initial commit

2024-04-01 13:28:43 +07:00 · 2024-04-01 13:28:43 +07:00 · c5e3107e03
commit c5e3107e03
26 changed files with 3828 additions and 0 deletions
--- a/src/services/keycloak.ts
+++ b/src/services/keycloak.ts
@ -0,0 +1,193 @@
+import { DecodedJwt, createDecoder } from "fast-jwt";
+
+const KC_URL = process.env.KC_URL;
+const KC_REALM = process.env.KC_REALM;
+const KC_CLIENT_ID = process.env.KC_SERVICE_ACCOUNT_CLIENT_ID;
+const KC_SECRET = process.env.KC_SERVICE_ACCOUNT_SECRET;
+
+let token: string | null = null;
+let decoded: DecodedJwt | null = null;
+
+const jwtDecode = createDecoder({ complete: true });
+
+/**
+ * Check if token is expired or will expire in 30 seconds
+ * @returns true if expire or can't get exp, false otherwise
+ */
+export function isTokenExpired(token: string, beforeExpire: number = 30) {
+  decoded = jwtDecode(token);
+
+  if (decoded && decoded.payload.exp) {
+    return Date.now() / 1000 >= decoded.payload.exp - beforeExpire;
+  }
+
+  return true;
+}
+
+/**
+ * Get token from keycloak if needed
+ */
+export async function getToken() {
+  if (!KC_CLIENT_ID || !KC_SECRET) {
+    throw new Error("KC_CLIENT_ID and KC_SECRET are required to used this feature.");
+  }
+
+  if (token && !isTokenExpired(token)) return token;
+
+  const body = new URLSearchParams();
+
+  body.append("client_id", KC_CLIENT_ID);
+  body.append("client_secret", KC_SECRET);
+  body.append("grant_type", "client_credentials");
+
+  const res = await fetch(`${KC_URL}/realms/${KC_REALM}/protocol/openid-connect/token`, {
+    method: "POST",
+    body: body,
+  }).catch((e) => console.error(e));
+
+  if (!res) {
+    throw new Error("Cannot get token from keycloak.");
+  }
+
+  const data = await res.json();
+
+  if (data && data.access_token) {
+    token = data.access_token;
+  }
+
+  return token;
+}
+
+/**
+ * Create keycloak user by given username and password with roles
+ *
+ * Client must have permission to manage realm's user
+ *
+ * @returns user uuid or true if success, false otherwise.
+ */
+export async function createUser(username: string, password: string) {
+  const res = await fetch(`${KC_URL}/admin/realms/${KC_REALM}/users`, {
+    // prettier-ignore
+    headers: {
+      "authorization": `Bearer ${await getToken()}`,
+      "content-type": `application/json`,
+    },
+    method: "POST",
+    body: JSON.stringify({
+      enabled: true,
+      credentials: [{ type: "password", value: password }],
+      username,
+    }),
+  }).catch((e) => console.log("Keycloak Error: ", e));
+
+  if (!res) return false;
+  if (!res.ok) {
+    return Boolean(console.error("Keycloak Error Response: ", await res.json()));
+  }
+
+  const path = res.headers.get("Location");
+  const id = path?.split("/").at(-1);
+  return id || true;
+}
+
+/**
+ * Get roles list or specific role data
+ *
+ * Client must have permission to get realms roles
+ *
+ * @returns role's info (array if not specify name) if success, null if not found, false otherwise.
+ */
+export async function getRoles(name?: string) {
+  const res = await fetch(
+    `${KC_URL}/admin/realms/${KC_REALM}/roles`.concat((name && `/${name}`) || ""),
+    {
+      // prettier-ignore
+      headers: {
+      "authorization": `Bearer ${await getToken()}`,
+    },
+    },
+  ).catch((e) => console.log(e));
+
+  if (!res) return false;
+  if (!res.ok && res.status !== 404) {
+    return Boolean(console.error("Keycloak Error Response: ", await res.json()));
+  }
+
+  if (res.status === 404) {
+    return null;
+  }
+
+  const data = await res.json();
+
+  if (Array.isArray(data)) {
+    return data.map((v: Record<string, any>) => ({ id: v.id, name: v.name }));
+  }
+
+  return {
+    id: data.id,
+    name: data.name,
+  };
+}
+
+/**
+ * Assign role to user
+ *
+ * Client must have permission to manage realm's user roles
+ *
+ * @returns true if success, false otherwise.
+ */
+export async function addUserRoles(userId: string, roleId: string[]) {
+  const res = await fetch(
+    `${KC_URL}/admin/realms/${KC_REALM}/users/${userId}/role-mappings/realm`,
+    {
+      // prettier-ignore
+      headers: {
+      "authorization": `Bearer ${await getToken()}`,
+      "content-type": `application/json`,
+    },
+      method: "POST",
+      body: JSON.stringify(roleId.map((v) => ({ id: v }))),
+    },
+  ).catch((e) => console.log(e));
+
+  if (!res) return false;
+  if (!res.ok) {
+    return Boolean(console.error("Keycloak Error Response: ", await res.json()));
+  }
+  return true;
+}
+
+/**
+ * Remove role from user
+ *
+ * Client must have permission to manage realm's user roles
+ *
+ * @returns true if success, false otherwise.
+ */
+export async function removeUserRoles(userId: string, roleId: string[]) {
+  const res = await fetch(
+    `${KC_URL}/admin/realms/${KC_REALM}/users/${userId}/role-mappings/realm`,
+    {
+      // prettier-ignore
+      headers: {
+      "authorization": `Bearer ${await getToken()}`,
+      "content-type": `application/json`,
+    },
+      method: "DELETE",
+      body: JSON.stringify(roleId.map((v) => ({ id: v }))),
+    },
+  ).catch((e) => console.log(e));
+
+  if (!res) return false;
+  if (!res.ok) {
+    return Boolean(console.error("Keycloak Error Response: ", await res.json()));
+  }
+  return true;
+}
+
+export default {
+  createUser,
+  getRoles,
+  addUserRoles,
+  removeUserRoles,
+};