fix: bearer roles

Author: rob-at-cortex

packages/auth/docs/payload.md

@@ -146,8 +146,13 @@ export const Users: CollectionConfig = {
       {
         name: 'bearer-strategy',
         authenticate: async ({ payload, headers }) => {
-          const result = await authenticateRequestHeaders({headers, payload})
-          return result as any
+          const result = await authenticateRequestHeaders({ headers, payload })
+          if (!result?.user) return { user: null }
+          const user = await payload.findByID({
+            collection: 'users',
+            id: result.user.id,
+          })
+          return { user }
         },
       },
     ],
@@ -252,6 +257,18 @@ export const GET = auth(async (req) => {
 ```
 
 
+
+#### Example to fetch the logged in userid
+
+```js
+import { auth } from "@/lib/auth"
+
+function somefunction() {
+  const user = await auth().then((sess) => sess?.user?.id); // gets the user id
+}
+```
+
+
 #### Environment Variables
 ```bash
 PAYLOAD_SECRET=xxxxx

packages/auth/src/payload-jwt/authenticateRequest.ts

@@ -1,6 +1,7 @@
 
 
 import { verifySession, verifyToken } from "./user";
+import { type ValidRole, VALID_ROLES } from "./configuration";
 
 import { type Payload } from 'payload'
 
@@ -20,6 +21,16 @@ function createAuthError(message: string, statusCode: number): AuthError {
 
 export type { AuthError };
 
+function getValidRole(permissions?: string[]): ValidRole {
+  if (!permissions || permissions.length === 0) return 'user';
+  for (const permission of permissions) {
+    if (VALID_ROLES[permission]) {
+      return VALID_ROLES[permission];
+    }
+  }
+  return 'user';
+}
+
 interface User {
     id: string;
     email: string;
@@ -69,118 +80,110 @@ export async function authenticateRequest({ req, payload }: AuthenticateRequestO
             role: user.role,
             method: 'cookie',
         }
-    } else {
-        const session = await verifySession(req)
-
-        if (!session || !session.sub || !session.extra) throw createAuthError("No valid session found", 401);
-        const OAUTH_CLIENT_ID = process.env.OAUTH_CLIENT_ID!;
-        const permissions = ((session.resource_access as Record<string, { roles?: string[] }>)?.[OAUTH_CLIENT_ID]?.roles as string[] | undefined);
-        if (!permissions) throw createAuthError("User does not have permission to access this application.", 403);
-
-        if (!payload) throw createAuthError("Payload instance is required for Keycloak user normalisation", 500);
-        const payloadUser = (await payload.find({ collection: 'users', depth: 1, limit: 1, draft: false, overrideAccess: true, where: { email: { equals: session.extra.email } } })).docs[0]
-
-        if (!payloadUser && session.extra) {
-
-
-            // create the user in Payload
-            const newUser = await payload.create({
-                collection: 'users',
-                data: {
-                    email: session.extra.email,
-                    name: session.extra.name,
-                    role: permissions[0] || 'user',
-                    enabled: true,
-                    accounts: [
-                        {
-                            provider: 'keycloak', providerAccountId: session.sub, type: 'oidc',
-                        }
-                    ],
-                },
-                draft: false,
-                overrideAccess: true,
-            })
-            console.log("Created new Payload user for Keycloak user:", newUser.id, newUser.email)
-            return {
-                
-                method: 'bearer', ...newUser
-            }
-        } else if (payloadUser) {
-            // update user role if changed
-            if (payloadUser.role !== permissions[0]) {
-                await payload.update({
-                    collection: 'users',
-                    id: payloadUser.id,
-                    data: {
-                        role: permissions[0] || 'user',
-                    },
-                    draft: false,
-                    overrideAccess: true,
-                })
-                console.log(`Updated Payload user role for ${payloadUser.email} to ${permissions}`);
-            }
-
-            return { method: 'bearer', ...payloadUser }
-        } else {
-            return null;
-        }
     }
+
+    const session = await verifySession(req);
+    if (!session?.sub || !session.extra) throw createAuthError("No valid session found", 401);
+
+    const OAUTH_CLIENT_ID = process.env.OAUTH_CLIENT_ID!;
+    const permissions = ((session.resource_access as Record<string, { roles?: string[] }>)?.[OAUTH_CLIENT_ID]?.roles as string[] | undefined);
+    if (!permissions) throw createAuthError("User does not have permission to access this application.", 403);
+
+    if (!payload) throw createAuthError("Payload instance is required for Keycloak user normalisation", 500);
+
+    const payloadUser = (await payload.find({ 
+      collection: 'users', 
+      depth: 1, 
+      limit: 1, 
+      draft: false, 
+      overrideAccess: true, 
+      where: { email: { equals: session.extra.email } } 
+    })).docs[0];
+
+    const role = getValidRole(permissions);
+
+    if (!payloadUser) {
+      const newUser = await payload.create({
+        collection: 'users',
+        data: {
+          email: session.extra.email,
+          name: session.extra.name,
+          role,
+          enabled: true,
+          accounts: [{ provider: 'keycloak', providerAccountId: session.sub, type: 'oidc' }],
+        },
+        draft: false,
+        overrideAccess: true,
+      });
+      console.log("Created new Payload user for Keycloak user:", newUser.id, newUser.email);
+      return { method: 'bearer', ...newUser };
+    }
+
+    if (payloadUser.role !== role) {
+      await payload.update({
+        collection: 'users',
+        id: payloadUser.id,
+        data: { role },
+        draft: false,
+        overrideAccess: true,
+      });
+      console.log(`Updated Payload user role for ${payloadUser.email} to ${role}`);
+    }
+
+    return { method: 'bearer', ...payloadUser };
 }
 
