@viardex/viardex-libs 1.0.4 → 1.0.5

package/README.md

@@ -1 +1,180 @@
 # Viardex Libs
+
+Shared NestJS infrastructure for Viardex services.
+
+## Argon
+
+`@viardex/viardex-libs` provides a shared Argon2id hashing module for passwords, passcodes, and transaction PINs.
+
+```ts
+import { ArgonModule, ArgonService } from '@viardex/viardex-libs';
+
+@Module({
+  imports: [ArgonModule],
+})
+export class AppModule {}
+```
+
+Example:
+
+```ts
+constructor(private readonly argonService: ArgonService) {}
+
+const hash = await this.argonService.hash(password);
+const isValid = await this.argonService.verify(hash, password);
+const shouldRotate = await this.argonService.needsRehash(hash);
+```
+
+`ArgonService.verify()` safely returns `false` for malformed hashes instead of leaking low-level argon exceptions into auth flows.
+
+## Auth
+
+`@viardex/viardex-libs` provides the shared JWT verifier module.
+
+```ts
+import { AuthModule } from '@viardex/viardex-libs';
+
+@Module({
+  imports: [AuthModule],
+})
+export class AppModule {}
+```
+
+### Decorators
+
+Use the shared barrel:
+
+```ts
+import {
+  AuthModule,
+  CurrentAuth,
+  Permissions,
+  Public,
+  Roles,
+} from '@viardex/viardex-libs';
+```
+
+- `@Public()` marks a route as bypassing the global JWT guard.
+- `@Roles(...roles)` declares allowed staff roles for a route.
+- `@Permissions(...permissions)` declares required permissions for a route.
+- `@CurrentAuth()` returns the verified JWT principal from the request.
+
+### Guards
+
+Guard classes live under `src/auth/guards` and are exported through the shared barrel:
+
+```ts
+import { PermissionsGuard, RolesGuard } from '@viardex/viardex-libs';
+```
+
+Example:
+
+```ts
+@UseGuards(RolesGuard, PermissionsGuard)
+@Roles('admin', 'support')
+@Permissions('tickets.read', 'tickets.resolve')
+@Get('tickets')
+listTickets() {}
+```
+
+### JWT Config
+
+Services should expose:
+
+```env
+JWT_ALGORITHM=RS256
+JWT_ISSUER=viardex-user-service
+JWT_AUDIENCE=viardex-api
+JWT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
+```
+
+The shared auth module verifies JWTs globally. Role and permission guards are opt-in at the route or controller level.
+
+## Logger
+
+`LoggerModule` is global and wraps `nestjs-pino`.
+
+- development uses `pino-pretty`
+- non-HTTP contexts are ignored by `LoggingInterceptor`
+- request logging keeps request id, method, URL, status code, and duration
+
+## Health
+
+`HealthModule` exposes:
+
+- `GET /health` for lightweight liveness
+- `GET /health/ready` for readiness checks
+
+Readiness currently checks storage, memory, and NATS connectivity.
+
+## Cache
+
+`CacheModule.register()` exposes a Redis-backed `CacheService`.
+
+Preferred APIs:
+
+- `set()` / `get()`
+- `setJson()` / `getJson()`
+- `setIfNotExists()` for idempotency / locks
+- `scan()` instead of `keys()` for production-safe pattern reads
+- `ping()` for lightweight health checks
+
+## Nest And Go Mapping
+
+The Go shared package in `viardex-go` follows the same auth concepts, but uses middleware and request context instead of Nest metadata and guards.
+
+| Nest (`viardex-libs`) | Go (`viardex-go`) |
+| --- | --- |
+| `AuthModule` | `auth` package setup in service bootstrap |
+| `AuthService` | `auth.NewService(...)` / `auth.Service` |
+| `AuthPrincipal` | `auth.Principal` |
+| `AuthTokenType` | `auth.TokenType` |
+| `AuthGuard` | `middlewares.Auth(...)` |
+| `RolesGuard` | `middlewares.RequireRoles(...)` |
+| `PermissionsGuard` | `middlewares.RequirePermissions(...)` |
+| `AuthTokenTypes(...)` | `middlewares.RequireTokenTypes(...)` |
+| `Public()` | keep route/group outside auth middleware |
+| `Roles(...)` | wrap route/group with `middlewares.RequireRoles(...)` |
+| `Permissions(...)` | wrap route/group with `middlewares.RequirePermissions(...)` |
+| `CurrentAuth()` | `auth.PrincipalFromContext(r.Context())` |
+
+### Example Comparison
+
+Nest:
+
+```ts
+@UseGuards(PermissionsGuard)
+@Permissions('ledger.read')
+@Get('/ledger')
+```
+
+Go:
+
+```go
+r.With(middlewares.RequirePermissions("ledger.read")).Get("/ledger", handler)
+```
+
+Nest:
+
+```ts
+@Public()
+@Get('/health')
+```
+
+Go:
+
+```go
+r.Get("/health", handler)
+```
+
+Nest:
+
+```ts
+const principal = request.user;
+```
+
+Go:
+
+```go
+principal, ok := auth.PrincipalFromContext(r.Context())
+```

