@cosmotech/core 1.18.2 → 1.19.1-beta.0

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+## **1.19.0** <sub><sup>2024-10-22 (07716f7...07716f7)</sup></sub>
+
+### Features
+
+- add configuration option `rolesJwtClaim` in `AuthKeycloakRedirect` provider ([07716f7](https://github.com/Cosmo-Tech/webapp-component-core/commit/07716f7))
+
 ## **1.18.2** <sub><sup>2024-09-23 (e619d7e...e619d7e)</sup></sub>
 
 ### Bug Fixes

package/dist/index.cjs.js

@@ -57370,13 +57370,15 @@ var acquireTokens = /*#__PURE__*/function () {
 }();
 var handleResponse = response => {
   if (response != null) {
+    var _account$idTokenClaim, _account$idTokenClaim2;
     var account = response.account;
     _updateTokensInStorage(response);
     writeToStorage('authIdTokenPopup', response.idToken);
     writeToStorage('authAuthenticated', 'true');
     writeToStorage('authAccountId', account.homeAccountId);
+    writeToStorage('authEmail', (_account$idTokenClaim = account.idTokenClaims) === null || _account$idTokenClaim === void 0 ? void 0 : _account$idTokenClaim.email);
     authData.accountId = account.homeAccountId;
-    authData.userEmail = account.username; // In MSAL account data, username property contains user email
+    authData.userEmail = (_account$idTokenClaim2 = account.idTokenClaims) === null || _account$idTokenClaim2 === void 0 ? void 0 : _account$idTokenClaim2.email;
     authData.username = account.name;
     authData.userId = account.localAccountId;
     redirectOnAuthSuccess();
@@ -57402,6 +57404,7 @@ var signOut = () => {
   clearFromStorage('authIdToken');
   clearFromStorage('authAccessToken');
   clearFromStorage('authAccountId');
+  clearFromStorage('authEmail');
   writeToStorage('authAuthenticated', 'false');
   var logoutRequest = {
     account: msalApp.getAccountByHomeId((_authData$accountId = authData.accountId) !== null && _authData$accountId !== void 0 ? _authData$accountId : accountId),
@@ -57422,13 +57425,24 @@ var _updateTokensInStorage = tokens => {
   }
 };
 var _extractRolesFromAccessToken = accessToken => {
-  var result = [];
-  if (accessToken) {
-    var decodedToken = JSON.parse(atob(accessToken.split('.')[1]));
-    // The exact key to use may depend from keycloak client & API configuration
-    if (decodedToken !== null && decodedToken !== void 0 && decodedToken.roles) result = decodedToken.roles;else if (decodedToken !== null && decodedToken !== void 0 && decodedToken.userRoles) result = decodedToken.userRoles;
-  }
-  return result;
+  var _config2;
+  if (!accessToken) return [];
+  var decodedToken = JSON.parse(atob(accessToken.split('.')[1]));
+  // The exact key to use may depend from keycloak client & Cosmo Tech API configuration (c.f. the value of
+  // csm.platform.authorization.roles-jwt-claim in your k8s tenant secrets)
+  var rolesTokenAttribute = (_config2 = config) === null || _config2 === void 0 ? void 0 : _config2.rolesJwtClaim;
+  if (rolesTokenAttribute) {
+    if (decodedToken !== null && decodedToken !== void 0 && decodedToken[rolesTokenAttribute]) return decodedToken === null || decodedToken === void 0 ? void 0 : decodedToken[rolesTokenAttribute];
+    console.warn("Authentication provider configuration defined rolesJwtClaim=\"".concat(rolesTokenAttribute, "\" ") + 'but this key was not found in the access token. Please check your webapp and API configuration.');
+  }
+  if (decodedToken !== null && decodedToken !== void 0 && decodedToken.roles) return decodedToken.roles; // Legacy default key in token
+
+  if (decodedToken !== null && decodedToken !== void 0 && decodedToken.userRoles) {
