@monderks/nestjs-keycloak-auth 0.1.0

package/dist/keycloak-auth.service.d.ts

@@ -0,0 +1,16 @@
+import { KeycloakConfig, DecodedToken, TokenValidationResult, RefreshTokenResult } from './interfaces/keycloak-config.interface';
+export declare class KeycloakAuthService {
+    private config;
+    private readonly logger;
+    private readonly httpClient;
+    private publicKey;
+    constructor(config: KeycloakConfig);
+    validateToken(token: string): Promise<TokenValidationResult>;
+    getUserInfo(accessToken: string): Promise<DecodedToken>;
+    refreshToken(refreshToken: string): Promise<RefreshTokenResult>;
+    logout(refreshToken: string): Promise<boolean>;
+    hasRole(userId: string, roleName: string, clientId?: string): Promise<boolean>;
+    private loadPublicKey;
+    private getAdminToken;
+}
+//# sourceMappingURL=keycloak-auth.service.d.ts.map

package/dist/keycloak-auth.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-auth.service.d.ts","sourceRoot":"","sources":["../src/keycloak-auth.service.ts"],"names":[],"mappings":"AAIA,OAAO,EACH,cAAc,EACd,YAAY,EACZ,qBAAqB,EACrB,kBAAkB,EACrB,MAAM,wCAAwC,CAAC;AAEhD,qBACa,mBAAmB;IAKW,OAAO,CAAC,MAAM;IAJrD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwC;IAC/D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAgB;IAC3C,OAAO,CAAC,SAAS,CAAoB;gBAEU,MAAM,EAAE,cAAc;IA0B/D,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAwD5D,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAsBvD,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAiC/D,MAAM,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA4B9C,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;YA+BtE,aAAa;YAuBb,aAAa;CAM9B"}

