feat(rbac) azure entra (#86)

* show name when logged in via azure * give user role if no roles set * azure entra id get roles * azure entra id get roles * get roles always from id_token * remove unnecessary if
eclipse-mnestix · Jan 31, 2025 · aa0478f · aa0478f
1 parent 80a411a
commit aa0478f
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 11 deletions.
diff --git a/src/components/authentication/authConfig.ts b/src/components/authentication/authConfig.ts
@@ -50,6 +50,7 @@ export const authOptions: AuthOptions = {
     callbacks: {
         async jwt({ token, account }) {
             let roles = null;
+            let userName: string | null = null;
 
             const nowTimeStamp = Math.floor(Date.now() / 1000);
 
@@ -59,16 +60,21 @@ export const authOptions: AuthOptions = {
                 token.expires_at = account.expires_at;
                 token.refresh_token = account.refresh_token;
 
-                // The Roles are stored inside the access_token
-                if (account.access_token) {
-                    const decodedToken = jwt.decode(account.access_token);
+                // The roles are stored inside the id_token
+                if (account.id_token) {
+                    const decodedToken = jwt.decode(account.id_token);
                     if (decodedToken) {
+                        if (account.provider === 'azure-ad') {
+                            // @ts-expect-error name exits
+                            userName = decodedToken.name;
+                        }
                         // @ts-expect-error role exits
-                        roles = decodedToken?.role;
+                        roles = decodedToken.roles;
                     }
                 }
+
                 // Store Roles inside token
-                return { ...token, roles: roles };
+                return { ...token, roles: roles, ad_name: userName };
             } else if (nowTimeStamp < (token.expires_at as number)) {
                 return token;
             }
@@ -89,6 +95,10 @@ export const authOptions: AuthOptions = {
             session.accessToken = token.access_token as string;
             session.idToken = token.id_token as string;
             session.user.roles = token.roles as string[];
+            // Azure Entra ID:
+            if (token.ad_name) {
+                session.user.name = token.ad_name as string;
+            }
             return session;
         },
     },

diff --git a/src/lib/hooks/UseAuth.ts b/src/lib/hooks/UseAuth.ts
@@ -38,13 +38,12 @@ export function useAuth(): Auth {
             );
         },
         getAccount: (): Session | null => {
-            if (session && session.user.roles) {
+            if (session && session.user) {
                 // MnestixUser is the default role for a logged-in user
-                if (session.user) {
-                    session.user.mnestixRole = MnestixRole.MnestixUser;
-                    session.user.allowedRoutes = AllowedRoutes.mnestixUser;
-                }
-                if (session.user.roles.find((role) => role === MnestixRole.MnestixAdmin)) {
+                session.user.mnestixRole = MnestixRole.MnestixUser;
+                session.user.allowedRoutes = AllowedRoutes.mnestixUser;
+
+                if (session.user.roles && session.user.roles.find((role) => role === MnestixRole.MnestixAdmin)) {
                     session.user.mnestixRole = MnestixRole.MnestixAdmin;
                     session.user.allowedRoutes = AllowedRoutes.mnestixAdmin;
                 }