@pawells/nestjs-auth 1.0.0-dev.3052c75

package/build/admin/health/keycloak.health.d.ts

@@ -0,0 +1,13 @@
+import { ModuleRef } from '@nestjs/core';
+import { HealthIndicator, HealthIndicatorResult } from '@nestjs/terminus';
+import { KeycloakAdminService } from '../services/keycloak-admin.service.js';
+import type { KeycloakAdminConfig } from '../config/keycloak.config.js';
+import type { LazyModuleRefService } from '@pawells/nestjs-shared/common';
+export declare class KeycloakHealthIndicator extends HealthIndicator implements LazyModuleRefService {
+    readonly Module: ModuleRef;
+    get KeycloakAdminService(): KeycloakAdminService;
+    get Config(): KeycloakAdminConfig;
+    constructor(module: ModuleRef);
+    check(key: string): HealthIndicatorResult;
+}
+//# sourceMappingURL=keycloak.health.d.ts.map

package/build/admin/health/keycloak.health.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak.health.d.ts","sourceRoot":"","sources":["../../../src/admin/health/keycloak.health.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,oBAAoB,EAAE,MAAM,uCAAuC,CAAC;AAG7E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACxE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,qBACa,uBAAwB,SAAQ,eAAgB,YAAW,oBAAoB;IAC3F,SAAgB,MAAM,EAAE,SAAS,CAAC;IAElC,IAAW,oBAAoB,IAAI,oBAAoB,CAEtD;IAED,IAAW,MAAM,IAAI,mBAAmB,CAEvC;gBAEW,MAAM,EAAE,SAAS;IAKtB,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,qBAAqB;CAqBhD"}

package/build/admin/health/keycloak.health.js

@@ -0,0 +1,54 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Injectable } from '@nestjs/common';
+import { ModuleRef } from '@nestjs/core';
+import { HealthIndicator } from '@nestjs/terminus';
+import { KeycloakAdminService } from '../services/keycloak-admin.service.js';
+import { getErrorMessage } from '@pawells/nestjs-shared/common';
+import { KEYCLOAK_ADMIN_CONFIG_TOKEN } from '../keycloak.constants.js';
+let KeycloakHealthIndicator = class KeycloakHealthIndicator extends HealthIndicator {
+    Module;
+    get KeycloakAdminService() {
+        return this.Module.get(KeycloakAdminService);
+    }
+    get Config() {
+        return this.Module.get(KEYCLOAK_ADMIN_CONFIG_TOKEN, { strict: false });
+    }
+    constructor(module) {
+        super();
+        this.Module = module;
+    }
+    check(key) {
+        if (!this.Config.enabled) {
+            return this.getStatus(key, true, { enabled: false });
+        }
+        try {
+            const isAuthenticated = this.KeycloakAdminService.isAuthenticated();
+            const client = this.KeycloakAdminService.getClient();
+            return this.getStatus(key, isAuthenticated, {
+                authenticated: isAuthenticated,
+                baseUrl: this.Config.baseUrl,
+                realm: this.Config.realmName,
+                initialized: client !== null,
+            });
+        }
+        catch (error) {
+            return this.getStatus(key, false, {
+                error: getErrorMessage(error),
+            });
+        }
+    }
+};
+KeycloakHealthIndicator = __decorate([
+    Injectable(),
+    __metadata("design:paramtypes", [ModuleRef])
+], KeycloakHealthIndicator);
+export { KeycloakHealthIndicator };
+//# sourceMappingURL=keycloak.health.js.map

package/build/admin/health/keycloak.health.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak.health.js","sourceRoot":"","sources":["../../../src/admin/health/keycloak.health.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,eAAe,EAAyB,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,oBAAoB,EAAE,MAAM,uCAAuC,CAAC;AAC7E,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,EAAE,2BAA2B,EAAE,MAAM,0BAA0B,CAAC;AAKhE,IAAM,uBAAuB,GAA7B,MAAM,uBAAwB,SAAQ,eAAe;IAC3C,MAAM,CAAY;IAElC,IAAW,oBAAoB;QAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAC9C,CAAC;IAED,IAAW,MAAM;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,2BAA2B,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,YAAY,MAAiB;QAC5B,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACtB,CAAC;IAEM,KAAK,CAAC,GAAW;QACvB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,eAAe,GAAG,IAAI,CAAC,oBAAoB,CAAC,eAAe,EAAE,CAAC;YACpE,MAAM,MAAM,GAAG,IAAI,CAAC,oBAAoB,CAAC,SAAS,EAAE,CAAC;YAErD,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,eAAe,EAAE;gBAC3C,aAAa,EAAE,eAAe;gBAC9B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;gBAC5B,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;gBAC5B,WAAW,EAAE,MAAM,KAAK,IAAI;aAC5B,CAAC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,KAAK,EAAE;gBACjC,KAAK,EAAE,eAAe,CAAC,KAAK,CAAC;aAC7B,CAAC,CAAC;QACJ,CAAC;IACF,CAAC;CACD,CAAA;AArCY,uBAAuB;IADnC,UAAU,EAAE;qCAYQ,SAAS;GAXjB,uBAAuB,CAqCnC"}

