@pawells/nestjs-auth 1.0.0-dev.3052c75

package/build/keycloak/services/keycloak-token-validation.service.js

@@ -0,0 +1,243 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var KeycloakTokenValidationService_1;
+import { Injectable, Inject, Optional } from '@nestjs/common';
+import { JwtService } from '@nestjs/jwt';
+import { AppLogger, getErrorMessage, escapeNewlines } from '@pawells/nestjs-shared/common';
+import { KEYCLOAK_MODULE_OPTIONS } from '../keycloak.constants.js';
+import { JwksCacheService } from './jwks-cache.service.js';
+const MS_PER_SECOND = 1000;
+/**
+ * Keycloak Token Validation Service
+ *
+ * Validates JWT tokens issued by Keycloak in two modes:
+ * - **Online mode (default)**: Calls Keycloak's token introspection endpoint to validate the token
+ *   (requires real-time network access to Keycloak)
+ * - **Offline mode**: Validates JWTs locally using JWKS (no network call; suitable for high-traffic scenarios)
+ *
+ * After successful validation, extracts user identity and roles from token claims.
+ *
+ * @example
+ * ```typescript
+ * // Online mode validation
+ * const result = await this.validationService.validateToken(token);
+ * if (result.valid) {
+ *   const user = this.validationService.extractUser(result.claims!);
+ * }
+ *
+ * // Offline mode uses JWKS-based verification (faster, no network call)
+ * ```
+ */
+let KeycloakTokenValidationService = KeycloakTokenValidationService_1 = class KeycloakTokenValidationService {
+    logger;
+    options;
+    jwtService;
+    jwksCacheService;
+    constructor(options, jwtService, jwksCacheService) {
+        this.options = options;
+        this.jwtService = jwtService;
+        this.jwksCacheService = jwksCacheService;
+        this.initializeLogger();
+    }
+    initializeLogger() {
+        try {
+            this.logger = new AppLogger(undefined, KeycloakTokenValidationService_1.name);
+        }
+        catch {
+            // Logger unavailable, fall back to console
+        }
+    }
+    /**
+     * Validate a JWT token issued by Keycloak
+     *
+     * Routes to the appropriate validation mode based on configuration:
+     * - **Online**: Calls the Keycloak introspection endpoint (requires network access)
+     * - **Offline**: Verifies JWT signature using cached JWKS (no network call)
+     *
+     * Both modes verify token expiration and audience/issuer claims.
+     *
+     * @param token - The JWT to validate (Bearer token without "Bearer " prefix)
+     * @returns Result object with validation status and optional claims on success, or error code on failure
+     * @returns `{ valid: true, claims: KeycloakTokenClaims }` on success
+     * @returns `{ valid: false, error: string }` on failure (includes error codes like 'token_expired', 'invalid_issuer', etc.)
+     *
+     * @example
+     * ```typescript
+     * const result = await this.validateToken(jwtToken);
+     * if (result.valid && result.claims) {
+     *   const user = this.extractUser(result.claims);
+     * }
+     * ```
+     */
+    async validateToken(token) {
+        try {
+            const isOfflineMode = this.options.validationMode === 'offline';
+            if (isOfflineMode) {
+                return await this.validateTokenOffline(token);
+            }
+            return await this.validateTokenOnline(token);
+        }
+        catch (error) {
+            const errorMessage = getErrorMessage(error);
+            this.log('warn', `Token validation failed unexpectedly: ${errorMessage}`);
+            return { valid: false, error: 'validation_error' };
+        }
+    }
+    async validateTokenOnline(token) {
+        try {
+            const introspectionUrl = `${this.options.authServerUrl}/realms/${this.options.realm}/protocol/openid-connect/token/introspect`;
+            const body = new URLSearchParams({
+                token,
+                token_type_hint: 'access_token',
+                client_id: this.options.clientId,
+                client_secret: this.options.clientSecret ?? '',
+            });
+            const response = await fetch(introspectionUrl, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                },
