From 022d727394dece36c1e13e48b8f8f461a7568260 Mon Sep 17 00:00:00 2001
From: Alexander Bocken
Date: Thu, 15 Feb 2024 04:10:06 +0100
Subject: [PATCH] OIDC can check for groups now to properly secure users

---
 src/auth.ts | 17 +++++++++++++++++
 src/hooks.server.ts | 6 ++++++
 2 files changed, 23 insertions(+)

diff --git a/src/auth.ts b/src/auth.ts
index be4de21..50a5b77 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -9,4 +9,21 @@ export const { handle, signIn, signOut } = SvelteKitAuth({
 clientSecret: AUTHENTIK_SECRET,
 issuer: AUTHENTIK_ISSUER,
 })],
+ callbacks: {
+ // this feels like an extremely hacky way to get nickname and groups into the session object
+ // TODO: investigate if there's a better way to do this
+ jwt: async ({token, profile}) => {
+ if(profile){
+ token.nickname = profile.nickname;
+ token.groups = profile.groups;
+ }
+ return token;
+ },
+ session: async ({session, token}) => {
+ session.user.nickname = token.nickname;
+ session.user.groups = token.groups;
+ return session;
+ },
+
+ }
 })
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
index 9ed9bc1..5569fae 100644
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@@ -15,6 +15,12 @@ async function authorization({ event, resolve }) {
 if (!session) {
 throw redirect(303, '/auth/signin');
 }
+ else if (! session.user.groups.includes('rezepte_users')) {
+ // strip last dir from url
+ // TODO: give indication of why access failed
+ const new_url = event.url.pathname.split('/').slice(0, -1).join('/');
+ throw redirect(303, new_url);
+ }
 }
 // If the request is still here, just proceed as normally
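Review bot: The jwt callback copies `profile.groups` into the token without checking that the claim is present or is an array, and because `profile` is only supplied at sign-in the group list is frozen in the JWT for the token's lifetime. If the provider omits the claim, `session.user.groups` ends up undefined and the `includes` call added in src/hooks.server.ts throws a TypeError instead of denying access, while a user removed from the group keeps access until they re-authenticate. Normalizing in the jwt callback, `token.groups = Array.isArray(profile.groups) ? profile.groups : [];`, makes the later membership check fail closed, and the refresh caveat is worth recording next to it, e.g. `// groups are captured at sign-in only; removal takes effect on next login`. The SvelteKitAuth call that encloses this hunk begins before it, and the authorization function in the second hunk appears to continue past the end of the patch as shown.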