package/dist/keycloak-auth.service.js

@@ -0,0 +1,231 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+var KeycloakAuthService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeycloakAuthService = void 0;
+const common_1 = require("@nestjs/common");
+const axios_1 = __importDefault(require("axios"));
+const jwt = __importStar(require("jsonwebtoken"));
+const jose_1 = require("jose");
+let KeycloakAuthService = KeycloakAuthService_1 = class KeycloakAuthService {
+    constructor(config) {
+        this.config = config;
+        this.logger = new common_1.Logger(KeycloakAuthService_1.name);
+        this.publicKey = null;
+        this.httpClient = axios_1.default.create({
+            baseURL: config.serverUrl,
+            timeout: 10000,
+        });
+        this.httpClient.interceptors.request.use((config) => {
+            this.logger.debug(`Request: ${config.method?.toUpperCase()} ${config.url}`);
+            return config;
+        });
+        this.httpClient.interceptors.response.use((response) => {
+            this.logger.debug(`Response: ${response.status} ${response.config.url}`);
+            return response;
+        }, (error) => {
+            this.logger.error(`Error: ${error.response?.status} ${error.config?.url} - ${error.message}`);
+            return Promise.reject(error);
+        });
+    }
+    async validateToken(token) {
+        try {
+            const decoded = jwt.decode(token);
+            if (!decoded) {
+                return { valid: false, error: 'Token inválido' };
+            }
+            const now = Math.floor(Date.now() / 1000);
+            const tolerance = this.config.tokenExpirationTolerance || 0;
+            if (decoded.exp && decoded.exp < now - tolerance) {
+                return { valid: false, expired: true, error: 'Token expirado' };
+            }
+            if (!this.publicKey) {
+                await this.loadPublicKey(token);
+            }
+            if (this.publicKey) {
+                try {
+                    const jwk = this.publicKey;
+                    const keyLike = await (0, jose_1.importJWK)(jwk, 'RS256');
+                    const jwtOptions = {};
+                    if (this.config.verifyTokenIssuer) {
+                        jwtOptions.issuer = `${this.config.serverUrl}/realms/${this.config.realm}`;
+                    }
+                    if (this.config.verifyTokenAudience) {
+                        jwtOptions.audience = this.config.clientId;
+                    }
+                    await (0, jose_1.jwtVerify)(token, keyLike, jwtOptions);
+                }
+                catch (verifyError) {
+                    return {
+                        valid: false,
+                        invalidSignature: true,
+                        error: 'Firma del token inválida: ' + verifyError,
+                        decoded,
+                    };
+                }
+            }
+            return { valid: true, decoded };
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Error desconocido';
+            this.logger.error(`Error validando token: ${errorMessage}`);
+            return { valid: false, error: errorMessage };
+        }
+    }
+    async getUserInfo(accessToken) {
+        try {
+            const response = await this.httpClient.get(`/realms/${this.config.realm}/protocol/openid-connect/userinfo`, {
+                headers: {
+                    Authorization: `Bearer ${accessToken}`,
+                },
+            });
+            return response.data;
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Error desconocido';
+            this.logger.error(`Error obteniendo información del usuario: ${errorMessage}`);
+            throw new Error('No se pudo obtener información del usuario');
+        }
+    }
+    async refreshToken(refreshToken) {
+        try {
+            const params = new URLSearchParams({
+                grant_type: 'refresh_token',
+                client_id: this.config.clientId,
+                refresh_token: refreshToken,
+            });
+            if (this.config.clientSecret) {
+                params.append('client_secret', this.config.clientSecret);
+            }
+            const response = await this.httpClient.post(`/realms/${this.config.realm}/protocol/openid-connect/token`, params, {
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                },
+            });
+            return { success: true, token: response.data };
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Error desconocido';
+            this.logger.error(`Error renovando token: ${errorMessage}`);
+            return { success: false, error: errorMessage };
+        }
+    }
+    async logout(refreshToken) {
+        try {
+            const params = new URLSearchParams({
+                client_id: this.config.clientId,
+                refresh_token: refreshToken,
+            });
+            if (this.config.clientSecret) {
+                params.append('client_secret', this.config.clientSecret);
+            }
+            await this.httpClient.post(`/realms/${this.config.realm}/protocol/openid-connect/logout`, params, {
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                },
+            });
+            return true;
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Error desconocido';
+            this.logger.error(`Error en logout: ${errorMessage}`);
+            return false;
+        }
+    }
+    async hasRole(userId, roleName, clientId) {
+        try {
+            const response = await this.httpClient.get(`/admin/realms/${this.config.realm}/users/${userId}/role-mappings`, {
+                headers: {
+                    Authorization: `Bearer ${await this.getAdminToken()}`,
+                },
+            });
+            const realmRoles = response.data.realmMappings || [];
+            const clientRoles = response.data.clientMappings || {};
+            if (clientId) {
+                const clientRoleMappings = clientRoles[clientId]?.mappings || [];
+                return clientRoleMappings.some((role) => role.name === roleName);
+            }
+            else {
+                return realmRoles.some((role) => role.name === roleName);
+            }
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Error desconocido';
+            this.logger.error(`Error verificando rol: ${errorMessage}`);
+            return false;
+        }
+    }
+    async loadPublicKey(token) {
+        try {
+            const response = await this.httpClient.get(`/realms/${this.config.realm}/protocol/openid-connect/certs`);
+            const keys = response.data.keys;
+            const decodedHeader = JSON.parse(Buffer.from(token.split('.')[0], 'base64').toString());
+            const kid = decodedHeader.kid;
+            const matchingKey = keys.find((k) => k.kid === kid);
+            if (!matchingKey)
+                throw new Error(`No se encontró clave con kid: ${kid}`);
+            this.publicKey = matchingKey;
+        }
+        catch (error) {
+            this.logger.error(`Error cargando clave pública: ${error instanceof Error ? error.message : 'Error desconocido'}`);
+            throw new Error('No se pudo cargar la clave pública del realm');
+        }
+    }
+    async getAdminToken() {
+        throw new Error('Credenciales de administrador no configuradas');
+    }
+};
+exports.KeycloakAuthService = KeycloakAuthService;
+exports.KeycloakAuthService = KeycloakAuthService = KeycloakAuthService_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Inject)('KEYCLOAK_CONFIG')),
+    __metadata("design:paramtypes", [Object])
+], KeycloakAuthService);
+//# sourceMappingURL=keycloak-auth.service.js.map

