npm - itlab-internal-services - Versions diffs - 2.15.7 → 2.16.1 - Mend

itlab-internal-services 2.15.7 → 2.16.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (371) hide show

package/dist/models/{account-entity.model.js → user.model.js} RENAMED Viewed

@@ -9,50 +9,36 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AccountEntity = void 0;
+exports.User = void 0;
 const swagger_1 = require("@nestjs/swagger");
-/**
- * Represents the identity and authorization details of a user account.
- *
- * This class is used in API responses to expose user metadata, including core profile
- * information (email, username, avatar) and permission scopes granted to the user.
- */
-class AccountEntity {
+class User {
 }
-exports.AccountEntity = AccountEntity;
+exports.User = User;
 __decorate([
     (0, swagger_1.ApiProperty)({
         description: 'Unique identifier for the account (MongoDB ObjectId)',
         example: '000000000000000000000000',
     }),
     __metadata("design:type", String)
-], AccountEntity.prototype, "id", void 0);
+], User.prototype, "id", void 0);
 __decorate([
     (0, swagger_1.ApiProperty)({
-        description: 'Email address registered to the account',
-        example: 'timo@example.com',
+        description: 'Display name of the account user',
+        example: 'Timo Scheuermann',
     }),
     __metadata("design:type", String)
-], AccountEntity.prototype, "email", void 0);
+], User.prototype, "username", void 0);
 __decorate([
     (0, swagger_1.ApiProperty)({
-        description: 'Display name of the account user',
-        example: 'Timo Scheuermann',
+        description: 'Email address registered to the account',
+        example: 'timo@example.com',
     }),
     __metadata("design:type", String)
-], AccountEntity.prototype, "username", void 0);
+], User.prototype, "email", void 0);
 __decorate([
     (0, swagger_1.ApiPropertyOptional)({
         description: "URL of the user's avatar image",
         example: 'https://file.svi-itlab.com/avatar/000000000000000000000000.webp',
     }),
     __metadata("design:type", String)
-], AccountEntity.prototype, "avatar", void 0);
-__decorate([
-    (0, swagger_1.ApiProperty)({
-        description: 'Permission strings assigned to the user account',
-        example: ['news.publish', 'dashboard.view'],
-        type: [String],
-    }),
-    __metadata("design:type", Array)
-], AccountEntity.prototype, "perms", void 0);
+], User.prototype, "avatar", void 0);

package/dist/modules/authentication/authentication-module-options.interface.d.ts CHANGED Viewed

@@ -4,15 +4,9 @@
  * JWT verification and internal Kubernetes token validation.
  */
 export type AuthenticationModuleOptions = {
-    /**
-     * Secret key used to sign and verify JSON Web Tokens (JWT).
-     * This should be a strong, securely stored string.
-     */
+    /** Secret key for signing and verifying JWTs */
     jwtSecret: string;
-    /**
-     * Token used for internal authentication, typically
-     * shared between services within a Kubernetes cluster.
-     */
+    /** Shared service token for internal service requests */
     k8sToken: string;
 };
 /**

package/dist/modules/authentication/authentication-options.parameter.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+/**
+ * Parameter decorator to inject AuthenticationModule options into services or guards.
+ */
+export declare function InjectAuthenticationOptions(): ParameterDecorator;

package/dist/modules/authentication/{inject-auth-options.decorator.js → authentication-options.parameter.js} RENAMED Viewed

@@ -1,8 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.InjectAuthOptions = InjectAuthOptions;
+exports.InjectAuthenticationOptions = InjectAuthenticationOptions;
 const common_1 = require("@nestjs/common");
 const authentication_module_definition_1 = require("./authentication.module-definition");
-function InjectAuthOptions() {
+/**
+ * Parameter decorator to inject AuthenticationModule options into services or guards.
+ */
+function InjectAuthenticationOptions() {
     return (0, common_1.Inject)(authentication_module_definition_1.AUTHENTICATION_MODULE_OPTIONS_TOKEN);
 }

