@pawells/nestjs-auth 1.0.0-dev.3052c75

package/build/guards/jwt-auth.guard.d.ts

@@ -0,0 +1,52 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { KeycloakTokenValidationService } from '../keycloak/services/keycloak-token-validation.service.js';
+import type { KeycloakUser, KeycloakTokenClaims } from '../keycloak/keycloak.types.js';
+/**
+ * JWT Authentication Guard
+ *
+ * Validates Keycloak-issued JWT tokens on every request using KeycloakTokenValidationService.
+ * Extracts the token from the Authorization header (Bearer scheme), validates it,
+ * and attaches the authenticated user and claims to the request object.
+ *
+ * On successful validation, attaches:
+ * - `request.user` — KeycloakUser object with identity and roles
+ * - `request.keycloakClaims` — Raw token claims for advanced use cases
+ *
+ * Respects the `@Public()` decorator — routes marked as public bypass authentication entirely.
+ *
+ * @example
+ * ```typescript
+ * @UseGuards(JwtAuthGuard)
+ * @Controller('api')
+ * export class MyController {
+ *   @Get('profile')
+ *   getProfile(@CurrentUser() user: KeycloakUser) {
+ *     // user.id, user.roles, etc.
+ *     return user;
+ *   }
+ *
+ *   @Public()
+ *   @Get('health')
+ *   health() {
+ *     // No authentication required
+ *     return { status: 'ok' };
+ *   }
+ * }
+ * ```
+ */
+export declare class JwtAuthGuard implements CanActivate {
+    private readonly reflector;
+    private readonly tokenValidation;
+    constructor(reflector: Reflector, tokenValidation: KeycloakTokenValidationService);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+declare global {
+    namespace Express {
+        interface Request {
+            user?: KeycloakUser;
+            keycloakClaims?: KeycloakTokenClaims;
+        }
+    }
+}
+//# sourceMappingURL=jwt-auth.guard.d.ts.map

package/build/guards/jwt-auth.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.guard.d.ts","sourceRoot":"","sources":["../../src/guards/jwt-auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAqC,MAAM,gBAAgB,CAAC;AAClG,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,8BAA8B,EAAE,MAAM,2DAA2D,CAAC;AAG3G,OAAO,KAAK,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AAEvF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,qBACa,YAAa,YAAW,WAAW;IAC/C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IAEtC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAiC;gBAGhE,SAAS,EAAE,SAAS,EACpB,eAAe,EAAE,8BAA8B;IAMnC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CA8CrE;AAGD,OAAO,CAAC,MAAM,CAAC;IACd,UAAU,OAAO,CAAC;QACjB,UAAU,OAAO;YAChB,IAAI,CAAC,EAAE,YAAY,CAAC;YACpB,cAAc,CAAC,EAAE,mBAAmB,CAAC;SACrC;KACD;CACD"}

package/build/guards/jwt-auth.guard.js

@@ -0,0 +1,97 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { KeycloakTokenValidationService } from '../keycloak/services/keycloak-token-validation.service.js';
+import { IS_PUBLIC_KEY } from '../decorators/auth-decorators.js';
+import { ExtractRequestFromContext } from '../decorators/context-utils.js';
+/**
+ * JWT Authentication Guard
+ *
+ * Validates Keycloak-issued JWT tokens on every request using KeycloakTokenValidationService.
+ * Extracts the token from the Authorization header (Bearer scheme), validates it,
+ * and attaches the authenticated user and claims to the request object.
+ *
+ * On successful validation, attaches:
+ * - `request.user` — KeycloakUser object with identity and roles
+ * - `request.keycloakClaims` — Raw token claims for advanced use cases
+ *
+ * Respects the `@Public()` decorator — routes marked as public bypass authentication entirely.
+ *
+ * @example
+ * ```typescript
+ * @UseGuards(JwtAuthGuard)
+ * @Controller('api')
+ * export class MyController {
+ *   @Get('profile')
+ *   getProfile(@CurrentUser() user: KeycloakUser) {
+ *     // user.id, user.roles, etc.
+ *     return user;
+ *   }
+ *
+ *   @Public()
+ *   @Get('health')
+ *   health() {
+ *     // No authentication required
+ *     return { status: 'ok' };
+ *   }
+ * }
+ * ```
+ */
+let JwtAuthGuard = class JwtAuthGuard {
+    reflector;
+    tokenValidation;
+    constructor(reflector, tokenValidation) {
+        this.reflector = reflector;
+        this.tokenValidation = tokenValidation;
+    }
+    async canActivate(context) {
+        // Check for @Public() decorator — if true, allow access without authentication
+        const isPublic = this.reflector.getAllAndOverride(IS_PUBLIC_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if (isPublic) {
+            return true;
+        }
+        // Extract request from context (supports HTTP, GraphQL, WebSocket)
+        const request = ExtractRequestFromContext(context);
+        // Extract token from Authorization header
+        const authHeader = request.headers?.authorization ?? request.headers?.Authorization;
+        if (!authHeader || typeof authHeader !== 'string') {
+            throw new UnauthorizedException('No authentication token provided');
+        }
+        // Strip "Bearer " prefix
+        const token = authHeader.replace(/^Bearer\s+/i, '');
+        if (!token) {
+            throw new UnauthorizedException('No authentication token provided');
+        }
+        // Validate token
+        const result = await this.tokenValidation.validateToken(token);
+        if (!result.valid) {
+            throw new UnauthorizedException(result.error ?? 'Invalid token');
+        }
+        // Extract user from claims and attach to request
+        if (!result.claims) {
+            throw new UnauthorizedException('Missing token claims');
+        }
+        const user = this.tokenValidation.extractUser(result.claims);
+        request.user = user;
+        request.keycloakClaims = result.claims;
+        return true;
+    }
+};
+JwtAuthGuard = __decorate([
+    Injectable(),
+    __metadata("design:paramtypes", [Reflector,
+        KeycloakTokenValidationService])
+], JwtAuthGuard);
+export { JwtAuthGuard };
+//# sourceMappingURL=jwt-auth.guard.js.map

