From 2fbd27d445d2bcef74a6fd415365804f32e691b4 Mon Sep 17 00:00:00 2001 From: Aaron Tainter Date: Wed, 17 Sep 2025 16:40:00 -0700 Subject: [PATCH] Add roles from JWT payload --- .gitignore | 1 + src/auth.spec.ts | 4 ++++ src/auth.ts | 2 ++ src/interfaces.ts | 5 +++++ src/session.spec.ts | 8 ++++++++ src/session.ts | 7 +++++++ 6 files changed, 27 insertions(+) diff --git a/.gitignore b/.gitignore index ee512fb..687f17b 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ node_modules dist coverage/ +.idea diff --git a/src/auth.spec.ts b/src/auth.spec.ts index a2c9a28..b4668d1 100644 --- a/src/auth.spec.ts +++ b/src/auth.spec.ts @@ -108,6 +108,7 @@ describe('auth', () => { accessToken: 'new-access-token', organizationId: 'org_123456' as string | undefined, role: 'admin' as string | undefined, + roles: ['admin'] as string[] | undefined, permissions: ['read', 'write'] as string[] | undefined, entitlements: ['premium'] as string[] | undefined, featureFlags: ['flag-1', 'flag-2'] as string[] | undefined, @@ -339,6 +340,7 @@ describe('auth', () => { sessionId: 'session-123', organizationId: 'org-456', role: 'admin', + roles: ['admin'], permissions: ['read', 'write'], entitlements: ['feature-1', 'feature-2'], featureFlags: ['flag-1', 'flag-2'], @@ -361,6 +363,7 @@ describe('auth', () => { sessionId: mockClaims.sessionId, organizationId: mockClaims.organizationId, role: mockClaims.role, + roles: mockClaims.roles, permissions: mockClaims.permissions, entitlements: mockClaims.entitlements, featureFlags: mockClaims.featureFlags, @@ -395,6 +398,7 @@ describe('auth', () => { sessionId: 'session-123', organizationId: 'org-456', role: 'admin', + roles: ['admin'], permissions: ['read', 'write'], entitlements: ['feature-1', 'feature-2'], featureFlags: ['flag-1', 'flag-2'], diff --git a/src/auth.ts b/src/auth.ts index b1717b5..7014306 100644 --- a/src/auth.ts +++ b/src/auth.ts 
@@ -51,6 +51,7 @@ export async function withAuth(args: LoaderFunctionArgs): Promise { entitlements: null, featureFlags: null, role: null, + roles: null, sessionId: null, }); }); @@ -359,6 +360,7 @@ describe('session', () => { sid: 'test-session-id', org_id: 'org-123', role: 'admin', + roles: ['admin'], permissions: ['read', 'write'], entitlements: ['premium'], feature_flags: ['flag-1', 'flag-2'], @@ -411,6 +413,7 @@ describe('session', () => { entitlements: ['premium'], featureFlags: ['flag-1', 'flag-2'], role: 'admin', + roles: ['admin'], sessionId: 'test-session-id', }); }); @@ -559,6 +562,7 @@ describe('session', () => { sid: 'test-session-id', org_id: 'org-123', role: null, + roles: [], permissions: [], entitlements: [], feature_flags: [], @@ -569,6 +573,7 @@ describe('session', () => { sid: 'new-session-id', org_id: 'org-123', role: 'user', + roles: ['user'], permissions: ['read'], entitlements: ['basic'], feature_flags: ['flag-1'], @@ -594,6 +599,7 @@ describe('session', () => { sessionId: 'new-session-id', organizationId: 'org-123', role: 'user', + roles: ['user'], permissions: ['read'], entitlements: ['basic'], featureFlags: ['flag-1'], @@ -738,6 +744,7 @@ describe('session', () => { sid: 'new-session-id', org_id: 'org-123', role: 'user', + roles: ['user'], permissions: ['read'], entitlements: ['basic'], feature_flags: ['flag-1'], @@ -763,6 +770,7 @@ describe('session', () => { accessToken: 'new.valid.token', organizationId: 'org-123', role: 'user', + roles: ['user'], permissions: ['read'], entitlements: ['basic'], featureFlags: ['flag-1'], diff --git a/src/session.ts b/src/session.ts index dc4175b..25f0be9 100644 --- a/src/session.ts +++ b/src/session.ts @@ -72,6 +72,7 @@ export async function refreshSession(request: Request, { organizationId }: { org sessionId, organizationId: newOrgId, role, + roles, permissions, entitlements, featureFlags, 
@@ -83,6 +84,7 @@ export async function refreshSession(request: Request, { organizationId }: { org accessToken, organizationId: newOrgId, role, + roles, permissions, entitlements, featureFlags, @@ -332,6 +334,7 @@ export async function authkitLoader( entitlements: null, featureFlags: null, role: null, + roles: null, sessionId: null, }; @@ -343,6 +346,7 @@ export async function authkitLoader( sessionId, organizationId = null, role = null, + roles = null, permissions = [], entitlements = [], featureFlags = [], @@ -365,6 +369,7 @@ export async function authkitLoader( sessionId, organizationId, role, + roles, permissions, entitlements, featureFlags, @@ -497,6 +502,7 @@ export function getClaimsFromAccessToken(accessToken: string) { sid: sessionId, org_id: organizationId, role, + roles, permissions, entitlements, feature_flags: featureFlags, @@ -510,6 +516,7 @@ export function getClaimsFromAccessToken(accessToken: string) { sessionId, organizationId, role, + roles, permissions, entitlements, featureFlags,
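Review bot: In the `@@ -343,6 +346,7 @@` hunk of src/session.ts (authkitLoader), `roles = null` copies the scalar `role = null` default, while the other list claims in the same destructuring default to `[]` (`permissions = []`, `entitlements = []`, `featureFlags = []`). For an authenticated session that leaves `roles` as the one list a caller must null-guard before an authorization check such as a membership test, which is easy to miss. If null is deliberate, to mean the token carried no roles claim, say so with a comment like `// roles stays null when the access token has no roles claim`; otherwise `roles = [],` keeps the list claims uniform. The destructuring statement starts and ends outside the hunk.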
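Review bot: In the `@@ -497,6 +502,7 @@` hunk (getClaimsFromAccessToken), `roles` is taken from the decoded token payload and returned as-is in the `@@ -510,6 +516,7 @@` hunk, with no runtime shape check in the visible lines. Since roles typically drive authorization, a payload where the claim is a string or some other non-array would flow through as if it were a list; consider `roles: Array.isArray(roles) ? roles : undefined,` in the returned object. The decode call is outside both hunks, so whether the signature is verified before these claims are read cannot be seen here; a doc comment on the function stating that callers must pass only an already verified token would make that contract explicit.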