package/dist/modules/authentication/authentication.module.d.ts CHANGED Viewed

@@ -1,7 +1,30 @@
 import { DynamicModule } from '@nestjs/common';
 import { AuthenticationModuleAsyncOptions, AuthenticationModuleOptions } from './authentication-module-options.interface';
 import { AuthenticationModuleClass } from './authentication.module-definition';
+/**
+ * AuthenticationModule
+ *
+ * Globally available NestJS module providing:
+ * - JWT authentication
+ * - Internal service authentication
+ * - Permissions-based access control
+ *
+ * Supports both synchronous (`forRoot`) and asynchronous (`forRootAsync`) configuration.
+ */
 export declare class AuthenticationModule extends AuthenticationModuleClass {
+    /**
+     * Configure the module asynchronously.
+     * Useful when options must be loaded from environment or external services.
+     *
+     * @param asyncOptions - Factory function and providers for async configuration.
+     * @returns {DynamicModule} Fully configured module definition with async options exported.
+     */
     static forRoot(options: AuthenticationModuleOptions): DynamicModule;
+    /**
+     * Asynchronously configure the authentication module.
+     * Useful for dynamic config values loaded from environment or external services.
+     *
+     * @param asyncOptions - Factory function and injected providers for async configuration
+     */
     static forRootAsync(asyncOptions: AuthenticationModuleAsyncOptions): DynamicModule;
 }

package/dist/modules/authentication/authentication.module.js CHANGED Viewed

@@ -11,7 +11,24 @@ const common_1 = require("@nestjs/common");
 const jwt_1 = require("@nestjs/jwt");
 const authentication_module_definition_1 = require("./authentication.module-definition");
 const guards_1 = require("./guards");
+/**
+ * AuthenticationModule
+ *
+ * Globally available NestJS module providing:
+ * - JWT authentication
+ * - Internal service authentication
+ * - Permissions-based access control
+ *
+ * Supports both synchronous (`forRoot`) and asynchronous (`forRootAsync`) configuration.
+ */
 let AuthenticationModule = class AuthenticationModule extends authentication_module_definition_1.AuthenticationModuleClass {
+    /**
+     * Configure the module asynchronously.
+     * Useful when options must be loaded from environment or external services.
+     *
+     * @param asyncOptions - Factory function and providers for async configuration.
+     * @returns {DynamicModule} Fully configured module definition with async options exported.
+     */
     static forRoot(options) {
         const moduleDefinition = super.forRoot(options);
         return Object.assign(Object.assign({}, moduleDefinition), { exports: [
@@ -22,6 +39,12 @@ let AuthenticationModule = class AuthenticationModule extends authentication_mod
                 },
             ] });
     }
+    /**
+     * Asynchronously configure the authentication module.
+     * Useful for dynamic config values loaded from environment or external services.
+     *
+     * @param asyncOptions - Factory function and injected providers for async configuration
+     */
     static forRootAsync(asyncOptions) {
         const moduleDefinition = super.forRootAsync(asyncOptions);
         return Object.assign(Object.assign({}, moduleDefinition), { exports: [
@@ -38,6 +61,6 @@ exports.AuthenticationModule = AuthenticationModule;
 exports.AuthenticationModule = AuthenticationModule = __decorate([
     (0, common_1.Module)({
         imports: [jwt_1.JwtModule.register({ global: true })],
-        providers: [guards_1.AuthGuard, guards_1.InternalGuard, guards_1.PermissionsGuard],
+        providers: [guards_1.JwtAuthGuard, guards_1.ServiceAuthGuard, guards_1.PermissionsGuard],
     })
 ], AuthenticationModule);

package/dist/modules/authentication/guards/index.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-export { AuthGuard, RequireJwtAuth } from './auth.guard';
-export { InternalGuard, InternalOnly } from './internal.guard';
+export { JwtAuthGuard, RequireJwtAuth } from './jwt-auth.guard';
 export { PermissionsGuard, RequirePermissions } from './permissions.guard';
 export { Public } from './public.guard';
+export { RequireServiceAuth, ServiceAuthGuard } from './service-auth.guard';

