@tekcify/auth-backend 2.0.4 → 2.1.0

package/README.md

@@ -16,7 +16,9 @@ yarn add @tekcify/auth-backend
 
 - ✅ **NestJS Support** - Guards and decorators for NestJS applications
 - ✅ **Express Support** - Middleware for Express applications
-- ✅ **Token Verification** - JWT token validation with HMAC/RS256
+- ✅ **Token Verification** - JWT token validation with RS256/JWKS (recommended) or HS256
+- ✅ **JWKS Support** - Automatic public key fetching and caching
+- ✅ **Auto Key Rotation** - Works seamlessly with rotating keys
 - ✅ **User Info Fetching** - Helper to get user information from auth server
 - ✅ **TypeScript Support** - Full type definitions included
 
@@ -24,7 +26,17 @@ yarn add @tekcify/auth-backend
 
 ### Prerequisites
 
-You need the JWT access secret from your Tekcify Auth server. This should match the `JWT_ACCESS_SECRET` environment variable used by the auth server.
+**Option 1: JWKS (Recommended - More Secure)**
+
+No secrets needed! Just the auth server URL:
+
+```env
+AUTH_SERVER_URL=http://localhost:7001
+```
+
+**Option 2: Shared Secret (Legacy)**
+
+You need the JWT access secret from your Tekcify Auth server:
 
 ```env
 JWT_ACCESS_SECRET=your-jwt-access-secret-here
@@ -32,6 +44,36 @@ JWT_ACCESS_SECRET=your-jwt-access-secret-here
 
 **Note:** The auth server URL is centralized in `@tekcify/auth-core-client` package as `AUTH_SERVER_URL` (default: `http://localhost:7001`, override with `AUTH_SERVER_URL` env). Functions that communicate with the auth server use this constant automatically.
 
+---
+
+## 🔐 JWKS vs Shared Secret
+
+### JWKS (RS256) - Recommended ✅
+
+**Benefits:**
+- No shared secrets to distribute
+- Private key never leaves auth server
+- Automatic key rotation support
+- More secure for distributed systems
+
+**Use when:**
+- You have multiple products
+- Security is a top priority
+- You want automatic key rotation
+
+### Shared Secret (HS256) - Legacy
+
+**Benefits:**
+- Simpler setup
+- No network calls for verification
+
+**Use when:**
+- Single product setup
+- Quick prototyping
+- Migrating from old system
+
+**⚠️ Migration:** If you're migrating from HS256 to RS256, see [MIGRATION-RS256.md](../../MIGRATION-RS256.md)
+
 ## Auth Server Endpoints Used
 
 - Base prefix: `/api`
@@ -40,15 +82,47 @@ JWT_ACCESS_SECRET=your-jwt-access-secret-here
 
 ## NestJS Integration
 
-### Step 1: Install Dependencies
+### Option A: JWKS (Recommended)
+
+#### Step 1: Install Dependencies
 
 ```bash
 pnpm add @tekcify/auth-backend @nestjs/common @nestjs/core
 ```
 
-### Step 2: Create and Configure the Guard
+#### Step 2: Create and Configure the Guard
+
+Create a guard provider in your module using JWKS:
+
+```typescript
+import { Module } from '@nestjs/common';
+import { APP_GUARD } from '@nestjs/core';
+import { JwksAuthGuard } from '@tekcify/auth-backend/nestjs';
+
+@Module({
+  providers: [
+    {
+      provide: APP_GUARD,
+      useFactory: () => {
+        return new JwksAuthGuard({
+          jwksUri: `${process.env.AUTH_SERVER_URL}/api/.well-known/jwks.json`,
+          cacheTime: 3600000, // Cache keys for 1 hour
+          issuer: 'tekcify-auth',
+          audience: 'tekcify-api',
+          getUserInfo: async (userId: string) => {
+            // Optional: Fetch user info from your database
+            const user = await userRepository.findById(userId);
+            return user ? { email: user.email } : null;
+          },
+        });
+      },
+    },
+  ],
+})
+export class AppModule {}
+```
 
-Create a guard provider in your module:
+### Option B: Shared Secret (Legacy)
 
 ```typescript
 import { Module } from '@nestjs/common';
@@ -65,8 +139,6 @@ import { JwtAuthGuard } from '@tekcify/auth-backend/nestjs';
           issuer: 'tekcify-auth',
           audience: 'tekcify-api',
           getUserInfo: async (userId: string) => {
-            // Optional: Fetch user info from your database
-            // This is called only if getUserInfo is provided
             const user = await userRepository.findById(userId);
             return user ? { email: user.email } : null;
           },
@@ -153,22 +225,25 @@ getCurrentUser(@CurrentUser() user: UserPayload) {
 
 ## Express Integration
 
-### Step 1: Install Dependencies
+### Option A: JWKS (Recommended)
+
+#### Step 1: Install Dependencies
 
 ```bash
 pnpm add @tekcify/auth-backend express
 ```
 