package/build/admin/index.d.ts

@@ -0,0 +1,10 @@
+export { KeycloakAdminModule } from './keycloak-admin.module.js';
+export { KeycloakAdminService } from './services/keycloak-admin.service.js';
+export { KeycloakHealthIndicator } from './health/keycloak.health.js';
+export type { KeycloakAdminConfig } from './config/keycloak.config.js';
+export { KeycloakAdminDefaults, validateKeycloakAdminConfig } from './config/keycloak.defaults.js';
+export { KEYCLOAK_ADMIN_CONFIG_TOKEN } from './keycloak.constants.js';
+export type { KeycloakAdminScope } from './permissions/index.js';
+export { KEYCLOAK_DEFAULT_SCOPES, KEYCLOAK_ALL_SCOPES, KeycloakAdminScopeError } from './permissions/index.js';
+export * from './client/index.js';
+//# sourceMappingURL=index.d.ts.map

package/build/admin/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/admin/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAC5E,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AACtE,YAAY,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AACvE,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AACnG,OAAO,EAAE,2BAA2B,EAAE,MAAM,yBAAyB,CAAC;AAGtE,YAAY,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAG/G,cAAc,mBAAmB,CAAC"}

package/build/admin/index.js

@@ -0,0 +1,9 @@
+export { KeycloakAdminModule } from './keycloak-admin.module.js';
+export { KeycloakAdminService } from './services/keycloak-admin.service.js';
+export { KeycloakHealthIndicator } from './health/keycloak.health.js';
+export { KeycloakAdminDefaults, validateKeycloakAdminConfig } from './config/keycloak.defaults.js';
+export { KEYCLOAK_ADMIN_CONFIG_TOKEN } from './keycloak.constants.js';
+export { KEYCLOAK_DEFAULT_SCOPES, KEYCLOAK_ALL_SCOPES, KeycloakAdminScopeError } from './permissions/index.js';
+// Keycloak Client exports
+export * from './client/index.js';
+//# sourceMappingURL=index.js.map

package/build/admin/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/admin/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAC5E,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AAEtE,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AACnG,OAAO,EAAE,2BAA2B,EAAE,MAAM,yBAAyB,CAAC;AAItE,OAAO,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAE/G,0BAA0B;AAC1B,cAAc,mBAAmB,CAAC"}

package/build/admin/keycloak-admin.interfaces.d.ts

@@ -0,0 +1,45 @@
+import { ModuleMetadata } from '@nestjs/common';
+import type { InjectionToken, OptionalFactoryDependency } from '@nestjs/common';
+import type { KeycloakAdminConfig } from './config/keycloak.config.js';
+/**
+ * Async options for KeycloakAdminModule configuration.
+ *
+ * Used to defer KeycloakAdminModule setup until runtime dependencies are available.
+ * Supports factory functions that return configuration synchronously or asynchronously.
+ *
+ * @example
+ * ```typescript
+ * KeycloakAdminModule.forRootAsync({
+ *   imports: [ConfigModule],
+ *   inject: [ConfigService],
+ *   useFactory: (config: ConfigService) => ({
+ *     enabled: config.get('KEYCLOAK_ADMIN_ENABLED') === 'true',
+ *     baseUrl: config.get('KEYCLOAK_BASE_URL'),
+ *     realmName: config.get('KEYCLOAK_REALM'),
+ *     credentials: {
+ *       type: 'clientCredentials',
+ *       clientId: config.get('KEYCLOAK_ADMIN_CLIENT_ID'),
+ *       clientSecret: config.get('KEYCLOAK_ADMIN_CLIENT_SECRET'),
+ *     },
+ *   }),
+ * })
+ * ```
+ */
+export interface KeycloakAdminModuleAsyncOptions {
+    /**
+     * Modules to import for dependency resolution.
+     * Typically includes {@link ConfigModule} if reading from environment.
+     */
+    imports?: ModuleMetadata['imports'];
+    /**
+     * Factory function that returns KeycloakAdminConfig (sync or async).
+     * Receives injected dependencies as arguments.
+     */
+    useFactory: (...args: unknown[]) => Promise<KeycloakAdminConfig> | KeycloakAdminConfig;
+    /**
+     * Array of providers to inject into the factory function.
+     * Common values: {@link ConfigService}, custom services, etc.
+     */
+    inject?: Array<InjectionToken | OptionalFactoryDependency>;
+}
+//# sourceMappingURL=keycloak-admin.interfaces.d.ts.map