+    console.warn("DEPRECATED: the token claim for API roles was automatically found in 'userRoles', but the lookup " + 'for this specific key will be removed in a future version. Please update your webapp configuration to ' + "explicitly set AUTH_KEYCLOAK_ROLES_JWT_CLAIM to 'userRoles'.");
+    return decodedToken.userRoles;
+  }
+  console.warn("Couldn't extract roles from access token. Please check your webapp and API configuration.");
+  return [];
 };
 var isUserSignedIn = /*#__PURE__*/function () {
   var _ref4 = _asyncToGenerator(function* () {
@@ -57446,12 +57460,12 @@ var isUserSignedIn = /*#__PURE__*/function () {
         clearFromStorage('authInteractionInProgress');
         var locationHashParameters = new URLSearchParams(window.location.hash.substring(1));
         if (locationHashParameters.has('state')) {
-          var _config2;
-          if (locationHashParameters.has('iss', (_config2 = config) === null || _config2 === void 0 || (_config2 = _config2.msalConfig) === null || _config2 === void 0 || (_config2 = _config2.auth) === null || _config2 === void 0 || (_config2 = _config2.authorityMetadata) === null || _config2 === void 0 ? void 0 : _config2.issuer)) {
+          var _config3;
+          if (locationHashParameters.has('iss', (_config3 = config) === null || _config3 === void 0 || (_config3 = _config3.msalConfig) === null || _config3 === void 0 || (_config3 = _config3.auth) === null || _config3 === void 0 || (_config3 = _config3.authorityMetadata) === null || _config3 === void 0 ? void 0 : _config3.issuer)) {
             msalApp.handleRedirectPromise().then(handleResponse); // Resume redirect workflow process
           } else if (locationHashParameters.has('iss')) {
-            var _config3;
-            var configIssuer = (_config3 = config) === null || _config3 === void 0 || (_config3 = _config3.msalConfig) === null || _config3 === void 0 || (_config3 = _config3.auth) === null || _config3 === void 0 || (_config3 = _config3.authorityMetadata) === null || _config3 === void 0 ? void 0 : _config3.issuer;
+            var _config4;
+            var configIssuer = (_config4 = config) === null || _config4 === void 0 || (_config4 = _config4.msalConfig) === null || _config4 === void 0 || (_config4 = _config4.auth) === null || _config4 === void 0 || (_config4 = _config4.authorityMetadata) === null || _config4 === void 0 ? void 0 : _config4.issuer;
             var urlIssuer = locationHashParameters.get('iss');
             console.warn("Issuer found in url \"".concat(urlIssuer, "\" does not match keycloak configuration: \"").concat(configIssuer, "\""));
           }
@@ -57482,10 +57496,10 @@ var refreshTokens = /*#__PURE__*/function () {
   };
 }();
 var getUserEmail = () => {
-  var _authData$userEmail, _msalApp$getAllAccoun2;
+  var _ref6, _readFromStorage, _msalApp$getAllAccoun2;
   if (!checkInit()) return;
   // Note: account data from MSAL seems to contain user email in the 'username' property
-  return (_authData$userEmail = authData === null || authData === void 0 ? void 0 : authData.userEmail) !== null && _authData$userEmail !== void 0 ? _authData$userEmail : (_msalApp$getAllAccoun2 = msalApp.getAllAccounts()) === null || _msalApp$getAllAccoun2 === void 0 || (_msalApp$getAllAccoun2 = _msalApp$getAllAccoun2[0]) === null || _msalApp$getAllAccoun2 === void 0 ? void 0 : _msalApp$getAllAccoun2.username;
+  return (_ref6 = (_readFromStorage = readFromStorage('authEmail')) !== null && _readFromStorage !== void 0 ? _readFromStorage : authData === null || authData === void 0 ? void 0 : authData.userEmail) !== null && _ref6 !== void 0 ? _ref6 : (_msalApp$getAllAccoun2 = msalApp.getAllAccounts()) === null || _msalApp$getAllAccoun2 === void 0 || (_msalApp$getAllAccoun2 = _msalApp$getAllAccoun2[0]) === null || _msalApp$getAllAccoun2 === void 0 ? void 0 : _msalApp$getAllAccoun2.username;