package/dist/argon/argon.module.d.ts

@@ -0,0 +1,2 @@
+export declare class ArgonModule {
+}

package/dist/{notification/notification.module.js → argon/argon.module.js}

@@ -6,15 +6,16 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
     return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NotificationModule = void 0;
+exports.ArgonModule = void 0;
 const common_1 = require("@nestjs/common");
-const notification_client_1 = require("./notification.client");
-let NotificationModule = class NotificationModule {
+const argon_service_1 = require("./argon.service");
+let ArgonModule = class ArgonModule {
 };
-exports.NotificationModule = NotificationModule;
-exports.NotificationModule = NotificationModule = __decorate([
+exports.ArgonModule = ArgonModule;
+exports.ArgonModule = ArgonModule = __decorate([
+    (0, common_1.Global)(),
     (0, common_1.Module)({
-        providers: [notification_client_1.Notification],
-        exports: [notification_client_1.Notification],
+        providers: [argon_service_1.ArgonService],
+        exports: [argon_service_1.ArgonService],
     })
-], NotificationModule);
+], ArgonModule);

package/dist/argon/argon.service.d.ts

@@ -0,0 +1,6 @@
+export declare class ArgonService {
+    private readonly options;
+    hash(value: string): Promise<string>;
+    verify(hash: string, value: string): Promise<boolean>;
+    needsRehash(hash: string): Promise<boolean>;
+}

package/dist/argon/argon.service.js

@@ -0,0 +1,74 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ArgonService = void 0;
+const common_1 = require("@nestjs/common");
+const argon2 = __importStar(require("argon2"));
+let ArgonService = class ArgonService {
+    options = {
+        type: argon2.argon2id,
+        memoryCost: 2 ** 16,
+        timeCost: 3,
+        parallelism: 1,
+    };
+    async hash(value) {
+        return argon2.hash(value, this.options);
+    }
+    async verify(hash, value) {
+        try {
+            return await argon2.verify(hash, value);
+        }
+        catch {
+            return false;
+        }
+    }
+    async needsRehash(hash) {
+        return argon2.needsRehash(hash, {
+            memoryCost: this.options.memoryCost,
+            timeCost: this.options.timeCost,
+            parallelism: this.options.parallelism,
+        });
+    }
+};
+exports.ArgonService = ArgonService;
+exports.ArgonService = ArgonService = __decorate([
+    (0, common_1.Injectable)()
+], ArgonService);

package/dist/argon/index.d.ts

@@ -0,0 +1,2 @@
+export * from './argon.module';
+export * from './argon.service';

package/dist/{notification → argon}/index.js

@@ -14,7 +14,5 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./notification.client"), exports);
-__exportStar(require("./notification.interface"), exports);
-__exportStar(require("./notification.enum"), exports);
-__exportStar(require("./notification.module"), exports);
+__exportStar(require("./argon.module"), exports);
+__exportStar(require("./argon.service"), exports);

package/dist/auth/auth.constants.d.ts

@@ -0,0 +1,4 @@
+export declare const IS_PUBLIC_KEY = "viardex:isPublic";
+export declare const AUTH_TOKEN_TYPES_KEY = "viardex:authTokenTypes";
+export declare const AUTH_ROLES_KEY = "viardex:authRoles";
+export declare const AUTH_PERMISSIONS_KEY = "viardex:authPermissions";

package/dist/auth/auth.constants.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AUTH_PERMISSIONS_KEY = exports.AUTH_ROLES_KEY = exports.AUTH_TOKEN_TYPES_KEY = exports.IS_PUBLIC_KEY = void 0;
+exports.IS_PUBLIC_KEY = 'viardex:isPublic';
+exports.AUTH_TOKEN_TYPES_KEY = 'viardex:authTokenTypes';
+exports.AUTH_ROLES_KEY = 'viardex:authRoles';
+exports.AUTH_PERMISSIONS_KEY = 'viardex:authPermissions';

package/dist/auth/auth.interfaces.d.ts

@@ -0,0 +1,19 @@
+export type AuthTokenType = 'user' | 'ops';
+export interface TokenVerifierConfig {
+    issuer: string;
+    audience: string;
+    publicKey?: string;
+    algorithm: string;
+}
+export interface AuthPrincipal {
+    sub: string;
+    iss: string;
+    aud: string | string[];
+    iat?: number;
+    exp?: number;
+    jti?: string;
+    tokenType: AuthTokenType;
+    role?: string;
+    permissions?: string[];
+    claims: Record<string, unknown>;
+}