package/build/admin/keycloak-admin.interfaces.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-admin.interfaces.d.ts","sourceRoot":"","sources":["../../src/admin/keycloak-admin.interfaces.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,KAAK,EAAE,cAAc,EAAE,yBAAyB,EAAE,MAAM,gBAAgB,CAAC;AAChF,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAEvE;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,WAAW,+BAA+B;IAC/C;;;OAGG;IACH,OAAO,CAAC,EAAE,cAAc,CAAC,SAAS,CAAC,CAAC;IAEpC;;;OAGG;IACH,UAAU,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,mBAAmB,CAAC,GAAG,mBAAmB,CAAC;IAEvF;;;OAGG;IACH,MAAM,CAAC,EAAE,KAAK,CAAC,cAAc,GAAG,yBAAyB,CAAC,CAAC;CAC3D"}

package/build/admin/keycloak-admin.interfaces.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=keycloak-admin.interfaces.js.map

package/build/admin/keycloak-admin.interfaces.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-admin.interfaces.js","sourceRoot":"","sources":["../../src/admin/keycloak-admin.interfaces.ts"],"names":[],"mappings":""}

package/build/admin/keycloak-admin.module.d.ts

@@ -0,0 +1,23 @@
+import { DynamicModule } from '@nestjs/common';
+import type { KeycloakAdminConfig } from './config/keycloak.config.js';
+import type { KeycloakAdminModuleAsyncOptions } from './keycloak-admin.interfaces.js';
+/**
+ * Keycloak Admin module for managing users, roles, and groups.
+ * Provides Admin API client with configurable authentication methods.
+ */
+export declare class KeycloakAdminModule {
+    /**
+     * Create Keycloak admin module with static configuration
+     * @param config Partial Keycloak admin configuration
+     * @returns Dynamic module configuration
+     * @throws Error if Keycloak is enabled but credentials are missing
+     */
+    static forRoot(config?: Partial<KeycloakAdminConfig>): DynamicModule;
+    /**
+     * Create Keycloak admin module with asynchronous configuration
+     * @param options Async factory configuration
+     * @returns Dynamic module configuration
+     */
+    static forRootAsync(options: KeycloakAdminModuleAsyncOptions): DynamicModule;
+}
+//# sourceMappingURL=keycloak-admin.module.d.ts.map

package/build/admin/keycloak-admin.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-admin.module.d.ts","sourceRoot":"","sources":["../../src/admin/keycloak-admin.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAU,aAAa,EAAU,MAAM,gBAAgB,CAAC;AAK/D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAEvE,OAAO,KAAK,EAAE,+BAA+B,EAAE,MAAM,gCAAgC,CAAC;AAEtF;;;GAGG;AACH,qBAEa,mBAAmB;IAC/B;;;;;OAKG;WACW,OAAO,CAAC,MAAM,GAAE,OAAO,CAAC,mBAAmB,CAAM,GAAG,aAAa;IAiC/E;;;;OAIG;WACW,YAAY,CAAC,OAAO,EAAE,+BAA+B,GAAG,aAAa;CAmCnF"}

