@mereb/shared-packages 0.0.41 → 0.0.43
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/auth/jwks.d.ts +7 -0
- package/dist/auth/jwks.d.ts.map +1 -1
- package/dist/auth/jwks.js +27 -0
- package/package.json +1 -1
package/dist/auth/jwks.d.ts
CHANGED
|
@@ -1,5 +1,8 @@
|
|
|
1
1
|
import { type JWTPayload } from 'jose';
|
|
2
2
|
import type { IncomingHttpHeaders } from 'node:http';
|
|
3
|
+
export declare const FULL_ADMIN_ROLES: readonly ["admin", "mereb.admin", "realm-admin"];
|
|
4
|
+
export declare const LIMITED_ADMIN_ROLES: readonly ["moderator", "support", "admin.viewer", "mereb.staff"];
|
|
5
|
+
export declare const READ_ONLY_ADMIN_ROLES: readonly ["admin", "mereb.admin", "realm-admin", "moderator", "support", "admin.viewer", "mereb.staff"];
|
|
3
6
|
export interface VerifyJwtOptions {
|
|
4
7
|
issuer: string;
|
|
5
8
|
audience?: string | string[];
|
|
@@ -8,5 +11,9 @@ export interface VerifyJwtOptions {
|
|
|
8
11
|
export declare function initJwks(issuer: string): Promise<void>;
|
|
9
12
|
export declare function verifyJwt(token: string, { issuer, audience }: VerifyJwtOptions): Promise<JWTPayload>;
|
|
10
13
|
export declare function extractUserId(payload: JWTPayload): string | undefined;
|
|
14
|
+
export declare function extractJwtRoles(payload: JWTPayload): string[];
|
|
15
|
+
export declare function hasAnyRole(roles: readonly string[] | undefined, allowedRoles: readonly string[]): boolean;
|
|
16
|
+
export declare function hasAdminReadAccess(roles: readonly string[] | undefined): boolean;
|
|
17
|
+
export declare function hasFullAdminAccess(roles: readonly string[] | undefined): boolean;
|
|
11
18
|
export declare function parseAuthHeader(headers: IncomingHttpHeaders): string | undefined;
|
|
12
19
|
//# sourceMappingURL=jwks.d.ts.map
|
package/dist/auth/jwks.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"jwks.d.ts","sourceRoot":"","sources":["../../src/auth/jwks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiC,KAAK,UAAU,EAAE,MAAM,MAAM,CAAC;AACtE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAIrD,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,QAAQ,CAAC,MAAM,EAAE,MAAM,iBAI5C;AAED,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,gBAAgB,uBAYvC;AAED,wBAAgB,aAAa,CAAC,OAAO,EAAE,UAAU,sBAEhD;AAED,wBAAgB,eAAe,CAC7B,OAAO,EAAE,mBAAmB,GAC3B,MAAM,GAAG,SAAS,CAMpB"}
|
|
1
|
+
{"version":3,"file":"jwks.d.ts","sourceRoot":"","sources":["../../src/auth/jwks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiC,KAAK,UAAU,EAAE,MAAM,MAAM,CAAC;AACtE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAIrD,eAAO,MAAM,gBAAgB,kDAAmD,CAAC;AACjF,eAAO,MAAM,mBAAmB,kEAKtB,CAAC;AACX,eAAO,MAAM,qBAAqB,yGAAyD,CAAC;AAE5F,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,QAAQ,CAAC,MAAM,EAAE,MAAM,iBAI5C;AAED,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,gBAAgB,uBAYvC;AAED,wBAAgB,aAAa,CAAC,OAAO,EAAE,UAAU,sBAEhD;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,GAAG,MAAM,EAAE,CAS7D;AAED,wBAAgB,UAAU,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,SAAS,EAAE,YAAY,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAKzG;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,SAAS,GAAG,OAAO,CAEhF;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,SAAS,GAAG,OAAO,CAEhF;AAED,wBAAgB,eAAe,CAC7B,OAAO,EAAE,mBAAmB,GAC3B,MAAM,GAAG,SAAS,CAMpB"}
|
package/dist/auth/jwks.js
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
import { createRemoteJWKSet, jwtVerify } from 'jose';
|
|
2
2
|
let jwks;
|
|
3
|
+
export const FULL_ADMIN_ROLES = ['admin', 'mereb.admin', 'realm-admin'];
|
|
4
|
+
export const LIMITED_ADMIN_ROLES = [
|
|
5
|
+
'moderator',
|
|
6
|
+
'support',
|
|
7
|
+
'admin.viewer',
|
|
8
|
+
'mereb.staff'
|
|
9
|
+
];
|
|
10
|
+
export const READ_ONLY_ADMIN_ROLES = [...FULL_ADMIN_ROLES, ...LIMITED_ADMIN_ROLES];
|
|
3
11
|
export async function initJwks(issuer) {
|
|
4
12
|
jwks = createRemoteJWKSet(new URL(`${issuer.replace(/\/$/, '')}/protocol/openid-connect/certs`));
|
|
5
13
|
}
|
|
@@ -16,6 +24,25 @@ export async function verifyJwt(token, { issuer, audience }) {
|
|
|
16
24
|
export function extractUserId(payload) {
|
|
17
25
|
return typeof payload.sub === 'string' ? payload.sub : undefined;
|
|
18
26
|
}
|
|
27
|
+
export function extractJwtRoles(payload) {
|
|
28
|
+
const realmRoles = Array.isArray(payload.realm_access?.roles)
|
|
29
|
+
? (payload.realm_access?.roles ?? [])
|
|
30
|
+
: [];
|
|
31
|
+
const resourceRoles = Object.values(payload.resource_access ?? {}).flatMap((access) => (Array.isArray(access?.roles) ? access.roles.filter((role) => typeof role === 'string') : []));
|
|
32
|
+
return Array.from(new Set([...realmRoles, ...resourceRoles]));
|
|
33
|
+
}
|
|
34
|
+
export function hasAnyRole(roles, allowedRoles) {
|
|
35
|
+
if (!roles || roles.length === 0) {
|
|
36
|
+
return false;
|
|
37
|
+
}
|
|
38
|
+
return roles.some((role) => allowedRoles.includes(role));
|
|
39
|
+
}
|
|
40
|
+
export function hasAdminReadAccess(roles) {
|
|
41
|
+
return hasAnyRole(roles, READ_ONLY_ADMIN_ROLES);
|
|
42
|
+
}
|
|
43
|
+
export function hasFullAdminAccess(roles) {
|
|
44
|
+
return hasAnyRole(roles, FULL_ADMIN_ROLES);
|
|
45
|
+
}
|
|
19
46
|
export function parseAuthHeader(headers) {
|
|
20
47
|
const auth = headers.authorization;
|
|
21
48
|
if (!auth || !auth.startsWith('Bearer ')) {
|