package/build/guards/jwt-auth.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.guard.js","sourceRoot":"","sources":["../../src/guards/jwt-auth.guard.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAiC,UAAU,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAClG,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,8BAA8B,EAAE,MAAM,2DAA2D,CAAC;AAC3G,OAAO,EAAE,aAAa,EAAE,MAAM,kCAAkC,CAAC;AACjE,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAG3E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEI,IAAM,YAAY,GAAlB,MAAM,YAAY;IACP,SAAS,CAAY;IAErB,eAAe,CAAiC;IAEjE,YACC,SAAoB,EACpB,eAA+C;QAE/C,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;IACxC,CAAC;IAEM,KAAK,CAAC,WAAW,CAAC,OAAyB;QACjD,+EAA+E;QAC/E,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,aAAa,EAAE;YACzE,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SAClB,CAAC,CAAC;QAEH,IAAI,QAAQ,EAAE,CAAC;YACd,OAAO,IAAI,CAAC;QACb,CAAC;QAED,mEAAmE;QACnE,MAAM,OAAO,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;QAEnD,0CAA0C;QAC1C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,EAAE,aAAa,IAAI,OAAO,CAAC,OAAO,EAAE,aAAa,CAAC;QAEpF,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YACnD,MAAM,IAAI,qBAAqB,CAAC,kCAAkC,CAAC,CAAC;QACrE,CAAC;QAED,yBAAyB;QACzB,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QAEpD,IAAI,CAAC,KAAK,EAAE,CAAC;YACZ,MAAM,IAAI,qBAAqB,CAAC,kCAAkC,CAAC,CAAC;QACrE,CAAC;QAED,iBAAiB;QACjB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAE/D,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACnB,MAAM,IAAI,qBAAqB,CAAC,MAAM,CAAC,KAAK,IAAI,eAAe,CAAC,CAAC;QAClE,CAAC;QAED,iDAAiD;QACjD,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACpB,MAAM,IAAI,qBAAqB,CAAC,sBAAsB,CAAC,CAAC;QACzD,CAAC;QAED,MAAM,IAAI,GAAiB,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC3E,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;QACpB,OAAO,CAAC,cAAc,GAAG,MAAM,CAAC,MAA6B,CAAC;QAE9D,OAAO,IAAI,CAAC;IACb,CAAC;CACD,CAAA;AA3DY,YAAY;IADxB,UAAU,EAAE;qCAOA,SAAS;QACH,8BAA8B;GAPpC,YAAY,CA2DxB"}

package/build/guards/permission.guard.d.ts

@@ -0,0 +1,37 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+/**
+ * Permission-based Authorization Guard
+ *
+ * Authorizes access based on user permissions specified by the `@Permissions()` decorator.
+ * Uses roles-as-permissions semantics: checks that the authenticated user has at least one
+ * role whose name matches a required permission string. Permission strings are matched directly
+ * against Keycloak role names (both realm-level and client-specific roles are checked).
+ *
+ * Uses OR logic — access is granted if the user has ANY of the required permissions (i.e., if
+ * any user role name matches any required permission string).
+ * If no permissions are specified via `@Permissions()`, access is allowed by default.
+ *
+ * Throws `UnauthorizedException` if the user is not authenticated (missing from request).
+ * Throws `ForbiddenException` if the user is authenticated but lacks all required permissions.
+ *
+ * @example
+ * ```typescript
+ * @UseGuards(JwtAuthGuard, PermissionGuard)
+ * @Controller('data')
+ * export class DataController {
+ *   @Permissions('read:data', 'write:data')
+ *   @Get(':id')
+ *   getData(@Param('id') id: string) {
+ *     // User must have a role named 'read:data' OR 'write:data' (roles-as-permissions)
+ *     return {};
+ *   }
+ * }
+ * ```
+ */
+export declare class PermissionGuard implements CanActivate {
+    private readonly reflector;
+    constructor(reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean;
+}
+//# sourceMappingURL=permission.guard.d.ts.map