-### Step 2: Create Auth Middleware
+#### Step 2: Create Auth Middleware
 
 ```typescript
 import express from 'express';
-import { createAuthMiddleware } from '@tekcify/auth-backend/express';
+import { createJwksAuthMiddleware } from '@tekcify/auth-backend/express';
 
 const app = express();
 
-const authMiddleware = createAuthMiddleware({
-  secret: process.env.JWT_ACCESS_SECRET!,
+const authMiddleware = createJwksAuthMiddleware({
+  jwksUri: `${process.env.AUTH_SERVER_URL}/api/.well-known/jwks.json`,
+  cacheTime: 3600000, // Cache keys for 1 hour
   issuer: 'tekcify-auth',
   audience: 'tekcify-api',
   getUserInfo: async (userId: string) => {
@@ -193,6 +268,36 @@ app.get('/api/profile', (req, res) => {
 });
 ```
 
+### Option B: Shared Secret (Legacy)
+
+```typescript
+import express from 'express';
+import { createAuthMiddleware } from '@tekcify/auth-backend/express';
+
+const app = express();
+
+const authMiddleware = createAuthMiddleware({
+  secret: process.env.JWT_ACCESS_SECRET!,
+  issuer: 'tekcify-auth',
+  audience: 'tekcify-api',
+  getUserInfo: async (userId: string) => {
+    const user = await userRepository.findById(userId);
+    return user ? { email: user.email } : null;
+  },
+});
+
+app.use(express.json());
+app.use('/api', authMiddleware);
+
+app.get('/api/profile', (req, res) => {
+  res.json({
+    userId: req.user!.userId,
+    email: req.user!.email,
+    scopes: req.user!.scopes,
+  });
+});
+```
+
 ### Step 3: Route-Level Middleware
 
 You can also apply middleware to specific routes:
@@ -230,6 +335,36 @@ app.get('/api/user', authMiddleware, (req: Request, res: Response) => {
 
 For cases where you need to verify tokens directly (e.g., in background jobs, WebSocket connections):
 
