Alexander/homepage
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Alexander:3a684a5d5a28a2ea321736bc5840be3f813be21e
Branches Tags
Alexander:master
..
compare: Alexander:022d727394dece36c1e13e48b8f8f461a7568260
Branches Tags
Alexander:master

2 Commits
3a684a5d5a ... 022d727394

Author SHA1 Message Date
Alexander Bocken
022d727394
OIDC can check for groups now to properly secure users 2024-02-15 04:10:06 +01:00
Alexander Bocken
650a6ce1fc
re-protect client paths 2024-02-15 03:13:49 +01:00
2 changed files with 45 additions and 24 deletions
Show Stats Expand all files Collapse all files

17
src/auth.ts
View File

@ -9,4 +9,21 @@ export const { handle, signIn, signOut } = SvelteKitAuth({
clientSecret: AUTHENTIK_SECRET, clientSecret: AUTHENTIK_SECRET,
issuer: AUTHENTIK_ISSUER, issuer: AUTHENTIK_ISSUER,
})], })],
callbacks: {
// this feels like an extremely hacky way to get nickname and groups into the session object
// TODO: investigate if there's a better way to do this
jwt: async ({token, profile}) => {
if(profile){
token.nickname = profile.nickname;
token.groups = profile.groups;
}
return token;
},
session: async ({session, token}) => {
session.user.nickname = token.nickname;
session.user.groups = token.groups;
return session;
},
}
}) })

52
src/hooks.server.ts
View File

@ -2,28 +2,32 @@ import { authenticateUser } from "$lib/js/authenticate"
import type { Handle } from "@sveltejs/kit" import type { Handle } from "@sveltejs/kit"
import { redirect } from "@sveltejs/kit" import { redirect } from "@sveltejs/kit"
import { error } from "@sveltejs/kit" import { error } from "@sveltejs/kit"
export { handle } from "./auth" import { SvelteKitAuth } from "@auth/sveltekit"
import Authentik from "@auth/core/providers/authentik"
import { AUTHENTIK_ID, AUTHENTIK_SECRET, AUTHENTIK_ISSUER } from "$env/static/private";
import { sequence } from "@sveltejs/kit/hooks"
import * as auth from "./auth"
//export const handle : Handle = async({event, resolve}) => { async function authorization({ event, resolve }) {
// if(event.url.pathname.startsWith('/rezepte/edit') || event.url.pathname.startsWith('/rezepte/add')){ // Protect any routes under /authenticated
// event.locals.user = await authenticateUser(event.cookies) if (event.url.pathname.startsWith('/rezepte/edit') || event.url.pathname.startsWith('/rezepte/add')) {
// if(!event.locals.user){ const session = await event.locals.getSession();
// throw redirect(303, "/login") if (!session) {
// } throw redirect(303, '/auth/signin');
// else if(!event.locals.user.access.includes("rezepte")){ }
// throw error(401, "Your user does not have access to this page") else if (! session.user.groups.includes('rezepte_users')) {
// } // strip last dir from url
// } // TODO: give indication of why access failed
// else if(event.url.pathname.startsWith('/abrechnung')){ const new_url = event.url.pathname.split('/').slice(0, -1).join('/');
// event.locals.user = await authenticateUser(event.cookies) throw redirect(303, new_url);
// if(!event.locals.user){ }
// throw redirect(303, "/login") }
// }
// else if(!event.locals.user.access.includes("abrechnung")){ // If the request is still here, just proceed as normally
// throw error(401, "Your User does not have access to this page") return resolve(event);
// } }
// }
// export const handle: Handle = sequence(
// const response = await resolve(event) auth.handle,
// return response authorization
//} );