package/build/guards/permission.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission.guard.d.ts","sourceRoot":"","sources":["../../src/guards/permission.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,EAA6C,MAAM,gBAAgB,CAAC;AACtH,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAKzC;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,qBACa,eAAgB,YAAW,WAAW;IAClD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;gBAE1B,SAAS,EAAE,SAAS;IAIzB,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;CAyBtD"}

package/build/guards/permission.guard.js

@@ -0,0 +1,73 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Injectable, ForbiddenException, UnauthorizedException } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { ExtractRequestFromContext } from '../decorators/context-utils.js';
+import { PERMISSIONS_KEY } from '../decorators/auth-decorators.js';
+/**
+ * Permission-based Authorization Guard
+ *
+ * Authorizes access based on user permissions specified by the `@Permissions()` decorator.
+ * Uses roles-as-permissions semantics: checks that the authenticated user has at least one
+ * role whose name matches a required permission string. Permission strings are matched directly
+ * against Keycloak role names (both realm-level and client-specific roles are checked).
+ *
+ * Uses OR logic — access is granted if the user has ANY of the required permissions (i.e., if
+ * any user role name matches any required permission string).
+ * If no permissions are specified via `@Permissions()`, access is allowed by default.
+ *
+ * Throws `UnauthorizedException` if the user is not authenticated (missing from request).
+ * Throws `ForbiddenException` if the user is authenticated but lacks all required permissions.
+ *
+ * @example
+ * ```typescript
+ * @UseGuards(JwtAuthGuard, PermissionGuard)
+ * @Controller('data')
+ * export class DataController {
+ *   @Permissions('read:data', 'write:data')
+ *   @Get(':id')
+ *   getData(@Param('id') id: string) {
+ *     // User must have a role named 'read:data' OR 'write:data' (roles-as-permissions)
+ *     return {};
+ *   }
+ * }
+ * ```
+ */
+let PermissionGuard = class PermissionGuard {
+    reflector;
+    constructor(reflector) {
+        this.reflector = reflector;
+    }
+    canActivate(context) {
+        const requiredPermissions = this.reflector.getAllAndOverride(PERMISSIONS_KEY, [context.getHandler(), context.getClass()]);
+        if (!requiredPermissions || requiredPermissions.length === 0) {
+            // No permissions required, allow access
+            return true;
+        }
+        const request = ExtractRequestFromContext(context);
+        const user = request.user;
+        if (!user) {
+            throw new UnauthorizedException('User not authenticated');
+        }
+        // Check if user has any of the required permissions in realmRoles or clientRoles
+        const userRoles = [...user.realmRoles, ...user.clientRoles];
+        const hasRequiredPermission = requiredPermissions.some(permission => userRoles.includes(permission));
+        if (!hasRequiredPermission) {
+            throw new ForbiddenException('Insufficient permissions');
+        }
+        return true;
+    }
+};
+PermissionGuard = __decorate([
+    Injectable(),
+    __metadata("design:paramtypes", [Reflector])
+], PermissionGuard);
+export { PermissionGuard };
+//# sourceMappingURL=permission.guard.js.map

package/build/guards/permission.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission.guard.js","sourceRoot":"","sources":["../../src/guards/permission.guard.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAiC,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AACtH,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AAGnE;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEI,IAAM,eAAe,GAArB,MAAM,eAAe;IACV,SAAS,CAAY;IAEtC,YAAY,SAAoB;QAC/B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC5B,CAAC;IAEM,WAAW,CAAC,OAAyB;QAC3C,MAAM,mBAAmB,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAW,eAAe,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QAEpI,IAAI,CAAC,mBAAmB,IAAI,mBAAmB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9D,wCAAwC;YACxC,OAAO,IAAI,CAAC;QACb,CAAC;QAED,MAAM,OAAO,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAgC,CAAC;QAEtD,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,MAAM,IAAI,qBAAqB,CAAC,wBAAwB,CAAC,CAAC;QAC3D,CAAC;QAED,iFAAiF;QACjF,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;QAC5D,MAAM,qBAAqB,GAAG,mBAAmB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;QAErG,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC5B,MAAM,IAAI,kBAAkB,CAAC,0BAA0B,CAAC,CAAC;QAC1D,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;CACD,CAAA;AAhCY,eAAe;IAD3B,UAAU,EAAE;qCAIW,SAAS;GAHpB,eAAe,CAgC3B"}

