Initial commit with Email Import Wizard and Task Processor updates

paperless-backend/src/auth/jwt.strategy.ts

@@ -0,0 +1,38 @@
+import { Injectable } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { Strategy, ExtractJwt } from 'passport-jwt';
+import { ConfigService } from '@nestjs/config';
+import { passportJwtSecret } from 'jwks-rsa';
+import { mapGroupsToPermissions } from './permissions.enum';
+
+@Injectable()
+export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
+  constructor(configService: ConfigService) {
+    const issuer = configService.get<string>('OIDC_ISSUER', '');
+
+    super({
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      ignoreExpiration: false,
+      issuer,
+      algorithms: ['RS256'],
+      secretOrKeyProvider: passportJwtSecret({
+        cache: true,
+        rateLimit: true,
+        jwksRequestsPerMinute: 5,
+        jwksUri: `${issuer.endsWith('/') ? issuer.slice(0, -1) : issuer}/jwks/`,
+      }),
+    });
+  }
+
+  validate(payload: any): { userId: string; email: string; name: string; preferredUsername: string | null; groups: string[]; permissions: any[] } {
+    const groups = payload.groups || [];
+    return {
+      userId: payload.sub,
+      email: payload.email,
+      name: payload.name || payload.preferred_username,
+      preferredUsername: payload.preferred_username ?? null,
+      groups: groups,
+      permissions: mapGroupsToPermissions(groups),
+    };
+  }
+}