+                body: body.toString(),
+            });
+            if (!response.ok) {
+                this.log('warn', `Introspection request failed with status ${response.status}`);
+                return { valid: false, error: 'introspection_failed' };
+            }
+            const introspectionResult = await response.json();
+            if (introspectionResult.active !== true) {
+                return { valid: false, error: 'token_inactive' };
+            }
+            // Validate audience claim — must match our clientId
+            const audiences = Array.isArray(introspectionResult.aud)
+                ? introspectionResult.aud
+                : [introspectionResult.aud].filter(Boolean);
+            if (!audiences.includes(this.options.clientId)) {
+                return { valid: false, error: 'invalid_audience' };
+            }
+            return { valid: true, claims: introspectionResult };
+        }
+        catch (error) {
+            const errorMessage = getErrorMessage(error);
+            this.log('warn', `Introspection error: ${errorMessage}`);
+            return { valid: false, error: 'introspection_failed' };
+        }
+    }
+    async validateTokenOffline(token) {
+        try {
+            if (!this.jwksCacheService) {
+                return { valid: false, error: 'offline_mode_not_available' };
+            }
+            // Decode header to get kid
+            const decoded = this.jwtService.decode(token, { complete: true });
+            if (!decoded?.header?.kid) {
+                return { valid: false, error: 'missing_kid' };
+            }
+            // Get public key from cache
+            let publicKey;
+            try {
+                publicKey = await this.jwksCacheService.getKey(decoded.header.kid);
+            }
+            catch (error) {
+                const errorMessage = getErrorMessage(error);
+                this.log('warn', `Failed to get signing key: ${errorMessage}`);
+                return { valid: false, error: 'unknown_signing_key' };
+            }
+            // Verify JWT
+            let claims;
+            try {
+                claims = this.jwtService.verify(token, {
+                    publicKey,
+                    algorithms: ['RS256'],
+                });
+            }
+            catch (error) {
+                const errorMessage = getErrorMessage(error);
+                this.log('warn', `JWT verification failed: ${errorMessage}`);
+                return { valid: false, error: 'jwt_verification_failed' };
+            }
+            // Validate claims
+            const now = Math.floor(Date.now() / MS_PER_SECOND);
+            if (claims.exp <= now) {
+                return { valid: false, error: 'token_expired' };
+            }
+            const expectedIssuer = this.options.issuer ?? this.options.authServerUrl;
+            if (claims.iss !== expectedIssuer) {
+                this.log('warn', `Issuer mismatch: expected ${escapeNewlines(expectedIssuer)}, got ${escapeNewlines(claims.iss)}`);
+                return { valid: false, error: 'invalid_issuer' };
+            }
+            const audience = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
+            if (!audience.includes(this.options.clientId)) {
+                this.log('warn', `Audience mismatch: clientId ${this.options.clientId} not in ${escapeNewlines(audience.join(','))}`);
+                return { valid: false, error: 'invalid_audience' };
+            }
+            return { valid: true, claims };
+        }
+        catch (error) {
+            const errorMessage = getErrorMessage(error);
+            this.log('warn', `Offline validation error: ${errorMessage}`);
+            return { valid: false, error: 'validation_failed' };
+        }
+    }
+    /**
+     * Extract user identity and roles from validated token claims
+     *
+     * Maps Keycloak token claims to a simplified `KeycloakUser` object.
+     * Extracts both realm-level roles (`realm_access.roles`) and client-specific roles
+     * (`resource_access[clientId].roles`).