package/build/guards/role.guard.d.ts

@@ -0,0 +1,33 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+/**
+ * Role-based Authorization Guard
+ *
+ * Authorizes access based on user roles specified by the `@Roles()` decorator.
+ * Checks both realm-level roles (`user.realmRoles`) and client-specific roles (`user.clientRoles`).
+ *
+ * Uses OR logic — access is granted if the user has ANY of the required roles.
+ * If no roles are specified via `@Roles()`, access is allowed by default.
+ *
+ * Throws `ForbiddenException` if the user lacks all required roles.
+ *
+ * @example
+ * ```typescript
+ * @UseGuards(JwtAuthGuard, RoleGuard)
+ * @Controller('admin')
+ * export class AdminController {
+ *   @Roles('admin', 'moderator')
+ *   @Get('users')
+ *   listUsers() {
+ *     // User must have 'admin' OR 'moderator' role
+ *     return [];
+ *   }
+ * }
+ * ```
+ */
+export declare class RoleGuard implements CanActivate {
+    private readonly reflector;
+    constructor(reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean;
+}
+//# sourceMappingURL=role.guard.d.ts.map

package/build/guards/role.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role.guard.d.ts","sourceRoot":"","sources":["../../src/guards/role.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,EAA6C,MAAM,gBAAgB,CAAC;AACtH,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAKzC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBACa,SAAU,YAAW,WAAW;IAC5C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;gBAE1B,SAAS,EAAE,SAAS;IAIzB,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;CAyBtD"}

package/build/guards/role.guard.js

@@ -0,0 +1,69 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Injectable, ForbiddenException, UnauthorizedException } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { ExtractRequestFromContext } from '../decorators/context-utils.js';
+import { ROLES_KEY } from '../decorators/auth-decorators.js';
+/**
+ * Role-based Authorization Guard
+ *
+ * Authorizes access based on user roles specified by the `@Roles()` decorator.
+ * Checks both realm-level roles (`user.realmRoles`) and client-specific roles (`user.clientRoles`).
+ *
+ * Uses OR logic — access is granted if the user has ANY of the required roles.
+ * If no roles are specified via `@Roles()`, access is allowed by default.
+ *
+ * Throws `ForbiddenException` if the user lacks all required roles.
+ *
+ * @example
+ * ```typescript
+ * @UseGuards(JwtAuthGuard, RoleGuard)
+ * @Controller('admin')
+ * export class AdminController {
+ *   @Roles('admin', 'moderator')
+ *   @Get('users')
+ *   listUsers() {
+ *     // User must have 'admin' OR 'moderator' role
+ *     return [];
+ *   }
+ * }
+ * ```
+ */
+let RoleGuard = class RoleGuard {
+    reflector;
+    constructor(reflector) {
+        this.reflector = reflector;
+    }
+    canActivate(context) {
+        const requiredRoles = this.reflector.getAllAndOverride(ROLES_KEY, [context.getHandler(), context.getClass()]);
+        if (!requiredRoles || requiredRoles.length === 0) {
+            // No roles required, allow access
+            return true;
+        }
+        const request = ExtractRequestFromContext(context);
+        const user = request.user;
+        if (!user) {
+            throw new UnauthorizedException('User not authenticated');
+        }
+        // Check if user has any of the required roles in realmRoles or clientRoles
+        const userRoles = [...user.realmRoles, ...user.clientRoles];
+        const hasRequiredRole = requiredRoles.some(role => userRoles.includes(role));
+        if (!hasRequiredRole) {
+            throw new ForbiddenException('Insufficient permissions');
+        }
+        return true;
+    }
+};
+RoleGuard = __decorate([
+    Injectable(),
+    __metadata("design:paramtypes", [Reflector])
+], RoleGuard);
+export { RoleGuard };
+//# sourceMappingURL=role.guard.js.map

package/build/guards/role.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role.guard.js","sourceRoot":"","sources":["../../src/guards/role.guard.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAiC,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AACtH,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,SAAS,EAAE,MAAM,kCAAkC,CAAC;AAG7D;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEI,IAAM,SAAS,GAAf,MAAM,SAAS;IACJ,SAAS,CAAY;IAEtC,YAAY,SAAoB;QAC/B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC5B,CAAC;IAEM,WAAW,CAAC,OAAyB;QAC3C,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAW,SAAS,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QAExH,IAAI,CAAC,aAAa,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClD,kCAAkC;YAClC,OAAO,IAAI,CAAC;QACb,CAAC;QAED,MAAM,OAAO,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAgC,CAAC;QAEtD,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,MAAM,IAAI,qBAAqB,CAAC,wBAAwB,CAAC,CAAC;QAC3D,CAAC;QAED,2EAA2E;QAC3E,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;QAC5D,MAAM,eAAe,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QAE7E,IAAI,CAAC,eAAe,EAAE,CAAC;YACtB,MAAM,IAAI,kBAAkB,CAAC,0BAA0B,CAAC,CAAC;QAC1D,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;CACD,CAAA;AAhCY,SAAS;IADrB,UAAU,EAAE;qCAIW,SAAS;GAHpB,SAAS,CAgCrB"}

