@flink-app/jwt-auth-plugin 0.12.1-alpha.41 → 0.12.1-alpha.44

package/dist/FlinkJwtAuthPlugin.d.ts

@@ -23,7 +23,7 @@ export type PermissionChecker = (user: FlinkAuthUser, routePermissions: string[]
 export interface JwtAuthPluginOptions {
     secret: string;
     algo?: jwtSimple.TAlgorithm;
-    getUser: (tokenData: any) => Promise<FlinkAuthUser | null | undefined>;
+    getUser: (tokenData: any, req: FlinkRequest) => Promise<FlinkAuthUser | null | undefined>;
     passwordPolicy?: RegExp;
     tokenTTL?: number;
     rolePermissions: {
@@ -52,6 +52,27 @@ export interface JwtAuthPluginOptions {
      * ```
      */
     checkPermissions?: PermissionChecker;
+    /**
+     * When true, uses roles from the user object returned by getUser
+     * instead of roles from the decoded token for static permission checking.
+     *
+     * Useful for multi-tenant scenarios where user roles vary by organization context.
+     * The organization context can be determined from request headers, subdomain, path, etc.
+     *
+     * Example:
+     * ```typescript
+     * useDynamicRoles: true,
+     * getUser: async (tokenData, req) => {
+     *   const orgId = req.headers['x-organization-id'];
+     *   const membership = await getOrgMembership(tokenData.userId, orgId);
+     *   return {
+     *     id: tokenData.userId,
+     *     roles: [membership.role], // Org-specific role
+     *   };
+     * }
+     * ```
+     */
+    useDynamicRoles?: boolean;
 }
 export interface JwtAuthPlugin extends FlinkAuthPlugin {
     /**
@@ -82,4 +103,4 @@ export interface JwtAuthPlugin extends FlinkAuthPlugin {
  * Configures and creates authentication plugin.
  */
 export declare function jwtAuthPlugin({ secret, getUser, rolePermissions, algo, passwordPolicy, tokenTTL, //Defaults to hundred year
-tokenExtractor, checkPermissions, }: JwtAuthPluginOptions): JwtAuthPlugin;
+tokenExtractor, checkPermissions, useDynamicRoles, }: JwtAuthPluginOptions): JwtAuthPlugin;

package/dist/FlinkJwtAuthPlugin.js

@@ -66,7 +66,7 @@ var defaultPasswordPolicy = /^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$/;
 function jwtAuthPlugin(_a) {
     var _this = this;
     var secret = _a.secret, getUser = _a.getUser, rolePermissions = _a.rolePermissions, _b = _a.algo, algo = _b === void 0 ? "HS256" : _b, _c = _a.passwordPolicy, passwordPolicy = _c === void 0 ? defaultPasswordPolicy : _c, _d = _a.tokenTTL, tokenTTL = _d === void 0 ? 1000 * 60 * 60 * 24 * 365 * 100 : _d, //Defaults to hundred year
-    tokenExtractor = _a.tokenExtractor, checkPermissions = _a.checkPermissions;
+    tokenExtractor = _a.tokenExtractor, checkPermissions = _a.checkPermissions, _e = _a.useDynamicRoles, useDynamicRoles = _e === void 0 ? false : _e;
     return {
         authenticateRequest: function (req, permissions) { return __awaiter(_this, void 0, void 0, function () {
             return __generator(this, function (_a) {
@@ -76,6 +76,7 @@ function jwtAuthPlugin(_a) {
                         getUser: getUser,
                         tokenExtractor: tokenExtractor,
                         checkPermissions: checkPermissions,
+                        useDynamicRoles: useDynamicRoles,
                     })];
             });
         }); },
@@ -87,8 +88,8 @@ function jwtAuthPlugin(_a) {
 exports.jwtAuthPlugin = jwtAuthPlugin;
 function authenticateRequest(req_1, routePermissions_1, rolePermissions_1, _a) {
     return __awaiter(this, arguments, void 0, function (req, routePermissions, rolePermissions, _b) {
-        var token, decodedToken, permissionsArr, validPerms, user, hasPermission;
-        var secret = _b.secret, algo = _b.algo, getUser = _b.getUser, tokenExtractor = _b.tokenExtractor, checkPermissions = _b.checkPermissions;
+        var token, decodedToken, permissionsArr, validPerms, user, validPerms, hasPermission;
+        var secret = _b.secret, algo = _b.algo, getUser = _b.getUser, tokenExtractor = _b.tokenExtractor, checkPermissions = _b.checkPermissions, useDynamicRoles = _b.useDynamicRoles;
         return __generator(this, function (_c) {
             switch (_c.label) {
                 case 0:
@@ -116,20 +117,28 @@ function authenticateRequest(req_1, routePermissions_1, rolePermissions_1, _a) {
                     }
                     if (!decodedToken) return [3 /*break*/, 4];
                     permissionsArr = Array.isArray(routePermissions) ? routePermissions : [routePermissions];
-                    // Static permission check - only if custom checker NOT provided
-                    if (!checkPermissions && permissionsArr && permissionsArr.length > 0) {
+                    // Static permission check - only if custom checker NOT provided AND not using dynamic roles
+                    if (!checkPermissions && !useDynamicRoles && permissionsArr && permissionsArr.length > 0) {
                         validPerms = (0, PermissionValidator_1.hasValidPermissions)(decodedToken.roles || [], rolePermissions, permissionsArr);
                         if (!validPerms) {
                             return [2 /*return*/, false];
                         }
                     }
-                    return [4 /*yield*/, getUser(decodedToken)];
+                    return [4 /*yield*/, getUser(decodedToken, req)];
                 case 1:
                     user = _c.sent();
                     if (!user) {
                         flink_1.log.debug("[JWT AUTH PLUGIN] User not returned from getUser callback");
                         return [2 /*return*/, false];
                     }
+                    // Dynamic roles: check permissions using roles from user object
+                    if (!checkPermissions && useDynamicRoles && permissionsArr && permissionsArr.length > 0) {
+                        validPerms = (0, PermissionValidator_1.hasValidPermissions)(user.roles || [], rolePermissions, permissionsArr);
+                        if (!validPerms) {
+                            flink_1.log.debug("[JWT AUTH PLUGIN] Dynamic role permission check failed");
+                            return [2 /*return*/, false];
+                        }
+                    }
                     if (!(checkPermissions && permissionsArr && permissionsArr.length > 0)) return [3 /*break*/, 3];
                     return [4 /*yield*/, checkPermissions(user, permissionsArr)];
                 case 2:

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@flink-app/jwt-auth-plugin",
-    "version": "0.12.1-alpha.41",
+    "version": "0.12.1-alpha.44",
     "description": "Flink plugin for JWT auth",
     "scripts": {
         "test": "node --preserve-symlinks -r ts-node/register -- node_modules/jasmine/bin/jasmine --config=./spec/support/jasmine.json",
@@ -20,7 +20,7 @@
         "jwt-simple": "^0.5.6"
     },
     "devDependencies": {
-        "@flink-app/flink": "^0.12.1-alpha.40",
+        "@flink-app/flink": "^0.12.1-alpha.44",
         "@types/bcrypt": "^5.0.0",
         "@types/jasmine": "^3.7.1",
         "@types/node": "22.13.10",
@@ -31,5 +31,5 @@
         "tsc-watch": "^4.2.9",
         "typescript": "5.4.5"
     },
-    "gitHead": "76b54ee31f2c10c8c8f18af91facf5322b14ebf5"
+    "gitHead": "4243e3b3cd6d4e1ca001a61baa8436bf2bbe4113"
 }

package/readme.md

@@ -66,13 +66,14 @@ start();
 | Option | Type | Required | Default | Description |
 |--------|------|----------|---------|-------------|
 | `secret` | `string` | Yes | - | Secret key used to sign and verify JWT tokens. Keep this secure! |
-| `getUser` | `(tokenData: any) => Promise<FlinkAuthUser>` | Yes | - | Async function that retrieves user data from token payload |
+| `getUser` | `(tokenData: any, req: FlinkRequest) => Promise<FlinkAuthUser>` | Yes | - | Async function that retrieves user data from token payload. Has access to the full request object for context (headers, path, etc.) |
 | `rolePermissions` | `{ [role: string]: string[] }` | Yes | - | Maps roles to their allowed permissions |
 | `algo` | `jwtSimple.TAlgorithm` | No | `"HS256"` | JWT signing algorithm |
 | `passwordPolicy` | `RegExp` | No | `/^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$/` | Regex to validate password strength |
 | `tokenTTL` | `number` | No | `1000 * 60 * 60 * 24 * 365 * 100` (100 years) | Token time-to-live in milliseconds |
 | `tokenExtractor` | `(req: FlinkRequest) => string \| null \| undefined` | No | - | Custom token extraction function. Return `string` for token, `null` for no token, `undefined` to fallback to Bearer |
 | `checkPermissions` | `(user: FlinkAuthUser, routePermissions: string[]) => Promise<boolean> \| boolean` | No | - | Custom permission validator for dynamic permissions from database. Replaces static `rolePermissions` when provided |
+| `useDynamicRoles` | `boolean` | No | `false` | When `true`, uses roles from the user object returned by `getUser` instead of roles from the token. Useful for multi-tenant scenarios where user roles vary by organization |
 
