feat(rsc-auth): Implement getRoles function in auth mw & update default ServerAuthState

.changesets/10656.md

@@ -0,0 +1,23 @@
+- feat(rsc-auth): Implement getRoles function in auth mw & update default ServerAuthState (#10656) by @dac09
+
+- Implement getRoles function in supabase and dbAuth middleware
+- Updates default serverAuthState to contain roles
+- Make cookieHeader a required attribute
+- Introduces new `clear()` function to remove auth state - just syntax sugar
+
+## Example usage
+```tsx
+// In entry.server.tsx
+export const registerMiddleware = () => {
+  // This actually returns [dbAuthMiddleware, '*']
+  const authMw = initDbAuthMiddleware({
+    dbAuthHandler,
+    getCurrentUser,
+    getRoles: (decoded) => {
+      return decoded.currentUser.roles || []
+    }
+  })
+
+  return [authMw]
+}
+```

packages/auth-providers/dbAuth/middleware/README.md

@@ -1,5 +1,7 @@
 # DbAuth Middleware
 
+### Example instantiation 
+
 ```tsx filename='entry.server.tsx'
 import type { TagDescriptor } from '@redwoodjs/web'
 
@@ -18,9 +20,10 @@ interface Props {
 export const registerMiddleware = () => {
   // This actually returns [dbAuthMiddleware, '*']
   const authMw = initDbAuthMiddleware({
-    cookieName,
     dbAuthHandler,
     getCurrentUser,
+    // cookieName optional
+    // getRoles optional
     // dbAuthUrl? optional
   })
 
@@ -35,3 +38,50 @@ export const ServerEntry: React.FC<Props> = ({ css, meta }) => {
   )
 }
 ```
+
+### Roles handling
+By default the middleware assumes your roles will be in `currentUser.roles` - either as a string or an array of strings. 
+
+For example
+```js
+
+// If this is your current user:
+{
+  email: '[email protected]',
+  id: 'mocked-current-user-1',
+  roles: 'admin'
+}
+
+// In the ServerAuthState
+{
+  cookieHeader: 'session=session_cookie',
+  currentUser: {
+    email: '[email protected]',
+    id: 'mocked-current-user-1',
+    roles: 'admin' // <-- you sent back 'admin' as string
+  },
+  hasError: false,
+  isAuthenticated: true,
+  loading: false,
+  userMetadata: /*..*/
+  roles: ['admin'] // <-- converted to array
+}
+```
+
+You can customise this by passing a custom `getRoles` function into `initDbAuthMiddleware`. For example:
+
+```ts
+  const authMw = initDbAuthMiddleware({
+    dbAuthHandler,
+    getCurrentUser,
+    getRoles: (decoded) => {
+      // Assuming you want to get roles from a property called org
+      if (decoded.currentUser.org) {
+        return [decoded.currentUser.org]
+      } else {
+        return []
+      }
+    }
+  })
+
+```

packages/auth-providers/dbAuth/middleware/src/__tests__/defaultGetRoles.test.ts

@@ -0,0 +1,28 @@
+import { describe, expect, it } from 'vitest'
+
+import { defaultGetRoles } from '../defaultGetRoles'
+
+describe('dbAuth: defaultGetRoles', () => {
+  it('returns an empty array if no roles are present', () => {
+    const decoded = {
+      currentUser: {
+        id: 1,
+        email: '[email protected]',
+      },
+    }
+    const roles = defaultGetRoles(decoded)
+    expect(roles).toEqual([])
+  })
+
+  it('always returns an array of roles, even when currentUser has a string', () => {
+    const decoded = { currentUser: { roles: 'admin' } }
+    const roles = defaultGetRoles(decoded)
+    expect(roles).toEqual(['admin'])
+  })
+
+  it('falls back to an empty array if the decoded object is null', () => {
+    const decoded = null
+    const roles = defaultGetRoles(decoded)
+    expect(roles).toEqual([])
+  })
+})

packages/auth-providers/dbAuth/middleware/src/__tests__/initDbAuthMiddleware.test.ts

@@ -8,6 +8,7 @@ import {
   MiddlewareResponse,
 } from '@redwoodjs/vite/middleware'
 