package/dist/modules/authentication/guards/index.js CHANGED Viewed

@@ -1,14 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Public = exports.RequirePermissions = exports.PermissionsGuard = exports.InternalOnly = exports.InternalGuard = exports.RequireJwtAuth = exports.AuthGuard = void 0;
-var auth_guard_1 = require("./auth.guard");
-Object.defineProperty(exports, "AuthGuard", { enumerable: true, get: function () { return auth_guard_1.AuthGuard; } });
-Object.defineProperty(exports, "RequireJwtAuth", { enumerable: true, get: function () { return auth_guard_1.RequireJwtAuth; } });
-var internal_guard_1 = require("./internal.guard");
-Object.defineProperty(exports, "InternalGuard", { enumerable: true, get: function () { return internal_guard_1.InternalGuard; } });
-Object.defineProperty(exports, "InternalOnly", { enumerable: true, get: function () { return internal_guard_1.InternalOnly; } });
+exports.ServiceAuthGuard = exports.RequireServiceAuth = exports.Public = exports.RequirePermissions = exports.PermissionsGuard = exports.RequireJwtAuth = exports.JwtAuthGuard = void 0;
+var jwt_auth_guard_1 = require("./jwt-auth.guard");
+Object.defineProperty(exports, "JwtAuthGuard", { enumerable: true, get: function () { return jwt_auth_guard_1.JwtAuthGuard; } });
+Object.defineProperty(exports, "RequireJwtAuth", { enumerable: true, get: function () { return jwt_auth_guard_1.RequireJwtAuth; } });
 var permissions_guard_1 = require("./permissions.guard");
 Object.defineProperty(exports, "PermissionsGuard", { enumerable: true, get: function () { return permissions_guard_1.PermissionsGuard; } });
 Object.defineProperty(exports, "RequirePermissions", { enumerable: true, get: function () { return permissions_guard_1.RequirePermissions; } });
 var public_guard_1 = require("./public.guard");
 Object.defineProperty(exports, "Public", { enumerable: true, get: function () { return public_guard_1.Public; } });
+var service_auth_guard_1 = require("./service-auth.guard");
+Object.defineProperty(exports, "RequireServiceAuth", { enumerable: true, get: function () { return service_auth_guard_1.RequireServiceAuth; } });
+Object.defineProperty(exports, "ServiceAuthGuard", { enumerable: true, get: function () { return service_auth_guard_1.ServiceAuthGuard; } });

package/dist/modules/authentication/guards/jwt-auth.guard.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { JwtService } from '@nestjs/jwt';
+import { AuthenticationModuleOptions } from '../authentication-module-options.interface';
+/**
+ * Guard implementing JWT authentication for routes.
+ * Skips authentication for public routes and service requests.
+ */
+export declare class JwtAuthGuard implements CanActivate {
+    private readonly authenticationOptions;
+    private readonly reflector;
+    private readonly jwtService;
+    constructor(authenticationOptions: AuthenticationModuleOptions, reflector: Reflector, jwtService: JwtService);
+    canActivate(context: ExecutionContext): boolean;
+}
+/** Decorator enforcing JWT authentication on routes/controllers */
+export declare function RequireJwtAuth(): MethodDecorator & ClassDecorator;

package/dist/modules/authentication/guards/jwt-auth.guard.js ADDED Viewed

@@ -0,0 +1,67 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtAuthGuard = void 0;
+exports.RequireJwtAuth = RequireJwtAuth;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const jwt_1 = require("@nestjs/jwt");
+const swagger_1 = require("@nestjs/swagger");
+const authentication_options_parameter_1 = require("../authentication-options.parameter");
+const public_guard_1 = require("./public.guard");
+/**
+ * Guard implementing JWT authentication for routes.
+ * Skips authentication for public routes and service requests.
+ */
+let JwtAuthGuard = class JwtAuthGuard {
+    constructor(authenticationOptions, reflector, jwtService) {
+        this.authenticationOptions = authenticationOptions;
+        this.reflector = reflector;
+        this.jwtService = jwtService;
+    }
+    canActivate(context) {
+        if ((0, public_guard_1.isPublicRoute)(context, this.reflector))
+            return true;
+        const request = context.switchToHttp().getRequest();
+        const token = extractBearerToken(request);
+        if (!token)
+            throw new common_1.UnauthorizedException('Authorization token not found.');
+        try {
+            request.account = this.jwtService.verify(token, { secret: this.authenticationOptions.jwtSecret });
+        }
+        catch (_a) {
+            throw new common_1.UnauthorizedException('Invalid or expired token.');
+        }
+        return true;
+    }
+};
+exports.JwtAuthGuard = JwtAuthGuard;
+exports.JwtAuthGuard = JwtAuthGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, authentication_options_parameter_1.InjectAuthenticationOptions)()),
+    __metadata("design:paramtypes", [Object, core_1.Reflector,
+        jwt_1.JwtService])
+], JwtAuthGuard);
+/** Extracts Bearer token from Authorization header */
+function extractBearerToken(request) {
+    const header = request.headers.authorization;
+    if (!header)
+        return undefined;
+    const [scheme, token] = header.split(' ');
+    return scheme === 'Bearer' && (token === null || token === void 0 ? void 0 : token.trim()) ? token : undefined;
+}
+/** Decorator enforcing JWT authentication on routes/controllers */
+function RequireJwtAuth() {
+    return (0, common_1.applyDecorators)((0, common_1.UseGuards)(JwtAuthGuard), (0, swagger_1.ApiBearerAuth)('Auth Token'), (0, swagger_1.ApiUnauthorizedResponse)({ description: 'Unauthorized: Invalid or missing JWT' }));
+}