 ### Default Password Policy
 
@@ -442,6 +443,338 @@ jwtAuthPlugin({
 
 **Solution**: Clear permission cache or reduce cache TTL
 
+## Multi-Tenant & Dynamic Roles
+
+The JWT auth plugin supports multi-tenant scenarios where users have different roles depending on the organization or context they're accessing. This is achieved through the `useDynamicRoles` option combined with the `req` parameter in `getUser`.
+
+### When to Use Dynamic Roles
+
+Use `useDynamicRoles: true` when:
+- Users belong to multiple organizations with different roles in each
+- User roles are determined by request context (headers, subdomain, path)
+- Roles need to be fetched from the database based on the current context
+- The same user token should grant different permissions in different contexts
+
+### How It Works
+
+1. **Default behavior** (`useDynamicRoles: false`):
+   - Roles from the JWT token are used for permission checking
+   - `getUser` can modify the user object, but token roles are what matter for permissions
+
+2. **Dynamic roles** (`useDynamicRoles: true`):
+   - Permission checking uses roles from the user object returned by `getUser`
+   - Token roles are ignored for permission checks
+   - `getUser` can fetch organization-specific roles from the database
+
+### Basic Multi-Tenant Example
+
+```typescript
+jwtAuthPlugin({
+  secret: process.env.JWT_SECRET!,
+  useDynamicRoles: true,
+
+  getUser: async (tokenData, req) => {
+    const user = await ctx.repos.userRepo.getById(tokenData.userId);
+
+    // Get organization from request header
+    const orgId = req.headers['x-organization-id'] as string;
+
+    // Fetch user's role in this specific organization
+    const membership = await ctx.repos.orgMemberRepo.findOne({
+      userId: user._id,
+      organizationId: orgId
+    });
+
+    return {
+      id: user._id,
+      username: user.username,
+      organizationId: orgId,
+      roles: [membership.role], // Org-specific role
+    };
+  },
+
+  rolePermissions: {
+    admin: ["read", "write", "delete", "manage_users"],
+    user: ["read", "write"],
+    guest: ["read"],
+  },
+})
+```
+
+**Usage:**
+```bash
+# User is admin in org1
+curl -H "Authorization: Bearer <token>" \
+     -H "X-Organization-ID: org1" \
+     https://api.example.com/users
+# ✓ Has admin permissions in org1
+
+# Same user is regular user in org2
+curl -H "Authorization: Bearer <token>" \
+     -H "X-Organization-ID: org2" \
+     https://api.example.com/users
+# ✓ Has user permissions in org2 (cannot manage users)
+```
+
+### Subdomain-Based Organizations
+
+```typescript
+jwtAuthPlugin({
+  secret: process.env.JWT_SECRET!,
+  useDynamicRoles: true,
+
+  getUser: async (tokenData, req) => {
+    // Extract org from subdomain (acme.yourapp.com -> "acme")
+    const host = req.headers.host || '';
+    const orgSubdomain = host.split('.')[0];
+
+    const membership = await ctx.repos.orgMemberRepo.findOne({
+      userId: tokenData.userId,
+      organizationSlug: orgSubdomain
+    });
+
+    if (!membership) {
+      return null; // User not member of this org
+    }
+
+    return {
+      id: tokenData.userId,
+      username: tokenData.username,
+      organizationSlug: orgSubdomain,
+      roles: [membership.role],
+    };
+  },
+
+  rolePermissions: {
+    owner: ["*"], // All permissions
+    admin: ["read", "write", "delete", "manage_users"],
+    member: ["read", "write"],
+  },
+})
+```
+
+### Path-Based Organization Context
+
+```typescript
+// Routes like: /orgs/:orgId/projects
+jwtAuthPlugin({
+  secret: process.env.JWT_SECRET!,
+  useDynamicRoles: true,
+
+  getUser: async (tokenData, req) => {
+    // Extract org from path: /orgs/org123/projects
+    const pathMatch = req.path?.match(/^\/orgs\/([^\/]+)/);
+    const orgId = pathMatch?.[1];
+
+    if (!orgId) {
+      // Not an org-specific route, use default role
+      return {
+        id: tokenData.userId,
+        username: tokenData.username,
+        roles: ["user"],
+      };
+    }
+
+    const membership = await ctx.repos.orgMemberRepo.findOne({
+      userId: tokenData.userId,
+      organizationId: orgId
+    });
+
+    return {
+      id: tokenData.userId,
+      username: tokenData.username,
+      organizationId: orgId,
+      roles: [membership.role],
+    };
+  },
+
+  rolePermissions: {
+    admin: ["read", "write", "delete"],
+    member: ["read", "write"],
+    viewer: ["read"],
+  },
+})
+```
+
+### Combining Multiple Role Sources
+
+```typescript
+jwtAuthPlugin({
+  secret: process.env.JWT_SECRET!,
+  useDynamicRoles: true,
+
+  getUser: async (tokenData, req) => {
+    const user = await ctx.repos.userRepo.getById(tokenData.userId);