+import { middlewareDefaultAuthProviderState } from '../../../../../auth/dist/AuthProvider/AuthProviderState'
 import type { DbAuthMiddlewareOptions } from '../index'
 import { initDbAuthMiddleware } from '../index'
 const FIXTURE_PATH = path.resolve(
@@ -50,25 +51,17 @@ describe('dbAuthMiddleware', () => {
   it('When no cookie headers, pass through the response', async () => {
     const options: DbAuthMiddlewareOptions = {
       cookieName: '8911',
-      getCurrentUser: async () => {
-        return { id: 1, email: '[email protected]' }
-      },
-      dbAuthHandler: async () => {
-        return {
-          body: 'body',
-          headers: {},
-          statusCode: 200,
-        }
-      },
+      getCurrentUser: vi.fn(),
+      dbAuthHandler: vi.fn(),
     }
+
     const [middleware] = initDbAuthMiddleware(options)
     const req = {
       method: 'GET',
       headers: new Headers(),
       url: 'http://localhost:8911',
     } as MiddlewareRequest
 
-    // Typecase for the test
     const res = await middleware(req, { passthrough: true } as any)
 
     expect(res).toEqual({ passthrough: true })
@@ -82,6 +75,7 @@ describe('dbAuthMiddleware', () => {
         return { id: 'mocked-current-user-1', email: '[email protected]' }
       }),
       dbAuthHandler: vi.fn(),
+      getRoles: vi.fn(() => ['f1driver']),
     }
     const [middleware] = initDbAuthMiddleware(options)
 
@@ -109,6 +103,15 @@ describe('dbAuthMiddleware', () => {
         email: '[email protected]',
         id: 'mocked-current-user-1',
       },
+      roles: ['f1driver'], // Because we override the getRoles function
+    })
+
+    expect(options.getRoles).toHaveBeenCalledWith({
+      currentUser: {
+        email: '[email protected]',
+        id: 'mocked-current-user-1',
+      },
+      mockedSession: 'this_is_the_only_correct_session',
     })
 
     // Allow react render, because body is not defined, and status code not redirect
@@ -152,6 +155,8 @@ describe('dbAuthMiddleware', () => {
         email: '[email protected]',
         id: 'mocked-current-user-1',
       },
+      // No get roles function, so it should be empty
+      roles: [],
     })
 
     // Allow react render, because body is not defined, and status code not redirect
@@ -500,6 +505,12 @@ describe('dbAuthMiddleware', () => {
   })
 
   describe('handle exception cases', async () => {
+    const unauthenticatedServerAuthState = {
+      ...middlewareDefaultAuthProviderState,
+      cookieHeader: null,
+      roles: [],
+    }
+
     beforeAll(() => {
       // So that we don't see errors in console when running negative cases
       vi.spyOn(console, 'error').mockImplementation(() => {})
@@ -578,7 +589,11 @@ describe('dbAuthMiddleware', () => {
       expect(res).toBeDefined()
 
       const serverAuthState = mwReq.serverAuthState.get()
-      expect(serverAuthState).toBeNull()
+      expect(serverAuthState).toEqual({
+        ...unauthenticatedServerAuthState,
+        cookieHeader:
+          'session_8911=some-bad-encrypted-cookie;auth-provider=dbAuth',
+      })
 
       expect(res?.toResponse().headers.getSetCookie()).toEqual([
         // Expired cookies, will be removed by browser

packages/auth-providers/dbAuth/middleware/src/defaultGetRoles.ts

@@ -0,0 +1,13 @@
+export const defaultGetRoles = (decoded: Record<string, any>): string[] => {
+  try {
+    const roles = decoded?.currentUser?.roles
+
+    if (Array.isArray(roles)) {
+      return roles
+    } else {
+      return roles ? [roles] : []
+    }
+  } catch (e) {
+    return []
+  }
+}

packages/auth-providers/dbAuth/middleware/src/index.ts

@@ -9,6 +9,8 @@ import type { GetCurrentUser } from '@redwoodjs/graphql-server'
 import type { Middleware, MiddlewareRequest } from '@redwoodjs/vite/middleware'
 import { MiddlewareResponse } from '@redwoodjs/vite/middleware'
 
+import { defaultGetRoles } from './defaultGetRoles'
+
 export interface DbAuthMiddlewareOptions {
   cookieName?: string
   dbAuthUrl?: string
@@ -18,12 +20,14 @@ export interface DbAuthMiddlewareOptions {
     req: Request | APIGatewayProxyEvent,
     context?: Context,
   ) => DbAuthResponse
+  getRoles?: (decoded: any) => string[]
   getCurrentUser: GetCurrentUser
 }
 
 export const initDbAuthMiddleware = ({
   dbAuthHandler,
   getCurrentUser,
+  getRoles = defaultGetRoles,
   cookieName,
   dbAuthUrl = '/middleware/dbauth',
 }: DbAuthMiddlewareOptions): [Middleware, '*'] => {
@@ -71,7 +75,7 @@ export const initDbAuthMiddleware = ({
     try {
       // Call the dbAuth auth decoder. For dbAuth we have direct access to the `dbAuthSession` function.
       // Other providers will be slightly different.
-      const { currentUser } = await validateSession({
+      const { currentUser, decryptedSession } = await validateSession({
         req,
         cookieName,
         getCurrentUser,
@@ -84,11 +88,12 @@ export const initDbAuthMiddleware = ({
         hasError: false,
         userMetadata: currentUser, // dbAuth doesn't have userMetadata
         cookieHeader,
+        roles: getRoles(decryptedSession),
       })
     } catch (e) {
       // Clear server auth context
       console.error('Error decrypting dbAuth cookie \n', e)
-      req.serverAuthState.set(null)
+      req.serverAuthState.clear()
 
