Skip to content

feat(shared): Allow for has({ role | permission}) without scope #5693

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
May 5, 2025
Merged

feat(shared): Allow for has({ role | permission}) without scope #5693

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c084020
feat(shared): Allow for `has({ role | permission})` without scope
panteliselef Apr 22, 2025
6cd98b8
add changeset
panteliselef Apr 22, 2025
9b9c091
add changeset
panteliselef Apr 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions .changeset/salty-worms-attack.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
'@clerk/shared': patch
---

Allow for `has({ role | permission})` without scope.

Examples:
- `has({role: "admin"})`
- `has({permission: "friends:add"})`
14 changes: 14 additions & 0 deletions integration/templates/next-app-router/src/app/jwt-v2-organizations/(tests)/conditionals.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,22 +1,26 @@
export function Conditionals({
hasImpersonationRead,
hasMagicLinksCreate,
hasMagicLinksCreateUnscoped,
hasMagicLinksRead,
hasImpersonationManage,
hasAdminRole,
hasManagerRole,
hasImpersonationReaderRole,
hasImpersonationReaderRoleUnscoped,
role,
hasImpersonationFeature,
hasMagicLinksFeature,
}: {
hasImpersonationRead: boolean;
hasMagicLinksCreate: boolean;
hasMagicLinksCreateUnscoped: boolean;
hasMagicLinksRead: boolean;
hasImpersonationManage: boolean;
hasAdminRole: boolean;
hasManagerRole: boolean;
hasImpersonationReaderRole: boolean;
hasImpersonationReaderRoleUnscoped: boolean;
role: string | null | undefined;
hasImpersonationFeature: boolean;
hasMagicLinksFeature: boolean;
Expand All @@ -33,6 +37,11 @@ export function Conditionals({
{hasMagicLinksCreate ? 'true' : 'false'}
</pre>

<pre>
{`has({ permission: "magic_links:create" }) -> `}
{hasMagicLinksCreateUnscoped ? 'true' : 'false'}
</pre>

<pre>
{`has({ permission: "org:magic_links:read" }) -> `}
{hasMagicLinksRead ? 'true' : 'false'}
Expand All @@ -58,6 +67,11 @@ export function Conditionals({
{hasImpersonationReaderRole ? 'true' : 'false'}
</pre>

<pre>
{`has({ role: "impersonation_reader" }) -> `}
{hasImpersonationReaderRoleUnscoped ? 'true' : 'false'}
</pre>

<pre>
{`role -> `}
{role}
Expand Down
2 changes: 2 additions & 0 deletions ...ration/templates/next-app-router/src/app/jwt-v2-organizations/(tests)/has-client/page.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ export default function Page() {
role={orgRole}
hasImpersonationFeature={has({ feature: 'org:impersonation' })}
hasMagicLinksFeature={has({ feature: 'org:magic_links' })}
hasMagicLinksCreateUnscoped={has({ permission: 'magic_links:create' })}
hasImpersonationReaderRoleUnscoped={has({ role: 'impersonation_reader' })}
/>
</>
);
Expand Down
2 changes: 2 additions & 0 deletions ...ration/templates/next-app-router/src/app/jwt-v2-organizations/(tests)/has-server/page.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ export default async function Page() {
role={orgRole}
hasImpersonationFeature={has({ feature: 'org:impersonation' })}
hasMagicLinksFeature={has({ feature: 'org:magic_links' })}
hasMagicLinksCreateUnscoped={has({ permission: 'magic_links:create' })}
hasImpersonationReaderRoleUnscoped={has({ role: 'impersonation_reader' })}
/>
</>
);
Expand Down
2 changes: 2 additions & 0 deletions ...gration/templates/next-app-router/src/app/jwt-v2-organizations/(tests)/has-ssr/client.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ export function SSR() {
role={orgRole}
hasImpersonationFeature={has({ feature: 'org:impersonation' })}
hasMagicLinksFeature={has({ feature: 'org:magic_links' })}
hasMagicLinksCreateUnscoped={has({ permission: 'magic_links:create' })}
hasImpersonationReaderRoleUnscoped={has({ role: 'impersonation_reader' })}
/>
</>
);
Expand Down
2 changes: 2 additions & 0 deletions integration/tests/protect-jwt-v2.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ testAgainstRunningApps({
async function assertPermsRolesFeatures() {
await expect(u.page.getByText(`has({ permission: "org:impersonation:read" }) -> true`)).toBeVisible();
await expect(u.page.getByText(`has({ permission: "org:magic_links:create" }) -> true`)).toBeVisible();
await expect(u.page.getByText(`has({ permission: "magic_links:create" }) -> true`)).toBeVisible();
await expect(u.page.getByText(`has({ permission: "org:magic_links:read" }) -> true`)).toBeVisible();
await expect(u.page.getByText(`has({ permission: "org:impersonation:manage" }) -> true`)).toBeVisible();
await expect(u.page.getByText(`has({ role: "org:admin" }) -> true`)).toBeVisible();
Expand Down Expand Up @@ -171,6 +172,7 @@ testAgainstRunningApps({
await expect(u.page.getByText(`has({ role: "org:admin" }) -> false`)).toBeVisible();
await expect(u.page.getByText(`has({ role: "org:manager" }) -> false`)).toBeVisible();
await expect(u.page.getByText(`has({ role: "org:impersonation_reader" }) -> true`)).toBeVisible();
await expect(u.page.getByText(`has({ role: "impersonation_reader" }) -> true`)).toBeVisible();
await expect(u.page.getByText(`role -> org:impersonation_reader`)).toBeVisible();
await expect(u.page.getByText(`has({ feature: "org:impersonation" }) -> true`)).toBeVisible();
await expect(u.page.getByText(`has({ feature: "org:magic_links" }) -> true`)).toBeVisible();
Expand Down
24 changes: 24 additions & 0 deletions packages/backend/src/tokens/__tests__/authObjects.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,26 @@ describe('signedInAuthObject', () => {
});