 };
 var getUserName = () => {
   var _authData$name, _msalApp$getAllAccoun3;

package/dist/index.esm.js

@@ -57368,13 +57368,15 @@ var acquireTokens = /*#__PURE__*/function () {
 }();
 var handleResponse = response => {
   if (response != null) {
+    var _account$idTokenClaim, _account$idTokenClaim2;
     var account = response.account;
     _updateTokensInStorage(response);
     writeToStorage('authIdTokenPopup', response.idToken);
     writeToStorage('authAuthenticated', 'true');
     writeToStorage('authAccountId', account.homeAccountId);
+    writeToStorage('authEmail', (_account$idTokenClaim = account.idTokenClaims) === null || _account$idTokenClaim === void 0 ? void 0 : _account$idTokenClaim.email);
     authData.accountId = account.homeAccountId;
-    authData.userEmail = account.username; // In MSAL account data, username property contains user email
+    authData.userEmail = (_account$idTokenClaim2 = account.idTokenClaims) === null || _account$idTokenClaim2 === void 0 ? void 0 : _account$idTokenClaim2.email;
     authData.username = account.name;
     authData.userId = account.localAccountId;
     redirectOnAuthSuccess();
@@ -57400,6 +57402,7 @@ var signOut = () => {
   clearFromStorage('authIdToken');
   clearFromStorage('authAccessToken');
   clearFromStorage('authAccountId');
+  clearFromStorage('authEmail');
   writeToStorage('authAuthenticated', 'false');
   var logoutRequest = {
     account: msalApp.getAccountByHomeId((_authData$accountId = authData.accountId) !== null && _authData$accountId !== void 0 ? _authData$accountId : accountId),
@@ -57420,13 +57423,24 @@ var _updateTokensInStorage = tokens => {
   }
 };
 var _extractRolesFromAccessToken = accessToken => {
-  var result = [];
-  if (accessToken) {
-    var decodedToken = JSON.parse(atob(accessToken.split('.')[1]));
-    // The exact key to use may depend from keycloak client & API configuration
-    if (decodedToken !== null && decodedToken !== void 0 && decodedToken.roles) result = decodedToken.roles;else if (decodedToken !== null && decodedToken !== void 0 && decodedToken.userRoles) result = decodedToken.userRoles;
-  }
-  return result;
+  var _config2;
+  if (!accessToken) return [];
+  var decodedToken = JSON.parse(atob(accessToken.split('.')[1]));
+  // The exact key to use may depend from keycloak client & Cosmo Tech API configuration (c.f. the value of
+  // csm.platform.authorization.roles-jwt-claim in your k8s tenant secrets)
+  var rolesTokenAttribute = (_config2 = config) === null || _config2 === void 0 ? void 0 : _config2.rolesJwtClaim;
+  if (rolesTokenAttribute) {
+    if (decodedToken !== null && decodedToken !== void 0 && decodedToken[rolesTokenAttribute]) return decodedToken === null || decodedToken === void 0 ? void 0 : decodedToken[rolesTokenAttribute];
+    console.warn("Authentication provider configuration defined rolesJwtClaim=\"".concat(rolesTokenAttribute, "\" ") + 'but this key was not found in the access token. Please check your webapp and API configuration.');
+  }
+  if (decodedToken !== null && decodedToken !== void 0 && decodedToken.roles) return decodedToken.roles; // Legacy default key in token
+
+  if (decodedToken !== null && decodedToken !== void 0 && decodedToken.userRoles) {
+    console.warn("DEPRECATED: the token claim for API roles was automatically found in 'userRoles', but the lookup " + 'for this specific key will be removed in a future version. Please update your webapp configuration to ' + "explicitly set AUTH_KEYCLOAK_ROLES_JWT_CLAIM to 'userRoles'.");
+    return decodedToken.userRoles;
+  }
+  console.warn("Couldn't extract roles from access token. Please check your webapp and API configuration.");