package/build/admin/keycloak-admin.module.js

@@ -0,0 +1,101 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var KeycloakAdminModule_1;
+import { Module, Global } from '@nestjs/common';
+import { CommonModule } from '@pawells/nestjs-shared/common';
+import { KeycloakAdminService } from './services/keycloak-admin.service.js';
+import { KeycloakHealthIndicator } from './health/keycloak.health.js';
+import { KEYCLOAK_ADMIN_CONFIG_TOKEN } from './keycloak.constants.js';
+import { KeycloakAdminDefaults, validateKeycloakAdminConfig } from './config/keycloak.defaults.js';
+/**
+ * Keycloak Admin module for managing users, roles, and groups.
+ * Provides Admin API client with configurable authentication methods.
+ */
+let KeycloakAdminModule = KeycloakAdminModule_1 = class KeycloakAdminModule {
+    /**
+     * Create Keycloak admin module with static configuration
+     * @param config Partial Keycloak admin configuration
+     * @returns Dynamic module configuration
+     * @throws Error if Keycloak is enabled but credentials are missing
+     */
+    static forRoot(config = {}) {
+        const mergedConfig = { ...KeycloakAdminDefaults, ...config };
+        validateKeycloakAdminConfig(mergedConfig);
+        // Validate that credentials are provided if Keycloak is enabled
+        if (mergedConfig.enabled && mergedConfig.credentials) {
+            const creds = mergedConfig.credentials;
+            if (creds.type === 'password') {
+                if (!creds.username || !creds.password) {
+                    throw new Error('Keycloak enabled but username/password credentials are empty. Set KEYCLOAK_USERNAME and KEYCLOAK_PASSWORD environment variables.');
+                }
+            }
+            else if (creds.type === 'clientCredentials') {
+                if (!creds.clientId || !creds.clientSecret) {
+                    throw new Error('Keycloak enabled but clientId/clientSecret credentials are empty. Set KEYCLOAK_CLIENT_ID and KEYCLOAK_CLIENT_SECRET environment variables.');
+                }
+            }
+        }
+        return {
+            module: KeycloakAdminModule_1,
+            imports: [CommonModule],
+            providers: [
+                {
+                    provide: KEYCLOAK_ADMIN_CONFIG_TOKEN,
+                    useValue: mergedConfig,
+                },
+                KeycloakAdminService,
+                KeycloakHealthIndicator,
+            ],
+            exports: [KeycloakAdminService, KeycloakHealthIndicator],
+        };
+    }
+    /**
+     * Create Keycloak admin module with asynchronous configuration
+     * @param options Async factory configuration
+     * @returns Dynamic module configuration
+     */
+    static forRootAsync(options) {
+        return {
+            module: KeycloakAdminModule_1,
+            imports: [CommonModule, ...(options.imports ?? [])],
+            providers: [
+                {
+                    provide: KEYCLOAK_ADMIN_CONFIG_TOKEN,
+                    useFactory: async (...args) => {
+                        const config = await options.useFactory(...args);
+                        validateKeycloakAdminConfig(config);
+                        // Validate that credentials are provided if Keycloak is enabled
+                        if (config.enabled && config.credentials) {
+                            const creds = config.credentials;
+                            if (creds.type === 'password') {
+                                if (!creds.username || !creds.password) {
+                                    throw new Error('Keycloak enabled but username/password credentials are empty. Set KEYCLOAK_USERNAME and KEYCLOAK_PASSWORD environment variables.');
+                                }
+                            }
+                            else if (creds.type === 'clientCredentials') {
+                                if (!creds.clientId || !creds.clientSecret) {
+                                    throw new Error('Keycloak enabled but clientId/clientSecret credentials are empty. Set KEYCLOAK_CLIENT_ID and KEYCLOAK_CLIENT_SECRET environment variables.');
+                                }
+                            }
+                        }
+                        return config;
+                    },
+                    inject: options.inject ?? [],
+                },
+                KeycloakAdminService,
+                KeycloakHealthIndicator,
+            ],
+            exports: [KeycloakAdminService, KeycloakHealthIndicator],
+        };
+    }
+};
+KeycloakAdminModule = KeycloakAdminModule_1 = __decorate([
+    Global(),
+    Module({})
+], KeycloakAdminModule);
+export { KeycloakAdminModule };
+//# sourceMappingURL=keycloak-admin.module.js.map