package/dist/auth/auth.module.d.ts

@@ -0,0 +1,2 @@
+export declare class AuthModule {
+}

package/dist/auth/auth.module.js

@@ -0,0 +1,30 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthModule = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const guards_1 = require("./guards");
+const auth_service_1 = require("./auth.service");
+let AuthModule = class AuthModule {
+};
+exports.AuthModule = AuthModule;
+exports.AuthModule = AuthModule = __decorate([
+    (0, common_1.Global)(),
+    (0, common_1.Module)({
+        providers: [
+            auth_service_1.AuthService,
+            guards_1.AuthGuard,
+            {
+                provide: core_1.APP_GUARD,
+                useClass: guards_1.AuthGuard,
+            },
+        ],
+        exports: [guards_1.AuthGuard, auth_service_1.AuthService],
+    })
+], AuthModule);

package/dist/auth/auth.service.d.ts

@@ -0,0 +1,13 @@
+import { ConfigService } from '@nestjs/config';
+import { AuthPrincipal, AuthTokenType, TokenVerifierConfig } from './auth.interfaces';
+type ResolvedVerifierConfig = TokenVerifierConfig & {
+    tokenType: AuthTokenType;
+};
+export declare class AuthService {
+    private readonly configService;
+    constructor(configService: ConfigService);
+    verifyAccessToken(token: string): AuthPrincipal;
+    getVerifierConfig(): ResolvedVerifierConfig;
+    private normalizePublicKey;
+}
+export {};

package/dist/auth/auth.service.js

@@ -0,0 +1,99 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthService = void 0;
+const common_1 = require("@nestjs/common");
+const jwt = __importStar(require("jsonwebtoken"));
+let AuthService = class AuthService {
+    configService;
+    constructor(configService) {
+        this.configService = configService;
+    }
+    verifyAccessToken(token) {
+        const verifier = this.getVerifierConfig();
+        if (!verifier.publicKey) {
+            throw new common_1.UnauthorizedException('Missing JWT public key configuration');
+        }
+        try {
+            const claims = jwt.verify(token, verifier.publicKey, {
+                algorithms: [verifier.algorithm],
+                issuer: verifier.issuer,
+                audience: verifier.audience,
+            });
+            if (!claims.sub || !claims.iss || !claims.aud) {
+                throw new common_1.UnauthorizedException('JWT payload is missing required claims');
+            }
+            return {
+                sub: String(claims.sub),
+                iss: String(claims.iss),
+                aud: claims.aud,
+                iat: claims.iat,
+                exp: claims.exp,
+                jti: claims.jti,
+                tokenType: verifier.tokenType,
+                role: claims.role ? String(claims.role) : undefined,
+                permissions: Array.isArray(claims.permissions)
+                    ? claims.permissions.map((permission) => String(permission))
+                    : undefined,
+                claims: claims,
+            };
+        }
+        catch (error) {
+            throw new common_1.UnauthorizedException(error?.message || 'Token verification failed');
+        }
+    }
+    getVerifierConfig() {
+        return {
+            issuer: this.configService.get('jwt.issuer', ''),
+            audience: this.configService.get('jwt.audience', ''),
+            publicKey: this.normalizePublicKey(this.configService.get('jwt.publicKey')),
+            algorithm: this.configService.get('jwt.algorithm', 'RS256') ?? 'RS256',
+            tokenType: 'user',
+        };
+    }
+    normalizePublicKey(value) {
+        return value?.replace(/\\n/g, '\n');
+    }
+};
+exports.AuthService = AuthService;
+exports.AuthService = AuthService = __decorate([
+    (0, common_1.Injectable)()
+], AuthService);

package/dist/auth/decorators/auth-token-types.decorator.d.ts

@@ -0,0 +1,2 @@
+import { AuthTokenType } from '../auth.interfaces';
+export declare const AuthTokenTypes: (...types: AuthTokenType[]) => import("@nestjs/common").CustomDecorator<string>;

package/dist/auth/decorators/auth-token-types.decorator.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthTokenTypes = void 0;
+const common_1 = require("@nestjs/common");
+const auth_constants_1 = require("../auth.constants");
+const AuthTokenTypes = (...types) => (0, common_1.SetMetadata)(auth_constants_1.AUTH_TOKEN_TYPES_KEY, types);
+exports.AuthTokenTypes = AuthTokenTypes;

package/dist/auth/decorators/current-auth.decorator.d.ts

@@ -0,0 +1 @@
+export declare const CurrentAuth: (...dataOrPipes: unknown[]) => ParameterDecorator;

