fix: Fix Keycloak JWT authentication in production

🔐 Fix Production Authentication

## Issue Fixed:
- 401 Unauthorized errors in production
- JWT strategy trying to validate Keycloak tokens with wrong secret
- Keycloak tokens signed by Keycloak, not our JWT_SECRET

## Solution:
- Modified JwtAuthGuard to validate Keycloak tokens directly
- Bypass JWT strategy validation for production
- Use AuthService.verifyToken() to validate with Keycloak
- Extract Bearer token from Authorization header

## Key Changes:
- JwtAuthGuard: Direct Keycloak token validation
- JwtStrategy: Simplified for development mode only
- Production: Validates tokens against Keycloak userinfo endpoint
- Development: Still uses DISABLE_AUTH bypass

## Authentication Flow:
1. Extract Bearer token from Authorization header
2. Call Keycloak userinfo endpoint with token
3. Parse user information from Keycloak response
4. Set request.user with validated user data

This fixes the 401 errors by properly validating Keycloak
JWT tokens in production environment.

Author: gnowgi

nodebook-base/src/auth/guards/jwt-auth.guard.ts

@@ -1,14 +1,18 @@
-import { Injectable, ExecutionContext } from '@nestjs/common';
+import { Injectable, ExecutionContext, UnauthorizedException } from '@nestjs/common';
 import { AuthGuard } from '@nestjs/passport';
 import { ConfigService } from '@nestjs/config';
+import { AuthService } from '../auth.service.js';
 
 @Injectable()
 export class JwtAuthGuard extends AuthGuard('jwt') {
-  constructor(private configService: ConfigService) {
+  constructor(
+    private configService: ConfigService,
+    private authService: AuthService,
+  ) {
     super();
   }
 
-  canActivate(context: ExecutionContext) {
+  async canActivate(context: ExecutionContext) {
     // Skip authentication in development mode
     if (this.configService.get<string>('DISABLE_AUTH') === 'true') {
       const request = context.switchToHttp().getRequest();
@@ -21,7 +25,27 @@ export class JwtAuthGuard extends AuthGuard('jwt') {
       return true;
     }
 
-    return super.canActivate(context);
+    // For production, validate Keycloak token directly
+    const request = context.switchToHttp().getRequest();
+    const authHeader = request.headers.authorization;
+    
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      throw new UnauthorizedException('No token provided');
+    }
+
+    const token = authHeader.substring(7); // Remove 'Bearer ' prefix
+    
+    try {
+      const user = await this.authService.verifyToken(token);
+      if (!user) {
+        throw new UnauthorizedException('Invalid token');
+      }
+      
+      request.user = user;
+      return true;
+    } catch (error) {
+      throw new UnauthorizedException('Token validation failed');
+    }
   }
 }
 

nodebook-base/src/auth/strategies/jwt.strategy.ts

@@ -28,12 +28,14 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
       };
     }
 
-    // For production, validate with Keycloak
-    const user = await this.authService.verifyToken(payload.access_token || payload.token);
-    if (!user) {
-      throw new UnauthorizedException();
-    }
-    return user;
+    // For production, this should not be called since we handle validation in the guard
+    // But if it is called, return the payload as user
+    return {
+      id: payload.sub || payload.id,
+      username: payload.preferred_username || payload.username,
+      email: payload.email,
+      isAdmin: payload.realm_access?.roles?.includes('admin') || false,
+    };
   }
 }