+     *
+     * @param claims - The validated Keycloak token claims
+     * @returns User object with ID, email, username, name, and both realm and client roles
+     *
+     * @example
+     * ```typescript
+     * const user = this.extractUser(claims);
+     * // {
+     * //   id: 'user-uuid',
+     * //   email: 'user@example.com',
+     * //   username: 'john_doe',
+     * //   name: 'John Doe',
+     * //   realmRoles: ['admin', 'user'],
+     * //   clientRoles: ['read', 'write']
+     * // }
+     * ```
+     */
+    extractUser(claims) {
+        return {
+            id: claims.sub,
+            email: claims.email,
+            username: claims.preferred_username,
+            name: claims.name,
+            realmRoles: claims.realm_access?.roles ?? [],
+            clientRoles: claims.resource_access?.[this.options.clientId]?.roles ?? [],
+        };
+    }
+    log(level, message) {
+        if (this.logger) {
+            if (level === 'warn') {
+                this.logger.warn(message);
+            }
+            else {
+                this.logger.info(message);
+            }
+        }
+    }
+};
+KeycloakTokenValidationService = KeycloakTokenValidationService_1 = __decorate([
+    Injectable(),
+    __param(0, Inject(KEYCLOAK_MODULE_OPTIONS)),
+    __param(2, Optional()),
+    __metadata("design:paramtypes", [Object, JwtService,
+        JwksCacheService])
+], KeycloakTokenValidationService);
+export { KeycloakTokenValidationService };
+//# sourceMappingURL=keycloak-token-validation.service.js.map

package/build/keycloak/services/keycloak-token-validation.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-token-validation.service.js","sourceRoot":"","sources":["../../../src/keycloak/services/keycloak-token-validation.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC3F,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AAEnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAQ3D,MAAM,aAAa,GAAG,IAAI,CAAC;AAE3B;;;;;;;;;;;;;;;;;;;;GAoBG;AAEI,IAAM,8BAA8B,sCAApC,MAAM,8BAA8B;IAClC,MAAM,CAAa;IAEV,OAAO,CAAwB;IAE/B,UAAU,CAAa;IAEvB,gBAAgB,CAAoB;IAErD,YACkC,OAA8B,EAC/D,UAAsB,EACV,gBAAmC;QAE/C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CAAC;QACzC,IAAI,CAAC,gBAAgB,EAAE,CAAC;IACzB,CAAC;IAEO,gBAAgB;QACvB,IAAI,CAAC;YACJ,IAAI,CAAC,MAAM,GAAG,IAAI,SAAS,CAAC,SAAS,EAAE,gCAA8B,CAAC,IAAI,CAAC,CAAC;QAC7E,CAAC;QAAC,MAAM,CAAC;YACR,2CAA2C;QAC5C,CAAC;IACF,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;OAqBG;IACI,KAAK,CAAC,aAAa,CAAC,KAAa;QACvC,IAAI,CAAC;YACJ,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,KAAK,SAAS,CAAC;YAEhE,IAAI,aAAa,EAAE,CAAC;gBACnB,OAAO,MAAM,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC;YAC/C,CAAC;YACD,OAAO,MAAM,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAC9C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,YAAY,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;YAC5C,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,yCAAyC,YAAY,EAAE,CAAC,CAAC;YAC1E,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;QACpD,CAAC;IACF,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAAC,KAAa;QAC9C,IAAI,CAAC;YACJ,MAAM,gBAAgB,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,WAAW,IAAI,CAAC,OAAO,CAAC,KAAK,2CAA2C,CAAC;YAE/H,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;gBAChC,KAAK;gBACL,eAAe,EAAE,cAAc;gBAC/B,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,QAAQ;gBAChC,aAAa,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY,IAAI,EAAE;aAC9C,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE;gBAC9C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACR,cAAc,EAAE,mCAAmC;iBACnD;gBACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;aACrB,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAClB,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,4CAA4C,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;gBAChF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;YACxD,CAAC;YAED,MAAM,mBAAmB,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YAElD,IAAI,mBAAmB,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;gBACzC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC;YAClD,CAAC;YAED,oDAAoD;YACpD,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,mBAAmB,CAAC,GAAG,CAAC;gBACvD,CAAC,CAAC,mBAAmB,CAAC,GAAG;gBACzB,CAAC,CAAC,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC7C,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;YACpD,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,mBAA0C,EAAE,CAAC;QAC5E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,YAAY,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;YAC5C,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,wBAAwB,YAAY,EAAE,CAAC,CAAC;YACzD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;QACxD,CAAC;IACF,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAAC,KAAa;QAC/C,IAAI,CAAC;YACJ,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC5B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;YAC9D,CAAC;YAED,2BAA2B;YAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAGxD,CAAC;YAET,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;gBAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;YAC/C,CAAC;YAED,4BAA4B;YAC5B,IAAI,SAAiB,CAAC;YACtB,IAAI,CAAC;gBACJ,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACpE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBAChB,MAAM,YAAY,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;gBAC5C,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,8BAA8B,YAAY,EAAE,CAAC,CAAC;gBAC/D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;YACvD,CAAC;YAED,aAAa;YACb,IAAI,MAA2B,CAAC;YAChC,IAAI,CAAC;gBACJ,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE;oBACtC,SAAS;oBACT,UAAU,EAAE,CAAC,OAAO,CAAC;iBACrB,CAAwB,CAAC;YAC3B,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBAChB,MAAM,YAAY,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;gBAC5C,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,4BAA4B,YAAY,EAAE,CAAC,CAAC;gBAC7D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;YAC3D,CAAC;YAED,kBAAkB;YAClB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,CAAC,CAAC;YACnD,IAAI,MAAM,CAAC,GAAG,IAAI,GAAG,EAAE,CAAC;gBACvB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;YACjD,CAAC;YAED,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC;YACzE,IAAI,MAAM,CAAC,GAAG,KAAK,cAAc,EAAE,CAAC;gBACnC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,6BAA6B,cAAc,CAAC,cAAc,CAAC,SAAS,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACnH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC;YAClD,CAAC;YAED,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC/C,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,+BAA+B,IAAI,CAAC,OAAO,CAAC,QAAQ,WAAW,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC;gBACtH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;YACpD,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAChC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,YAAY,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;YAC5C,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,6BAA6B,YAAY,EAAE,CAAC,CAAC;YAC9D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACrD,CAAC;IACF,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACI,WAAW,CAAC,MAA2B;QAC7C,OAAO;YACN,EAAE,EAAE,MAAM,CAAC,GAAG;YACd,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,kBAAkB;YACnC,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,UAAU,EAAE,MAAM,CAAC,YAAY,EAAE,KAAK,IAAI,EAAE;YAC5C,WAAW,EAAE,MAAM,CAAC,eAAe,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,KAAK,IAAI,EAAE;SACzE,CAAC;IACH,CAAC;IAEO,GAAG,CAAC,KAAsB,EAAE,OAAe;QAClD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3B,CAAC;iBAAM,CAAC;gBACP,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3B,CAAC;QACF,CAAC;IACF,CAAC;CACD,CAAA;AA3NY,8BAA8B;IAD1C,UAAU,EAAE;IAWV,WAAA,MAAM,CAAC,uBAAuB,CAAC,CAAA;IAE/B,WAAA,QAAQ,EAAE,CAAA;6CADC,UAAU;QACS,gBAAgB;GAZpC,8BAA8B,CA2N1C"}

package/build/package.json

@@ -0,0 +1,72 @@
+{
+  "name": "@pawells/nestjs-auth",
+  "displayName": "@pawells/nestjs-auth",
+  "version": "1.0.0-dev.3052c75",
+  "description": "NestJS Keycloak integration library — token validation, admin API, and federated identity",
+  "type": "module",
+  "main": "./build/index.js",
+  "types": "./build/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./build/index.d.ts",
