OIDC can check for groups now to properly secure users

src/auth.ts

@@ -9,4 +9,21 @@ export const { handle, signIn, signOut } = SvelteKitAuth({
 			clientSecret: AUTHENTIK_SECRET,
 			issuer: AUTHENTIK_ISSUER,
 		})],
+	callbacks: {
+		// this feels like an extremely hacky way to get nickname and groups into the session object
+		// TODO: investigate if there's a better way to do this
+		jwt: async ({token, profile}) => {
+			if(profile){
+				token.nickname = profile.nickname;
+				token.groups = profile.groups;
+			}
+			return token;
+		},
+		session: async ({session, token}) => {
+			session.user.nickname = token.nickname;
+			session.user.groups = token.groups;
+			return session;
+		},
+
+	}
 })

src/hooks.server.ts

@@ -15,6 +15,12 @@ async function authorization({ event, resolve }) {
 		if (!session) {
 			throw redirect(303, '/auth/signin');
 		}
+		else if (! session.user.groups.includes('rezepte_users')) {
+			// strip last dir from url
+			// TODO: give indication of why access failed
+			const new_url = event.url.pathname.split('/').slice(0, -1).join('/');
+			throw redirect(303, new_url);
+		}
 	}
 
 	// If the request is still here, just proceed as normally