feat: export isAuthorizedByRole util function (#85)

aerogear · May 13, 2020 · 752e426 · 752e426
1 parent a6247a9
commit 752e426
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 11 deletions.
diff --git a/src/directives/directiveResolvers.ts b/src/directives/directiveResolvers.ts
@@ -1,4 +1,5 @@
 import { CONTEXT_KEY } from '../KeycloakContext'
+import { isAuthorizedByRole } from './utils'
 
 /**
  * 
@@ -104,17 +105,8 @@ export const hasRole = (roles: Array<string>) => (next: Function) => (root: any,
   if (typeof roles === 'string') {
     roles = [roles]
   }
-
-  let foundRole = null // this will be the role the user was successfully authorized on
-
-  for (let role of roles) {
-    if (context[CONTEXT_KEY].hasRole(role)) {
-      foundRole = role
-      break
-    }
-  }
-
-  if (!foundRole) {
+
+  if (!isAuthorizedByRole(roles, context)) {
     const error: any = new Error(`User is not authorized. Must have one of the following roles: [${roles}]`);
     error.code = "FORBIDDEN"
     throw error

diff --git a/src/directives/utils.ts b/src/directives/utils.ts
@@ -0,0 +1,21 @@
+import { CONTEXT_KEY } from '../KeycloakContext'
+
+/**
+ * 
+ * @param roles the list of roles the user should match against
+ * @param context the graphql context that contains the user info
+ */
+export function isAuthorizedByRole(roles: string[], context?: any) {
+  if (!(context && context[CONTEXT_KEY])) {
+    console.error(`context.${CONTEXT_KEY} is missing. Keycloak integration is probably misconfigured`)  
+    return false
+  }
+
+  for (const role of roles) {
+    if (context[CONTEXT_KEY].hasRole(role)) {
+      return true
+    }
+  }
+
+  return false
+}
diff --git a/src/index.ts b/src/index.ts
@@ -2,3 +2,4 @@ export * from './KeycloakSubscriptionHandler'
 export * from './KeycloakContext'
 export * from './directives'
 export * from './api'
+export { isAuthorizedByRole } from './directives/utils'
diff --git a/test/utils.test.ts b/test/utils.test.ts
@@ -0,0 +1,48 @@
+import test from 'ava'
+import { isAuthorizedByRole } from '../src/directives/utils'
+import Keycloak from 'keycloak-connect'
+import { KeycloakContextBase } from '../src/KeycloakContext'
+
+test('isAuthorizedByRole returns the result of token.hasRole', (t) => {
+  t.plan(4)
+  const token = {
+    hasRole: (role: string) => {
+      t.pass()
+      return role === 'c'
+    },
+    isExpired: () => {
+      return false
+    }
+  } as Keycloak.Token
+
+  const context = { kauth: new KeycloakContextBase(token) } 
+
+  t.truthy(isAuthorizedByRole(['a', 'b', 'c'], context))
+})
+
+test('isAuthorizedByRole returns false if hasRole returns false', (t) => {
+  t.plan(4)
+  const token = {
+    hasRole: (role: string) => {
+      t.pass()
+      return false
+    },
+    isExpired: () => {
+      return false
+    }
+  } as Keycloak.Token
+
+  const context = { kauth: new KeycloakContextBase(token) } 
+
+  t.falsy(isAuthorizedByRole(['a', 'b', 'c'], context))
+})
+
+test('isAuthorizedByRole returns false if context is empty', (t) => {
+  const context = { } 
+  t.falsy(isAuthorizedByRole(['a', 'b', 'c'], context))
+})
+
+test('isAuthorizedByRole returns false if context undefined', (t) => {
+  const context = { } 
+  t.falsy(isAuthorizedByRole(['a', 'b', 'c'], undefined))
+})