@quanticjs/auth-web-bff 5.7.0 → 5.9.0

package/dist/bff.controller.js

@@ -81,13 +81,17 @@ let BffController = class BffController {
         }
         const cookieName = this.bffService.getCookieName();
         const sessionId = req.cookies?.[cookieName];
+        let idToken;
         if (sessionId) {
+            const session = await this.bffService.getSession(sessionId);
+            idToken = session?.idToken;
             await this.bffService.destroySession(sessionId);
         }
+        const endSessionUrl = this.bffService.getEndSessionUrl(idToken);
         res
             .clearCookie(cookieName, this.bffService.getCookieOptions())
             .clearCookie(this.bffService.getCsrfCookieName(), this.bffService.getCsrfCookieOptions())
-            .json({ success: true });
+            .json({ success: true, endSessionUrl });
     }
     async me(req, res) {
         const cookieName = this.bffService.getCookieName();

package/dist/bff.service.d.ts

@@ -25,6 +25,7 @@ export declare class BffService implements OnModuleInit {
     getAccessToken(sessionId: string): Promise<string | null>;
     refreshSession(sessionId: string, session?: SessionData): Promise<string | null>;
     destroySession(sessionId: string): Promise<void>;
+    getEndSessionUrl(idToken?: string): string | null;
     getUserInfo(sessionId: string): Promise<Record<string, unknown> | null>;
     getCookieOptions(): Record<string, unknown>;
     getCookieName(): string;

package/dist/bff.service.js

@@ -19,15 +19,20 @@ const uuid_1 = require("uuid");
 const crypto_1 = require("crypto");
 const core_1 = require("@quanticjs/core");
 const interfaces_1 = require("./interfaces");
-function extractRealmRoles(accessToken) {
+function extractTokenClaims(accessToken, clientId) {
     try {
         const payload = JSON.parse(Buffer.from(accessToken.split('.')[1], 'base64url').toString());
-        return Array.isArray(payload.realm_access?.roles)
-            ? payload.realm_access.roles
-            : [];
+        return {
+            realmRoles: Array.isArray(payload.realm_access?.roles)
+                ? payload.realm_access.roles
+                : [],
+            clientRoles: Array.isArray(payload.resource_access?.[clientId]?.roles)
+                ? payload.resource_access[clientId].roles
+                : [],
+        };
     }
     catch {
-        return [];
+        return { realmRoles: [], clientRoles: [] };
     }
 }
 let BffService = class BffService {
@@ -78,6 +83,11 @@ let BffService = class BffService {
         const tokenSet = await this.client.callback(this.getCallbackUrl(), { code, state, iss: this.client.issuer.metadata.issuer }, { code_verifier: codeVerifier, state });
         const claims = tokenSet.claims();
         const sessionId = (0, uuid_1.v4)();
+        const { realmRoles, clientRoles } = extractTokenClaims(tokenSet.access_token, this.options.keycloak.clientId);
+        let permissions = clientRoles;
+        if (this.options.permissionResolver) {
+            permissions = await this.options.permissionResolver(realmRoles, clientRoles);
+        }
         const sessionData = {
             accessToken: tokenSet.access_token,
             refreshToken: tokenSet.refresh_token,
@@ -86,7 +96,8 @@ let BffService = class BffService {
             id: claims.sub,
             email: claims.email ?? '',
             displayName: claims.name ?? claims.preferred_username ?? '',
-            roles: extractRealmRoles(tokenSet.access_token),
+            roles: realmRoles,
+            permissions,
             username: claims.preferred_username,
         };
         await this.saveSession(sessionId, sessionData);
@@ -123,13 +134,19 @@ let BffService = class BffService {
             return null;
         try {
             const tokenSet = await this.client.refresh(sess.refreshToken);
+            const { realmRoles, clientRoles } = extractTokenClaims(tokenSet.access_token, this.options.keycloak.clientId);
+            let permissions = clientRoles;
+            if (this.options.permissionResolver) {
+                permissions = await this.options.permissionResolver(realmRoles, clientRoles);
+            }
             const updated = {
                 ...sess,
                 accessToken: tokenSet.access_token,
                 refreshToken: tokenSet.refresh_token ?? sess.refreshToken,
                 idToken: tokenSet.id_token ?? sess.idToken,
                 expiresAt: tokenSet.expires_at ?? Math.floor(Date.now() / 1000) + 300,
-                roles: extractRealmRoles(tokenSet.access_token),
+                roles: realmRoles,
+                permissions,
             };
             await this.saveSession(sessionId, updated);
             return updated.accessToken;
@@ -143,9 +160,19 @@ let BffService = class BffService {
         const session = await this.getSession(sessionId);
         if (!this.redis)
             return;
-        if (session?.accessToken) {
+        if (session) {
+            try {
+                if (session.refreshToken) {
+                    await this.client.revoke(session.refreshToken, 'refresh_token');
+                }
+            }
+            catch {
+                // best-effort revocation
+            }
             try {
-                await this.client.revoke(session.accessToken, 'access_token');
+                if (session.accessToken) {
+                    await this.client.revoke(session.accessToken, 'access_token');
+                }
             }
             catch {
                 // best-effort revocation
@@ -153,6 +180,20 @@ let BffService = class BffService {
         }
         await this.redis.del(this.sessionPrefix + sessionId);
     }
+    getEndSessionUrl(idToken) {
+        const endSessionEndpoint = this.client.issuer.metadata.end_session_endpoint;
+        if (!endSessionEndpoint)
+            return null;
+        const publicUrl = endSessionEndpoint.replace(this.internalKeycloakBase, this.publicKeycloakBase);
+        const redirectUri = this.options.publicUrl ?? 'http://localhost:5173';
+        const params = new URLSearchParams({
+            client_id: this.options.keycloak.clientId,
+            post_logout_redirect_uri: redirectUri,
+        });
+        if (idToken)
+            params.set('id_token_hint', idToken);
+        return `${publicUrl}?${params.toString()}`;
+    }
     async getUserInfo(sessionId) {
         const session = await this.getSession(sessionId);
         if (!session)
@@ -162,6 +203,7 @@ let BffService = class BffService {
             email: session.email,
             displayName: session.displayName,
             roles: session.roles,
+            permissions: session.permissions,
             username: session.username,
         };
     }

package/dist/interfaces.d.ts

@@ -16,6 +16,7 @@ export interface BffModuleOptions {
     };
     publicUrl: string;
     callbackPath?: string;
+    permissionResolver?: (realmRoles: string[], clientRoles: string[]) => string[] | Promise<string[]>;
 }
 export interface SessionData {
     accessToken: string;
@@ -26,6 +27,7 @@ export interface SessionData {
     email: string;
     displayName: string;
     roles: string[];
+    permissions: string[];
     username?: string;
 }
 export declare const BFF_OPTIONS: unique symbol;

package/package.json

@@ -1,15 +1,16 @@
 {
   "name": "@quanticjs/auth-web-bff",
-  "version": "5.7.0",
+  "version": "5.9.0",
   "description": "BFF authentication module — Keycloak OIDC, Redis sessions, httpOnly cookies",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "scripts": {
     "build": "tsc -p tsconfig.json",
+    "test": "jest --passWithNoTests",
     "clean": "rm -rf dist"
   },
   "dependencies": {
-    "@quanticjs/core": "^5.7.0"
+    "@quanticjs/core": "^5.9.0"
   },
   "peerDependencies": {
     "@nestjs/common": "^10.0.0 || ^11.0.0",