diff --git a/example/src/app.controller.ts b/example/src/app.controller.ts
index 1e62ce1..6f9f916 100644
--- a/example/src/app.controller.ts
+++ b/example/src/app.controller.ts
@@ -4,6 +4,7 @@ import {
 Public,
 Roles,
 RoleMatchingMode,
+ RoleMatch,
 } from 'nest-keycloak-connect';
 @Controller()
@@ -27,7 +28,8 @@ export class AppController {
 }
 @Get('admin')
- @Roles({ roles: ['admin'], mode: RoleMatchingMode.ALL })
+ @Roles('admin')
+ @RoleMatchingMode(RoleMatch.ANY)
 adminRole() {
 return 'Admin only!';
 }
diff --git a/example/src/product/product/product.controller.ts b/example/src/product/product/product.controller.ts
index 8117af8..ca8f7ce 100644
--- a/example/src/product/product/product.controller.ts
+++ b/example/src/product/product/product.controller.ts
@@ -44,7 +44,7 @@ export class ProductController {
 }
 @Get(':code')
- @Roles({ roles: ['realm:basic', 'realm:admin'] })
+ @Roles('realm:basic', 'realm:admin')
 findByCode(@Param('code') code: string) {
 return this.service.findByCode(code);
 }
diff --git a/src/guards/resource.guard.ts b/src/guards/resource.guard.ts
index c1680b8..120df61 100644
--- a/src/guards/resource.guard.ts
+++ b/src/guards/resource.guard.ts
@@ -46,6 +46,22 @@ export class ResourceGuard implements CanActivate {
 ) {}
 async canActivate(context: ExecutionContext): Promise {
+ const defaultEnforcerOpts: KeycloakConnect.EnforcerOptions = {
+ claims: (request: any) => {
+ const httpUri = request.url;
+ const userAgent = request.headers['user-agent'];
+
+ this.logger.verbose(
+ `Enforcing claims, http.uri: ${httpUri}, user.agent: ${userAgent}`,
+ );
+
+ return {
+ 'http.uri': [httpUri],
+ 'user.agent': userAgent,
+ };
+ },
+ };
+
 const resource = this.reflector.get(
 META_RESOURCE,
 context.getClass(),
@@ -64,7 +80,7 @@ export class ResourceGuard implements CanActivate {
 this.reflector.getAllAndOverride(
 META_ENFORCER_OPTIONS,
 [context.getClass(), context.getHandler()],
- );
+ ) ?? defaultEnforcerOpts;
 // Default to permissive
 const policyEnforcementMode =
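Review bot: In the `@@ -27,7 +28,8 @@` hunk of `example/src/app.controller.ts`, the `admin` route's matching mode changes from `RoleMatchingMode.ALL` to `RoleMatch.ANY` as a side effect of the decorator migration. With a single role both modes grant the same access, but this is the example people copy, and adding a second role under ANY widens access instead of narrowing it. Unless ANY is being showcased on purpose, keep the stricter mode with `@RoleMatchingMode(RoleMatch.ALL)`, or add a comment such as `// ANY: holding any one of the listed roles is sufficient`. The `@Roles('realm:basic', 'realm:admin')` line in `product.controller.ts` sets no mode at all, so it depends on the library default, which this diff does not show.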
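Review bot: In the `@@ -46,6 +46,22 @@` hunk of `src/guards/resource.guard.ts`, the default `claims` callback interpolates `request.url` and the `user-agent` header unescaped into the verbose log line. Both are client-controlled, so embedded CR/LF or control characters can forge log entries, and a URL with a query string can put tokens into the log. Log an escaped form, e.g. `JSON.stringify(userAgent)`, and consider logging the URI without its query string. The two claims are also shaped differently: `'http.uri'` is an array while `'user.agent'` is the raw header, which is `undefined` when the client sends none. `'user.agent': userAgent ? [userAgent] : [],` would keep the shape consistent, though that should be confirmed against what the Keycloak policy expects. `canActivate` continues past the end of this hunk.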
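Review bot: In the `@@ -64,7 +80,7 @@` hunk of `src/guards/resource.guard.ts`, the `?? defaultEnforcerOpts` fallback changes behaviour for every guarded route that has no `META_ENFORCER_OPTIONS` metadata, and nothing at this line says so. Those routes now push the request URI and user agent to Keycloak as claims, where previously the options were left undefined. Add a comment at the fallback, e.g. `// No enforcer options set: push http.uri and user.agent as claims by default`, and note in the docs that the user agent is client-supplied and must not be treated as a trust signal in policies. The default object is also rebuilt on every `canActivate` call even when metadata is present, so hoisting it into a private method or field would avoid the per-request allocation. The assignment this expression belongs to starts above the hunk.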