycloak-config.interface.d.ts

@@ -0,0 +1,56 @@
+export interface KeycloakConfig {
+    serverUrl: string;
+    realm: string;
+    clientId: string;
+    clientSecret?: string;
+    publicKey?: string;
+    verifyTokenAudience?: boolean;
+    verifyTokenIssuer?: boolean;
+    tokenExpirationTolerance?: number;
+}
+export interface DecodedToken {
+    sub: string;
+    iss: string;
+    aud: string | string[];
+    exp: number;
+    iat: number;
+    jti?: string;
+    azp?: string;
+    scope?: string;
+    realm_access?: {
+        roles: string[];
+    };
+    resource_access?: {
+        [clientId: string]: {
+            roles: string[];
+        };
+    };
+    preferred_username?: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    given_name?: string;
+    family_name?: string;
+}
+export interface TokenValidationResult {
+    valid: boolean;
+    decoded?: DecodedToken;
+    error?: string;
+    expired?: boolean;
+    invalidSignature?: boolean;
+    invalidAudience?: boolean;
+    invalidIssuer?: boolean;
+}
+export interface RefreshTokenResult {
+    success: boolean;
+    token?: {
+        access_token: string;
+        refresh_token?: string;
+        token_type: string;
+        expires_in: number;
+        scope?: string;
+        id_token?: string;
+    };
+    error?: string;
+}
+//# sourceMappingURL=keycloak-config.interface.d.ts.map

package/dist/interfaces/keycloak-config.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-config.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/keycloak-config.interface.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,CAAC;CACnC;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE;QACb,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;IACF,eAAe,CAAC,EAAE;QAChB,CAAC,QAAQ,EAAE,MAAM,GAAG;YAClB,KAAK,EAAE,MAAM,EAAE,CAAC;SACjB,CAAC;KACH,CAAC;IACF,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE;QACN,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,UAAU,EAAE,MAAM,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;QACnB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,CAAC;IACF,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB"}

package/dist/interfaces/keycloak-config.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=keycloak-config.interface.js.map

package/dist/interfaces/keycloak-config.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-config.interface.js","sourceRoot":"","sources":["../../src/interfaces/keycloak-config.interface.ts"],"names":[],"mappings":""}

package/dist/keycloak-auth.module.d.ts

@@ -0,0 +1,5 @@
+import { DynamicModule } from '@nestjs/common';
+export declare class KeycloakAuthModule {
+    static forRootFromEnv(): DynamicModule;
+}
+//# sourceMappingURL=keycloak-auth.module.d.ts.map

package/dist/keycloak-auth.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-auth.module.d.ts","sourceRoot":"","sources":["../src/keycloak-auth.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAU,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAMvD,qBACa,kBAAkB;IAC3B,MAAM,CAAC,cAAc,IAAI,aAAa;CAuBzC"}

package/dist/keycloak-auth.module.js

@@ -0,0 +1,44 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var KeycloakAuthModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeycloakAuthModule = void 0;
+const common_1 = require("@nestjs/common");
+const config_1 = require("@nestjs/config");
+const keycloak_auth_service_1 = require("./keycloak-auth.service");
+const keycloak_auth_guard_1 = require("./guards/keycloak-auth.guard");
+let KeycloakAuthModule = KeycloakAuthModule_1 = class KeycloakAuthModule {
+    static forRootFromEnv() {
+        return {
+            module: KeycloakAuthModule_1,
+            imports: [config_1.ConfigModule],
+            providers: [
+                {
+                    provide: 'KEYCLOAK_CONFIG',
+                    useFactory: (configService) => ({
+                        serverUrl: configService.get('KEYCLOAK_SERVER_URL', 'http://localhost:8080'),
+                        realm: configService.get('KEYCLOAK_REALM', 'my-realm'),
+                        clientId: configService.get('KEYCLOAK_CLIENT_ID', 'backend'),
+                        clientSecret: configService.get('KEYCLOAK_CLIENT_SECRET'),
+                        verifyTokenIssuer: configService.get('KEYCLOAK_VERIFY_ISSUER', 'true') === 'true',
+                        verifyTokenAudience: configService.get('KEYCLOAK_VERIFY_AUDIENCE', 'true') === 'true',
+                    }),
+                    inject: [config_1.ConfigService],
+                },
+                keycloak_auth_service_1.KeycloakAuthService,
+                keycloak_auth_guard_1.KeycloakAuthGuard,
+            ],
+            exports: [keycloak_auth_service_1.KeycloakAuthService, keycloak_auth_guard_1.KeycloakAuthGuard],
+        };
+    }
+};
+exports.KeycloakAuthModule = KeycloakAuthModule;
+exports.KeycloakAuthModule = KeycloakAuthModule = KeycloakAuthModule_1 = __decorate([
+    (0, common_1.Module)({})
+], KeycloakAuthModule);
+//# sourceMappingURL=keycloak-auth.module.js.map

package/dist/keycloak-auth.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-auth.module.js","sourceRoot":"","sources":["../src/keycloak-auth.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAAuD;AACvD,2CAA6D;AAE7D,mEAA8D;AAC9D,sEAAiE;AAG1D,IAAM,kBAAkB,0BAAxB,MAAM,kBAAkB;IAC3B,MAAM,CAAC,cAAc;QACjB,OAAO;YACH,MAAM,EAAE,oBAAkB;YAC1B,OAAO,EAAE,CAAC,qBAAY,CAAC;YACvB,SAAS,EAAE;gBACP;oBACI,OAAO,EAAE,iBAAiB;oBAC1B,UAAU,EAAE,CAAC,aAA4B,EAAkB,EAAE,CAAC,CAAC;wBAC3D,SAAS,EAAE,aAAa,CAAC,GAAG,CAAS,qBAAqB,EAAE,uBAAuB,CAAC;wBACpF,KAAK,EAAE,aAAa,CAAC,GAAG,CAAS,gBAAgB,EAAE,UAAU,CAAC;wBAC9D,QAAQ,EAAE,aAAa,CAAC,GAAG,CAAS,oBAAoB,EAAE,SAAS,CAAC;wBACpE,YAAY,EAAE,aAAa,CAAC,GAAG,CAAS,wBAAwB,CAAC;wBACjE,iBAAiB,EAAE,aAAa,CAAC,GAAG,CAAS,wBAAwB,EAAE,MAAM,CAAC,KAAK,MAAM;wBACzF,mBAAmB,EAAE,aAAa,CAAC,GAAG,CAAS,0BAA0B,EAAE,MAAM,CAAC,KAAK,MAAM;qBAChG,CAAC;oBACF,MAAM,EAAE,CAAC,sBAAa,CAAC;iBAC1B;gBACD,2CAAmB;gBACnB,uCAAiB;aACpB;YACD,OAAO,EAAE,CAAC,2CAAmB,EAAE,uCAAiB,CAAC;SACpD,CAAC;IACN,CAAC;CACJ,CAAA;AAxBY,gDAAkB;6BAAlB,kBAAkB;IAD9B,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,kBAAkB,CAwB9B"}