package/dist/keycloak-auth.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-auth.service.js","sourceRoot":"","sources":["../src/keycloak-auth.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA4D;AAC5D,kDAA6C;AAC7C,kDAAoC;AACpC,+BAAiD;AAS1C,IAAM,mBAAmB,2BAAzB,MAAM,mBAAmB;IAK5B,YAAuC,MAA8B;QAAtB,WAAM,GAAN,MAAM,CAAgB;QAJpD,WAAM,GAAG,IAAI,eAAM,CAAC,qBAAmB,CAAC,IAAI,CAAC,CAAC;QAEvD,cAAS,GAAe,IAAI,CAAC;QAGjC,IAAI,CAAC,UAAU,GAAG,eAAK,CAAC,MAAM,CAAC;YAC3B,OAAO,EAAE,MAAM,CAAC,SAAS;YACzB,OAAO,EAAE,KAAK;SACjB,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE;YAChD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,MAAM,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;YAC5E,OAAO,MAAM,CAAC;QAClB,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CACrC,CAAC,QAAQ,EAAE,EAAE;YACT,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;YACzE,OAAO,QAAQ,CAAC;QACpB,CAAC,EACD,CAAC,KAAK,EAAE,EAAE;YACN,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,KAAK,CAAC,QAAQ,EAAE,MAAM,IAAI,KAAK,CAAC,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC9F,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC,CACJ,CAAC;IACN,CAAC;IAKD,KAAK,CAAC,aAAa,CAAC,KAAa;QAC7B,IAAI,CAAC;YACD,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAiB,CAAC;YAElD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACX,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC;YACrD,CAAC;YAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,wBAAwB,IAAI,CAAC,CAAC;YAE5D,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,GAAG,SAAS,EAAE,CAAC;gBAC/C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC;YACpE,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;gBAClB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YACpC,CAAC;YAED,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjB,IAAI,CAAC;oBACD,MAAM,GAAG,GAAG,IAAI,CAAC,SAAgB,CAAC;oBAClC,MAAM,OAAO,GAAG,MAAM,IAAA,gBAAS,EAAC,GAAG,EAAE,OAAO,CAAC,CAAC;oBAE9C,MAAM,UAAU,GAAoC,EAAE,CAAC;oBAEvD,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;wBAChC,UAAU,CAAC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,WAAW,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;oBAC/E,CAAC;oBAED,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;wBAClC,UAAU,CAAC,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;oBAC/C,CAAC;oBAED,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;gBAChD,CAAC;gBAAC,OAAO,WAAW,EAAE,CAAC;oBACnB,OAAO;wBACH,KAAK,EAAE,KAAK;wBACZ,gBAAgB,EAAE,IAAI;wBACtB,KAAK,EAAE,4BAA4B,GAAG,WAAW;wBACjD,OAAO;qBACV,CAAC;gBACN,CAAC;YACL,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB,CAAC;YAClF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,YAAY,EAAE,CAAC,CAAC;YAC5D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;QACjD,CAAC;IACL,CAAC;IAKD,KAAK,CAAC,WAAW,CAAC,WAAmB;QACjC,IAAI,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CACtC,WAAW,IAAI,CAAC,MAAM,CAAC,KAAK,mCAAmC,EAC/D;gBACI,OAAO,EAAE;oBACL,aAAa,EAAE,UAAU,WAAW,EAAE;iBACzC;aACJ,CACJ,CAAC;YAEF,OAAO,QAAQ,CAAC,IAAI,CAAC;QACzB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB,CAAC;YAClF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6CAA6C,YAAY,EAAE,CAAC,CAAC;YAC/E,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAClE,CAAC;IACL,CAAC;IAKD,KAAK,CAAC,YAAY,CAAC,YAAoB;QACnC,