+### Option A: JWKS Verification (Recommended)
+
+```typescript
+import { createJwksVerifier } from '@tekcify/auth-backend';
+
+const verifier = createJwksVerifier({
+  jwksUri: `${process.env.AUTH_SERVER_URL}/api/.well-known/jwks.json`,
+  cacheTime: 3600000, // Cache keys for 1 hour
+  issuer: 'tekcify-auth',
+  audience: 'tekcify-api',
+});
+
+const token = req.headers.authorization?.replace('Bearer ', '');
+
+if (!token) {
+  throw new Error('No token provided');
+}
+
+const result = await verifier.verify(token);
+
+if (result.valid) {
+  console.log('User ID:', result.payload.sub);
+  console.log('Scopes:', result.payload.scopes);
+} else {
+  throw new Error('Invalid token');
+}
+```
+
+### Option B: Shared Secret Verification (Legacy)
+
 ```typescript
 import { verifyAccessToken } from '@tekcify/auth-backend';
 

package/dist/application-management.d.ts

@@ -7,7 +7,6 @@ export interface Application {
     redirectUris: string[];
     authorizedOrigins: string[] | null;
     scopes: string[];
-    primaryColor: string | null;
     createdAt: string;
     updatedAt: string;
 }
@@ -17,7 +16,6 @@ export interface CreateApplicationDto {
     redirectUris: string[];
     authorizedOrigins?: string[];
     scopes: string[];
-    primaryColor?: string;
 }
 export interface CreateApplicationResponse extends Application {
     clientSecret: string;
@@ -28,7 +26,6 @@ export interface UpdateApplicationDto {
     redirectUris?: string[];
     authorizedOrigins?: string[];
     scopes?: string[];
-    primaryColor?: string;
 }
 export interface LogoUploadResponse {
     logoUrl: string;

package/dist/application-management.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"application-management.d.ts","sourceRoot":"","sources":["../src/application-management.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,iBAAiB,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IACnC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,yBAA0B,SAAQ,WAAW;IAC5D,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,gBAAgB,CAAC;IACxB,IAAI,EAAE,WAAW,EAAE,CAAC;IACpB,UAAU,EAAE,cAAc,CAAC;CAC5B;AA8FD,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GAC1C,OAAO,CAAC,wBAAwB,CAAC,CAWnC;AAED,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,GAAG,WAAW,CAAC,CAAC,CAMvD;AAED,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,oBAAoB,GACzB,OAAO,CAAC,yBAAyB,CAAC,CAQpC;AAED,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,oBAAoB,GACzB,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAQ9B;AAED,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAO9B;AAED,wBAAsB,qBAAqB,CACzC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,IAAI,GAAG,IAAI,EACjB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,kBAAkB,CAAC,CAgB7B;AAED,wBAAsB,2BAA2B,CAC/C,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,wBAAwB,CAAC,CAOnC"}
+{"version":3,"file":"application-management.d.ts","sourceRoot":"","sources":["../src/application-management.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,iBAAiB,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IACnC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,yBAA0B,SAAQ,WAAW;IAC5D,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,gBAAgB,CAAC;IACxB,IAAI,EAAE,WAAW,EAAE,CAAC;IACpB,UAAU,EAAE,cAAc,CAAC;CAC5B;AA8FD,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GAC1C,OAAO,CAAC,wBAAwB,CAAC,CAWnC;AAED,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,GAAG,WAAW,CAAC,CAAC,CAMvD;AAED,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,oBAAoB,GACzB,OAAO,CAAC,yBAAyB,CAAC,CAQpC;AAED,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,oBAAoB,GACzB,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAQ9B;AAED,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAO9B;AAED,wBAAsB,qBAAqB,CACzC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,IAAI,GAAG,IAAI,EACjB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,kBAAkB,CAAC,CAgB7B;AAED,wBAAsB,2BAA2B,CAC/C,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,wBAAwB,CAAC,CAOnC"}

package/dist/application-management.js

@@ -7,9 +7,9 @@ exports.updateApplication = updateApplication;
 exports.deleteApplication = deleteApplication;
 exports.uploadApplicationLogo = uploadApplicationLogo;
 exports.regenerateApplicationSecret = regenerateApplicationSecret;
-const auth_core_client_1 = require("@tekcify/auth-core-client");
+const AUTH_SERVER_URL = 'https://auth-api.tekcify.com';
 function buildUrl(path, query) {
-    const url = new URL(`${auth_core_client_1.AUTH_SERVER_URL}${path}`);
+    const url = new URL(`${AUTH_SERVER_URL}${path}`);
     Object.entries(query ?? {}).forEach(([key, value]) => {
         if (value !== undefined) {
             url.searchParams.set(key, String(value));

package/dist/express/index.d.ts

@@ -1,3 +1,5 @@
 export { createAuthMiddleware } from './middleware';
 export type { ExpressAuthOptions } from './middleware';
+export { createJwksAuthMiddleware } from './jwks-middleware';
+export type { ExpressJwksAuthOptions } from './jwks-middleware';
 //# sourceMappingURL=index.d.ts.map

package/dist/express/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/express/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpD,YAAY,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/express/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpD,YAAY,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AACvD,OAAO,EAAE,wBAAwB,EAAE,MAAM,mBAAmB,CAAC;AAC7D,YAAY,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/express/index.js

@@ -1,5 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createAuthMiddleware = void 0;
+exports.createJwksAuthMiddleware = exports.createAuthMiddleware = void 0;
 var middleware_1 = require("./middleware");
 Object.defineProperty(exports, "createAuthMiddleware", { enumerable: true, get: function () { return middleware_1.createAuthMiddleware; } });
+var jwks_middleware_1 = require("./jwks-middleware");
+Object.defineProperty(exports, "createJwksAuthMiddleware", { enumerable: true, get: function () { return jwks_middleware_1.createJwksAuthMiddleware; } });

package/dist/express/jwks-middleware.d.ts

@@ -0,0 +1,17 @@
+import type { Request, Response, NextFunction } from 'express';
+import { type JwksVerifierOptions } from '../jwks-verifier';
