Adiciona primeiros Guards de autenticacao

src/auth/keycloak.strategy.ts

@@ -0,0 +1,54 @@
+import { Injectable } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { ExtractJwt, Strategy } from 'passport-jwt';
+import * as jwksRsa from 'jwks-rsa';
+
+export type JwtAudience = string | string[] | undefined;
+export interface JwtRealmAccess {
+  roles: string[];
+}
+export interface JwtResourceAccessEntry {
+  roles: string[];
+}
+export type JwtResourceAccess =
+  | Record<string, JwtResourceAccessEntry>
+  | undefined;
+export interface JwtPayload {
+  sub: string;
+  email?: string;
+  preferred_username?: string;
+  given_name?: string;
+  family_name?: string;
+  scope?: string;
+  realm_access?: JwtRealmAccess;
+  resource_access?: JwtResourceAccess;
+  iat: number;
+  exp: number;
+  iss: string;
+  aud?: JwtAudience;
+  [claim: string]: unknown;
+}
+
+@Injectable()
+export class KeycloakJwtStrategy extends PassportStrategy(Strategy, 'jwt') {
+  constructor() {
+    super({
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      secretOrKeyProvider: jwksRsa.passportJwtSecret({
+        cache: true,
+        rateLimit: true,
+        jwksRequestsPerMinute: 5,
+        jwksUri:
+          'https://auth.clipperia.com.br/realms/clipperia/protocol/openid-connect/certs',
+      }),
+      algorithms: ['RS256'],
+      audience: 'account',
+      issuer: 'https://auth.clipperia.com.br/realms/clipperia',
+      ignoreExpiration: false,
+    });
+  }
+
+  validate(payload: JwtPayload): JwtPayload {
+    return payload;
+  }
+}