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBAC/B,UAAU,EAAE,eAAe;gBAC3B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC/B,aAAa,EAAE,YAAY;aAC9B,CAAC,CAAC;YAEH,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBAC3B,MAAM,CAAC,MAAM,CAAC,eAAe,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC7D,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CACvC,WAAW,IAAI,CAAC,MAAM,CAAC,KAAK,gCAAgC,EAC5D,MAAM,EACN;gBACI,OAAO,EAAE;oBACL,cAAc,EAAE,mCAAmC;iBACtD;aACJ,CACJ,CAAC;YAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB,CAAC;YAClF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,YAAY,EAAE,CAAC,CAAC;YAC5D,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;QACnD,CAAC;IACL,CAAC;IAKD,KAAK,CAAC,MAAM,CAAC,YAAoB;QAC7B,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBAC/B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC/B,aAAa,EAAE,YAAY;aAC9B,CAAC,CAAC;YAEH,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBAC3B,MAAM,CAAC,MAAM,CAAC,eAAe,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC7D,CAAC;YAED,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,KAAK,iCAAiC,EAAE,MAAM,EAAE;gBAC9F,OAAO,EAAE;oBACL,cAAc,EAAE,mCAAmC;iBACtD;aACJ,CAAC,CAAC;YAEH,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB,CAAC;YAClF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,YAAY,EAAE,CAAC,CAAC;YACtD,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAKD,KAAK,CAAC,OAAO,CAAC,MAAc,EAAE,QAAgB,EAAE,QAAiB;QAC7D,IAAI,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CACtC,iBAAiB,IAAI,CAAC,MAAM,CAAC,KAAK,UAAU,MAAM,gBAAgB,EAClE;gBACI,OAAO,EAAE;oBACL,aAAa,EAAE,UAAU,MAAM,IAAI,CAAC,aAAa,EAAE,EAAE;iBACxD;aACJ,CACJ,CAAC;YAEF,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC;YACrD,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,cAAc,IAAI,EAAE,CAAC;YAEvD,IAAI,QAAQ,EAAE,CAAC;gBACX,MAAM,kBAAkB,GAAG,WAAW,CAAC,QAAQ,CAAC,EAAE,QAAQ,IAAI,EAAE,CAAC;gBACjE,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAS,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;YAC1E,CAAC;iBAAM,CAAC;gBACJ,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,IAAS,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;YAClE,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB,CAAC;YAClF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,YAAY,EAAE,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAKO,KAAK,CAAC,aAAa,CAAC,KAAa;QACrC,IAAI,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,KAAK,gCAAgC,CAAC,CAAC;YAEzG,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC;YAChC,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;YACxF,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC;YAE9B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACzD,IAAI,CAAC,WAAW;gBAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,EAAE,CAAC,CAAC;YAE1E,IAAI,CAAC,SAAS,GAAG,WAAW,CAAC;QACjC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,iCAAiC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB,EAAE,CAClG,CAAC;YACF,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QACpE,CAAC;IACL,CAAC;IAKO,KAAK,CAAC,aAAa;QAIvB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACrE,CAAC;CACJ,CAAA;AAtOY,kDAAmB;8BAAnB,mBAAmB;IAD/B,IAAA,mBAAU,GAAE;IAMI,WAAA,IAAA,eAAM,EAAC,iBAAiB,CAAC,CAAA;;GAL7B,mBAAmB,CAsO/B"}