+import type { UserPayload } from '../types';
+export interface ExpressJwksAuthOptions extends JwksVerifierOptions {
+    getUserInfo?: (userId: string) => Promise<{
+        email: string;
+    } | null>;
+}
+declare global {
+    namespace Express {
+        interface Request {
+            user?: UserPayload;
+        }
+    }
+}
+export declare function createJwksAuthMiddleware(options: ExpressJwksAuthOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+//# sourceMappingURL=jwks-middleware.d.ts.map

package/dist/express/jwks-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks-middleware.d.ts","sourceRoot":"","sources":["../../src/express/jwks-middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,EAAgB,KAAK,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAE5C,MAAM,WAAW,sBAAuB,SAAQ,mBAAmB;IACjE,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;CACrE;AAED,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,WAAW,CAAC;SACpB;KACF;CACF;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,sBAAsB,IAIpE,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,MAAM,YAAY,KACjB,OAAO,CAAC,IAAI,CAAC,CA2CjB"}

package/dist/express/jwks-middleware.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createJwksAuthMiddleware = createJwksAuthMiddleware;
+const jwks_verifier_1 = require("../jwks-verifier");
+function createJwksAuthMiddleware(options) {
+    const verifier = new jwks_verifier_1.JwksVerifier(options);
+    return async (req, res, next) => {
+        const authHeader = req.headers.authorization;
+        if (!authHeader?.startsWith('Bearer ')) {
+            res
+                .status(401)
+                .json({ message: 'Missing or invalid authorization header' });
+            return;
+        }
+        const token = authHeader.substring(7);
+        try {
+            const verified = await verifier.verify(token);
+            if (!verified.valid) {
+                res.status(401).json({ message: 'Invalid or expired token' });
+                return;
+            }
+            let email = '';
+            if (options.getUserInfo) {
+                const userInfo = await options.getUserInfo(verified.payload.sub);
+                if (!userInfo) {
+                    res.status(401).json({ message: 'User not found' });
+                    return;
+                }
+                email = userInfo.email;
+            }
+            req.user = {
+                userId: verified.payload.sub,
+                email,
+                scopes: Array.isArray(verified.payload.scopes)
+                    ? verified.payload.scopes
+                    : [],
+            };
+            next();
+        }
+        catch (error) {
+            res.status(500).json({ message: 'Internal server error' });
+        }
+    };
+}

package/dist/index.d.ts

@@ -1,5 +1,6 @@
 export * from './types';
 export * from './verify';
+export * from './jwks-verifier';
 export * from './userinfo';
 export * from './user-profile';
 export * from './application-management';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,YAAY,CAAC;AAC3B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,0BAA0B,CAAC;AACzC,cAAc,UAAU,CAAC;AACzB,cAAc,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,iBAAiB,CAAC;AAChC,cAAc,YAAY,CAAC;AAC3B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,0BAA0B,CAAC;AACzC,cAAc,UAAU,CAAC;AACzB,cAAc,WAAW,CAAC"}

package/dist/index.js

@@ -16,6 +16,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./types"), exports);
 __exportStar(require("./verify"), exports);
+__exportStar(require("./jwks-verifier"), exports);
 __exportStar(require("./userinfo"), exports);
 __exportStar(require("./user-profile"), exports);
 __exportStar(require("./application-management"), exports);

package/dist/jwks-verifier.d.ts

@@ -0,0 +1,19 @@
+import type { VerifiedToken } from './types';
+export interface JwksVerifierOptions {
+    authServerUrl?: string;
+    jwksUri?: string;
+    cacheTime?: number;
+    rateLimit?: boolean;
+    issuer?: string;
+    audience?: string;
+}
+export declare class JwksVerifier {
+    private readonly client;
+    private readonly issuer;
+    private readonly audience;
+    constructor(options: JwksVerifierOptions);
+    verify(token: string): Promise<VerifiedToken>;
+    getPublicKey(kid: string): Promise<string>;
+}
+export declare function createJwksVerifier(options: JwksVerifierOptions): JwksVerifier;
+//# sourceMappingURL=jwks-verifier.d.ts.map

package/dist/jwks-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks-verifier.d.ts","sourceRoot":"","sources":["../src/jwks-verifier.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAgB,aAAa,EAAE,MAAM,SAAS,CAAC;AAE3D,MAAM,WAAW,mBAAmB;IAClC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAmBD,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwB;IAC/C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,OAAO,EAAE,mBAAmB;IAelC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAsC7C,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAIjD;AAED,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,mBAAmB,GAAG,YAAY,CAE7E"}

package/dist/jwks-verifier.js

@@ -0,0 +1,72 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwksVerifier = void 0;
+exports.createJwksVerifier = createJwksVerifier;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
+const JWKS_PATH = '/api/.well-known/jwks.json';
+function resolveJwksUri(options) {
+    if (options.jwksUri) {
+        return options.jwksUri;
+    }
+    if (options.authServerUrl) {
+        const baseUrl = options.authServerUrl.replace(/\/$/, '');
+        return `${baseUrl}${JWKS_PATH}`;
+    }
+    throw new Error('Either authServerUrl or jwksUri must be provided in JwksVerifierOptions');
+}
+class JwksVerifier {
+    constructor(options) {
+        const jwksUri = resolveJwksUri(options);
+        this.client = (0, jwks_rsa_1.default)({
+            jwksUri,
+            cache: true,
+            cacheMaxAge: options.cacheTime ?? 3600000,
+            rateLimit: options.rateLimit ?? true,
+            jwksRequestsPerMinute: 10,
+        });
+        this.issuer = options.issuer ?? 'tekcify-auth';
+        this.audience = options.audience ?? 'tekcify-api';
+    }
