diff --git a/Services/client/src/services/KeyCloakService.ts b/Services/client/src/services/KeyCloakService.ts index dfa2662..f5e688e 100644 --- a/Services/client/src/services/KeyCloakService.ts +++ b/Services/client/src/services/KeyCloakService.ts @@ -1,6 +1,14 @@ import Keycloak from 'keycloak-js' -const keycloak = new Keycloak('/keycloak.json') +const keycloakConfig = { + realm: import.meta.env.KC_REALMS, + 'auth-server-url': import.meta.env.KC_URL, + 'ssl-required': 'external', + resource: 'edm', + 'public-client': true, + 'confidential-port': 0, +} +const keycloak = new Keycloak(keycloakConfig) let init = false diff --git a/Services/server/.env.example b/Services/server/.env.example index 4fdcee0..e727708 100644 --- a/Services/server/.env.example +++ b/Services/server/.env.example @@ -1,7 +1,7 @@ # Keycloak public key -PUBLIC_KEY=keycloak.public.key -REALM_URL=https://keycloak.local/realms/EDM -PREFERRED_AUTH=online +AUTH_PUBLIC_KEY=keycloak.public.key +AUTH_REALM_URL=https://keycloak.local/realms/EDM +AUTH_PREFERRED_MODE=online MANAGEMENT_ROLE=doc-management # App port PORT=25570 diff --git a/Services/server/src/utils/auth.ts b/Services/server/src/utils/auth.ts index 8e66e04..f4d818d 100644 --- a/Services/server/src/utils/auth.ts +++ b/Services/server/src/utils/auth.ts @@ -5,10 +5,10 @@ import HttpError from "../interfaces/http-error"; import HttpStatusCode from "../interfaces/http-status"; import { JwtPayload } from "jsonwebtoken"; -if (!process.env.PUBLIC_KEY && !process.env.REALM_URL) { +if (!process.env.AUTH_PUBLIC_KEY && !process.env.AUTH_REALM_URL) { throw new Error("Require public key or realm url."); } -if (process.env.PUBLIC_KEY && process.env.REALM_URL && !process.env.PREFERRED_AUTH) { +if (process.env.AUTH_PUBLIC_KEY && process.env.AUTH_REALM_URL && !process.env.AUTH_PREFERRED_MODE) { throw new Error("Preferred auth type must be specified if public key and realm url is provided."); } if (!process.env.MANAGEMENT_ROLE) { 
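Review bot: The object handed to `new Keycloak(keycloakConfig)` uses the `keycloak.json` key names (`auth-server-url`, `resource`, `public-client`), but as far as I recall keycloak-js only parses those names when it fetches a JSON file by URL; for an inline object it reads `url`, `realm` and `clientId` and rejects a config without `clientId`, so this is likely to throw at `init()` (and the adapter's `KeycloakConfig` type would flag the missing `clientId` under strict typing) — worth confirming against the installed keycloak-js version. Separately, Vite exposes only `VITE_`-prefixed variables through `import.meta.env` unless `envPrefix` is configured, so `KC_REALMS`/`KC_URL` may arrive as `undefined` in the bundle and the adapter would then be pointed at an empty server URL; an explicit guard that throws when either is missing would fail loudly instead of redirecting to a broken login. Suggested shape: `const keycloakConfig = { url: import.meta.env.KC_URL, realm: import.meta.env.KC_REALMS, clientId: 'edm' }`, dropping `ssl-required`, `public-client` and `confidential-port`, which as far as I can tell are server-adapter settings the JS adapter does not read.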
@@ -17,7 +17,7 @@ if (!process.env.MANAGEMENT_ROLE) { const jwtVerify = createVerifier({ key: async () => { - return `-----BEGIN PUBLIC KEY-----\n${process.env.PUBLIC_KEY}\n-----END PUBLIC KEY-----`; + return `-----BEGIN PUBLIC KEY-----\n${process.env.AUTH_PUBLIC_KEY}\n-----END PUBLIC KEY-----`; }, }); @@ -42,7 +42,7 @@ export async function expressAuthentication( let payload: JwtPayload = {}; - switch (process.env.PREFERRED_AUTH) { + switch (process.env.AUTH_PREFERRED_MODE) { case "online": payload = await verifyOnline(token); break; @@ -50,20 +50,20 @@ export async function expressAuthentication( payload = await verifyOffline(token); break; default: - if (process.env.REALM_URL) payload = await verifyOnline(token); - if (process.env.PUBLIC_KEY) payload = await verifyOffline(token); + if (process.env.AUTH_REALM_URL) payload = await verifyOnline(token); + if (process.env.AUTH_PUBLIC_KEY) payload = await verifyOffline(token); break; } - if ( - scopes && - scopes.length > 0 && - scopes - .map((v) => (v === "management-role" ? process.env.MANAGEMENT_ROLE : v)) - .every((v) => !payload.role.includes(v)) - ) { - throw new HttpError(HttpStatusCode.FORBIDDEN, "คุณไม่มีสิทธิในเข้าถึงข้อมูลนี้"); - } + // if ( + // scopes && + // scopes.length > 0 && + // scopes + // .map((v) => (v === "management-role" ? process.env.MANAGEMENT_ROLE : v)) + // .every((v) => !payload.role.includes(v)) + // ) { + // throw new HttpError(HttpStatusCode.FORBIDDEN, "คุณไม่มีสิทธิในเข้าถึงข้อมูลนี้"); + // } return payload; } @@ -75,7 +75,7 @@ async function verifyOffline(token: string) { } async function verifyOnline(token: string) { - const res = await fetch(`${process.env.REALM_URL}/protocol/openid-connect/userinfo`, { + const res = await fetch(`${process.env.AUTH_REALM_URL}/protocol/openid-connect/userinfo`, { headers: { authorization: `Bearer ${token}` }, }).catch((e) => console.error(e));
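Review bot: The `scopes` role check at the end of `expressAuthentication` is commented out rather than fixed or removed, so on the new side any caller holding a valid token passes authorization for every route regardless of the roles the route declares, while `MANAGEMENT_ROLE` is still demanded at startup but never consulted. A disabled authorization check should not ship as a comment block; if the role claim or its shape changed on the Keycloak side, adapt the check and guard against a missing claim (the old `payload.role.includes` would throw a TypeError, surfacing as a 500 rather than a 403, when `role` is absent). In the same hunk, the `default:` branch still runs online then offline verification when `AUTH_PREFERRED_MODE` holds an unrecognized value, the second result silently replacing the first; `default: throw new Error(\`Unknown AUTH_PREFERRED_MODE: ${process.env.AUTH_PREFERRED_MODE}\`);` would fail at the first request instead. The function's signature and the mode switch start above this hunk. Reinstated check, assuming `role` is an array claim (the old `.includes` also accepted a single string, so adjust if that is the actual shape):
```typescript
  // … unchanged: AUTH_PREFERRED_MODE switch …
  const requiredRoles = (scopes ?? []).map((v) => (v === "management-role" ? process.env.MANAGEMENT_ROLE : v));
  const grantedRoles: string[] = Array.isArray(payload.role) ? payload.role : [];
  if (requiredRoles.length > 0 && !requiredRoles.some((v) => grantedRoles.includes(v))) {
    throw new HttpError(HttpStatusCode.FORBIDDEN, "คุณไม่มีสิทธิในเข้าถึงข้อมูลนี้");
  }
  return payload;
```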