package/build/index.d.ts

@@ -0,0 +1,92 @@
+/**
+ * @packageDocumentation
+ *
+ * Keycloak integration library for NestJS resource servers. Provides token validation,
+ * role and permission guards, authentication decorators, and a typed Admin REST API client.
+ *
+ * ## Key Features
+ *
+ * - **Token Validation**: Online introspection (default) detects revoked tokens immediately;
+ *   offline JWKS mode validates signatures locally without network hops
+ * - **Guards & Decorators**: `@Public()`, `@Auth()`, `@Roles()`, `@Permissions()`, `@CurrentUser()`,
+ *   and `@AuthToken()` for HTTP routes; GraphQL-specific variants for resolvers
+ * - **Admin REST API Client**: Typed service for user management, role/group administration,
+ *   federated identity linking, and event polling
+ * - **Security Defaults**: Introspection by default, CORS localhost validation, path normalization
+ *   for metrics cardinality control
+ *
+ * ## Quick Start
+ *
+ * ```typescript
+ * import { Module } from '@nestjs/common';
+ * import { APP_GUARD } from '@nestjs/core';
+ * import { ConfigModule, ConfigService } from '@nestjs/config';
+ * import { KeycloakModule, JwtAuthGuard } from '@pawells/nestjs-auth';
+ *
+ * @Module({
+ *   imports: [
+ *     KeycloakModule.forRootAsync({
+ *       imports: [ConfigModule],
+ *       inject: [ConfigService],
+ *       useFactory: (config: ConfigService) => ({
+ *         authServerUrl: config.get('KEYCLOAK_AUTH_SERVER_URL'),
+ *         realm: config.get('KEYCLOAK_REALM'),
+ *         clientId: config.get('KEYCLOAK_CLIENT_ID'),
+ *         clientSecret: config.get('KEYCLOAK_CLIENT_SECRET'),
+ *       }),
+ *     }),
+ *   ],
+ *   providers: [
+ *     {
+ *       provide: APP_GUARD,
+ *       useClass: JwtAuthGuard,
+ *     },
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ *
+ * @see {@link KeycloakModule} for token validation configuration
+ * @see {@link KeycloakAdminModule} for admin API setup
+ * @see {@link JwtAuthGuard} for authentication enforcement
+ */
+export { KeycloakModule } from './keycloak/keycloak.module.js';
+export { KeycloakTokenValidationService } from './keycloak/services/keycloak-token-validation.service.js';
+export { JwksCacheService } from './keycloak/services/jwks-cache.service.js';
+export type { TokenValidationResult } from './keycloak/services/keycloak-token-validation.service.js';
+export type { KeycloakModuleOptions, KeycloakTokenClaims, KeycloakUser } from './keycloak/keycloak.types.js';
+export type { KeycloakModuleAsyncOptions } from './keycloak/keycloak.interfaces.js';
+export { KEYCLOAK_MODULE_OPTIONS } from './keycloak/keycloak.constants.js';
+export { KeycloakAdminModule } from './admin/keycloak-admin.module.js';
+export { KeycloakAdminService } from './admin/services/keycloak-admin.service.js';
+export { KeycloakHealthIndicator } from './admin/health/keycloak.health.js';
+export type { KeycloakAdminConfig } from './admin/config/keycloak.config.js';
+export type { KeycloakAdminModuleAsyncOptions } from './admin/keycloak-admin.interfaces.js';
+export { KeycloakAdminDefaults, validateKeycloakAdminConfig } from './admin/config/keycloak.defaults.js';
+export { KEYCLOAK_ADMIN_CONFIG_TOKEN } from './admin/keycloak.constants.js';
+export type { KeycloakAdminScope } from './admin/permissions/keycloak-admin.permissions.js';
+export { KEYCLOAK_DEFAULT_SCOPES, KEYCLOAK_ALL_SCOPES, KeycloakAdminScopeError } from './admin/permissions/keycloak-admin.permissions.js';
+export { KeycloakClient } from './admin/client/client.js';
+export { BaseService } from './admin/client/services/base-service.js';
+export { RealmService } from './admin/client/services/realm.service.js';
+export { UserService } from './admin/client/services/user.service.js';
+export { ClientService } from './admin/client/services/client.service.js';
+export { RoleService } from './admin/client/services/role.service.js';
+export { GroupService } from './admin/client/services/group.service.js';
+export { IdentityProviderService } from './admin/client/services/identity-provider.service.js';
+export { AuthenticationService } from './admin/client/services/authentication.service.js';
+export { FederatedIdentityService } from './admin/client/services/federated-identity.service.js';
+export type { FederatedIdentityLink } from './admin/client/services/federated-identity.service.js';
+export { EventService } from './admin/client/services/event.service.js';
+export type { KeycloakClientConfig } from './admin/client/types/config.types.js';
+export type { AdminEventQuery, AccessEventQuery, KeycloakAdminEvent, KeycloakAccessEvent } from './admin/client/types/event.types.js';
+export { KeycloakClientError, AuthenticationError, AuthorizationError, NotFoundError, ValidationError, RateLimitError, TimeoutError, NetworkError, ConflictError, } from './admin/client/errors/base-error.js';
+export { withRetry } from './admin/client/utils/retry.js';
+export { JwtAuthGuard } from './guards/jwt-auth.guard.js';
+export { RoleGuard } from './guards/role.guard.js';
+export { PermissionGuard } from './guards/permission.guard.js';
+export { Auth, Public, Roles, Permissions, CurrentUser, AuthToken, IS_PUBLIC_KEY, ROLES_KEY, PERMISSIONS_KEY, detectContextType, extractRequestFromContext, extractUserFromContext, extractAuthTokenFromContext, } from './decorators/auth-decorators.js';
+export type { ContextOptions } from './decorators/auth-decorators.js';
+export { GraphQLPublic, GraphQLAuth, GraphQLRoles, GraphQLCurrentUser, GraphQLAuthToken, GraphQLContextParam, GraphQLUser, } from './decorators/graphql-auth-decorators.js';
+export { ExtractRequestFromContext, ExtractUserFromContext, ExtractAuthTokenFromContext, DetectContextType } from './decorators/context-utils.js';
+//# sourceMappingURL=index.d.ts.map