+    async verify(token) {
+        try {
+            const decodedToken = jsonwebtoken_1.default.decode(token, { complete: true });
+            if (!decodedToken || typeof decodedToken === 'string') {
+                return { payload: {}, valid: false };
+            }
+            const kid = decodedToken.header.kid;
+            if (!kid) {
+                return { payload: {}, valid: false };
+            }
+            const key = await this.client.getSigningKey(kid);
+            const publicKey = key.getPublicKey();
+            const decoded = jsonwebtoken_1.default.verify(token, publicKey, {
+                algorithms: ['RS256'],
+                issuer: this.issuer,
+                audience: this.audience,
+            });
+            if (decoded.type !== 'access') {
+                return { payload: decoded, valid: false };
+            }
+            return { payload: decoded, valid: true };
+        }
+        catch (error) {
+            if (error instanceof jsonwebtoken_1.default.JsonWebTokenError ||
+                error instanceof jsonwebtoken_1.default.TokenExpiredError) {
+                return { payload: {}, valid: false };
+            }
+            throw error;
+        }
+    }
+    async getPublicKey(kid) {
+        const key = await this.client.getSigningKey(kid);
+        return key.getPublicKey();
+    }
+}
+exports.JwksVerifier = JwksVerifier;
+function createJwksVerifier(options) {
+    return new JwksVerifier(options);
+}

package/dist/nestjs/guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/nestjs/guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAEjB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,KAAK,EAAE,kBAAkB,EAAe,MAAM,UAAU,CAAC;AAEhE,MAAM,WAAW,mBAAoB,SAAQ,kBAAkB;IAC7D,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;CACrE;AAED,qBACa,YAAa,YAAW,WAAW;IAClC,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,EAAE,mBAAmB;IAEnD,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAsC/D"}
+{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/nestjs/guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAEjB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,KAAK,EAAE,kBAAkB,EAAe,MAAM,UAAU,CAAC;AAEhE,MAAM,WAAW,mBAAoB,SAAQ,kBAAkB;IAC7D,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;CACrE;AAED,qBACa,YAAa,YAAW,WAAW;IAClC,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,EAAE,mBAAmB;IAEnD,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAuC/D"}

package/dist/nestjs/guard.js

@@ -1,94 +1,55 @@
 "use strict";
-var __esDecorate = (this && this.__esDecorate) || function (ctor, descriptorIn, decorators, contextIn, initializers, extraInitializers) {
-    function accept(f) { if (f !== void 0 && typeof f !== "function") throw new TypeError("Function expected"); return f; }
-    var kind = contextIn.kind, key = kind === "getter" ? "get" : kind === "setter" ? "set" : "value";
-    var target = !descriptorIn && ctor ? contextIn["static"] ? ctor : ctor.prototype : null;
-    var descriptor = descriptorIn || (target ? Object.getOwnPropertyDescriptor(target, contextIn.name) : {});
-    var _, done = false;
-    for (var i = decorators.length - 1; i >= 0; i--) {
-        var context = {};
-        for (var p in contextIn) context[p] = p === "access" ? {} : contextIn[p];
-        for (var p in contextIn.access) context.access[p] = contextIn.access[p];
-        context.addInitializer = function (f) { if (done) throw new TypeError("Cannot add initializers after decoration has completed"); extraInitializers.push(accept(f || null)); };
-        var result = (0, decorators[i])(kind === "accessor" ? { get: descriptor.get, set: descriptor.set } : descriptor[key], context);
-        if (kind === "accessor") {
-            if (result === void 0) continue;
-            if (result === null || typeof result !== "object") throw new TypeError("Object expected");
-            if (_ = accept(result.get)) descriptor.get = _;
-            if (_ = accept(result.set)) descriptor.set = _;
-            if (_ = accept(result.init)) initializers.unshift(_);
-        }
-        else if (_ = accept(result)) {
-            if (kind === "field") initializers.unshift(_);
-            else descriptor[key] = _;
-        }
-    }
-    if (target) Object.defineProperty(target, contextIn.name, descriptor);
-    done = true;
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __runInitializers = (this && this.__runInitializers) || function (thisArg, initializers, value) {
-    var useValue = arguments.length > 2;
-    for (var i = 0; i < initializers.length; i++) {
-        value = useValue ? initializers[i].call(thisArg, value) : initializers[i].call(thisArg);
-    }
-    return useValue ? value : void 0;
-};
-var __setFunctionName = (this && this.__setFunctionName) || function (f, name, prefix) {
-    if (typeof name === "symbol") name = name.description ? "[".concat(name.description, "]") : "";
-    return Object.defineProperty(f, "name", { configurable: true, value: prefix ? "".concat(prefix, " ", name) : name });
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.JwtAuthGuard = void 0;
 const common_1 = require("@nestjs/common");
 const verify_1 = require("../verify");
-let JwtAuthGuard = (() => {
-    let _classDecorators = [(0, common_1.Injectable)()];
-    let _classDescriptor;
-    let _classExtraInitializers = [];
-    let _classThis;
-    var JwtAuthGuard = _classThis = class {
-        constructor(options) {
-            this.options = options;
+let JwtAuthGuard = class JwtAuthGuard {
+    constructor(options) {
+        this.options = options;
+    }
+    async canActivate(context) {
+        const request = context
+            .switchToHttp()
+            .getRequest();
+        const authHeader = request.headers.authorization;
+        if (!authHeader?.startsWith('Bearer ')) {
+            throw new common_1.UnauthorizedException('Missing or invalid authorization header');
         }
-        async canActivate(context) {
-            const request = context
-                .switchToHttp()
-                .getRequest();
-            const authHeader = request.headers.authorization;
-            if (!authHeader?.startsWith('Bearer ')) {
-                throw new common_1.UnauthorizedException('Missing or invalid authorization header');