package/dist/auth/decorators/current-auth.decorator.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CurrentAuth = void 0;
+const common_1 = require("@nestjs/common");
+exports.CurrentAuth = (0, common_1.createParamDecorator)((_data, context) => {
+    const request = context
+        .switchToHttp()
+        .getRequest();
+    return request.user;
+});

package/dist/auth/decorators/index.d.ts

@@ -0,0 +1,5 @@
+export * from './auth-token-types.decorator';
+export * from './current-auth.decorator';
+export * from './permissions.decorator';
+export * from './public.decorator';
+export * from './roles.decorator';

package/dist/auth/decorators/index.js

@@ -0,0 +1,21 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./auth-token-types.decorator"), exports);
+__exportStar(require("./current-auth.decorator"), exports);
+__exportStar(require("./permissions.decorator"), exports);
+__exportStar(require("./public.decorator"), exports);
+__exportStar(require("./roles.decorator"), exports);

package/dist/auth/decorators/permissions.decorator.d.ts

@@ -0,0 +1 @@
+export declare const Permissions: (...permissions: string[]) => import("@nestjs/common").CustomDecorator<string>;

package/dist/auth/decorators/permissions.decorator.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Permissions = void 0;
+const common_1 = require("@nestjs/common");
+const auth_constants_1 = require("../auth.constants");
+const Permissions = (...permissions) => (0, common_1.SetMetadata)(auth_constants_1.AUTH_PERMISSIONS_KEY, permissions);
+exports.Permissions = Permissions;

package/dist/auth/decorators/public.decorator.d.ts

@@ -0,0 +1 @@
+export declare const Public: () => import("@nestjs/common").CustomDecorator<string>;

package/dist/auth/decorators/public.decorator.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Public = void 0;
+const common_1 = require("@nestjs/common");
+const auth_constants_1 = require("../auth.constants");
+const Public = () => (0, common_1.SetMetadata)(auth_constants_1.IS_PUBLIC_KEY, true);
+exports.Public = Public;

package/dist/auth/decorators/roles.decorator.d.ts

@@ -0,0 +1 @@
+export declare const Roles: (...roles: string[]) => import("@nestjs/common").CustomDecorator<string>;

package/dist/auth/decorators/roles.decorator.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Roles = void 0;
+const common_1 = require("@nestjs/common");
+const auth_constants_1 = require("../auth.constants");
+const Roles = (...roles) => (0, common_1.SetMetadata)(auth_constants_1.AUTH_ROLES_KEY, roles);
+exports.Roles = Roles;

package/dist/auth/guards/auth.guard.d.ts

@@ -0,0 +1,10 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { AuthService } from '../auth.service';
+export declare class AuthGuard implements CanActivate {
+    private readonly reflector;
+    private readonly authService;
+    constructor(reflector: Reflector, authService: AuthService);
+    canActivate(context: ExecutionContext): boolean;
+    private extractBearerToken;
+}

package/dist/auth/guards/auth.guard.js

@@ -0,0 +1,58 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthGuard = void 0;
+const common_1 = require("@nestjs/common");
+const auth_constants_1 = require("../auth.constants");
+let AuthGuard = class AuthGuard {
+    reflector;
+    authService;
+    constructor(reflector, authService) {
+        this.reflector = reflector;
+        this.authService = authService;
+    }
+    canActivate(context) {
+        const isPublic = this.reflector.getAllAndOverride(auth_constants_1.IS_PUBLIC_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if (isPublic) {
+            return true;
+        }
+        const request = context.switchToHttp().getRequest();
+        const token = this.extractBearerToken(request.headers.authorization);
+        const principal = this.authService.verifyAccessToken(token);
+        const allowedTypes = this.reflector.getAllAndOverride(auth_constants_1.AUTH_TOKEN_TYPES_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]) ?? [];
+        if (allowedTypes.length > 0 &&
+            !allowedTypes.includes(principal.tokenType)) {
+            throw new common_1.UnauthorizedException('Token type is not allowed for this route');
+        }
+        request.user = principal;
+        return true;
+    }
+    extractBearerToken(authorizationHeader) {
+        const value = Array.isArray(authorizationHeader)
+            ? authorizationHeader[0]
+            : authorizationHeader;
+        if (!value) {
+            throw new common_1.UnauthorizedException('Authorization header is missing');
+        }
+        const [scheme, token] = value.split(' ');
+        if (scheme !== 'Bearer' || !token) {
+            throw new common_1.UnauthorizedException('Invalid authorization header format');
+        }
+        return token;
+    }
+};
+exports.AuthGuard = AuthGuard;
+exports.AuthGuard = AuthGuard = __decorate([
+    (0, common_1.Injectable)()
+], AuthGuard);

package/dist/auth/guards/index.d.ts

@@ -0,0 +1,3 @@
+export * from './auth.guard';
+export * from './permissions.guard';
+export * from './roles.guard';