+    const orgId = req.headers['x-organization-id'] as string;
+
+    // Get org-specific role
+    const orgMembership = await ctx.repos.orgMemberRepo.findOne({
+      userId: user._id,
+      organizationId: orgId
+    });
+
+    // Get global role from user
+    const globalRole = user.globalRole; // e.g., "super_admin"
+
+    // Combine roles (super admins have all permissions everywhere)
+    const roles = globalRole === 'super_admin'
+      ? ['super_admin']
+      : [orgMembership.role];
+
+    return {
+      id: user._id,
+      username: user.username,
+      organizationId: orgId,
+      globalRole,
+      roles,
+    };
+  },
+
+  rolePermissions: {
+    super_admin: ["*"], // Global super admins
+    org_admin: ["read", "write", "delete", "manage_members"],
+    org_member: ["read", "write"],
+    org_guest: ["read"],
+  },
+})
+```
+
+### Performance Considerations
+
+Since `getUser` is called on every authenticated request, consider caching:
+
+```typescript
+const roleCache = new Map();
+const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+
+jwtAuthPlugin({
+  secret: process.env.JWT_SECRET!,
+  useDynamicRoles: true,
+
+  getUser: async (tokenData, req) => {
+    const orgId = req.headers['x-organization-id'] as string;
+    const cacheKey = `${tokenData.userId}:${orgId}`;
+
+    // Check cache
+    const cached = roleCache.get(cacheKey);
+    if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+      return cached.user;
+    }
+
+    // Fetch from DB
+    const membership = await ctx.repos.orgMemberRepo.findOne({
+      userId: tokenData.userId,
+      organizationId: orgId
+    });
+
+    const user = {
+      id: tokenData.userId,
+      username: tokenData.username,
+      organizationId: orgId,
+      roles: [membership.role],
+    };
+
+    // Cache it
+    roleCache.set(cacheKey, {
+      user,
+      timestamp: Date.now(),
+    });
+
+    return user;
+  },
+
+  rolePermissions: {
+    admin: ["read", "write", "delete"],
+    member: ["read", "write"],
+  },
+})
+```
+
+### Request Context Access
+
+The `getUser` callback receives the full request object, giving you access to:
+
+```typescript
+getUser: async (tokenData, req) => {
+  // Available request properties:
+  req.path          // "/api/users"
+  req.method        // "GET", "POST", etc.
+  req.headers       // { "x-organization-id": "org1", ... }
+  req.query         // { page: "1", limit: "10" }
+  req.body          // Request body (if applicable)
+  req.params        // URL parameters
+  req.cookies       // Cookies (if cookie-parser middleware is used)
+
+  // Use any combination to determine context
+  const orgId = req.headers['x-organization-id']
+    || req.query.org
+    || req.params.orgId;
+
+  // Fetch and return user with context-specific roles
+  // ...
+}
+```
+
+### Migration from Static Roles
+
+If you have an existing app with static roles, you can migrate gradually:
+
+**Before (static roles):**
+```typescript
+jwtAuthPlugin({
+  secret: process.env.JWT_SECRET!,
+  getUser: async (tokenData, req) => {
+    const user = await ctx.repos.userRepo.getById(tokenData.userId);
+    return {
+      id: user._id,
+      username: user.username,
+      // Token roles are used
+    };
+  },
+  rolePermissions: {
+    admin: ["read", "write", "delete"],
+    user: ["read", "write"],
+  },
+})
+```
+
+**After (dynamic multi-tenant roles):**
+```typescript
+jwtAuthPlugin({
+  secret: process.env.JWT_SECRET!,
+  useDynamicRoles: true, // ← Enable dynamic roles
+  getUser: async (tokenData, req) => { // ← Now has req parameter
+    const user = await ctx.repos.userRepo.getById(tokenData.userId);
+    const orgId = req.headers['x-organization-id'];
+
+    // Fetch org-specific role
+    const membership = await ctx.repos.orgMemberRepo.findOne({
+      userId: user._id,
+      organizationId: orgId
+    });
+
+    return {
+      id: user._id,
+      username: user.username,
+      organizationId: orgId,
+      roles: [membership.role], // ← Dynamic role
+    };
+  },
+  rolePermissions: {
+    admin: ["read", "write", "delete"],
+    user: ["read", "write"],
+  },
+})
+```
+
+### Important Notes
+
+- **Backward Compatible**: Setting `useDynamicRoles: false` (default) maintains existing behavior
+- **Token Still Required**: Dynamic roles don't bypass token validation - the token must be valid
+- **Organization Validation**: Always validate that the user has access to the requested organization
+- **Error Handling**: Return `null` from `getUser` if user doesn't have access to the organization
+- **Cache Invalidation**: Remember to invalidate role cache when user roles change in the database
+
 ## Context API
 