package/dist/modules/authentication/guards/permissions.guard.d.ts CHANGED Viewed

@@ -1,36 +1,14 @@
 import { CanActivate, ExecutionContext } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
+import { AuthenticationModuleOptions } from '../authentication-module-options.interface';
 /**
- * Guard responsible for enforcing permissions-based access control.
- * It checks whether the authenticated user possesses all required permissions
- * defined via metadata on route handlers.
+ * Guard enforcing that authenticated users have the necessary permissions.
  */
 export declare class PermissionsGuard implements CanActivate {
+    private readonly authenticationOptions;
     private readonly reflector;
-    constructor(reflector: Reflector);
-    /**
-     * Determines if the current user has sufficient permissions to access the resource.
-     *
-     * - Retrieves required permissions metadata for the current handler.
-     * - Allows access immediately if no permissions are specified (no restriction).
-     * - Validates presence of user permissions and checks if they satisfy requirements.
-     * - Throws ForbiddenException with detailed message if authorization fails.
-     *
-     * @param {ExecutionContext} context - The execution context of the current request.
-     * @returns {boolean} True if user has required permissions; otherwise throws.
-     * @throws {ForbiddenException} When user lacks required permissions.
-     */
+    constructor(authenticationOptions: AuthenticationModuleOptions, reflector: Reflector);
     canActivate(context: ExecutionContext): boolean;
 }
-/**
- * RequirePermissions
- *
- * Decorator factory that:
- * - Attaches required permissions metadata to the route handler.
- * - Applies the AuthGuard and PermissionsGuard to secure the route.
- * - Adds Swagger documentation for bearer authentication and forbidden responses.
- *
- * @param {...string[]} permissions - List of permissions required to access the route.
- * @returns {MethodDecorator & ClassDecorator} A composite decorator securing the route.
- */
+/** Decorator enforcing permissions on routes/controllers */
 export declare function RequirePermissions(...permissions: string[]): MethodDecorator & ClassDecorator;