package/build/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;AAKH,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC/D,OAAO,EAAE,8BAA8B,EAAE,MAAM,0DAA0D,CAAC;AAC1G,OAAO,EAAE,gBAAgB,EAAE,MAAM,2CAA2C,CAAC;AAC7E,YAAY,EAAE,qBAAqB,EAAE,MAAM,0DAA0D,CAAC;AACtG,YAAY,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC7G,YAAY,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AACpF,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAK3E,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,4CAA4C,CAAC;AAClF,OAAO,EAAE,uBAAuB,EAAE,MAAM,mCAAmC,CAAC;AAC5E,YAAY,EAAE,mBAAmB,EAAE,MAAM,mCAAmC,CAAC;AAC7E,YAAY,EAAE,+BAA+B,EAAE,MAAM,sCAAsC,CAAC;AAC5F,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,MAAM,qCAAqC,CAAC;AACzG,OAAO,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAG5E,YAAY,EAAE,kBAAkB,EAAE,MAAM,mDAAmD,CAAC;AAC5F,OAAO,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,mDAAmD,CAAC;AAG1I,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAG1D,OAAO,EAAE,WAAW,EAAE,MAAM,yCAAyC,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,0CAA0C,CAAC;AACxE,OAAO,EAAE,WAAW,EAAE,MAAM,yCAAyC,CAAC;AACtE,OAAO,EAAE,aAAa,EAAE,MAAM,2CAA2C,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,yCAAyC,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,0CAA0C,CAAC;AACxE,OAAO,EAAE,uBAAuB,EAAE,MAAM,sDAAsD,CAAC;AAC/F,OAAO,EAAE,qBAAqB,EAAE,MAAM,mDAAmD,CAAC;AAC1F,OAAO,EAAE,wBAAwB,EAAE,MAAM,uDAAuD,CAAC;AACjG,YAAY,EAAE,qBAAqB,EAAE,MAAM,uDAAuD,CAAC;AACnG,OAAO,EAAE,YAAY,EAAE,MAAM,0CAA0C,CAAC;AAGxE,YAAY,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AACjF,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,qCAAqC,CAAC;AAGtI,OAAO,EACN,mBAAmB,EACnB,mBAAmB,EACnB,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,aAAa,GACb,MAAM,qCAAqC,CAAC;AAG7C,OAAO,EAAE,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAK1D,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAK/D,OAAO,EACN,IAAI,EACJ,MAAM,EACN,KAAK,EACL,WAAW,EACX,WAAW,EACX,SAAS,EACT,aAAa,EACb,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,yBAAyB,EACzB,sBAAsB,EACtB,2BAA2B,GAC3B,MAAM,iCAAiC,CAAC;AAEzC,YAAY,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AAEtE,OAAO,EACN,aAAa,EACb,WAAW,EACX,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,mBAAmB,EACnB,WAAW,GACX,MAAM,yCAAyC,CAAC;AAEjD,OAAO,EAAE,yBAAyB,EAAE,sBAAsB,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC"}