 Once configured, the plugin provides the following methods via the `auth` context:

package/spec/FlinkJwtAuthPlugin.spec.ts

@@ -6,7 +6,7 @@ describe("FlinkJwtAuthPlugin", () => {
   it("should create and configure plugin", () => {
     const plugin = jwtAuthPlugin({
       secret: "secret",
-      getUser: async (id: string) => {
+      getUser: async (id: string, req) => {
         return {
           id,
           username: "username",
@@ -21,7 +21,7 @@ describe("FlinkJwtAuthPlugin", () => {
   it("should fail auth if no token was provided", async () => {
     const plugin = jwtAuthPlugin({
       secret: "secret",
-      getUser: async (id: string) => {
+      getUser: async (id: string, req) => {
         return {
           id,
           username: "username",
@@ -46,7 +46,7 @@ describe("FlinkJwtAuthPlugin", () => {
   it("should fail auth if token is invalid provided", async () => {
     const plugin = jwtAuthPlugin({
       secret: "secret",
-      getUser: async (id: string) => {
+      getUser: async (id: string, req) => {
         fail(); // Should not invoke this
         return {
           id,
@@ -79,7 +79,7 @@ describe("FlinkJwtAuthPlugin", () => {
 
     const plugin = jwtAuthPlugin({
       secret,
-      getUser: async ({ id }: { id: string }) => {
+      getUser: async ({ id }: { id: string }, req) => {
         expect(id).toBe(userId);
         return {
           id,
@@ -106,7 +106,7 @@ describe("FlinkJwtAuthPlugin", () => {
     const secret = "secret";
     const plugin = jwtAuthPlugin({
       secret,
-      getUser: async (id: string) => {
+      getUser: async (id: string, req) => {
         fail(); // Should not invoke this
         return {
           id,
@@ -138,7 +138,7 @@ describe("FlinkJwtAuthPlugin", () => {
 
       const plugin = jwtAuthPlugin({
         secret,
-        getUser: async ({ id }: { id: string }) => {
+        getUser: async ({ id }: { id: string }, req) => {
           expect(id).toBe(userId);
           return {
             id,
@@ -169,7 +169,7 @@ describe("FlinkJwtAuthPlugin", () => {
     it("should fail auth when tokenExtractor returns null", async () => {
       const plugin = jwtAuthPlugin({
         secret: "secret",
-        getUser: async (id: string) => {
+        getUser: async (id: string, req) => {
           fail(); // Should not be called
           return {
             id,
@@ -206,7 +206,7 @@ describe("FlinkJwtAuthPlugin", () => {
 
       const plugin = jwtAuthPlugin({
         secret,
-        getUser: async ({ id }: { id: string }) => {
+        getUser: async ({ id }: { id: string }, req) => {
           expect(id).toBe(userId);
           return {
             id,
@@ -247,7 +247,7 @@ describe("FlinkJwtAuthPlugin", () => {
 
       const plugin = jwtAuthPlugin({
         secret,
-        getUser: async ({ id }: { id: string }) => {
+        getUser: async ({ id }: { id: string }, req) => {
           return {
             id,
             username: "username",
@@ -300,7 +300,7 @@ describe("FlinkJwtAuthPlugin", () => {
 
       const plugin = jwtAuthPlugin({
         secret,
-        getUser: async ({ id }: { id: string }) => {
+        getUser: async ({ id }: { id: string }, req) => {
           return {
             id,
             username: "username",
@@ -335,7 +335,7 @@ describe("FlinkJwtAuthPlugin", () => {
 
