OIDC can check for groups now to properly secure users

2024-02-15 04:10:06 +01:00 · 2024-02-15 04:10:06 +01:00 · 022d727394
commit 022d727394
parent 650a6ce1fc
2 changed files with 23 additions and 0 deletions
--- a/src/auth.ts
+++ b/src/auth.ts
@ -9,4 +9,21 @@ export const { handle, signIn, signOut } = SvelteKitAuth({
 			clientSecret: AUTHENTIK_SECRET,
 			issuer: AUTHENTIK_ISSUER,
 		})],
+	callbacks: {
+		// this feels like an extremely hacky way to get nickname and groups into the session object
+		// TODO: investigate if there's a better way to do this
+		jwt: async ({token, profile}) => {
+			if(profile){
+				token.nickname = profile.nickname;
+				token.groups = profile.groups;
+			}
+			return token;
+		},
+		session: async ({session, token}) => {
+			session.user.nickname = token.nickname;
+			session.user.groups = token.groups;
+			return session;
+		},
+
+	}
 })
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@ -15,6 +15,12 @@ async function authorization({ event, resolve }) {
 		if (!session) {
 			throw redirect(303, '/auth/signin');
 		}
+		else if (! session.user.groups.includes('rezepte_users')) {
+			// strip last dir from url
+			// TODO: give indication of why access failed
+			const new_url = event.url.pathname.split('/').slice(0, -1).join('/');
+			throw redirect(303, new_url);
+		}
 	}

 	// If the request is still here, just proceed as normally