package/build/admin/keycloak-admin.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-admin.module.js","sourceRoot":"","sources":["../../src/admin/keycloak-admin.module.ts"],"names":[],"mappings":";;;;;;;AAAA,OAAO,EAAE,MAAM,EAAiB,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAC5E,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AACtE,OAAO,EAAE,2BAA2B,EAAE,MAAM,yBAAyB,CAAC;AAEtE,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAGnG;;;GAGG;AAGI,IAAM,mBAAmB,2BAAzB,MAAM,mBAAmB;IAC/B;;;;;OAKG;IACI,MAAM,CAAC,OAAO,CAAC,SAAuC,EAAE;QAC9D,MAAM,YAAY,GAAG,EAAE,GAAG,qBAAqB,EAAE,GAAG,MAAM,EAAE,CAAC;QAC7D,2BAA2B,CAAC,YAAY,CAAC,CAAC;QAE1C,gEAAgE;QAChE,IAAI,YAAY,CAAC,OAAO,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC;YACtD,MAAM,KAAK,GAAG,YAAY,CAAC,WAAW,CAAC;YACvC,IAAI,KAAK,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;gBAC/B,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;oBACxC,MAAM,IAAI,KAAK,CAAC,kIAAkI,CAAC,CAAC;gBACrJ,CAAC;YACF,CAAC;iBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBAC/C,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;oBAC5C,MAAM,IAAI,KAAK,CAAC,4IAA4I,CAAC,CAAC;gBAC/J,CAAC;YACF,CAAC;QACF,CAAC;QAED,OAAO;YACN,MAAM,EAAE,qBAAmB;YAC3B,OAAO,EAAE,CAAC,YAAY,CAAC;YACvB,SAAS,EAAE;gBACV;oBACC,OAAO,EAAE,2BAA2B;oBACpC,QAAQ,EAAE,YAAY;iBACtB;gBACD,oBAAoB;gBACpB,uBAAuB;aACvB;YACD,OAAO,EAAE,CAAC,oBAAoB,EAAE,uBAAuB,CAAC;SACxD,CAAC;IACH,CAAC;IAED;;;;OAIG;IACI,MAAM,CAAC,YAAY,CAAC,OAAwC;QAClE,OAAO;YACN,MAAM,EAAE,qBAAmB;YAC3B,OAAO,EAAE,CAAC,YAAY,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;YACnD,SAAS,EAAE;gBACV;oBACC,OAAO,EAAE,2BAA2B;oBACpC,UAAU,EAAE,KAAK,EAAE,GAAG,IAAe,EAAE,EAAE;wBACxC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC;wBACjD,2BAA2B,CAAC,MAAM,CAAC,CAAC;wBAEpC,gEAAgE;wBAChE,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;4BAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC;4BACjC,IAAI,KAAK,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;gCAC/B,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;oCACxC,MAAM,IAAI,KAAK,CAAC,kIAAkI,CAAC,CAAC;gCACrJ,CAAC;4BACF,CAAC;iCAAM,IAAI,KAAK,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gCAC/C,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;oCAC5C,MAAM,IAAI,KAAK,CAAC,4IAA4I,CAAC,CAAC;gCAC/J,CAAC;4BACF,CAAC;wBACF,CAAC;wBAED,OAAO,MAAM,CAAC;oBACf,CAAC;oBACD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;iBAC5B;gBACD,oBAAoB;gBACpB,uBAAuB;aACvB;YACD,OAAO,EAAE,CAAC,oBAAoB,EAAE,uBAAuB,CAAC;SACxD,CAAC;IACH,CAAC;CACD,CAAA;AAhFY,mBAAmB;IAF/B,MAAM,EAAE;IACR,MAAM,CAAC,EAAE,CAAC;GACE,mBAAmB,CAgF/B"}

package/build/admin/keycloak.constants.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Injection token for the Keycloak Admin configuration object.
+ *
+ * Use this token when manually injecting the Keycloak admin configuration
+ * (typically not required — inject {@link KeycloakAdminService} instead).
+ *
+ * @example
+ * ```typescript
+ * constructor(@Inject(KEYCLOAK_ADMIN_CONFIG_TOKEN) config: KeycloakAdminConfig) {
+ *   // Access the configuration directly
+ *   console.log(config.realmName);
+ * }
+ * ```
+ */
+export declare const KEYCLOAK_ADMIN_CONFIG_TOKEN = "KEYCLOAK_ADMIN_CONFIG";
+//# sourceMappingURL=keycloak.constants.d.ts.map

package/build/admin/keycloak.constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak.constants.d.ts","sourceRoot":"","sources":["../../src/admin/keycloak.constants.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,2BAA2B,0BAA0B,CAAC"}