-            }
-            const token = authHeader.substring(7);
-            const verified = (0, verify_1.verifyAccessToken)(token, this.options);
-            if (!verified.valid) {
-                throw new common_1.UnauthorizedException('Invalid or expired token');
-            }
-            let email = '';
-            if (this.options.getUserInfo) {
-                const userInfo = await this.options.getUserInfo(verified.payload.sub);
-                if (!userInfo) {
-                    throw new common_1.UnauthorizedException('User not found');
-                }
-                email = userInfo.email;
+        const token = authHeader.substring(7);
+        const verified = (0, verify_1.verifyAccessToken)(token, this.options);
+        if (!verified.valid) {
+            throw new common_1.UnauthorizedException('Invalid or expired token');
+        }
+        let email = '';
+        if (this.options.getUserInfo) {
+            const userInfo = await this.options.getUserInfo(verified.payload.sub);
+            if (!userInfo) {
+                throw new common_1.UnauthorizedException('User not found');
             }
-            request.user = {
-                userId: verified.payload.sub,
-                email,
-                scopes: Array.isArray(verified.payload.scopes)
-                    ? verified.payload.scopes
-                    : [],
-            };
-            return true;
+            email = userInfo.email;
         }
-    };
-    __setFunctionName(_classThis, "JwtAuthGuard");
-    (() => {
-        const _metadata = typeof Symbol === "function" && Symbol.metadata ? Object.create(null) : void 0;
-        __esDecorate(null, _classDescriptor = { value: _classThis }, _classDecorators, { kind: "class", name: _classThis.name, metadata: _metadata }, null, _classExtraInitializers);
-        JwtAuthGuard = _classThis = _classDescriptor.value;
-        if (_metadata) Object.defineProperty(_classThis, Symbol.metadata, { enumerable: true, configurable: true, writable: true, value: _metadata });
-        __runInitializers(_classThis, _classExtraInitializers);
-    })();
-    return JwtAuthGuard = _classThis;
-})();
+        request.user = {
+            userId: verified.payload.sub,
+            email,
+            scopes: Array.isArray(verified.payload.scopes)
+                ? verified.payload.scopes
+                : [],
+            role: typeof verified.payload.role === 'string' ? verified.payload.role : undefined,
+        };
+        return true;
+    }
+};
 exports.JwtAuthGuard = JwtAuthGuard;
+exports.JwtAuthGuard = JwtAuthGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [Object])
+], JwtAuthGuard);

package/dist/nestjs/index.d.ts

@@ -1,5 +1,7 @@
 export { JwtAuthGuard } from './guard';
 export type { JwtAuthGuardOptions } from './guard';
+export { JwksAuthGuard } from './jwks-guard';
+export type { JwksAuthGuardOptions } from './jwks-guard';
 export { CurrentUser } from './decorator';
 export type { UserPayload } from '../types';
 //# sourceMappingURL=index.d.ts.map

package/dist/nestjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nestjs/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,YAAY,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,YAAY,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nestjs/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,YAAY,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,YAAY,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,YAAY,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC"}

package/dist/nestjs/index.js

@@ -1,7 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CurrentUser = exports.JwtAuthGuard = void 0;
+exports.CurrentUser = exports.JwksAuthGuard = exports.JwtAuthGuard = void 0;
 var guard_1 = require("./guard");
 Object.defineProperty(exports, "JwtAuthGuard", { enumerable: true, get: function () { return guard_1.JwtAuthGuard; } });
+var jwks_guard_1 = require("./jwks-guard");
+Object.defineProperty(exports, "JwksAuthGuard", { enumerable: true, get: function () { return jwks_guard_1.JwksAuthGuard; } });
 var decorator_1 = require("./decorator");
 Object.defineProperty(exports, "CurrentUser", { enumerable: true, get: function () { return decorator_1.CurrentUser; } });

package/dist/nestjs/jwks-guard.d.ts

@@ -0,0 +1,14 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { type JwksVerifierOptions } from '../jwks-verifier';
+export interface JwksAuthGuardOptions extends JwksVerifierOptions {
+    getUserInfo?: (userId: string) => Promise<{
+        email: string;
+    } | null>;
+}
+export declare class JwksAuthGuard implements CanActivate {
+    private readonly options;
+    private readonly verifier;
+    constructor(options: JwksAuthGuardOptions);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=jwks-guard.d.ts.map

package/dist/nestjs/jwks-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks-guard.d.ts","sourceRoot":"","sources":["../../src/nestjs/jwks-guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAEjB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAgB,KAAK,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAG1E,MAAM,WAAW,oBAAqB,SAAQ,mBAAmB;IAC/D,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;CACrE;AAED,qBACa,aAAc,YAAW,WAAW;IAGnC,OAAO,CAAC,QAAQ,CAAC,OAAO;IAFpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAe;gBAEX,OAAO,EAAE,oBAAoB;IAIpD,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAkD/D"}

package/dist/nestjs/jwks-guard.js

@@ -0,0 +1,66 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwksAuthGuard = void 0;
+const common_1 = require("@nestjs/common");
+const jwks_verifier_1 = require("../jwks-verifier");
+let JwksAuthGuard = class JwksAuthGuard {
+    constructor(options) {
+        this.options = options;
+        this.verifier = new jwks_verifier_1.JwksVerifier(options);
+    }
+    async canActivate(context) {
+        const request = context
+            .switchToHttp()
+            .getRequest();
+        const authHeader = request.headers.authorization;
+        if (!authHeader?.startsWith('Bearer ')) {
+            throw new common_1.UnauthorizedException('Missing or invalid authorization header');