package/build/index.js

@@ -0,0 +1,98 @@
+/**
+ * @packageDocumentation
+ *
+ * Keycloak integration library for NestJS resource servers. Provides token validation,
+ * role and permission guards, authentication decorators, and a typed Admin REST API client.
+ *
+ * ## Key Features
+ *
+ * - **Token Validation**: Online introspection (default) detects revoked tokens immediately;
+ *   offline JWKS mode validates signatures locally without network hops
+ * - **Guards & Decorators**: `@Public()`, `@Auth()`, `@Roles()`, `@Permissions()`, `@CurrentUser()`,
+ *   and `@AuthToken()` for HTTP routes; GraphQL-specific variants for resolvers
+ * - **Admin REST API Client**: Typed service for user management, role/group administration,
+ *   federated identity linking, and event polling
+ * - **Security Defaults**: Introspection by default, CORS localhost validation, path normalization
+ *   for metrics cardinality control
+ *
+ * ## Quick Start
+ *
+ * ```typescript
+ * import { Module } from '@nestjs/common';
+ * import { APP_GUARD } from '@nestjs/core';
+ * import { ConfigModule, ConfigService } from '@nestjs/config';
+ * import { KeycloakModule, JwtAuthGuard } from '@pawells/nestjs-auth';
+ *
+ * @Module({
+ *   imports: [
+ *     KeycloakModule.forRootAsync({
+ *       imports: [ConfigModule],
+ *       inject: [ConfigService],
+ *       useFactory: (config: ConfigService) => ({
+ *         authServerUrl: config.get('KEYCLOAK_AUTH_SERVER_URL'),
+ *         realm: config.get('KEYCLOAK_REALM'),
+ *         clientId: config.get('KEYCLOAK_CLIENT_ID'),
+ *         clientSecret: config.get('KEYCLOAK_CLIENT_SECRET'),
+ *       }),
+ *     }),
+ *   ],
+ *   providers: [
+ *     {
+ *       provide: APP_GUARD,
+ *       useClass: JwtAuthGuard,
+ *     },
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ *
+ * @see {@link KeycloakModule} for token validation configuration
+ * @see {@link KeycloakAdminModule} for admin API setup
+ * @see {@link JwtAuthGuard} for authentication enforcement
+ */
+// ============================================================================
+// Keycloak Module — Token Validation and JWT Authentication
+// ============================================================================
+export { KeycloakModule } from './keycloak/keycloak.module.js';
+export { KeycloakTokenValidationService } from './keycloak/services/keycloak-token-validation.service.js';
+export { JwksCacheService } from './keycloak/services/jwks-cache.service.js';
+export { KEYCLOAK_MODULE_OPTIONS } from './keycloak/keycloak.constants.js';
+// ============================================================================
+// Keycloak Admin Module — Admin REST API
+// ============================================================================
+export { KeycloakAdminModule } from './admin/keycloak-admin.module.js';
+export { KeycloakAdminService } from './admin/services/keycloak-admin.service.js';
+export { KeycloakHealthIndicator } from './admin/health/keycloak.health.js';
+export { KeycloakAdminDefaults, validateKeycloakAdminConfig } from './admin/config/keycloak.defaults.js';
+export { KEYCLOAK_ADMIN_CONFIG_TOKEN } from './admin/keycloak.constants.js';
+export { KEYCLOAK_DEFAULT_SCOPES, KEYCLOAK_ALL_SCOPES, KeycloakAdminScopeError } from './admin/permissions/keycloak-admin.permissions.js';
+// Keycloak Admin Client
+export { KeycloakClient } from './admin/client/client.js';
+// Keycloak Admin Services
+export { BaseService } from './admin/client/services/base-service.js';
+export { RealmService } from './admin/client/services/realm.service.js';
+export { UserService } from './admin/client/services/user.service.js';
+export { ClientService } from './admin/client/services/client.service.js';
+export { RoleService } from './admin/client/services/role.service.js';
+export { GroupService } from './admin/client/services/group.service.js';
+export { IdentityProviderService } from './admin/client/services/identity-provider.service.js';
+export { AuthenticationService } from './admin/client/services/authentication.service.js';
+export { FederatedIdentityService } from './admin/client/services/federated-identity.service.js';
+export { EventService } from './admin/client/services/event.service.js';
+// Keycloak Admin Errors
+export { KeycloakClientError, AuthenticationError, AuthorizationError, NotFoundError, ValidationError, RateLimitError, TimeoutError, NetworkError, ConflictError, } from './admin/client/errors/base-error.js';
+// Keycloak Admin Utils
+export { withRetry } from './admin/client/utils/retry.js';
+// ============================================================================
+// Guards — Authorization and JWT
+// ============================================================================
+export { JwtAuthGuard } from './guards/jwt-auth.guard.js';
+export { RoleGuard } from './guards/role.guard.js';
+export { PermissionGuard } from './guards/permission.guard.js';
+// ============================================================================
+// Decorators — Auth Context and Metadata
+// ============================================================================
+export { Auth, Public, Roles, Permissions, CurrentUser, AuthToken, IS_PUBLIC_KEY, ROLES_KEY, PERMISSIONS_KEY, detectContextType, extractRequestFromContext, extractUserFromContext, extractAuthTokenFromContext, } from './decorators/auth-decorators.js';
+export { GraphQLPublic, GraphQLAuth, GraphQLRoles, GraphQLCurrentUser, GraphQLAuthToken, GraphQLContextParam, GraphQLUser, } from './decorators/graphql-auth-decorators.js';
+export { ExtractRequestFromContext, ExtractUserFromContext, ExtractAuthTokenFromContext, DetectContextType } from './decorators/context-utils.js';
+//# sourceMappingURL=index.js.map