package/build/admin/keycloak.constants.js

@@ -0,0 +1,16 @@
+/**
+ * Injection token for the Keycloak Admin configuration object.
+ *
+ * Use this token when manually injecting the Keycloak admin configuration
+ * (typically not required — inject {@link KeycloakAdminService} instead).
+ *
+ * @example
+ * ```typescript
+ * constructor(@Inject(KEYCLOAK_ADMIN_CONFIG_TOKEN) config: KeycloakAdminConfig) {
+ *   // Access the configuration directly
+ *   console.log(config.realmName);
+ * }
+ * ```
+ */
+export const KEYCLOAK_ADMIN_CONFIG_TOKEN = 'KEYCLOAK_ADMIN_CONFIG';
+//# sourceMappingURL=keycloak.constants.js.map

package/build/admin/keycloak.constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak.constants.js","sourceRoot":"","sources":["../../src/admin/keycloak.constants.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,uBAAuB,CAAC"}

package/build/admin/permissions/index.d.ts

@@ -0,0 +1,2 @@
+export * from './keycloak-admin.permissions.js';
+//# sourceMappingURL=index.d.ts.map

package/build/admin/permissions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/admin/permissions/index.ts"],"names":[],"mappings":"AAAA,cAAc,iCAAiC,CAAC"}

package/build/admin/permissions/index.js

@@ -0,0 +1,2 @@
+export * from './keycloak-admin.permissions.js';
+//# sourceMappingURL=index.js.map

package/build/admin/permissions/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/admin/permissions/index.ts"],"names":[],"mappings":"AAAA,cAAc,iCAAiC,CAAC"}

package/build/admin/permissions/keycloak-admin.permissions.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Permission scopes for the Keycloak Admin API.
+ *
+ * Each scope controls access to a category of Keycloak Admin REST API operations.
+ * Scopes ending in `:read` permit query/list operations only.
+ * Scopes ending in `:write` permit create/update/delete/mutation operations.
+ *
+ * @see {@link KEYCLOAK_DEFAULT_SCOPES} for the default read-only set
+ * @see {@link KEYCLOAK_ALL_SCOPES} for the full set including all write scopes
+ */
+export type KeycloakAdminScope = 'users:read' | 'users:write' | 'roles:read' | 'roles:write' | 'groups:read' | 'groups:write' | 'federated-identity:read' | 'federated-identity:write' | 'events:read' | 'clients:read' | 'clients:write' | 'realms:read' | 'realms:write' | 'identity-providers:read' | 'identity-providers:write' | 'authentication:read' | 'authentication:write';
+/**
+ * The default set of scopes granted when no `permissions` array is configured.
+ * Contains all read-only scopes. No write scopes are included.
+ */
+export declare const KEYCLOAK_DEFAULT_SCOPES: readonly KeycloakAdminScope[];
+/**
+ * All available scopes, including all write scopes.
+ * Use this as a convenience constant for adapter microservices that require
+ * full access. Ensure the Keycloak service account has all corresponding roles.
+ */
+export declare const KEYCLOAK_ALL_SCOPES: readonly KeycloakAdminScope[];
+/**
+ * Thrown when a Keycloak Admin API operation is called but the required
+ * permission scope has not been granted in the module configuration.
+ *
+ * This is a **configuration error**, not a Keycloak HTTP error. It is thrown
+ * synchronously before any network request is made.
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await keycloakAdminService.users.create(realm, user);
+ * } catch (error) {
+ *   if (error instanceof KeycloakAdminScopeError) {
+ *     // Service is not configured to create users
+ *   }
+ * }
+ * ```
+ */
+export declare class KeycloakAdminScopeError extends Error {
+    readonly scope: KeycloakAdminScope;
+    constructor(scope: KeycloakAdminScope);
+}
+//# sourceMappingURL=keycloak-admin.permissions.d.ts.map

package/build/admin/permissions/keycloak-admin.permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-admin.permissions.d.ts","sourceRoot":"","sources":["../../../src/admin/permissions/keycloak-admin.permissions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,MAAM,MAAM,kBAAkB,GAC3B,YAAY,GACZ,aAAa,GACb,YAAY,GACZ,aAAa,GACb,aAAa,GACb,cAAc,GACd,yBAAyB,GACzB,0BAA0B,GAC1B,aAAa,GACb,cAAc,GACd,eAAe,GACf,aAAa,GACb,cAAc,GACd,yBAAyB,GACzB,0BAA0B,GAC1B,qBAAqB,GACrB,sBAAsB,CAAC;AAE1B;;;GAGG;AACH,eAAO,MAAM,uBAAuB,EAAE,SAAS,kBAAkB,EAU/D,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,EAAE,SAAS,kBAAkB,EAkB3D,CAAC;AAEH;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;IACjD,SAAgB,KAAK,EAAE,kBAAkB,CAAC;gBAE9B,KAAK,EAAE,kBAAkB;CASrC"}

