feat: Add active organization's permission in session claims

When decoding and verifying a session token, we are now parsing any organization
permissions that might be included and make them available as part of the
SessionClaims struct

clerk/tokens.go

@@ -18,12 +18,13 @@ type TokenClaims struct {
 
 type SessionClaims struct {
 	jwt.Claims
-	SessionID              string          `json:"sid"`
-	AuthorizedParty        string          `json:"azp"`
-	ActiveOrganizationID   string          `json:"org_id"`
-	ActiveOrganizationSlug string          `json:"org_slug"`
-	ActiveOrganizationRole string          `json:"org_role"`
-	Actor                  json.RawMessage `json:"act,omitempty"`
+	SessionID                     string          `json:"sid"`
+	AuthorizedParty               string          `json:"azp"`
+	ActiveOrganizationID          string          `json:"org_id"`
+	ActiveOrganizationSlug        string          `json:"org_slug"`
+	ActiveOrganizationRole        string          `json:"org_role"`
+	ActiveOrganizationPermissions []string        `json:"org_permissions"`
+	Actor                         json.RawMessage `json:"act,omitempty"`
 }
 
 // DecodeToken decodes a jwt token without verifying it.

clerk/tokens_test.go

@@ -48,11 +48,12 @@ var (
 			Expiry:   nil,
 			IssuedAt: nil,
 		},
-		SessionID:              "session_id",
-		AuthorizedParty:        "authorized_party",
-		ActiveOrganizationID:   "org_id",
-		ActiveOrganizationSlug: "org_slug",
-		ActiveOrganizationRole: "org_role",
+		SessionID:                     "session_id",
+		AuthorizedParty:               "authorized_party",
+		ActiveOrganizationID:          "org_id",
+		ActiveOrganizationSlug:        "org_slug",
+		ActiveOrganizationRole:        "org_role",
+		ActiveOrganizationPermissions: []string{"org:billing:manage", "org:report:view"},
 	}
 )