describe('JWT v1', () => {
it('has() for user scope', () => {
const mockAuthenticateContext = { sessionToken: 'authContextToken' } as AuthenticateContext;

const partialJwtPayload = {
___raw: 'raw',
act: { sub: 'actor' },
sid: 'sessionId',
sub: 'userId',
} as Partial<JwtPayload>;

const authObject = signedInAuthObject(mockAuthenticateContext, 'token', partialJwtPayload as JwtPayload);

expect(authObject.has({ role: 'org:admin' })).toBe(false);
expect(authObject.has({ role: 'admin' })).toBe(false);
expect(authObject.has({ permission: 'org:f1:read' })).toBe(false);
expect(authObject.has({ permission: 'f1:read' })).toBe(false);
expect(authObject.has({ feature: 'org:reservations' })).toBe(false);
expect(authObject.has({ feature: 'org:impersonation' })).toBe(false);
});

it('has() for orgs', () => {
const mockAuthenticateContext = { sessionToken: 'authContextToken' } as AuthenticateContext;

Expand All @@ -50,7 +70,9 @@ describe('signedInAuthObject', () => {
const authObject = signedInAuthObject(mockAuthenticateContext, 'token', partialJwtPayload as JwtPayload);

expect(authObject.has({ role: 'org:admin' })).toBe(true);
expect(authObject.has({ role: 'admin' })).toBe(true);
expect(authObject.has({ permission: 'org:f1:read' })).toBe(true);
expect(authObject.has({ permission: 'f1:read' })).toBe(true);
expect(authObject.has({ permission: 'org:f1' })).toBe(false);
expect(authObject.has({ permission: 'org:f2:manage' })).toBe(true);
expect(authObject.has({ permission: 'org:f2' })).toBe(false);
Expand Down Expand Up @@ -84,7 +106,9 @@ describe('signedInAuthObject', () => {
const authObject = signedInAuthObject(mockAuthenticateContext, 'token', partialJwtPayload as JwtPayload);

expect(authObject.has({ role: 'org:admin' })).toBe(true);
expect(authObject.has({ role: 'admin' })).toBe(true);
expect(authObject.has({ permission: 'org:reservations:read' })).toBe(true);
expect(authObject.has({ permission: 'reservations:read' })).toBe(true);
expect(authObject.has({ permission: 'org:reservations' })).toBe(false);
expect(authObject.has({ permission: 'org:reservations:manage' })).toBe(true);
expect(authObject.has({ permission: 'org:reservations' })).toBe(false);
Expand Down
6 changes: 4 additions & 2 deletions packages/shared/src/authorization.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,8 @@ const isValidMaxAge = (maxAge: any) => typeof maxAge === 'number' && maxAge > 0;
const isValidLevel = (level: any) => ALLOWED_LEVELS.has(level);
const isValidVerificationType = (type: any) => ALLOWED_TYPES.has(type);

const prefixWithOrg = (value: string) => (value.startsWith('org:') ? value : `org:${value}`);

/**
* Checks if a user has the required organization-level authorization.
* Verifies if the user has the specified role or permission within their organization.
Expand All @@ -86,11 +88,11 @@ const checkOrgAuthorization: CheckOrgAuthorization = (params, options) => {
}

if (params.permission) {
return orgPermissions.includes(params.permission);
return orgPermissions.includes(prefixWithOrg(params.permission));
}

if (params.role) {
return orgRole === params.role;
return orgRole === prefixWithOrg(params.role);
}
return null;
};
Expand Down