Add type guard from session claims
LauraBeatris committed Dec 19, 2024
1 parent 35f121e commit 4b60ed7
Showing 2 changed files with 27 additions and 3 deletions.
6 changes: 3 additions & 3 deletions packages/backend/src/tokens/authObjects.ts
@@ -1,7 +1,7 @@
import { createCheckAuthorization } from '@clerk/shared/authorization';
import type {
ActClaim,
CheckAuthorizationWithCustomPermissions,
CheckAuthorizationFromSessionClaims,
JwtPayload,
OrganizationCustomPermissionKey,
OrganizationCustomRoleKey,
@@ -42,7 +42,7 @@ export type SignedInAuthObject = {
*/
factorVerificationAge: [number, number] | null;
getToken: ServerGetToken;
has: CheckAuthorizationWithCustomPermissions;
has: CheckAuthorizationFromSessionClaims;
debug: AuthObjectDebug;
};

@@ -65,7 +65,7 @@ export type SignedOutAuthObject = {
*/
factorVerificationAge: null;
getToken: ServerGetToken;
has: CheckAuthorizationWithCustomPermissions;
has: CheckAuthorizationFromSessionClaims;
debug: AuthObjectDebug;
};

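--- a/packages/types/src/session.ts
+++ b/packages/types/src/session.ts
@@ -15,6 +15,7 @@ import type {
 OrganizationCustomPermissionKey,
 OrganizationCustomRoleKey,
 OrganizationPermissionKey,
+OrganizationSystemPermissionPrefix,
 } from './organizationMembership';
 import type { ClerkResource } from './resource';
 import type {
@@ -25,6 +26,29 @@ import type {
 import type { TokenResource } from './token';
 import type { UserResource } from './user';
 
+type DisallowSystemPermissions<P extends string> = P extends `${OrganizationSystemPermissionPrefix}${string}`
+? 'System permissions are not included in session claims and cannot be used on the server-side'
+: P;
+
+/**
+* Type guard for server-side authorization checks using session claims.
+* System permissions are not allowed since they are not included
+* in session claims and cannot be verified on the server side.
+*/
+export type CheckAuthorizationFromSessionClaims = <P extends OrganizationCustomPermissionKey>(
+isAuthorizedParams: WithReverification<
+| {
+role: OrganizationCustomRoleKey;
+permission?: never;
+}
+| {
+role?: never;
+permission: DisallowSystemPermissions<P>;
+}
+| { role?: never; permission?: never }
+>,
+) => boolean;
+
 export type CheckAuthorizationFn<Params> = (isAuthorizedParams: Params) => boolean;
 
 export type CheckAuthorizationWithCustomPermissions =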
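Review bot: The restriction added by `DisallowSystemPermissions` in packages/types/src/session.ts is compile-time only and applies only when `P` is inferred as a string literal, which the doc comment on `CheckAuthorizationFromSessionClaims` does not say. A permission whose static type is wider than a literal (plain `string`, if `OrganizationCustomPermissionKey` admits it), a cast, or a call from untyped JavaScript is not rejected, so the runtime `has` implementation, which is not part of this diff, still has to treat a system permission as not granted. I would add to the doc comment something like `* Enforced by the type checker only; the runtime check must still deny system permissions, which are absent from session claims.` The comment also calls the alias a "type guard", which in TypeScript normally means an `x is T` predicate; "function type" would be more accurate, and `DisallowSystemPermissions` deserves a one-line comment saying the string in its true branch is a deliberate error message.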
