[Task] Keycloak-JWT-Verifikation im Backend #5

New issue

Closed

opened 2026-04-14 18:29:29 +02:00 by admin-mrrm · 0 comments

admin-mrrm commented 2026-04-14 18:29:29 +02:00

Owner

Copy link

Ziel

NestJS-Guard, der Bearer-Tokens gegen Keycloak JWKS verifiziert. @CurrentUser() Decorator, Routen per Guard schützen.

Warum

Authentifizierung ist für alle Feature-Module nötig — einmal zentral umsetzen.

Schritte

• jose als JWT-Verifier einbinden
• KeycloakAuthGuard (JWKS-Validation, Caching der Keys)
• @CurrentUser() Decorator extrahiert sub, email, preferred_username
• Konfigurierbar per env: KC_ISSUER, KC_JWKS_URI, KC_AUDIENCE
• Tests: gültiges Token, abgelaufenes, falsche Signatur, wrong audience

## Ziel NestJS-Guard, der Bearer-Tokens gegen Keycloak JWKS verifiziert. `@CurrentUser()` Decorator, Routen per Guard schützen. ## Warum Authentifizierung ist für alle Feature-Module nötig — einmal zentral umsetzen. ## Schritte - [ ] `jose` als JWT-Verifier einbinden - [ ] KeycloakAuthGuard (JWKS-Validation, Caching der Keys) - [ ] @CurrentUser() Decorator extrahiert `sub`, `email`, `preferred_username` - [ ] Konfigurierbar per env: KC_ISSUER, KC_JWKS_URI, KC_AUDIENCE - [ ] Tests: gültiges Token, abgelaufenes, falsche Signatur, wrong audience

admin-mrrm added this to the Sprint 1 — Foundation milestone 2026-04-14 18:29:29 +02:00

admin-mrrm added the

area/auth

type/feature

size/m

area/api

labels 2026-04-14 18:29:29 +02:00

admin-mrrm added a new dependency 2026-04-14 18:32:52 +02:00

#6 [Story] Shopping-List CRUD-Endpoints

admin-mrrm referenced this issue from a commit 2026-04-14 23:03:08 +02:00

feat(api): Keycloak JWT verification as global guard

admin-mrrm closed this issue 2026-04-14 23:03:08 +02:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