package/dist/modules/authentication/guards/permissions.guard.js CHANGED Viewed

@@ -8,6 +8,9 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PermissionsGuard = void 0;
 exports.RequirePermissions = RequirePermissions;
@@ -16,78 +19,43 @@ const core_1 = require("@nestjs/core");
 const swagger_1 = require("@nestjs/swagger");
 const class_validator_1 = require("class-validator");
 const itlab_functions_1 = require("itlab-functions");
-const auth_guard_1 = require("./auth.guard");
-/**
- * PERMISSIONS_METADATA_KEY
- *
- * Metadata key used to store the list of required permissions for a route handler.
- * This key is used by the PermissionsGuard to retrieve permissions metadata.
- */
-const PERMISSIONS_METADATA_KEY = 'itlab-internal-perms-guard';
+const authentication_options_parameter_1 = require("../authentication-options.parameter");
+const jwt_auth_guard_1 = require("./jwt-auth.guard");
+const public_guard_1 = require("./public.guard");
+/** Metadata key storing required permissions for routes */
+const PERMISSIONS_METADATA_KEY = Symbol('itlab-permissions-guard');
 /**
- * Guard responsible for enforcing permissions-based access control.
- * It checks whether the authenticated user possesses all required permissions
- * defined via metadata on route handlers.
+ * Guard enforcing that authenticated users have the necessary permissions.
  */
 let PermissionsGuard = class PermissionsGuard {
-    constructor(reflector) {
+    constructor(authenticationOptions, reflector) {
+        this.authenticationOptions = authenticationOptions;
         this.reflector = reflector;
     }
-    /**
-     * Determines if the current user has sufficient permissions to access the resource.
-     *
-     * - Retrieves required permissions metadata for the current handler.
-     * - Allows access immediately if no permissions are specified (no restriction).
-     * - Validates presence of user permissions and checks if they satisfy requirements.
-     * - Throws ForbiddenException with detailed message if authorization fails.
-     *
-     * @param {ExecutionContext} context - The execution context of the current request.
-     * @returns {boolean} True if user has required permissions; otherwise throws.
-     * @throws {ForbiddenException} When user lacks required permissions.
-     */
     canActivate(context) {
-        // Retrieve the array of permissions required by this route handler.
-        const requiredPermissions = this.reflector.get(PERMISSIONS_METADATA_KEY, context.getHandler());
-        // If no permissions are specified, allow unrestricted access.
-        if (!requiredPermissions || requiredPermissions.length === 0) {
+        if ((0, public_guard_1.isPublicRoute)(context, this.reflector))
             return true;
-        }
-        // Extract the authenticated user from the request object.
-        const { user } = context.switchToHttp().getRequest();
-        // Check user existence, ensure user has at least one permission,
-        // and verify user permissions satisfy required permissions.
-        const userHasPermissions = user && (0, class_validator_1.arrayMinSize)(user.perms, 1) && (0, itlab_functions_1.hasSomePermission)(requiredPermissions, user.perms);
-        if (userHasPermissions) {
+        const requiredPermissions = this.reflector.get(PERMISSIONS_METADATA_KEY, context.getHandler());
+        if (hasRequiredPermissions(context, requiredPermissions))
             return true;
-        }
-        // Compose a user-friendly permission list string for error message.
-        const permissionList = (0, itlab_functions_1.formatList)(requiredPermissions, 'or');
-        // Deny access with a clear explanation of missing permissions.
-        throw new common_1.ForbiddenException(`Insufficient permissions: ${permissionList}`);
+        throw new common_1.ForbiddenException(`Insufficient permissions: ${(0, itlab_functions_1.formatList)(requiredPermissions, 'or')}`);
     }
 };
 exports.PermissionsGuard = PermissionsGuard;
 exports.PermissionsGuard = PermissionsGuard = __decorate([
     (0, common_1.Injectable)(),
-    __metadata("design:paramtypes", [core_1.Reflector])
+    __param(0, (0, authentication_options_parameter_1.InjectAuthenticationOptions)()),
+    __metadata("design:paramtypes", [Object, core_1.Reflector])
 ], PermissionsGuard);
-/**
- * RequirePermissions
- *
- * Decorator factory that:
- * - Attaches required permissions metadata to the route handler.
- * - Applies the AuthGuard and PermissionsGuard to secure the route.
- * - Adds Swagger documentation for bearer authentication and forbidden responses.
- *
- * @param {...string[]} permissions - List of permissions required to access the route.
- * @returns {MethodDecorator & ClassDecorator} A composite decorator securing the route.
- */
+/** Check if account has required permissions */
+function hasRequiredPermissions(context, requiredPermissions) {
+    // If no permissions are specified, allow unrestricted access.
+    if (!requiredPermissions || requiredPermissions.length === 0)
+        return true;
+    const { account } = context.switchToHttp().getRequest();
+    return (0, class_validator_1.arrayMinSize)(account === null || account === void 0 ? void 0 : account.perms, 1) && (0, itlab_functions_1.hasSomePermission)(requiredPermissions, account.perms);
+}
+/** Decorator enforcing permissions on routes/controllers */
 function RequirePermissions(...permissions) {
-    return (0, common_1.applyDecorators)((0, common_1.SetMetadata)(PERMISSIONS_METADATA_KEY, permissions),
-    // Ensure the request is authenticated before checking permissions.
-    (0, common_1.UseGuards)(auth_guard_1.AuthGuard, PermissionsGuard),
-    // Swagger decorator indicating Bearer token authentication is required.
-    (0, swagger_1.ApiBearerAuth)(),
-    // Swagger decorator documenting the 403 Forbidden response with permission details.
-    (0, swagger_1.ApiForbiddenResponse)({ description: `Insufficient permissions: ${(0, itlab_functions_1.formatList)(permissions, 'or')}` }));
+    return (0, common_1.applyDecorators)((0, common_1.SetMetadata)(PERMISSIONS_METADATA_KEY, permissions), (0, common_1.UseGuards)(jwt_auth_guard_1.JwtAuthGuard, PermissionsGuard), (0, swagger_1.ApiBearerAuth)('Auth Token'), (0, swagger_1.ApiForbiddenResponse)({ description: `Insufficient permissions: ${(0, itlab_functions_1.formatList)(permissions, 'or')}` }));
 }