       const plugin = jwtAuthPlugin({
         secret,
-        getUser: async ({ id }: { id: string }) => {
+        getUser: async ({ id }: { id: string }, req) => {
           return {
             id,
             username: "testuser",
@@ -382,7 +382,7 @@ describe("FlinkJwtAuthPlugin", () => {
 
       const plugin = jwtAuthPlugin({
         secret,
-        getUser: async ({ id }: { id: string }) => {
+        getUser: async ({ id }: { id: string }, req) => {
           return {
             id,
             username: "testuser",
@@ -422,7 +422,7 @@ describe("FlinkJwtAuthPlugin", () => {
 
       const plugin = jwtAuthPlugin({
         secret,
-        getUser: async ({ id }: { id: string }) => {
+        getUser: async ({ id }: { id: string }, req) => {
           return {
             id,
             username: "admin",
@@ -458,7 +458,7 @@ describe("FlinkJwtAuthPlugin", () => {
 
       const plugin = jwtAuthPlugin({
         secret,
-        getUser: async ({ id }: { id: string }) => {
+        getUser: async ({ id }: { id: string }, req) => {
           return {
             id,
             username: "testuser",
@@ -500,7 +500,7 @@ describe("FlinkJwtAuthPlugin", () => {
 
       const plugin = jwtAuthPlugin({
         secret,
-        getUser: async ({ id }: { id: string }) => {
+        getUser: async ({ id }: { id: string }, req) => {
           return { id, username: "testuser" };
         },
         rolePermissions: {},
@@ -538,7 +538,7 @@ describe("FlinkJwtAuthPlugin", () => {
 
       const plugin = jwtAuthPlugin({
         secret,
-        getUser: async ({ id }: { id: string }) => {
+        getUser: async ({ id }: { id: string }, req) => {
           // Simulate fetching permissions from DB
           const permissions = dbPermissions[id] || [];
           return {
@@ -569,4 +569,248 @@ describe("FlinkJwtAuthPlugin", () => {
       expect(mockRequest.user?.permissions).toContain("custom_permission");
     });
   });
+
+  describe("useDynamicRoles", () => {
+    it("should use roles from user object when useDynamicRoles is true", async () => {
+      const secret = "secret";
+      const userId = "123";
+      // Token has one set of roles
+      const encodedToken = jwtSimple.encode(
+        { id: userId, roles: ["guest"] }, // Token says guest
+        secret
+      );
+
+      const plugin = jwtAuthPlugin({
+        secret,
+        useDynamicRoles: true,
+        getUser: async ({ id }: { id: string }, req) => {
+          // Simulate fetching org-specific role based on header
+          const orgId = req.headers["x-organization-id"];
+          const role = orgId === "org1" ? "admin" : "user";
+
+          return {
+            id,
+            username: "testuser",
+            roles: [role], // Dynamic role from database/context
+          };
+        },
+        rolePermissions: {
+          admin: ["read", "write", "delete"],
+          user: ["read", "write"],
+          guest: ["read"],
+        },
+      });
+
+      const mockRequest = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+          "x-organization-id": "org1",
+        },
+      } as unknown as FlinkRequest;
+
+      // Should pass because user is admin in org1 (despite token saying guest)
+      const authenticated = await plugin.authenticateRequest(mockRequest, ["delete"]);
+
+      expect(authenticated).toBeTruthy();
+      expect(mockRequest.user?.roles).toEqual(["admin"]);
+    });
+
+    it("should fail when dynamic role doesn't have required permission", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const encodedToken = jwtSimple.encode(
+        { id: userId, roles: ["admin"] }, // Token says admin
+        secret
+      );
+
+      const plugin = jwtAuthPlugin({
+        secret,
+        useDynamicRoles: true,
+        getUser: async ({ id }: { id: string }, req) => {
+          const orgId = req.headers["x-organization-id"];
+          const role = orgId === "org2" ? "guest" : "admin";
+
+          return {
+            id,
+            username: "testuser",
+            roles: [role],
+          };
+        },
+        rolePermissions: {
+          admin: ["read", "write", "delete"],
+          guest: ["read"],
+        },
+      });
+
+      const mockRequest = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+          "x-organization-id": "org2", // In org2, user is guest
+        },
+      } as unknown as FlinkRequest;
+
+      // Should fail because user is only guest in org2
+      const authenticated = await plugin.authenticateRequest(mockRequest, ["delete"]);
+
+      expect(authenticated).toBeFalse();
+    });
+
+    it("should use token roles when useDynamicRoles is false (default)", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const encodedToken = jwtSimple.encode(
+        { id: userId, roles: ["admin"] },
+        secret
+      );
+
+      const plugin = jwtAuthPlugin({
+        secret,
+        // useDynamicRoles not set (defaults to false)
+        getUser: async ({ id }: { id: string }, req) => {
+          return {
+            id,
+            username: "testuser",
+            roles: ["guest"], // This should be ignored
+          };
+        },
+        rolePermissions: {
+          admin: ["read", "write", "delete"],
+          guest: ["read"],
+        },
+      });
+
+      const mockRequest = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+        },
+      } as FlinkRequest;
+
+      // Should pass because token has admin role (user.roles ignored)
+      const authenticated = await plugin.authenticateRequest(mockRequest, ["delete"]);
+
+      expect(authenticated).toBeTruthy();
+    });
+
+    it("should support multi-tenant scenario with organization context", async () => {
+      const secret = "secret";
+      const userId = "user123";
+      const encodedToken = jwtSimple.encode(
+        { id: userId, roles: [] }, // No roles in token
+        secret
+      );
+
+      // Simulate database of org memberships
+      const orgMemberships: { [key: string]: { [userId: string]: string } } = {
+        org1: { user123: "admin" },
+        org2: { user123: "user" },
+        org3: { user123: "guest" },
+      };
+
+      const plugin = jwtAuthPlugin({
+        secret,
+        useDynamicRoles: true,
+        getUser: async ({ id }: { id: string }, req) => {
+          const orgId = req.headers["x-organization-id"] as string;
+          const role = orgMemberships[orgId]?.[id] || "guest";
+
+          return {
+            id,
+            username: "multitenantuser",
+            organizationId: orgId,
+            roles: [role],
+          };
+        },
+        rolePermissions: {
+          admin: ["read", "write", "delete", "manage"],
+          user: ["read", "write"],
+          guest: ["read"],
+        },
+      });
+
+      // Test as admin in org1
+      const org1Request = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+          "x-organization-id": "org1",
+        },
+      } as unknown as FlinkRequest;
+
+      const org1Auth = await plugin.authenticateRequest(org1Request, ["manage"]);
+      expect(org1Auth).toBeTruthy();
+      expect(org1Request.user?.roles).toEqual(["admin"]);
+
+      // Test as user in org2
+      const org2Request = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+          "x-organization-id": "org2",
+        },
+      } as unknown as FlinkRequest;
+
+      const org2AuthWrite = await plugin.authenticateRequest(org2Request, ["write"]);
+      expect(org2AuthWrite).toBeTruthy();
+
+      const org2AuthManage = await plugin.authenticateRequest(org2Request, ["manage"]);
+      expect(org2AuthManage).toBeFalse(); // User can't manage in org2
+
+      // Test as guest in org3
+      const org3Request = {
+        headers: {
+          authorization: "Bearer " + encodedToken,
+          "x-organization-id": "org3",
+        },
+      } as unknown as FlinkRequest;
+
+      const org3AuthRead = await plugin.authenticateRequest(org3Request, ["read"]);
+      expect(org3AuthRead).toBeTruthy();
+
+      const org3AuthWrite = await plugin.authenticateRequest(org3Request, ["write"]);
+      expect(org3AuthWrite).toBeFalse(); // Guest can't write in org3
+    });
+
+    it("should have access to request properties in getUser callback", async () => {
+      const secret = "secret";
+      const userId = "123";
+      const encodedToken = jwtSimple.encode({ id: userId }, secret);
+
+      let capturedPath: string | undefined;
+      let capturedMethod: string | undefined;
+      let capturedHeaders: any;
+
+      const plugin = jwtAuthPlugin({
+        secret,
+        useDynamicRoles: true,
+        getUser: async ({ id }: { id: string }, req) => {
+          // Capture request properties to verify they're accessible
+          capturedPath = req.path;
+          capturedMethod = req.method;
+          capturedHeaders = req.headers;
+
+          return {
+            id,
+            username: "testuser",
+            roles: ["user"],
+          };
+        },
+        rolePermissions: {
+          user: ["read"],
+        },
+      });
+
+      const mockRequest = {
+        path: "/api/users",
+        method: "GET",
+        headers: {
+          authorization: "Bearer " + encodedToken,
+          "x-custom-header": "custom-value",
+        },
+      } as unknown as FlinkRequest;
+
+      await plugin.authenticateRequest(mockRequest, ["read"]);
+
+      expect(capturedPath).toBe("/api/users");
+      expect(capturedMethod).toBe("GET");
+      expect(capturedHeaders["x-custom-header"]).toBe("custom-value");
+    });
+  });
 });