+        }
+        const token = authHeader.substring(7);
+        try {
+            const verified = await this.verifier.verify(token);
+            if (!verified.valid) {
+                throw new common_1.UnauthorizedException('Invalid or expired token');
+            }
+            let email = '';
+            if (this.options.getUserInfo) {
+                const userInfo = await this.options.getUserInfo(verified.payload.sub);
+                if (!userInfo) {
+                    throw new common_1.UnauthorizedException('User not found');
+                }
+                email = userInfo.email;
+            }
+            request.user = {
+                userId: verified.payload.sub,
+                email,
+                scopes: Array.isArray(verified.payload.scopes)
+                    ? verified.payload.scopes
+                    : [],
+                role: typeof verified.payload.role === 'string'
+                    ? verified.payload.role
+                    : undefined,
+            };
+            return true;
+        }
+        catch (error) {
+            if (error instanceof common_1.UnauthorizedException) {
+                throw error;
+            }
+            throw new common_1.UnauthorizedException('Invalid or expired token');
+        }
+    }
+};
+exports.JwksAuthGuard = JwksAuthGuard;
+exports.JwksAuthGuard = JwksAuthGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [Object])
+], JwksAuthGuard);

package/dist/types.d.ts

@@ -18,5 +18,6 @@ export interface UserPayload {
     userId: string;
     email: string;
     scopes?: string[];
+    role?: string;
 }
 //# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,QAAQ,GAAG,SAAS,GAAG,MAAM,CAAC;IACpC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,YAAY,CAAC;IACtB,KAAK,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,QAAQ,GAAG,SAAS,GAAG,MAAM,CAAC;IACpC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,YAAY,CAAC;IACtB,KAAK,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf"}

package/dist/user-profile.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user-profile.d.ts","sourceRoot":"","sources":["../src/user-profile.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAsB,cAAc,CAClC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,WAAW,CAAC,CAuBtB;AAED,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,gBAAgB,GACrB,OAAO,CAAC,WAAW,CAAC,CAwBtB;AAED,wBAAsB,oBAAoB,CACxC,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,IAAI,GAAG,IAAI,EACjB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,cAAc,CAAC,CA+BzB"}
+{"version":3,"file":"user-profile.d.ts","sourceRoot":"","sources":["../src/user-profile.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAsB,cAAc,CAClC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,WAAW,CAAC,CAqBtB;AAED,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,gBAAgB,GACrB,OAAO,CAAC,WAAW,CAAC,CAsBtB;AAED,wBAAsB,oBAAoB,CACxC,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,IAAI,GAAG,IAAI,EACjB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,cAAc,CAAC,CA6BzB"}

package/dist/user-profile.js

@@ -3,9 +3,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getUserProfile = getUserProfile;
 exports.updateUserProfile = updateUserProfile;
 exports.uploadProfilePicture = uploadProfilePicture;
-const auth_core_client_1 = require("@tekcify/auth-core-client");
+const AUTH_SERVER_URL = 'https://auth-api.tekcify.com';
 async function getUserProfile(accessToken) {
-    const response = await fetch(`${auth_core_client_1.AUTH_SERVER_URL}/api/user/profile`, {
+    const response = await fetch(`${AUTH_SERVER_URL}/api/user/profile`, {
         method: 'GET',
         headers: {
             Authorization: `Bearer ${accessToken}`,
@@ -13,12 +13,10 @@ async function getUserProfile(accessToken) {
         },
     });
     if (!response.ok) {
-        const error = await response
+        const error = (await response
             .json()
-            .catch(() => ({ message: response.statusText }));
-        const errorMessage = error?.message &&
-            typeof error.message === 'string' &&
-            error.message.trim()
+            .catch(() => ({ message: response.statusText })));
+        const errorMessage = error?.message && typeof error.message === 'string' && error.message.trim()
             ? error.message
             : `Failed to get user profile: ${response.statusText} (Status: ${response.status})`;
         throw new Error(errorMessage);
@@ -26,7 +24,7 @@ async function getUserProfile(accessToken) {
     return response.json();
 }
 async function updateUserProfile(accessToken, data) {
-    const response = await fetch(`${auth_core_client_1.AUTH_SERVER_URL}/api/user/profile`, {
+    const response = await fetch(`${AUTH_SERVER_URL}/api/user/profile`, {
         method: 'PUT',
         headers: {
             Authorization: `Bearer ${accessToken}`,
@@ -35,12 +33,10 @@ async function updateUserProfile(accessToken, data) {
         body: JSON.stringify(data),
     });
     if (!response.ok) {
-        const error = await response
+        const error = (await response
             .json()
-            .catch(() => ({ message: response.statusText }));
-        const errorMessage = error?.message &&
-            typeof error.message === 'string' &&
-            error.message.trim()
+            .catch(() => ({ message: response.statusText })));
+        const errorMessage = error?.message && typeof error.message === 'string' && error.message.trim()
             ? error.message
             : `Failed to update user profile: ${response.statusText} (Status: ${response.status})`;
         throw new Error(errorMessage);
@@ -55,7 +51,7 @@ async function uploadProfilePicture(accessToken, file, fileName) {
     else {
         formData.append('file', file);
     }
-    const response = await fetch(`${auth_core_client_1.AUTH_SERVER_URL}/api/user/profile/picture`, {
+    const response = await fetch(`${AUTH_SERVER_URL}/api/user/profile/picture`, {
         method: 'POST',
         headers: {
             Authorization: `Bearer ${accessToken}`,
@@ -63,12 +59,10 @@ async function uploadProfilePicture(accessToken, file, fileName) {
         body: formData,
     });
     if (!response.ok) {