chore/roadmap-rc32-done

feat/rc32-fdroid-nightly

feat/rc31-auto-index-on-mutation

feat/rc30-auto-index

chore/roadmap-rc28-done

feat/360-projects-source

chore/roadmap-rc27-done

feat/habits-ui

chore/roadmap-rc26-done

feat/planner-v1-depends-on

chore/roadmap-rc25-done

feat/calendar-settings-ui

chore/roadmap-rc24-done

feat/candidate-mark-done

chore/roadmap-rc23-done

fix/shared-schema-todo

chore/roadmap-rc22-done

chore/release-rc22

feat/todo-candidate-writer

chore/roadmap-rc21-done

chore/roadmap-rc21-json-fix

chore/release-v0.6.6-rc21

feat/day-planner-empty-state-ctas

chore/roadmap-rc17-rc18-done

chore/phase2-smoke-manual-trigger

chore/roadmap-rc19-done

fix/list-screens-scrollable

feat/dev-user-header-env-gate

wireup/ai-foundation-phase1

feat/443-search-ui

feat/442-background-indexer

feat/441-data-source-interface

feat/440-sqlite-vec

feat/439-embedding-service

feat/425-mlkit-image-preview-integration

archive/spike-77-ocr-mobile

fix/gitea-release-shell-scope

feat/396-version-sync

feat/376-e2e-drone-integration

feat/374-e2e-playwright-setup

feat/372-planner-v1

feat/370-calendar-read

feat/368-planner-v0

feat/366-habit-source

feat/178-mail-candidate-writer

feat/253-nli-template-ab

fix/348-settings-nav-hijack-v2

fix/347-web-side-drawer

fix/349-profile-menu-close

feat-297-sender-memory-ui

feat-296-web-classifier-sender-memory

feat/294-sender-label-memory

chore/268-analyze-script-dynamic-labels

fix/268-nli-threshold-025

fix/266-imap-getmessage-timeout

fix-imap-unhandled-error

fix-175-onnxruntime-anchor

fix-175-onnxruntime-mainapp

ci-release-gate-apk

ci-mobile-bundle-check

fix-175-native-startup

fix-175-stub-onnxruntime-web

fix-175-import-meta-hermes

feat-web-parcel-scan-toggle

feat-tracking-manual-sync

fix-track17-carrier-ids

feat-232-mail-scanner

feat-233-trackings-post

feat-aftership-provider

feat-195-loading-skeletons

feat-197-error-boundary

feat-194-toast-system

chore/add-claude-md

155-auth-callback-route

feat/fdroid-deploy

fix/mail-messages-pagination-types

feat/ocr-correction-review

fix/ocr-inference-oom

fix/ocr-oom-and-finetune-training

feat/ocr-easyocr-and-training-data

feat/ocr-image-rotate-preview

feat/mobile-image-picker-57

feat/ocr-parse-image-endpoint

feat/lists-notes-e2e

fix/web-show-auth-error-body

fix/deploy-envfile

fix/deploy-ssh-port

feat/drone-deploy

fix/drone-secret-names

fix/dockerfile-deploy-flag

feat/drone-ci

feat/apps-web

feat/shopping-list-crud

v0.6.7-rc33

v0.6.6-rc32

v0.6.6-rc31

v0.6.6-rc30

v0.6.6-rc29

v0.6.6-rc28

v0.6.6-rc27

v0.6.6-rc26

v0.6.6-rc25

v0.6.6-rc24

v0.6.6-rc23

v0.6.6-rc22

v0.6.6-rc21

v0.6.6-rc20

v0.6.6-rc19

debug-rpi5

v0.6.6-rc18

v0.6.6-rc17

v0.6.6-rc16

v0.6.6-rc15

v0.6.6-rc14

v0.6.6-rc13

v0.6.6-rc12

v0.6.6-rc11

v0.6.6-rc10

v0.6.6-rc9

v0.6.6-rc8

v0.6.6-rc7

v0.6.6-rc6

v0.6.6-rc5

v0.6.6-rc4

v0.6.6-rc3

v0.6.6-rc2

v0.6.6-rc1

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

v0.4.6

v0.4.5

v1.0.515

v1.0.468

v1.0.449

v1.0.442

Labels

Clear labels   

app/archiv

Document & email archive (Paperless-ngx integration)

  

app/einkaufslisten

  

app/imap-client

  

app/wissensbasis

  

arch-answered

arch-question wurde vom Architekten beantwortet und vom PM in Produkt-Entscheidung übersetzt

  

arch-question

Anfrage an Software-Architekt — Tech-/Architektur-Entscheidung gebraucht (PM hat sie nicht selbst getroffen)

  

area/api

NestJS backend

  

area/auth

Keycloak / OIDC

  

area/infra

Monorepo / CI / tooling

  

area/mobile

Expo React Native app

  

area/shared

Shared packages

  

area/ui

Tamagui UI package

  

area/web

Vite web app

  

portfolio-status

Wöchentlicher CEO-Portfolio-Status

  

prio/high

High priority

  

prio/low

Low priority

  

prio/medium

Medium priority

  

roadmap/public

In der public Roadmap der App sichtbar (roadmap.json kuratiert)

  

size/l

2-3 days

  

size/m

About 1 day

  

size/s

Half a day

  

size/xl

More than 3 days — should be split

  

size/xs

Less than 1 hour

  

status/blocked

Waiting on something

  

status/needs-info

Open questions before work can continue

  

type/bug

Something is broken

  

type/chore

Infra / tooling / maintenance

  

type/docs

Documentation

  

type/feature

New user-facing functionality

  

type/idea

  

type/refactor

Code refactor without behavior change

No labels

app/archiv

app/einkaufslisten

app/imap-client

app/wissensbasis

arch-answered

arch-question

area/api

area/auth

area/infra

area/mobile

area/shared

area/ui

area/web

portfolio-status

prio/high

prio/low

prio/medium

roadmap/public

size/l

size/m

size/s

size/xl

size/xs

status/blocked

status/needs-info

type/bug

type/chore

type/docs

type/feature

type/idea

type/refactor

Milestone

Clear milestone

No items

No milestone

Sprint 1 — Foundation

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Blocks

#6 [Story] Shopping-List CRUD-Endpoints

admin-mrrm/mrrmlabapp

Reference

admin-mrrm/mrrmlabapp#5

No description provided.