Finaliza auth de rotas

src/auth/keycloak.strategy.ts

@@ -1,4 +1,4 @@
-import { Injectable } from '@nestjs/common';
+import { Injectable, UnauthorizedException } from '@nestjs/common';
 import { PassportStrategy } from '@nestjs/passport';
 import { ExtractJwt, Strategy } from 'passport-jwt';
 import * as jwksRsa from 'jwks-rsa';
@@ -32,23 +32,31 @@ export interface JwtPayload {
 @Injectable()
 export class KeycloakJwtStrategy extends PassportStrategy(Strategy, 'jwt') {
   constructor() {
+    const baseUrl =
+      process.env.NODE_ENV === 'production'
+        ? 'http://keycloak:8080'
+        : 'https://auth.clipperia.com.br';
+
     super({
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
       secretOrKeyProvider: jwksRsa.passportJwtSecret({
         cache: true,
         rateLimit: true,
         jwksRequestsPerMinute: 5,
-        jwksUri:
-          'https://auth.clipperia.com.br/realms/clipperia/protocol/openid-connect/certs',
+        jwksUri: `${baseUrl}/realms/clipperia/protocol/openid-connect/certs`,
       }),
       algorithms: ['RS256'],
-      audience: 'account',
-      issuer: 'https://auth.clipperia.com.br/realms/clipperia',
+      issuer: `${baseUrl}/realms/clipperia`,
       ignoreExpiration: false,
     });
   }
 
   validate(payload: JwtPayload): JwtPayload {
+    if (payload.exp < Date.now() / 1000) {
+      throw new UnauthorizedException('Token expirado');
+    }
+
     return payload;
   }
 }