+      "import": "./build/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc --project tsconfig.build.json",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint src/",
+    "lint:fix": "eslint src/ --fix",
+    "test": "vitest run",
+    "test:coverage": "vitest --coverage",
+    "pipeline": "yarn typecheck && yarn lint && yarn test && yarn build"
+  },
+  "peerDependencies": {
+    "@nestjs/common": ">=10.0.0",
+    "@nestjs/config": ">=3.0.0",
+    "@nestjs/core": ">=10.0.0",
+    "@nestjs/graphql": ">=12.0.0",
+    "@nestjs/jwt": ">=10.0.0",
+    "@nestjs/terminus": ">=10.0.0",
+    "@nestjs/throttler": ">=5.0.0",
+    "@opentelemetry/api": ">=1.0.0",
+    "class-transformer": ">=0.5.0",
+    "class-validator": ">=0.14.0",
+    "compression": ">=1.0.0",
+    "csrf-csrf": ">=3.0.0",
+    "express": ">=4.0.0",
+    "helmet": ">=7.0.0",
+    "joi": ">=17.0.0",
+    "jwks-rsa": ">=3.0.0",
+    "prom-client": ">=15.0.0",
+    "rxjs": ">=7.0.0",
+    "xss": ">=1.0.0"
+  },
+  "peerDependenciesMeta": {
+    "jwks-rsa": {
+      "optional": true
+    }
+  },
+  "dependencies": {
+    "@pawells/nestjs-shared": "^1.0.0"
+  },
+  "engines": {
+    "node": ">=22.0.0"
+  },
+  "packageManager": "yarn@4.12.0",
+  "author": "Aaron Wells <69355326+PhillipAWells@users.noreply.github.com>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/PhillipAWells/nestjs-common"
+  },
+  "files": [
+    "build/",
+    "README.md",
+    "LICENSE"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "module": "./index.js"
+}

package/package.json

@@ -0,0 +1,93 @@
+{
+  "name": "@pawells/nestjs-auth",
+  "displayName": "@pawells/nestjs-auth",
+  "version": "1.0.0-dev.3052c75",
+  "description": "NestJS Keycloak integration library — token validation, admin API, and federated identity",
+  "type": "module",
+  "main": "./build/index.js",
+  "types": "./build/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./build/index.d.ts",
+      "import": "./build/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc --project tsconfig.build.json",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint src/",
+    "lint:fix": "eslint src/ --fix",
+    "test": "vitest run",
+    "test:coverage": "vitest --coverage",
+    "pipeline": "yarn typecheck && yarn lint && yarn test && yarn build"
+  },
+  "peerDependencies": {
+    "@nestjs/common": ">=10.0.0",
+    "@nestjs/config": ">=3.0.0",
+    "@nestjs/core": ">=10.0.0",
+    "@nestjs/graphql": ">=12.0.0",
+    "@nestjs/jwt": ">=10.0.0",
+    "@nestjs/terminus": ">=10.0.0",
+    "@nestjs/throttler": ">=5.0.0",
+    "@opentelemetry/api": ">=1.0.0",
+    "class-transformer": ">=0.5.0",
+    "class-validator": ">=0.14.0",
+    "compression": ">=1.0.0",
+    "csrf-csrf": ">=3.0.0",
+    "express": ">=4.0.0",
+    "helmet": ">=7.0.0",
+    "joi": ">=17.0.0",
+    "jwks-rsa": ">=3.0.0",
+    "prom-client": ">=15.0.0",
+    "rxjs": ">=7.0.0",
+    "xss": ">=1.0.0"
+  },
+  "peerDependenciesMeta": {
+    "jwks-rsa": {
+      "optional": true
+    }
+  },
+  "dependencies": {
+    "@pawells/nestjs-shared": "^1.0.0"
+  },
+  "devDependencies": {
+    "@nestjs/common": "^11.0.0",
+    "@nestjs/config": "^3.3.0",
+    "@nestjs/core": "^11.0.0",
+    "@nestjs/graphql": "^12.2.0",
+    "@nestjs/jwt": "^10.2.0",
+    "@nestjs/terminus": "^10.2.3",
+    "@nestjs/throttler": "^6.4.0",
+    "@opentelemetry/api": "^1.9.0",
+    "class-transformer": "^0.5.1",
+    "class-validator": "^0.14.1",
+    "compression": "^1.7.4",
+    "csrf-csrf": "^3.2.0",
+    "express": "^4.21.0",
+    "graphql": "^16.9.0",
+    "helmet": "^8.0.0",
+    "joi": "^17.13.0",
+    "prom-client": "^15.1.0",
+    "reflect-metadata": "^0.2.2",
+    "rxjs": "^7.8.0",
+    "xss": "^1.0.15"
+  },
+  "engines": {
+    "node": ">=22.0.0"
+  },
+  "packageManager": "yarn@4.12.0",
+  "author": "Aaron Wells <69355326+PhillipAWells@users.noreply.github.com>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/PhillipAWells/nestjs-common"
+  },
+  "files": [
+    "build/",
+    "README.md",
+    "LICENSE"
+  ],
+  "publishConfig": {
+    "access": "public"
+  }
+}