feat: adding isGranted to check for scopes (#123)

packages/auth-common/src/components/__tests__/getScopes.test.ts

@@ -0,0 +1,105 @@
+import { importSPKI, jwtVerify } from "jose";
+import { isGranted } from "..";
+import { JWT, JWT_PUBLIC_KEY } from "../constants";
+vi.mock("jose");
+
+describe("isGranted", () => {
+	const token = "testToken";
+
+	it("should return false on error", async () => {
+		// @ts-expect-error
+		(importSPKI as vi.Mock).mockRejectedValue(new Error("test error"));
+
+		const result = await isGranted(token, ["scope1"]);
+
+		expect(result).toBe(false);
+	});
+
+	it("should verify that one scope is allowed", async () => {
+		const mockPublicKey = {};
+		const mockJwtVerifyResult = {
+			payload: {
+				scopes: ["scope1", "scope2"],
+			},
+			protectedHeader: "testHeader",
+		};
+		// @ts-expect-error
+		(importSPKI as vi.Mock).mockResolvedValue(mockPublicKey);
+		// @ts-expect-error
+		(jwtVerify as vi.Mock).mockResolvedValue(mockJwtVerifyResult);
+
+		const result = await isGranted(token, ["scope1"]);
+
+		expect(importSPKI).toHaveBeenCalledWith(JWT_PUBLIC_KEY, JWT.ALG);
+		expect(jwtVerify).toHaveBeenCalledWith(token, mockPublicKey, {
+			issuer: JWT.ISSUER,
+		});
+		expect(result).toBe(true);
+	});
+
+	it("should verify that 2 scopes are allowed", async () => {
+		const mockPublicKey = {};
+		const mockJwtVerifyResult = {
+			payload: {
+				scopes: ["scope1", "scope2"],
+			},
+			protectedHeader: "testHeader",
+		};
+		// @ts-expect-error
+		(importSPKI as vi.Mock).mockResolvedValue(mockPublicKey);
+		// @ts-expect-error
+		(jwtVerify as vi.Mock).mockResolvedValue(mockJwtVerifyResult);
+
+		const result = await isGranted(token, ["scope1", "scope2"]);
+
+		expect(importSPKI).toHaveBeenCalledWith(JWT_PUBLIC_KEY, JWT.ALG);
+		expect(jwtVerify).toHaveBeenCalledWith(token, mockPublicKey, {
+			issuer: JWT.ISSUER,
+		});
+		expect(result).toBe(true);
+	});
+
+	it("should verify that 1 scope is NOT allowed", async () => {
+		const mockPublicKey = {};
+		const mockJwtVerifyResult = {
+			payload: {
+				scopes: ["scope1", "scope2"],
+			},
+			protectedHeader: "testHeader",
+		};
+		// @ts-expect-error
+		(importSPKI as vi.Mock).mockResolvedValue(mockPublicKey);
+		// @ts-expect-error
+		(jwtVerify as vi.Mock).mockResolvedValue(mockJwtVerifyResult);
+
+		const result = await isGranted(token, ["scope3"]);
+
+		expect(importSPKI).toHaveBeenCalledWith(JWT_PUBLIC_KEY, JWT.ALG);
+		expect(jwtVerify).toHaveBeenCalledWith(token, mockPublicKey, {
+			issuer: JWT.ISSUER,
+		});
+		expect(result).toBe(false);
+	});
+
+	it("should verify that 1 allowed scope and 1 disallowed scope returns false", async () => {
+		const mockPublicKey = {};
+		const mockJwtVerifyResult = {
+			payload: {
+				scopes: ["scope1", "scope2"],
+			},
+			protectedHeader: "testHeader",
+		};
+		// @ts-expect-error
+		(importSPKI as vi.Mock).mockResolvedValue(mockPublicKey);
+		// @ts-expect-error
+		(jwtVerify as vi.Mock).mockResolvedValue(mockJwtVerifyResult);
+
+		const result = await isGranted(token, ["scope1", "scope3"]);
+
+		expect(importSPKI).toHaveBeenCalledWith(JWT_PUBLIC_KEY, JWT.ALG);
+		expect(jwtVerify).toHaveBeenCalledWith(token, mockPublicKey, {
+			issuer: JWT.ISSUER,
+		});
+		expect(result).toBe(false);
+	});
+});

packages/auth-common/src/components/index.ts

@@ -2,3 +2,4 @@ export * from "./constants";
 export * from "./verifyToken";
 export * from "./pkce";
 export * from "./getToken";
+export * from "./isGranted";

packages/auth-common/src/components/isGranted.ts

@@ -0,0 +1,15 @@
+import { JWT } from "./constants";
+import { verifyAndExtractToken } from "./verifyToken";
+
+export const isGranted = async (
+	token: string,
+	scopes: string[],
+): Promise<boolean> => {
+	const jwt = await verifyAndExtractToken(token);
+
+	if ((jwt && (jwt?.payload?.[JWT.SCOPES_KEY] as string[]))?.length) {
+		const tokenScopes = jwt.payload[JWT.SCOPES_KEY] as string[];
+		return scopes.every((scope) => tokenScopes.includes(scope));
+	}
+	return false;
+};