package/examples/frontend-controlled-auth.ts

@@ -0,0 +1,96 @@
+import { Module } from '@nestjs/common';
+import { KeycloakAuthModule } from '../src';
+
+// Configuración para validación de tokens (frontend controla login)
+const keycloakConfig = {
+  serverUrl: 'http://localhost:8080',
+  realm: 'my-realm',
+  clientId: 'my-client',
+  clientSecret: 'my-client-secret', // Necesario para refresh y logout
+  verifyTokenAudience: true,
+  verifyTokenIssuer: true,
+  tokenExpirationTolerance: 30, // segundos
+};
+
+@Module({
+  imports: [
+    KeycloakAuthModule.forRoot({
+      config: keycloakConfig,
+    }),
+  ],
+})
+export class AppModule {}
+
+// Ejemplo de uso en Next.js frontend
+export const nextjsExample = `
+// En tu aplicación Next.js, el flujo sería así:
+
+// 1. Instalar keycloak-js
+// npm install keycloak-js
+
+// 2. Configurar Keycloak en el frontend
+import Keycloak from 'keycloak-js';
+
+const keycloak = new Keycloak({
+  url: 'http://localhost:8080',
+  realm: 'my-realm',
+  clientId: 'my-client'
+});
+
+// 3. Inicializar y hacer login
+await keycloak.init({
+  onLoad: 'login-required'
+});
+
+// 4. Obtener el token
+const token = keycloak.token;
+
+// 5. Enviar requests al backend con el token
+const response = await fetch('/api/auth/protected', {
+  headers: {
+    'Authorization': \`Bearer \${token}\`
+  }
+});
+
+// 6. Para validar el token en el backend
+const validateResponse = await fetch('/api/auth/validate', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json'
+  },
+  body: JSON.stringify({ token })
+});
+
+// 7. Para renovar el token
+const refreshResponse = await fetch('/api/auth/refresh', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json'
+  },
+  body: JSON.stringify({ refreshToken: keycloak.refreshToken })
+});
+
+// 8. Para logout
+const logoutResponse = await fetch('/api/auth/logout', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json'
+  },
+  body: JSON.stringify({ refreshToken: keycloak.refreshToken })
+});
+`;
+
+// Ejemplo de controlador personalizado
+export class CustomControllerExample {
+  constructor(private keycloakService: any) {}
+
+  // Endpoint que solo valida el token
+  async validateTokenFromFrontend(token: string) {
+    return await this.keycloakService.validateToken(token);
+  }
+
+  // Endpoint que obtiene información del usuario
+  async getUserFromToken(token: string) {
+    return await this.keycloakService.getUserInfo(token);
+  }
+} 

package/jest.config.js

@@ -0,0 +1,14 @@
+module.exports = {
+  moduleFileExtensions: ['js', 'json', 'ts'],
+  rootDir: 'src',
+  testRegex: '.*\\.spec\\.ts$',
+  transform: {
+    '^.+\\.(t|j)s$': 'ts-jest',
+  },
+  collectCoverageFrom: ['**/*.(t|j)s'],
+  coverageDirectory: '../coverage',
+  testEnvironment: 'node',
+  moduleNameMapping: {
+    '^@/(.*)$': '<rootDir>/$1',
+  },
+}; 

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@monderks/nestjs-keycloak-auth",
+  "version": "0.1.0",
+  "description": "Librería para validación de tokens Keycloak en NestJS (frontend controla login)",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "jest",
+    "lint": "eslint src/**/*.ts",
+    "format": "prettier --write src/**/*.ts",
+    "prepare": "npm run build",
+    "publish": "npm publish --access public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/AlejoClifton/nestjs-keycloak-auth.git"
+  },
+  "keywords": [
+    "keycloak",
+    "authentication",
+    "nestjs",
+    "jwt",
+    "token-validation",
+    "frontend-auth"
+  ],
+  "author": "Alejo Tomás Clifton Goldney",
+  "license": "MIT",
+  "dependencies": {
+    "@nestjs/common": "^11.1.3",
+    "@nestjs/config": "^4.0.2",
+    "@nestjs/core": "^11.1.3",
+    "axios": "^1.10.0",
+    "jose": "^6.0.11",
+    "jsonwebtoken": "^9.0.2"
+  },
+  "devDependencies": {
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/node": "^24.0.4",
+    "@typescript-eslint/eslint-plugin": "^8.35.0",
+    "@typescript-eslint/parser": "^8.35.0",
+    "eslint": "^9.29.0",
+    "jest": "^30.0.2",
+    "prettier": "^3.6.0",
+    "typescript": "^5.8.3"
+  },
+  "peerDependencies": {
+    "@nestjs/common": "^11.1.3",
+    "@nestjs/core": "^11.1.3"
+  }
+}