-        const error = await response
+        const error = (await response
             .json()
-            .catch(() => ({ message: response.statusText }));
-        const errorMessage = error?.message &&
-            typeof error.message === 'string' &&
-            error.message.trim()
+            .catch(() => ({ message: response.statusText })));
+        const errorMessage = error?.message && typeof error.message === 'string' && error.message.trim()
             ? error.message
             : `Failed to upload profile picture: ${response.statusText} (Status: ${response.status})`;
         throw new Error(errorMessage);

package/dist/userinfo.d.ts

@@ -1,4 +1,23 @@
-import type { UserInfo, IntrospectResult } from '@tekcify/auth-core-client';
+export interface UserInfo {
+    sub: string;
+    email: string;
+    email_verified: boolean;
+    given_name: string | null;
+    family_name: string | null;
+    name: string | null;
+    picture: string | null;
+    updated_at: number;
+}
+export interface IntrospectResult {
+    active: boolean;
+    clientId?: string;
+    username?: string;
+    scope?: string;
+    sub?: string;
+    exp?: number;
+    iat?: number;
+    tokenType?: string;
+}
 export declare function fetchUserInfo(accessToken: string): Promise<UserInfo>;
 export interface IntrospectTokenOptions {
     token: string;

package/dist/userinfo.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"userinfo.d.ts","sourceRoot":"","sources":["../src/userinfo.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAG5E,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAE1E;AAED,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAM3B"}
+{"version":3,"file":"userinfo.d.ts","sourceRoot":"","sources":["../src/userinfo.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,QAAQ;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,OAAO,CAAC;IACxB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAMD,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAc1E;AAED,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CA0B3B"}

package/dist/userinfo.js

@@ -2,14 +2,40 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.fetchUserInfo = fetchUserInfo;
 exports.introspectAccessToken = introspectAccessToken;
-const auth_core_client_1 = require("@tekcify/auth-core-client");
+const AUTH_SERVER_URL = 'https://auth-api.tekcify.com';
 async function fetchUserInfo(accessToken) {
-    return (0, auth_core_client_1.getUserInfo)(accessToken);
+    const response = await fetch(`${AUTH_SERVER_URL}/api/oauth/userinfo`, {
+        method: 'GET',
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+        },
+    });
+    if (!response.ok) {
+        const error = (await response.json().catch(() => ({})));
+        throw new Error(error.message ?? 'Failed to get user info');
+    }
+    return response.json();
 }
 async function introspectAccessToken(options) {
-    return (0, auth_core_client_1.introspectToken)({
+    const body = {
         token: options.token,
-        clientId: options.clientId,
-        clientSecret: options.clientSecret,
+    };
+    if (options.clientId) {
+        body.clientId = options.clientId;
+    }
+    if (options.clientSecret) {
+        body.clientSecret = options.clientSecret;
+    }
+    const response = await fetch(`${AUTH_SERVER_URL}/api/oauth/token/introspect`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(body),
     });
+    if (!response.ok) {
+        const error = (await response.json().catch(() => ({})));
+        throw new Error(error.message ?? 'Failed to introspect token');
+    }
+    return response.json();
 }

package/dist/verify.d.ts

@@ -1,4 +1,4 @@
-import type { TokenPayload, VerifyTokenOptions, VerifiedToken } from "./types";
+import type { TokenPayload, VerifyTokenOptions, VerifiedToken } from './types';
 export declare function verifyAccessToken(token: string, options: VerifyTokenOptions): VerifiedToken;
 export declare function decodeToken(token: string): TokenPayload | null;
 //# sourceMappingURL=verify.d.ts.map

package/dist/verify.js

@@ -1,57 +1,27 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifyAccessToken = verifyAccessToken;
 exports.decodeToken = decodeToken;
-const jwt = __importStar(require("jsonwebtoken"));
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 function verifyAccessToken(token, options) {
     try {
-        const decoded = jwt.verify(token, options.secret, {
-            issuer: options.issuer ?? "tekcify-auth",
-            audience: options.audience ?? "tekcify-api",
+        const decoded = jsonwebtoken_1.default.verify(token, options.secret, {
+            issuer: options.issuer ?? 'tekcify-auth',
+            audience: options.audience ?? 'tekcify-api',
         });
-        if (decoded.type !== "access") {
+        if (decoded.type !== 'access') {
             return { payload: decoded, valid: false };
         }
         return { payload: decoded, valid: true };
     }
     catch (error) {
-        if (error instanceof jwt.JsonWebTokenError) {
+        if (error instanceof jsonwebtoken_1.default.JsonWebTokenError) {
             return { payload: {}, valid: false };
         }
-        if (error instanceof jwt.TokenExpiredError) {
+        if (error instanceof jsonwebtoken_1.default.TokenExpiredError) {
             return { payload: {}, valid: false };
         }
         throw error;
@@ -59,7 +29,7 @@ function verifyAccessToken(token, options) {
 }
 function decodeToken(token) {
     try {
-        return jwt.decode(token);
+        return jsonwebtoken_1.default.decode(token);
     }
     catch {
         return null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tekcify/auth-backend",
-  "version": "2.0.4",
+  "version": "2.1.0",
   "description": "Backend authentication helpers for Tekcify Auth. Provides middleware, guards, and utilities for validating JWT tokens and protecting API routes in NestJS and Express applications.",
   "author": "Tekcify",
   "main": "./dist/index.js",
@@ -51,7 +51,8 @@
   "license": "MIT",
   "dependencies": {
     "@tekcify/auth-core-client": "^2.0.0",
-    "jsonwebtoken": "^9.0.3"
+    "jsonwebtoken": "^9.0.3",
+    "jwks-rsa": "^3.2.1"
   },
   "devDependencies": {
     "@nestjs/common": "^11.1.9",