OIDC can check for groups now to properly secure users
										17
									
								
								src/auth.ts
									
									
									
									
									
								
							
							
						
						
									
										17
									
								
								src/auth.ts
									
									
									
									
									
								
							@@ -9,4 +9,21 @@ export const { handle, signIn, signOut } = SvelteKitAuth({
 | 
				
			|||||||
			clientSecret: AUTHENTIK_SECRET,
 | 
								clientSecret: AUTHENTIK_SECRET,
 | 
				
			||||||
			issuer: AUTHENTIK_ISSUER,
 | 
								issuer: AUTHENTIK_ISSUER,
 | 
				
			||||||
		})],
 | 
							})],
 | 
				
			||||||
 | 
						callbacks: {
 | 
				
			||||||
 | 
							// this feels like an extremely hacky way to get nickname and groups into the session object
 | 
				
			||||||
 | 
							// TODO: investigate if there's a better way to do this
 | 
				
			||||||
 | 
							jwt: async ({token, profile}) => {
 | 
				
			||||||
 | 
								if(profile){
 | 
				
			||||||
 | 
									token.nickname = profile.nickname;
 | 
				
			||||||
 | 
									token.groups = profile.groups;
 | 
				
			||||||
 | 
								}
 | 
				
			||||||
 | 
								return token;
 | 
				
			||||||
 | 
							},
 | 
				
			||||||
 | 
							session: async ({session, token}) => {
 | 
				
			||||||
 | 
								session.user.nickname = token.nickname;
 | 
				
			||||||
 | 
								session.user.groups = token.groups;
 | 
				
			||||||
 | 
								return session;
 | 
				
			||||||
 | 
							},
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
})
 | 
					})
 | 
				
			||||||
 
 | 
				
			|||||||
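Review bot: `token.groups = profile.groups` in the jwt callback stores whatever the provider sent without checking that it is an array, so a user whose profile lacks the groups claim ends up with `groups: undefined` and any later `.includes` check on it throws instead of denying; normalize it at the point of copy, `token.groups = Array.isArray(profile.groups) ? profile.groups : [];`. Since `profile` is only supplied on the sign-in invocation, the groups and nickname written into the JWT are a snapshot taken at login, and a change to the user's group membership in the IdP is not reflected until the session expires or the user signs in again; that is worth stating in the comment above the callback, e.g. `// nickname/groups are copied from the IdP profile once at sign-in; membership changes only apply after re-login`. The session callback on the following lines inherits the same snapshot semantics.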
@@ -15,6 +15,12 @@ async function authorization({ event, resolve }) {
 | 
				
			|||||||
		if (!session) {
 | 
							if (!session) {
 | 
				
			||||||
			throw redirect(303, '/auth/signin');
 | 
								throw redirect(303, '/auth/signin');
 | 
				
			||||||
		}
 | 
							}
 | 
				
			||||||
 | 
							else if (! session.user.groups.includes('rezepte_users')) {
 | 
				
			||||||
 | 
								// strip last dir from url
 | 
				
			||||||
 | 
								// TODO: give indication of why access failed
 | 
				
			||||||
 | 
								const new_url = event.url.pathname.split('/').slice(0, -1).join('/');
 | 
				
			||||||
 | 
								throw redirect(303, new_url);
 | 
				
			||||||
 | 
							}
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// If the request is still here, just proceed as normally
 | 
						// If the request is still here, just proceed as normally
 | 
				
			||||||
 
 | 
				
			|||||||
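Review bot: `session.user.groups.includes('rezepte_users')` dereferences `groups` unguarded, so a signed-in user whose token carries no groups claim gets a TypeError (a 500) rather than a redirect; `else if (!session.user.groups?.includes('rezepte_users')) {` keeps the branch failing closed when the claim is missing. The fallback target is the empty string whenever the path has a single segment (e.g. `/recipes`), producing `redirect(303, '')`; `const new_url = event.url.pathname.split('/').slice(0, -1).join('/') || '/';` keeps the Location header valid. If the parent path is itself covered by this check the user is bounced one segment at a time until an unprotected ancestor is reached, which cannot be confirmed from here because authorization starts and ends outside the hunk.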