package/src/decorators/current-user.decorator.ts

@@ -0,0 +1,11 @@
+import { createParamDecorator, ExecutionContext } from '@nestjs/common';
+import { DecodedToken } from '../interfaces/keycloak-config.interface';
+
+export const CurrentUser = createParamDecorator(
+  (data: keyof DecodedToken | undefined, ctx: ExecutionContext): DecodedToken | any => {
+    const request = ctx.switchToHttp().getRequest();
+    const user = request.user;
+
+    return data ? user?.[data] : user;
+  },
+); 

package/src/guards/keycloak-auth.guard.ts

@@ -0,0 +1,93 @@
+import { Injectable, CanActivate, ExecutionContext, UnauthorizedException } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { KeycloakAuthService } from '../keycloak-auth.service';
+
+export interface KeycloakAuthOptions {
+    roles?: string[];
+    clientRoles?: Record<string, string[]>;
+    requireAllRoles?: boolean;
+    optional?: boolean; // Si es true, permite acceso sin token
+}
+
+export const KEYCLOAK_AUTH_KEY = 'keycloak_auth';
+
+export const KeycloakAuth = (options: KeycloakAuthOptions = {}) => {
+    return (target: any, propertyKey: string, descriptor: PropertyDescriptor) => {
+        Reflect.defineMetadata(KEYCLOAK_AUTH_KEY, options, descriptor.value);
+        return descriptor;
+    };
+};
+
+@Injectable()
+export class KeycloakAuthGuard implements CanActivate {
+    constructor(
+        private reflector: Reflector,
+        private keycloakService: KeycloakAuthService,
+    ) {}
+
+    async canActivate(context: ExecutionContext): Promise<boolean> {
+        const request = context.switchToHttp().getRequest();
+        const options = this.reflector.getAllAndOverride<KeycloakAuthOptions>(KEYCLOAK_AUTH_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+
+        // Extraer el token del header Authorization
+        const authHeader = request.headers.authorization;
+
+        // Si es opcional y no hay token, permitir acceso
+        if (options?.optional && (!authHeader || !authHeader.startsWith('Bearer '))) {
+            return true;
+        }
+
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            throw new UnauthorizedException('Token de autorización requerido');
+        }
+
+        const token = authHeader.substring(7);
+
+        // Validar el token
+        const validationResult = await this.keycloakService.validateToken(token);
+        if (!validationResult.valid) {
+            throw new UnauthorizedException(validationResult.error || 'Token inválido');
+        }
+
+        // Agregar el usuario decodificado a la request
+        request.user = validationResult.decoded;
+
+        // Si no hay opciones de roles, solo validar que el token sea válido
+        if (!options || (!options.roles && !options.clientRoles)) {
+            return true;
+        }
+
+        // Verificar roles del realm
+        if (options.roles && options.roles.length > 0) {
+            const userRoles = validationResult.decoded?.realm_access?.roles || [];
+            const hasRealmRole = options.requireAllRoles
+                ? options.roles.every((role) => userRoles.includes(role))
+                : options.roles.some((role) => userRoles.includes(role));
+
+            if (!hasRealmRole) {
+                throw new UnauthorizedException('Roles insuficientes');
+            }
+        }
+
+        // Verificar roles de cliente
+        if (options.clientRoles) {
+            const userClientRoles = validationResult.decoded?.resource_access || {};
+
+            for (const [clientId, requiredRoles] of Object.entries(options.clientRoles)) {
+                const userRoles = userClientRoles[clientId]?.roles || [];
+                const hasClientRole = options.requireAllRoles
+                    ? requiredRoles.every((role) => userRoles.includes(role))
+                    : requiredRoles.some((role) => userRoles.includes(role));
+
+                if (!hasClientRole) {
+                    throw new UnauthorizedException(`Roles insuficientes para el cliente ${clientId}`);
+                }
+            }
+        }
+
+        return true;
+    }
+}

