feat: check for permission using roles

2024-04-10 12:46:23 +07:00 · 2024-04-10 12:46:23 +07:00 · f89dfcad37
commit f89dfcad37
parent f7eea342cc
2 changed files with 9 additions and 7 deletions
--- a/src/middlewares/auth-provider/keycloak.ts
+++ b/src/middlewares/auth-provider/keycloak.ts
@ -16,11 +16,7 @@ const jwtVerify = createVerifier({

 const jwtDecode = createDecoder();

-export async function keycloakAuth(
-  request: Express.Request,
-  _securityName?: string,
-  _scopes?: string[],
-) {
+export async function keycloakAuth(request: Express.Request, roles?: string[]) {
  const token = request.headers["authorization"]?.includes("Bearer ")
    ? request.headers["authorization"].split(" ")[1]
    : request.headers["authorization"];
@ -49,6 +45,12 @@ export async function keycloakAuth(
      }
  }

+  if (Array.isArray(roles) && roles.length > 0 && Array.isArray(payload.roles)) {
+    if (!roles.some((a: string) => payload.roles.includes(a))) {
+      throw new HttpError(HttpStatus.FORBIDDEN, "คุณไม่มีสิทธิในการเข้าถึงข้อมูลดังกล่าว");
+    }
+  }
+
  return payload;
 }

--- a/src/middlewares/auth.ts
+++ b/src/middlewares/auth.ts
@ -6,11 +6,11 @@ import { keycloakAuth } from "./auth-provider/keycloak";
 export async function expressAuthentication(
  request: Express.Request,
  securityName: string,
-  _scopes?: string[],
+  scopes?: string[],
 ) {
  switch (securityName) {
    case "keycloak":
-      return keycloakAuth(request);
+      return keycloakAuth(request, scopes);
    default:
      throw new HttpError(HttpStatus.NOT_IMPLEMENTED, "ไม่ทราบวิธียืนยันตัวตน");
  }