package/dist/modules/authentication/guards/public.guard.d.ts CHANGED Viewed

@@ -1,14 +1,8 @@
-/**
- * Metadata key used to mark route handlers as public,
- * indicating that they do not require authentication.
- */
-export declare const IS_PUBLIC_METADATA_KEY = "itlab-public-guard";
-/**
- * Decorator to designate a route or controller as publicly accessible.
- * This bypasses authentication guards that check for authorization tokens.
- * It also updates Swagger documentation to clarify that authentication
- * is not required for this endpoint.
- *
- * @returns {MethodDecorator & ClassDecorator} A composite decorator marking routes as public.
- */
+import { ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+/** Metadata key marking a route as public (no auth required) */
+export declare const PUBLIC_METADATA_KEY: unique symbol;
+/** Check if a route or controller is marked as public */
+export declare function isPublicRoute(context: ExecutionContext, reflector: Reflector): boolean;
+/** Decorator marking a route/controller as public */
 export declare function Public(): MethodDecorator & ClassDecorator;

package/dist/modules/authentication/guards/public.guard.js CHANGED Viewed

@@ -1,30 +1,16 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.IS_PUBLIC_METADATA_KEY = void 0;
+exports.PUBLIC_METADATA_KEY = void 0;
+exports.isPublicRoute = isPublicRoute;
 exports.Public = Public;
 const common_1 = require("@nestjs/common");
-const swagger_1 = require("@nestjs/swagger");
-/**
- * Metadata key used to mark route handlers as public,
- * indicating that they do not require authentication.
- */
-exports.IS_PUBLIC_METADATA_KEY = 'itlab-public-guard';
-/**
- * Decorator to designate a route or controller as publicly accessible.
- * This bypasses authentication guards that check for authorization tokens.
- * It also updates Swagger documentation to clarify that authentication
- * is not required for this endpoint.
- *
- * @returns {MethodDecorator & ClassDecorator} A composite decorator marking routes as public.
- */
+/** Metadata key marking a route as public (no auth required) */
+exports.PUBLIC_METADATA_KEY = Symbol('itlab-public-guard');
+/** Check if a route or controller is marked as public */
+function isPublicRoute(context, reflector) {
+    return reflector.getAllAndOverride(exports.PUBLIC_METADATA_KEY, [context.getHandler(), context.getClass()]);
+}
+/** Decorator marking a route/controller as public */
 function Public() {
-    return (0, common_1.applyDecorators)(
-    // Attach metadata signaling that this route is public (auth not required).
-    (0, common_1.SetMetadata)(exports.IS_PUBLIC_METADATA_KEY, true),
-    // Explicitly clear security requirements for this route to override global auth
-    (0, swagger_1.ApiSecurity)(''), // Empty string disables security for this route
-    // Document the 401 Unauthorized response with an explanatory message.
-    (0, swagger_1.ApiUnauthorizedResponse)({
-        description: 'This is a public endpoint and does not require authentication',
-    }));
+    return (0, common_1.applyDecorators)((0, common_1.SetMetadata)(exports.PUBLIC_METADATA_KEY, true), (0, common_1.SetMetadata)('swagger/apiSecurity', ['public']));
 }