package/src/index.ts

@@ -0,0 +1,14 @@
+// Módulo principal
+export { KeycloakAuthModule } from './keycloak-auth.module';
+
+// Servicio principal
+export { KeycloakAuthService } from './keycloak-auth.service';
+
+// Guard de autenticación
+export { KeycloakAuthGuard, KeycloakAuth } from './guards/keycloak-auth.guard';
+
+// Decorador para obtener usuario actual
+export { CurrentUser } from './decorators/current-user.decorator';
+
+// Interfaces y tipos
+export * from './interfaces/keycloak-config.interface';

package/src/interfaces/keycloak-config.interface.ts

@@ -0,0 +1,58 @@
+export interface KeycloakConfig {
+  serverUrl: string; // http://localhost:8080
+  realm: string; // the-name-of-the-realm
+  clientId: string; // the-name-of-the-client
+  clientSecret?: string; // opcional para clientes públicos
+  publicKey?: string; // clave pública del realm para validar JWT
+  verifyTokenAudience?: boolean; // verificar audience del token
+  verifyTokenIssuer?: boolean; // verificar issuer del token
+  tokenExpirationTolerance?: number; // tolerancia en segundos para expiración
+}
+
+export interface DecodedToken {
+  sub: string; // subject (user ID)
+  iss: string; // issuer
+  aud: string | string[]; // audience
+  exp: number; // expiration time
+  iat: number; // issued at
+  jti?: string; // JWT ID
+  azp?: string; // authorized party
+  scope?: string; // scopes
+  realm_access?: {
+    roles: string[];
+  };
+  resource_access?: {
+    [clientId: string]: {
+      roles: string[];
+    };
+  };
+  preferred_username?: string;
+  email?: string;
+  email_verified?: boolean;
+  name?: string;
+  given_name?: string;
+  family_name?: string;
+}
+
+export interface TokenValidationResult {
+  valid: boolean;
+  decoded?: DecodedToken;
+  error?: string;
+  expired?: boolean;
+  invalidSignature?: boolean;
+  invalidAudience?: boolean;
+  invalidIssuer?: boolean;
+}
+
+export interface RefreshTokenResult {
+  success: boolean;
+  token?: {
+    access_token: string;
+    refresh_token?: string;
+    token_type: string;
+    expires_in: number;
+    scope?: string;
+    id_token?: string;
+  };
+  error?: string;
+} 

package/src/keycloak-auth.module.ts

@@ -0,0 +1,32 @@
+import { Module, DynamicModule } from '@nestjs/common';
+import { ConfigModule, ConfigService } from '@nestjs/config';
+import { KeycloakConfig } from './interfaces/keycloak-config.interface';
+import { KeycloakAuthService } from './keycloak-auth.service';
+import { KeycloakAuthGuard } from './guards/keycloak-auth.guard';
+
+@Module({})
+export class KeycloakAuthModule {
+    static forRootFromEnv(): DynamicModule {
+        return {
+            module: KeycloakAuthModule,
+            imports: [ConfigModule],
+            providers: [
+                {
+                    provide: 'KEYCLOAK_CONFIG',
+                    useFactory: (configService: ConfigService): KeycloakConfig => ({
+                        serverUrl: configService.get<string>('KEYCLOAK_SERVER_URL', 'http://localhost:8080'),
+                        realm: configService.get<string>('KEYCLOAK_REALM', 'my-realm'),
+                        clientId: configService.get<string>('KEYCLOAK_CLIENT_ID', 'backend'),
+                        clientSecret: configService.get<string>('KEYCLOAK_CLIENT_SECRET'),
+                        verifyTokenIssuer: configService.get<string>('KEYCLOAK_VERIFY_ISSUER', 'true') === 'true',
+                        verifyTokenAudience: configService.get<string>('KEYCLOAK_VERIFY_AUDIENCE', 'true') === 'true',
+                    }),
+                    inject: [ConfigService],
+                },
+                KeycloakAuthService,
+                KeycloakAuthGuard,
+            ],
+            exports: [KeycloakAuthService, KeycloakAuthGuard],
+        };
+    }
+}