-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Add session claims helper methods to check roles and permissions
- Loading branch information
1 parent
fede4e5
commit 7c37e14
Showing
3 changed files
with
65 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| package clerk | ||
|
|
||
| import ( | ||
| "encoding/json" | ||
|
|
||
| "github.com/go-jose/go-jose/v3/jwt" | ||
| ) | ||
|
|
||
| type SessionClaims struct { | ||
| jwt.Claims | ||
| SessionID string `json:"sid"` | ||
| AuthorizedParty string `json:"azp"` | ||
| ActiveOrganizationID string `json:"org_id"` | ||
| ActiveOrganizationSlug string `json:"org_slug"` | ||
| ActiveOrganizationRole string `json:"org_role"` | ||
| ActiveOrganizationPermissions []string `json:"org_permissions"` | ||
| Actor json.RawMessage `json:"act,omitempty"` | ||
| } | ||
|
|
||
| // HasPermission checks if the user has the specific permission | ||
| // in their session claims. | ||
| func (s *SessionClaims) HasPermission(permission string) bool { | ||
| for _, sessPermission := range s.ActiveOrganizationPermissions { | ||
| if sessPermission == permission { | ||
| return true | ||
| } | ||
| } | ||
| return false | ||
| } | ||
|
|
||
| // HasRole checks if the user has the specific role | ||
| // in their session claims. | ||
| // Performing role checks is not considered a best-practice and | ||
| // developers should avoid it as much as possible. | ||
| // Usually, complex role checks can be refactored with a single permission check. | ||
| func (s *SessionClaims) HasRole(role string) bool { | ||
| return s.ActiveOrganizationRole == role | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| package clerk | ||
|
|
||
| import ( | ||
| "testing" | ||
|
|
||
| "github.com/stretchr/testify/assert" | ||
| ) | ||
|
|
||
| func TestSessionClaims_HasPermissiont(t *testing.T) { | ||
| // user has permission | ||
| hasPermission := dummySessionClaims.HasPermission("org:billing:manage") | ||
| assert.True(t, hasPermission) | ||
|
|
||
| // user does not have permission | ||
| hasPermission = dummySessionClaims.HasPermission("org:billing:create") | ||
| assert.False(t, hasPermission) | ||
| } | ||
|
|
||
| func TestSessionClaims_HasRole(t *testing.T) { | ||
| // user has role | ||
| hasRole := dummySessionClaims.HasRole("org_role") | ||
| assert.True(t, hasRole) | ||
|
|
||
| // user does not have role | ||
| hasRole = dummySessionClaims.HasRole("org_role_nonexistent") | ||
| assert.False(t, hasRole) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters