keycloak-express-middleware 6.0.3 → 6.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +88 -4
- package/package.json +1 -1
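--- a/package/index.js
+++ b/package/index.js
@@ -249,6 +249,46 @@ class keycloakExpressMiddleware {
 * res.send('Accesso consentito dalla funzione di controllo personalizzata.');
 * });
 *
+* --- Accesso ai dati del token nella route handler ---
+*
+* Dopo l'autenticazione riuscita, il token e le sue informazioni sono disponibili in:
+* - `req.kauth.grant.access_token.content` - contenuto del token decodificato
+* - `req.kauth.grant.access_token.content.scope` - gli scope concessi (es. 'openid profile email')
+* - `req.kauth.grant.access_token.content.preferred_username` - username dell'utente
+* - `req.kauth.grant.access_token.content.email` - email dell'utente
+* - `req.kauth.grant.access_token.content.name` - nome completo dell'utente
+* - `req.kauth.grant.access_token.content.resource_access` - ruoli per client specifici
+* - `req.kauth.grant.access_token.content.realm_access` - ruoli di realm
+* - Qualsiasi altro claim personalizzato del token
+*
+* ⭐ Esempio: Risorsa admin con verifica dello scope nella route handler
+* Protegge la route richiedendo il ruolo 'admin'.
+* Nella handler, verifica che l'utente abbia anche lo scope 'email':
+*
+* app.get('/admin/users', keycloakAdapter.protectMiddleware('admin'), (req, res) => {
+* // Accedi ai dati del token autenticato
+* const tokenContent = req.kauth.grant.access_token.content;
+* const userScopes = tokenContent.scope || ''; // es. 'openid profile email'
+* const username = tokenContent.preferred_username;
+* const userEmail = tokenContent.email;
+*
+* // Verifica personalizzata dello scope nella handler
+* if (!userScopes.includes('email')) {
+* return res.status(403).json({
+* error: 'Forbidden',
+* message: 'L\'utente non ha lo scope email richiesto per questa operazione.'
+* });
+* }
+*
+* // Se tutte le verifiche passano, procedi
+* res.json({
+* message: 'Benvenuto admin!',
+* username: username,
+* email: userEmail,
+* scopes: userScopes.split(' ')
+* });
+* });
+*
 * --- Dettagli sul token e metodi utili ---
 *
 * L'oggetto `token` passato alla funzione di controllo espone metodi come:
@@ -310,6 +350,46 @@ class keycloakExpressMiddleware {
 * res.send('Access granted by custom authorization function.');
 * });
 *
+* --- Accessing token data in the route handler ---
+*
+* After successful authentication, the token and its information are available at:
+* - `req.kauth.grant.access_token.content` - decoded token content
+* - `req.kauth.grant.access_token.content.scope` - granted scopes (e.g., 'openid profile email')
+* - `req.kauth.grant.access_token.content.preferred_username` - user's username
+* - `req.kauth.grant.access_token.content.email` - user's email
+* - `req.kauth.grant.access_token.content.name` - user's full name
+* - `req.kauth.grant.access_token.content.resource_access` - roles per specific client
+* - `req.kauth.grant.access_token.content.realm_access` - realm roles
+* - Any other custom token claims
+*
+* ⭐ Example: Admin resource with scope verification in route handler
+* Protects the route requiring 'admin' role.
+* In the handler, verifies that the user also has the 'email' scope:
+*
+* app.get('/admin/users', keycloakAdapter.protectMiddleware('admin'), (req, res) => {
+* // Access authenticated token data
+* const tokenContent = req.kauth.grant.access_token.content;
+* const userScopes = tokenContent.scope || ''; // e.g., 'openid profile email'
+* const username = tokenContent.preferred_username;
+* const userEmail = tokenContent.email;
+*
+* // Custom scope verification in the handler
+* if (!userScopes.includes('email')) {
+* return res.status(403).json({
+* error: 'Forbidden',
+* message: 'The user does not have the email scope required for this operation.'
+* });
+* }
+*
+* // If all checks pass, proceed
+* res.json({
+* message: 'Welcome admin!',
+* username: username,
+* email: userEmail,
+* scopes: userScopes.split(' ')
+* });
+* });
+*
 * --- Token details and useful methods ---
 *
 * The `token` object passed to the authorization function exposes methods such as:
@@ -339,6 +419,11 @@ class keycloakExpressMiddleware {
 return this.keycloak.protect(conditions);
 }
 
+// Se conditions è null, undefined o non fornito, delega a keycloak.protect() senza parametri
+if (conditions === null || conditions === undefined) {
+return this.keycloak.protect();
+}
+
 // Altrimenti, gestisci ruoli singoli o multipli
 return (req, res, next) => {
 const roles = Array.isArray(conditions) ? conditions : [conditions];
@@ -421,11 +506,10 @@ class keycloakExpressMiddleware {
 */
 
 customProtectMiddleware(customFunction){
-
-return function(req, res, next){
+return (req, res, next) => {
 let protectionString=customFunction(req,res);
-
-}
+this.keycloak.protect(protectionString)(req,res,next);
+};
 }
 
 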
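Review bot: The new nullish guard in protectMiddleware makes a missing or undefined role mean "any authenticated user" by delegating to `this.keycloak.protect()` with no spec, whereas before such a value fell through to the roles branch as `[undefined]` (the `Array.isArray` line) and, presumably, matched no role and was denied; a mistyped role constant that evaluates to undefined (e.g. `ROLES.ADMNI`) therefore now fails open at request time instead of denying. If the argument-less form is intentional, state it in the method's JSDoc, e.g. `@param {string|string[]|Function} [conditions] - omitted or null: only a valid Keycloak session is required, no role is checked`, and consider treating an explicit `undefined` as a misconfiguration so that a typo fails at startup: `if (conditions === undefined && arguments.length > 0) throw new TypeError('protectMiddleware: role is undefined, check the role constant');`. protectMiddleware begins above the hunk and its roles loop continues below it.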
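--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "keycloak-express-middleware",
-"version": "6.0.
+"version": "6.0.5",
 "description": "Adapter API to integrate Node.js (Express) applications with Keycloak. Provides middleware for authentication, authorization, token validation, and route protection via OpenID Connect.",
 "main": "index.js",
 "scripts": {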