OIDC can check for groups now to properly secure users

This commit is contained in:
Alexander Bocken 2024-02-15 04:10:06 +01:00
parent 650a6ce1fc
commit 022d727394
Signed by: Alexander
GPG Key ID: 1D237BE83F9B05E8
2 changed files with 23 additions and 0 deletions


@ -9,4 +9,21 @@ export const { handle, signIn, signOut } = SvelteKitAuth({
clientSecret: AUTHENTIK_SECRET, clientSecret: AUTHENTIK_SECRET,
issuer: AUTHENTIK_ISSUER, issuer: AUTHENTIK_ISSUER,
})], })],
callbacks: {
// this feels like an extremely hacky way to get nickname and groups into the session object
// TODO: investigate if there's a better way to do this
jwt: async ({token, profile}) => {
if(profile){
token.nickname = profile.nickname;
token.groups = profile.groups;
}
return token;
},
session: async ({session, token}) => {
session.user.nickname = token.nickname;
session.user.groups = token.groups;
return session;
},
}
}) })
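Review bot: The `jwt` callback copies `profile.groups` into the token unchecked, so when the provider omits the claim (scope not granted, or a user with no group membership) `token.groups` is `undefined` and every downstream `session.user.groups.includes(...)` check throws instead of denying access; normalising at the source avoids that, e.g. `token.groups = Array.isArray(profile.groups) ? profile.groups : [];`. Because `profile` is only present on the initial sign-in, the groups are frozen in the JWT for its lifetime, so removing a user from a group in the IdP does not take effect until the session expires or the user signs in again — worth a comment next to the callback (`// groups are captured at login only; revocation takes effect at next sign-in`) or a shorter session maxAge if prompt revocation matters. The enclosing `SvelteKitAuth({...})` call starts before this hunk.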


@ -15,6 +15,12 @@ async function authorization({ event, resolve }) {
if (!session) { if (!session) {
throw redirect(303, '/auth/signin'); throw redirect(303, '/auth/signin');
} }
else if (! session.user.groups.includes('rezepte_users')) {
// strip last dir from url
// TODO: give indication of why access failed
const new_url = event.url.pathname.split('/').slice(0, -1).join('/');
throw redirect(303, new_url);
}
} }
// If the request is still here, just proceed as normally // If the request is still here, just proceed as normally
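Review bot: The new branch dereferences `session.user.groups.includes` without checking that `groups` is an array, so a session whose token carries no groups claim produces a TypeError (a 500) rather than the intended redirect; a defensive form is `else if (!Array.isArray(session.user.groups) || !session.user.groups.includes('rezepte_users')) {`. The redirect target is derived from `event.url.pathname`, which keeps it same-origin, but for a top-level path such as `/foo` the computed `new_url` is the empty string, which looks unlikely to be a valid redirect location — consider falling back to `'/'` there. The enclosing `authorization` function starts before this hunk.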