feat(rsc-auth): Implement getRoles function in auth mw & update default ServerAuthState #10656
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Update default serverAuthState to contain roles Make cookieHeader a required attribute
…-role-authmw * 'main' of github.com:redwoodjs/redwood: feat(auth-middleware): Return a Tuple with Route pattern configuration when creating dbAuth middleware (redwoodjs#10642)
dac09
changed the title
dac09
force-pushed
the
feat/extract-role-authmw
branch
from
f68acec
to
5f47249
Compare
…-role-authmw * 'main' of github.com:redwoodjs/redwood: fix(dbAuthMw): Update and fix logic related to dbAuth "verbs" and decryptionErrors (redwoodjs#10668) RSC: routes-auto-loader is not used for SSR anymore (redwoodjs#10672) chore(crwa): Remove unused jest dev dependency (redwoodjs#10673) RSC: rscBuildEntriesFile: Only ServerEntry and Routes needed for serverEntries (redwoodjs#10671) RSC: clientSsr: getServerEntryComponent() (redwoodjs#10670) RSC: worker: getFunctionComponent -> getRoutesComponent (redwoodjs#10669) RSC: kitchen-sink: Make the ReadFileServerCell output take up less space (redwoodjs#10667) RSC: Remove commented code related to prefixToRemove transform() (redwoodjs#10666) RSC Client Router (redwoodjs#10557) RSC: Add 'use client' to remaining client cells in kitchen-sink (redwoodjs#10665) RSC: vite auto-loader: Spell out 'path' and other chores (redwoodjs#10662) fix(cli): Handle case for no arguments for verbose baremetal deploy (redwoodjs#10663) RSC: kitchen-sink: Make it more clear where layout ends and main content starts (redwoodjs#10661) RSC: Make the kitchen-sink smoke-test more robust/resilient (redwoodjs#10660) RSC: Source format of EmptyUsersCell in kitchen-sink (redwoodjs#10658) RSC: Add 'use client' to all client cells in kitchen-sink (redwoodjs#10659) chore(__fixtures__): Follow-up: Make test projects match newer CRWA template (redwoodjs#10657) feat: Reworks RSC server entries and route manifest building to derive from routes and include if route info related to authentication (redwoodjs#10572) chore(__fixtures__): Make test projects match newer CRWA template (redwoodjs#10655)
…nto feat/extract-role-authmw * 'feat/extract-role-authmw' of github.com:dac09/redwood:
|
✋ HODL merge till we've gone through Server Router changes. |
dthyresson
reviewed
May 22, 2024
dthyresson
reviewed
May 22, 2024
dthyresson
reviewed
May 22, 2024
| @@ -68,6 +70,8 @@ const createSupabaseAuthMiddleware = ({ | |||
| isAuthenticated: !!currentUser, | |||
| hasError: false, | |||
| userMetadata: userMetadata || currentUser, | |||
| cookieHeader, | |||
| roles: extractRoles ? extractRoles(decoded) : [], | |||
There was a problem hiding this comment.
I am trying to think of a case where the decoded data from the authDecoder is needed to get roles -- and not just the currentUser.
I guess one doesn't have to set roles inside getCurrentUser but typically for the auth providers we do.
Though this does give some flexibility to define roles outside the currentUser .... which might make ABAC permission easier in the future. Ie - check a permission file/config or lookup db --- for if the username starts with admin , then then get the admin role.
Think will have to use it a bit and get the feel for it, but makes sense and can see ow it will work.
There was a problem hiding this comment.
I think for example, if you add roles in supabase user_metadata, it doesn't come through as currentUser.roles!
|
Hey DT, so I lookedup up types in the auth providers, and here's my notes on it. It just validates that we definitely need this getRoles function, but also that we could potentially have a default implementation for each auth provider (if no roles, just return Supabase userRoles in user.role, but I don't think that's the one we want to use. That's the role supabase uses I believe. In the examples I looked through with you it was in export interface User {
id: string
app_metadata: UserAppMetadata
user_metadata: UserMetadata
aud: string
confirmation_sent_at?: string
recovery_sent_at?: string
email_change_sent_at?: string
new_email?: string
new_phone?: string
invited_at?: string
action_link?: string
email?: string
phone?: string
created_at: string
confirmed_at?: string
email_confirmed_at?: string
phone_confirmed_at?: string
last_sign_in_at?: string
role?: string
updated_at?: string
identities?: UserIdentity[]
is_anonymous?: boolean
factors?: Factor[]
}Firebase userDoesn't have roles built in. Possibly can be added to UserMetadata. export declare interface User extends UserInfo {
readonly emailVerified: boolean;
readonly isAnonymous: boolean;
readonly metadata: UserMetadata;
readonly providerData: UserInfo[];
readonly refreshToken: string;
readonly tenantId: string | null;
delete(): Promise<void>;
getIdToken(forceRefresh?: boolean): Promise<string>;
getIdTokenResult(forceRefresh?: boolean): Promise<IdTokenResult>;
reload(): Promise<void>;
toJSON(): object;
}Netlify userRoles available in user.app_metadata.roles export interface User {
api: {
_sameOrigin?: boolean | undefined;
apiURL: string;
defaultHeaders: {
[header: string]: string | string[] | undefined;
};
};
app_metadata: {
provider: string;
roles: string[];
};
aud: string;
audience?: any;
confirmed_at: string;
created_at: string;
updated_at: string;
invited_at: string;
recovery_sent_at: string;
email: string;