package/dist/modules/authentication/guards/service-auth.guard.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { AuthenticationModuleOptions } from '../authentication-module-options.interface';
+/** Header key used for internal Kubernetes service authentication */
+export declare const SERVICE_AUTH_HEADER_KEY = "X-itlab-k8s-auth";
+/**
+ * Guard validating service-to-service requests using a shared token.
+ */
+export declare class ServiceAuthGuard implements CanActivate {
+    private readonly authenticationOptions;
+    private readonly reflector;
+    constructor(authenticationOptions: AuthenticationModuleOptions, reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean;
+}
+/**
+ * Check if request contains the required internal service token.
+ */
+export declare function isServiceRequest(context: ExecutionContext, requiredk8sToken: string): boolean;
+/**
+ * Decorator for routes/controllers accessible only by internal services.
+ */
+export declare function RequireServiceAuth(): MethodDecorator & ClassDecorator;

package/dist/modules/authentication/guards/service-auth.guard.js ADDED Viewed

@@ -0,0 +1,65 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ServiceAuthGuard = exports.SERVICE_AUTH_HEADER_KEY = void 0;
+exports.isServiceRequest = isServiceRequest;
+exports.RequireServiceAuth = RequireServiceAuth;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const swagger_1 = require("@nestjs/swagger");
+const authentication_options_parameter_1 = require("../authentication-options.parameter");
+const public_guard_1 = require("./public.guard");
+/** Header key used for internal Kubernetes service authentication */
+exports.SERVICE_AUTH_HEADER_KEY = 'X-itlab-k8s-auth';
+/**
+ * Guard validating service-to-service requests using a shared token.
+ */
+let ServiceAuthGuard = class ServiceAuthGuard {
+    constructor(authenticationOptions, reflector) {
+        this.authenticationOptions = authenticationOptions;
+        this.reflector = reflector;
+    }
+    canActivate(context) {
+        if ((0, public_guard_1.isPublicRoute)(context, this.reflector))
+            return true;
+        if (isServiceRequest(context, this.authenticationOptions.k8sToken))
+            return true;
+        throw new common_1.UnauthorizedException('Application unauthorized');
+    }
+};
+exports.ServiceAuthGuard = ServiceAuthGuard;
+exports.ServiceAuthGuard = ServiceAuthGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, authentication_options_parameter_1.InjectAuthenticationOptions)()),
+    __metadata("design:paramtypes", [Object, core_1.Reflector])
+], ServiceAuthGuard);
+/**
+ * Check if request contains the required internal service token.
+ */
+function isServiceRequest(context, requiredk8sToken) {
+    const request = context.switchToHttp().getRequest();
+    const token = request.header(exports.SERVICE_AUTH_HEADER_KEY);
+    return token && token === requiredk8sToken;
+}
+/**
+ * Decorator for routes/controllers accessible only by internal services.
+ */
+function RequireServiceAuth() {
+    return (0, common_1.applyDecorators)((0, common_1.UseGuards)(ServiceAuthGuard), (0, swagger_1.ApiSecurity)('Service Token'), (0, swagger_1.ApiHeader)({
+        name: exports.SERVICE_AUTH_HEADER_KEY,
+        description: 'Token for service authentication',
+        allowEmptyValue: true,
+        required: true,
+    }), (0, swagger_1.ApiUnauthorizedResponse)({ description: 'Application unauthorized' }));
+}

package/dist/modules/authentication/index.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
+export * from './authentication-module-options.interface';
+export * from './authentication-options.parameter';
+export * from './authentication.module';
 export * from './guards';
-export { AuthenticationModuleOptions } from './authentication-module-options.interface';
-export { AuthenticationModule } from './authentication.module';
-export { InjectAuthOptions } from './inject-auth-options.decorator';

package/dist/modules/authentication/index.js CHANGED Viewed

@@ -14,9 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.InjectAuthOptions = exports.AuthenticationModule = void 0;
+__exportStar(require("./authentication-module-options.interface"), exports);
+__exportStar(require("./authentication-options.parameter"), exports);
+__exportStar(require("./authentication.module"), exports);
 __exportStar(require("./guards"), exports);
-var authentication_module_1 = require("./authentication.module");
-Object.defineProperty(exports, "AuthenticationModule", { enumerable: true, get: function () { return authentication_module_1.AuthenticationModule; } });
-var inject_auth_options_decorator_1 = require("./inject-auth-options.decorator");
-Object.defineProperty(exports, "InjectAuthOptions", { enumerable: true, get: function () { return inject_auth_options_decorator_1.InjectAuthOptions; } });