package/build/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;AAEH,+EAA+E;AAC/E,4DAA4D;AAC5D,+EAA+E;AAC/E,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC/D,OAAO,EAAE,8BAA8B,EAAE,MAAM,0DAA0D,CAAC;AAC1G,OAAO,EAAE,gBAAgB,EAAE,MAAM,2CAA2C,CAAC;AAI7E,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAE3E,+EAA+E;AAC/E,yCAAyC;AACzC,+EAA+E;AAC/E,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,4CAA4C,CAAC;AAClF,OAAO,EAAE,uBAAuB,EAAE,MAAM,mCAAmC,CAAC;AAG5E,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,MAAM,qCAAqC,CAAC;AACzG,OAAO,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAI5E,OAAO,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,mDAAmD,CAAC;AAE1I,wBAAwB;AACxB,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE1D,0BAA0B;AAC1B,OAAO,EAAE,WAAW,EAAE,MAAM,yCAAyC,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,0CAA0C,CAAC;AACxE,OAAO,EAAE,WAAW,EAAE,MAAM,yCAAyC,CAAC;AACtE,OAAO,EAAE,aAAa,EAAE,MAAM,2CAA2C,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,yCAAyC,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,0CAA0C,CAAC;AACxE,OAAO,EAAE,uBAAuB,EAAE,MAAM,sDAAsD,CAAC;AAC/F,OAAO,EAAE,qBAAqB,EAAE,MAAM,mDAAmD,CAAC;AAC1F,OAAO,EAAE,wBAAwB,EAAE,MAAM,uDAAuD,CAAC;AAEjG,OAAO,EAAE,YAAY,EAAE,MAAM,0CAA0C,CAAC;AAMxE,wBAAwB;AACxB,OAAO,EACN,mBAAmB,EACnB,mBAAmB,EACnB,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,aAAa,GACb,MAAM,qCAAqC,CAAC;AAE7C,uBAAuB;AACvB,OAAO,EAAE,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAE1D,+EAA+E;AAC/E,iCAAiC;AACjC,+EAA+E;AAC/E,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAE/D,+EAA+E;AAC/E,yCAAyC;AACzC,+EAA+E;AAC/E,OAAO,EACN,IAAI,EACJ,MAAM,EACN,KAAK,EACL,WAAW,EACX,WAAW,EACX,SAAS,EACT,aAAa,EACb,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,yBAAyB,EACzB,sBAAsB,EACtB,2BAA2B,GAC3B,MAAM,iCAAiC,CAAC;AAIzC,OAAO,EACN,aAAa,EACb,WAAW,EACX,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,mBAAmB,EACnB,WAAW,GACX,MAAM,yCAAyC,CAAC;AAEjD,OAAO,EAAE,yBAAyB,EAAE,sBAAsB,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC"}

package/build/keycloak/index.d.ts

@@ -0,0 +1,7 @@
+export { KeycloakModule } from './keycloak.module.js';
+export { KeycloakTokenValidationService } from './services/keycloak-token-validation.service.js';
+export { JwksCacheService } from './services/jwks-cache.service.js';
+export type { TokenValidationResult } from './services/keycloak-token-validation.service.js';
+export type { KeycloakModuleOptions, KeycloakTokenClaims, KeycloakUser } from './keycloak.types.js';
+export { KEYCLOAK_MODULE_OPTIONS } from './keycloak.constants.js';
+//# sourceMappingURL=index.d.ts.map

package/build/keycloak/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/keycloak/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,8BAA8B,EAAE,MAAM,iDAAiD,CAAC;AACjG,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACpE,YAAY,EAAE,qBAAqB,EAAE,MAAM,iDAAiD,CAAC;AAC7F,YAAY,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACpG,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC"}

package/build/keycloak/index.js

@@ -0,0 +1,5 @@
+export { KeycloakModule } from './keycloak.module.js';
+export { KeycloakTokenValidationService } from './services/keycloak-token-validation.service.js';
+export { JwksCacheService } from './services/jwks-cache.service.js';
+export { KEYCLOAK_MODULE_OPTIONS } from './keycloak.constants.js';
+//# sourceMappingURL=index.js.map

package/build/keycloak/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/keycloak/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,8BAA8B,EAAE,MAAM,iDAAiD,CAAC;AACjG,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AAGpE,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC"}

package/build/keycloak/keycloak.constants.d.ts

@@ -0,0 +1,2 @@
+export declare const KEYCLOAK_MODULE_OPTIONS: unique symbol;
+//# sourceMappingURL=keycloak.constants.d.ts.map

package/build/keycloak/keycloak.constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak.constants.d.ts","sourceRoot":"","sources":["../../src/keycloak/keycloak.constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,uBAAuB,eAAoC,CAAC"}

package/build/keycloak/keycloak.constants.js

@@ -0,0 +1,2 @@
+export const KEYCLOAK_MODULE_OPTIONS = Symbol('KEYCLOAK_MODULE_OPTIONS');
+//# sourceMappingURL=keycloak.constants.js.map

package/build/keycloak/keycloak.constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak.constants.js","sourceRoot":"","sources":["../../src/keycloak/keycloak.constants.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,uBAAuB,GAAG,MAAM,CAAC,yBAAyB,CAAC,CAAC"}