package/build/admin/permissions/keycloak-admin.permissions.js

@@ -0,0 +1,68 @@
+/**
+ * The default set of scopes granted when no `permissions` array is configured.
+ * Contains all read-only scopes. No write scopes are included.
+ */
+export const KEYCLOAK_DEFAULT_SCOPES = Object.freeze([
+    'users:read',
+    'roles:read',
+    'groups:read',
+    'federated-identity:read',
+    'events:read',
+    'clients:read',
+    'realms:read',
+    'identity-providers:read',
+    'authentication:read',
+]);
+/**
+ * All available scopes, including all write scopes.
+ * Use this as a convenience constant for adapter microservices that require
+ * full access. Ensure the Keycloak service account has all corresponding roles.
+ */
+export const KEYCLOAK_ALL_SCOPES = Object.freeze([
+    'users:read',
+    'users:write',
+    'roles:read',
+    'roles:write',
+    'groups:read',
+    'groups:write',
+    'federated-identity:read',
+    'federated-identity:write',
+    'events:read',
+    'clients:read',
+    'clients:write',
+    'realms:read',
+    'realms:write',
+    'identity-providers:read',
+    'identity-providers:write',
+    'authentication:read',
+    'authentication:write',
+]);
+/**
+ * Thrown when a Keycloak Admin API operation is called but the required
+ * permission scope has not been granted in the module configuration.
+ *
+ * This is a **configuration error**, not a Keycloak HTTP error. It is thrown
+ * synchronously before any network request is made.
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await keycloakAdminService.users.create(realm, user);
+ * } catch (error) {
+ *   if (error instanceof KeycloakAdminScopeError) {
+ *     // Service is not configured to create users
+ *   }
+ * }
+ * ```
+ */
+export class KeycloakAdminScopeError extends Error {
+    scope;
+    constructor(scope) {
+        super(`Keycloak admin mutation blocked: scope '${scope}' is not granted. ` +
+            `Add '${scope}' to the permissions array in KeycloakAdminModule.forRoot() config.`);
+        this.name = 'KeycloakAdminScopeError';
+        this.scope = scope;
+        Error.captureStackTrace(this, this.constructor);
+    }
+}
+//# sourceMappingURL=keycloak-admin.permissions.js.map

package/build/admin/permissions/keycloak-admin.permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-admin.permissions.js","sourceRoot":"","sources":["../../../src/admin/permissions/keycloak-admin.permissions.ts"],"names":[],"mappings":"AA6BA;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAkC,MAAM,CAAC,MAAM,CAAC;IACnF,YAAY;IACZ,YAAY;IACZ,aAAa;IACb,yBAAyB;IACzB,aAAa;IACb,cAAc;IACd,aAAa;IACb,yBAAyB;IACzB,qBAAqB;CACrB,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAkC,MAAM,CAAC,MAAM,CAAC;IAC/E,YAAY;IACZ,aAAa;IACb,YAAY;IACZ,aAAa;IACb,aAAa;IACb,cAAc;IACd,yBAAyB;IACzB,0BAA0B;IAC1B,aAAa;IACb,cAAc;IACd,eAAe;IACf,aAAa;IACb,cAAc;IACd,yBAAyB;IACzB,0BAA0B;IAC1B,qBAAqB;IACrB,sBAAsB;CACtB,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IACjC,KAAK,CAAqB;IAE1C,YAAY,KAAyB;QACpC,KAAK,CACJ,2CAA2C,KAAK,oBAAoB;YACpE,QAAQ,KAAK,qEAAqE,CAClF,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;QACtC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IACjD,CAAC;CACD"}