+  return [];
 };
 var isUserSignedIn = /*#__PURE__*/function () {
   var _ref4 = _asyncToGenerator(function* () {
@@ -57444,12 +57458,12 @@ var isUserSignedIn = /*#__PURE__*/function () {
         clearFromStorage('authInteractionInProgress');
         var locationHashParameters = new URLSearchParams(window.location.hash.substring(1));
         if (locationHashParameters.has('state')) {
-          var _config2;
-          if (locationHashParameters.has('iss', (_config2 = config) === null || _config2 === void 0 || (_config2 = _config2.msalConfig) === null || _config2 === void 0 || (_config2 = _config2.auth) === null || _config2 === void 0 || (_config2 = _config2.authorityMetadata) === null || _config2 === void 0 ? void 0 : _config2.issuer)) {
+          var _config3;
+          if (locationHashParameters.has('iss', (_config3 = config) === null || _config3 === void 0 || (_config3 = _config3.msalConfig) === null || _config3 === void 0 || (_config3 = _config3.auth) === null || _config3 === void 0 || (_config3 = _config3.authorityMetadata) === null || _config3 === void 0 ? void 0 : _config3.issuer)) {
             msalApp.handleRedirectPromise().then(handleResponse); // Resume redirect workflow process
           } else if (locationHashParameters.has('iss')) {
-            var _config3;
-            var configIssuer = (_config3 = config) === null || _config3 === void 0 || (_config3 = _config3.msalConfig) === null || _config3 === void 0 || (_config3 = _config3.auth) === null || _config3 === void 0 || (_config3 = _config3.authorityMetadata) === null || _config3 === void 0 ? void 0 : _config3.issuer;
+            var _config4;
+            var configIssuer = (_config4 = config) === null || _config4 === void 0 || (_config4 = _config4.msalConfig) === null || _config4 === void 0 || (_config4 = _config4.auth) === null || _config4 === void 0 || (_config4 = _config4.authorityMetadata) === null || _config4 === void 0 ? void 0 : _config4.issuer;
             var urlIssuer = locationHashParameters.get('iss');
             console.warn("Issuer found in url \"".concat(urlIssuer, "\" does not match keycloak configuration: \"").concat(configIssuer, "\""));
           }
@@ -57480,10 +57494,10 @@ var refreshTokens = /*#__PURE__*/function () {
   };
 }();
 var getUserEmail = () => {
-  var _authData$userEmail, _msalApp$getAllAccoun2;
+  var _ref6, _readFromStorage, _msalApp$getAllAccoun2;
   if (!checkInit()) return;
   // Note: account data from MSAL seems to contain user email in the 'username' property
-  return (_authData$userEmail = authData === null || authData === void 0 ? void 0 : authData.userEmail) !== null && _authData$userEmail !== void 0 ? _authData$userEmail : (_msalApp$getAllAccoun2 = msalApp.getAllAccounts()) === null || _msalApp$getAllAccoun2 === void 0 || (_msalApp$getAllAccoun2 = _msalApp$getAllAccoun2[0]) === null || _msalApp$getAllAccoun2 === void 0 ? void 0 : _msalApp$getAllAccoun2.username;
+  return (_ref6 = (_readFromStorage = readFromStorage('authEmail')) !== null && _readFromStorage !== void 0 ? _readFromStorage : authData === null || authData === void 0 ? void 0 : authData.userEmail) !== null && _ref6 !== void 0 ? _ref6 : (_msalApp$getAllAccoun2 = msalApp.getAllAccounts()) === null || _msalApp$getAllAccoun2 === void 0 || (_msalApp$getAllAccoun2 = _msalApp$getAllAccoun2[0]) === null || _msalApp$getAllAccoun2 === void 0 ? void 0 : _msalApp$getAllAccoun2.username;
 };
 var getUserName = () => {
   var _authData$name, _msalApp$getAllAccoun3;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmotech/core",
-  "version": "1.18.2",
+  "version": "1.19.1-beta.0",
   "description": "",
   "main": "dist/index.cjs.js",
   "module": "dist/index.esm.js",