package/src/FlinkJwtAuthPlugin.ts

@@ -37,7 +37,7 @@ export type PermissionChecker = (
 export interface JwtAuthPluginOptions {
     secret: string;
     algo?: jwtSimple.TAlgorithm;
-    getUser: (tokenData: any) => Promise<FlinkAuthUser | null | undefined>;
+    getUser: (tokenData: any, req: FlinkRequest) => Promise<FlinkAuthUser | null | undefined>;
     passwordPolicy?: RegExp;
     tokenTTL?: number;
     rolePermissions: {
@@ -66,6 +66,27 @@ export interface JwtAuthPluginOptions {
      * ```
      */
     checkPermissions?: PermissionChecker;
+    /**
+     * When true, uses roles from the user object returned by getUser
+     * instead of roles from the decoded token for static permission checking.
+     *
+     * Useful for multi-tenant scenarios where user roles vary by organization context.
+     * The organization context can be determined from request headers, subdomain, path, etc.
+     *
+     * Example:
+     * ```typescript
+     * useDynamicRoles: true,
+     * getUser: async (tokenData, req) => {
+     *   const orgId = req.headers['x-organization-id'];
+     *   const membership = await getOrgMembership(tokenData.userId, orgId);
+     *   return {
+     *     id: tokenData.userId,
+     *     roles: [membership.role], // Org-specific role
+     *   };
+     * }
+     * ```
+     */
+    useDynamicRoles?: boolean;
 }
 
 export interface JwtAuthPlugin extends FlinkAuthPlugin {
@@ -105,6 +126,7 @@ export function jwtAuthPlugin({
     tokenTTL = 1000 * 60 * 60 * 24 * 365 * 100, //Defaults to hundred year
     tokenExtractor,
     checkPermissions,
+    useDynamicRoles = false,
 }: JwtAuthPluginOptions): JwtAuthPlugin {
     return {
         authenticateRequest: async (req, permissions) =>
@@ -114,6 +136,7 @@ export function jwtAuthPlugin({
                 getUser,
                 tokenExtractor,
                 checkPermissions,
+                useDynamicRoles,
             }),
         createToken: (payload, roles) => createToken({ ...payload, roles }, { algo, secret, tokenTTL }),
         createPasswordHashAndSalt: (password: string) => createPasswordHashAndSalt(password, passwordPolicy),
@@ -125,9 +148,9 @@ async function authenticateRequest(
     req: FlinkRequest,
     routePermissions: string | string[],
     rolePermissions: { [x: string]: string[] },
-    { secret, algo, getUser, tokenExtractor, checkPermissions }: Pick<
+    { secret, algo, getUser, tokenExtractor, checkPermissions, useDynamicRoles }: Pick<
         JwtAuthPluginOptions,
-        "algo" | "secret" | "getUser" | "tokenExtractor" | "checkPermissions"
+        "algo" | "secret" | "getUser" | "tokenExtractor" | "checkPermissions" | "useDynamicRoles"
     >
 ) {
     let token: string | null | undefined;
@@ -159,8 +182,8 @@ async function authenticateRequest(
         if (decodedToken) {
             const permissionsArr = Array.isArray(routePermissions) ? routePermissions : [routePermissions];
 
-            // Static permission check - only if custom checker NOT provided
-            if (!checkPermissions && permissionsArr && permissionsArr.length > 0) {
+            // Static permission check - only if custom checker NOT provided AND not using dynamic roles
+            if (!checkPermissions && !useDynamicRoles && permissionsArr && permissionsArr.length > 0) {
                 const validPerms = hasValidPermissions(decodedToken.roles || [], rolePermissions, permissionsArr);
 
                 if (!validPerms) {
@@ -168,13 +191,23 @@ async function authenticateRequest(
                 }
             }
 
-            const user = await getUser(decodedToken);
+            const user = await getUser(decodedToken, req);
 
             if (!user) {
                 log.debug("[JWT AUTH PLUGIN] User not returned from getUser callback");
                 return false;
             }
 
+            // Dynamic roles: check permissions using roles from user object
+            if (!checkPermissions && useDynamicRoles && permissionsArr && permissionsArr.length > 0) {
+                const validPerms = hasValidPermissions(user.roles || [], rolePermissions, permissionsArr);
+
+                if (!validPerms) {
+                    log.debug("[JWT AUTH PLUGIN] Dynamic role permission check failed");
+                    return false;
+                }
+            }
+
             // Custom permission check - only if provided
             if (checkPermissions && permissionsArr && permissionsArr.length > 0) {
                 const hasPermission = await checkPermissions(user, permissionsArr);