       // Note we have to use ".unset" and not ".clear"
       // because we want to remove these cookies from the browser

packages/auth-providers/supabase/middleware/README.md

@@ -1,11 +1,5 @@
 # Supabase Middleware
 
----
-
-NOTE: This README needs to be updated when the Supabase Web Auth will create a client and register the middleware
-
-----
-
 ```tsx filename='entry.server.tsx'
 import type { TagDescriptor } from '@redwoodjs/web'
 
@@ -20,12 +14,24 @@ interface Props {
   meta?: TagDescriptor[]
 }
 
+type SupabaseAppMetadata = {
+  provider: string
+  providers: string[]
+  roles: string[]
+}
+
 export const registerMiddleware = () => {
   const supabaseAuthMiddleware = initSupabaseMiddleware({
     // Optional. If not set, Supabase will use its own `currentUser` function
     // instead of your app's
     getCurrentUser,
+    // Optional. If you wish to enforce RBAC, define a function to return roles.
+    // Typically, one will define roles in Supabase in the user's app_metadata.
+    getRoles: ({ app_metadata }: { app_metadata: SupabaseAppMetadata }) => {
+      return app_metadata.roles
+    },
   })
+
   return [supabaseAuthMiddleware]
 }
 

packages/auth-providers/supabase/middleware/src/__tests__/defaultGetRoles.test.ts

@@ -0,0 +1,76 @@
+import { describe, expect, it } from 'vitest'
+
+import { defaultGetRoles } from '../defaultGetRoles'
+
+describe('dbAuth: defaultGetRoles', () => {
+  it('returns an empty array if no roles are present', () => {
+    const decoded = {
+      aud: 'authenticated',
+      exp: 1716806712,
+      iat: 1716803112,
+      iss: 'https://bubnfbrfzfdryapcuybr.supabase.co/auth/v1',
+      sub: '75fd8091-e0a7-4e7d-8a8d-138d0eb3ca5a',
+      email: '[email protected]',
+      phone: '',
+      app_metadata: {
+        provider: 'email',
+        providers: ['email'],
+      },
+      user_metadata: {
+        'full-name': 'Danny Choudhury 1',
+      },
+      role: 'authenticated', // <-- ⭐ this refers to supabase role, not app role
+      aal: 'aal1',
+      amr: [
+        {
+          method: 'password',
+          timestamp: 1716803107,
+        },
+      ],
+      session_id: '39b4ae31-c57a-4ac1-8f01-e9d6ccbd9365',
+      is_anonymous: false,
+    }
+
+    const roles = defaultGetRoles(decoded)
+    expect(roles).toEqual([])
+  })
+
+  it('always returns an array of roles, even when currentUser has a string', () => {
+    const decoded = {
+      aud: 'authenticated',
+      exp: 1716806712,
+      iat: 1716803112,
+      iss: 'https://bubnfbrfzfdryapcuybr.supabase.co/auth/v1',
+      sub: '75fd8091-e0a7-4e7d-8a8d-138d0eb3ca5a',
+      email: '[email protected]',
+      phone: '',
+      app_metadata: {
+        provider: 'email',
+        providers: ['email'],
+        roles: 'admin', // <-- ⭐ this is the role we are looking for, set by the app
+      },
+      user_metadata: {
+        'full-name': 'Danny Choudhury 1',
+      },
+      role: 'IGNORE_ME', // <-- ⭐ not this one
+      aal: 'aal1',
+      amr: [
+        {
+          method: 'password',
+          timestamp: 1716803107,
+        },
+      ],
+      session_id: '39b4ae31-c57a-4ac1-8f01-e9d6ccbd9365',
+      is_anonymous: false,
+    }
+
+    const roles = defaultGetRoles(decoded)
+    expect(roles).toEqual(['admin'])
+  })
+
+  it('falls back to an empty array if the decoded object is null', () => {
+    const decoded = null
+    const roles = defaultGetRoles(decoded as any)
+    expect(roles).toEqual([])
+  })
+})