package/build/admin/services/keycloak-admin.service.d.ts

@@ -0,0 +1,64 @@
+import { OnModuleInit } from '@nestjs/common';
+import { ModuleRef } from '@nestjs/core';
+import { KeycloakClient } from '../client/client.js';
+import { AppLogger } from '@pawells/nestjs-shared/common';
+import type { LazyModuleRefService } from '@pawells/nestjs-shared/common';
+import type { KeycloakAdminConfig } from '../config/keycloak.config.js';
+import type { UserService } from '../client/services/user.service.js';
+import type { RealmService } from '../client/services/realm.service.js';
+import type { ClientService } from '../client/services/client.service.js';
+import type { RoleService } from '../client/services/role.service.js';
+import type { GroupService } from '../client/services/group.service.js';
+import type { IdentityProviderService } from '../client/services/identity-provider.service.js';
+import type { AuthenticationService } from '../client/services/authentication.service.js';
+import type { FederatedIdentityService } from '../client/services/federated-identity.service.js';
+import type { EventService } from '../client/services/event.service.js';
+export declare class KeycloakAdminService implements OnModuleInit, LazyModuleRefService {
+    private readonly logger;
+    private client;
+    private grantedScopes;
+    readonly Module: ModuleRef;
+    get Config(): KeycloakAdminConfig;
+    get AppLogger(): AppLogger;
+    constructor(module: ModuleRef);
+    onModuleInit(): Promise<void>;
+    getClient(): KeycloakClient | null;
+    isEnabled(): boolean;
+    isAuthenticated(): boolean;
+    get users(): UserService;
+    get realms(): RealmService;
+    get clients(): ClientService;
+    get roles(): RoleService;
+    get groups(): GroupService;
+    get identityProviders(): IdentityProviderService;
+    get authentication(): AuthenticationService;
+    /**
+     * Get the federated identity service for managing identity provider links
+     *
+     * Provides methods to list, link, and unlink external identity providers for users.
+     *
+     * @returns FederatedIdentityService instance
+     * @throws {Error} If Keycloak client is not initialized
+     *
+     * @example
+     * ```typescript
+     * const links = await keycloakAdmin.federatedIdentity.list(userId);
+     * ```
+     */
+    get federatedIdentity(): FederatedIdentityService;
+    /**
+     * Get the event service for querying realm events
+     *
+     * Provides methods to query administrative and access events for audit logging and monitoring.
+     *
+     * @returns EventService instance
+     * @throws {Error} If Keycloak client is not initialized
+     *
+     * @example
+     * ```typescript
+     * const events = await keycloakAdmin.events.getAdminEvents({ max: 100 });
+     * ```
+     */
+    get events(): EventService;
+}
+//# sourceMappingURL=keycloak-admin.service.d.ts.map

package/build/admin/services/keycloak-admin.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak-admin.service.d.ts","sourceRoot":"","sources":["../../../src/admin/services/keycloak-admin.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,SAAS,EAAmB,MAAM,+BAA+B,CAAC;AAC3E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAGxE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oCAAoC,CAAC;AACtE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qCAAqC,CAAC;AACxE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AAC1E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oCAAoC,CAAC;AACtE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qCAAqC,CAAC;AACxE,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,iDAAiD,CAAC;AAC/F,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8CAA8C,CAAC;AAC1F,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,kDAAkD,CAAC;AACjG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qCAAqC,CAAC;AAExE,qBACa,oBAAqB,YAAW,YAAY,EAAE,oBAAoB;IAC9E,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAY;IAEnC,OAAO,CAAC,MAAM,CAA+B;IAE7C,OAAO,CAAC,aAAa,CAAwG;IAE7H,SAAgB,MAAM,EAAE,SAAS,CAAC;IAElC,IAAW,MAAM,IAAI,mBAAmB,CAEvC;IAED,IAAW,SAAS,IAAI,SAAS,CAEhC;gBAEW,MAAM,EAAE,SAAS;IAKhB,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IA6CnC,SAAS,IAAI,cAAc,GAAG,IAAI;IAIlC,SAAS,IAAI,OAAO;IAIpB,eAAe,IAAI,OAAO;IAKjC,IAAW,KAAK,IAAI,WAAW,CAG9B;IAED,IAAW,MAAM,IAAI,YAAY,CAGhC;IAED,IAAW,OAAO,IAAI,aAAa,CAGlC;IAED,IAAW,KAAK,IAAI,WAAW,CAG9B;IAED,IAAW,MAAM,IAAI,YAAY,CAGhC;IAED,IAAW,iBAAiB,IAAI,uBAAuB,CAGtD;IAED,IAAW,cAAc,IAAI,qBAAqB,CAGjD;IAED;;;;;;;;;;;;OAYG;IACH,IAAW,iBAAiB,IAAI,wBAAwB,CAGvD;IAED;;;;;;;;;;;;OAYG;IACH,IAAW,MAAM,IAAI,YAAY,CAGhC;CACD"}