id: string;
role: string;
token?: Token | undefined;
url: string;
user_metadata: {
avatar_url?: string;
full_name?: string;
} | null;
}Clerk userCan't see roles directly in the user object, but likely to be in user.publicMetadata ? export interface UserResource extends ClerkResource {
id: string;
externalId: string | null;
primaryEmailAddressId: string | null;
primaryEmailAddress: EmailAddressResource | null;
primaryPhoneNumberId: string | null;
primaryPhoneNumber: PhoneNumberResource | null;
primaryWeb3WalletId: string | null;
primaryWeb3Wallet: Web3WalletResource | null;
username: string | null;
fullName: string | null;
firstName: string | null;
lastName: string | null;
profileImageUrl: string;
imageUrl: string;
hasImage: boolean;
emailAddresses: EmailAddressResource[];
phoneNumbers: PhoneNumberResource[];
web3Wallets: Web3WalletResource[];
externalAccounts: ExternalAccountResource[];
samlAccounts: SamlAccountResource[];
organizationMemberships: OrganizationMembershipResource[];
passwordEnabled: boolean;
totpEnabled: boolean;
backupCodeEnabled: boolean;
twoFactorEnabled: boolean;
publicMetadata: UserPublicMetadata;
unsafeMetadata: UserUnsafeMetadata;
lastSignInAt: Date | null;
createOrganizationEnabled: boolean;
deleteSelfEnabled: boolean;
updatedAt: Date | null;
createdAt: Date | null;
update: (params: UpdateUserParams) => Promise<UserResource>;
delete: () => Promise<void>;
updatePassword: (params: UpdateUserPasswordParams) => Promise<UserResource>;
removePassword: (params: RemoveUserPasswordParams) => Promise<UserResource>;
createEmailAddress: (params: CreateEmailAddressParams) => Promise<EmailAddressResource>;
createPhoneNumber: (params: CreatePhoneNumberParams) => Promise<PhoneNumberResource>;
createWeb3Wallet: (params: CreateWeb3WalletParams) => Promise<Web3WalletResource>;
isPrimaryIdentification: (ident: EmailAddressResource | PhoneNumberResource | Web3WalletResource) => boolean;
getSessions: () => Promise<SessionWithActivitiesResource[]>;
setProfileImage: (params: SetProfileImageParams) => Promise<ImageResource>;
createExternalAccount: (params: CreateExternalAccountParams) => Promise<ExternalAccountResource>;
getOrganizationMemberships: GetOrganizationMemberships;
getOrganizationInvitations: (params?: GetUserOrganizationInvitationsParams) => Promise<ClerkPaginatedResponse<UserOrganizationInvitationResource>>;
getOrganizationSuggestions: (params?: GetUserOrganizationSuggestionsParams) => Promise<ClerkPaginatedResponse<OrganizationSuggestionResource>>;
leaveOrganization: (organizationId: string) => Promise<DeletedObjectResource>;
createTOTP: () => Promise<TOTPResource>;
verifyTOTP: (params: VerifyTOTPParams) => Promise<TOTPResource>;
disableTOTP: () => Promise<DeletedObjectResource>;
createBackupCode: () => Promise<BackupCodeResource>;
get verifiedExternalAccounts(): ExternalAccountResource[];
get unverifiedExternalAccounts(): ExternalAccountResource[];
get hasVerifiedEmailAddress(): boolean;
get hasVerifiedPhoneNumber(): boolean;
}Auth0No roles, but possibly comes through in scopes in the JWT? dbAuth UserUp to the user! But in our test-project fixture this is the Prisma schema: |
dac09
commented
May 27, 2024
dac09
commented
May 27, 2024
packages/auth-providers/supabase/middleware/src/__tests__/defaultGetRoles.test.ts
Show resolved
Hide resolved
dthyresson
changed the title
|
@dac09 I tested type SupabaseAppMetadata = {
provider: string
providers: string[]
roles: string[]
}
const supabaseAuthMiddleware = initSupabaseMiddleware({
getCurrentUser,
getRoles: ({ app_metadata }: { app_metadata: SupabaseAppMetadata }) => {
console.log('>>>> in getRoles', app_metadata.roles)
return app_metadata.roles
},
})
return [supabaseAuthMiddleware]
}Typically, roles in Supabase will be stored in app_metadata (data the app but the user cannot change) and preferences (data the user may change) in user_metadata: update AUTH.users
set raw_app_meta_data = raw_app_meta_data || '{"roles": "admin"}',
raw_user_meta_data = raw_user_meta_data || '{"favoriteColor": "yellow"}';
select * from auth.users;
Here the role in app_metadata is admin and can confirm this role is enforced: <Set wrap={BlogLayout}>
<Route path="/waterfall/{id:Int}" page={WaterfallPage} prerender name="waterfall" />
<PrivateSet unauthenticated="login" roles={['admin']}>
<Route path="/profile" page={ProfilePage} name="profile" />
</PrivateSet>
<Route path="/blog-post/{id:Int}" page={BlogPostPage} name="blogPost" prerender />
<Route path="/contact" page={ContactUsPage} name="contactUs" />
<PrivateSet unauthenticated="login" roles={['superuser']}>
<Route path="/about" page={AboutPage} name="about" prerender />
</PrivateSet>
<Route path="/" page={HomePage} name="home" prerender />
<Route notfound page={NotFoundPage} prerender />
</Set> |
|
Also, the dev can decided to keep the and then in type SupabaseAppMetadata = {
provider: string
providers: string[]
roles: string[]
}
export const getRoles = ({
app_metadata,
}: {
app_metadata: SupabaseAppMetadata
}) => {
console.log('>>>> in getRoles', app_metadata.roles)
return app_metadata.roles
}which is nice. |
dac09
commented
May 28, 2024
|
@dac09 Approved. Good to merge. I tested with string and array roles in a custom get roles. Working well. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
clear()function to remove auth state - just syntax sugarOutstanding
Example usage