 export async function authenticateRequestHeaders({ headers, payload }: { headers: Headers, payload: Payload }) {
-    if (!headers.get('authorization')) {
-        return null
-    }
+    const authHeader = headers.get('authorization');
+    if (!authHeader) return null;
 
-    const session = await verifyToken(headers.get('authorization')!.replace('Bearer ', ''));
+    const session = await verifyToken(authHeader.replace('Bearer ', ''));
+    if (!session?.sub || !session.extra) throw createAuthError("No valid session found", 401);
 
-    if (!session || !session.sub || !session.extra) throw createAuthError("No valid session found", 401);
     const OAUTH_CLIENT_ID = process.env.OAUTH_CLIENT_ID!;
     const permissions = ((session.resource_access as Record<string, { roles?: string[] }>)?.[OAUTH_CLIENT_ID]?.roles as string[] | undefined);
     if (!permissions) throw createAuthError("User does not have permission to access this application.", 403);
 
     if (!payload) throw createAuthError("Payload instance is required for Keycloak user normalisation", 500);
-    const payloadUser = (await payload.find({ collection: 'users', depth: 1, limit: 1, draft: false, overrideAccess: true, where: { email: { equals: session.extra.email } } })).docs[0]
-
-    if (!payloadUser && session.extra) {
-        // create the user in Payload
-        const newUser = await payload.create({
-            collection: 'users',
-            data: {
-                email: session.extra.email,
-                name: session.extra.name,
-                role: permissions[0] || 'user',
-                enabled: true,
-                accounts: [
-                    {
-                        provider: 'keycloak', providerAccountId: session.sub, type: 'oidc',
-                    }
-                ],
-            },
-            draft: false,
-            overrideAccess: true,
-        })
-        console.log("Created new Payload user for Keycloak user:", newUser.id, newUser.email)
-        return { user: { ...newUser, collection: 'users' as const } }
-
-    } else if (payloadUser) {
-        // update user role if changed
-        if (payloadUser.role !== permissions[0]) {
-            await payload.update({
-                collection: 'users',
-                id: payloadUser.id,
-                data: {
-                    role: permissions[0] || 'user',
-                },
-                draft: false,
-                overrideAccess: true,
-            })
-            console.log(`Updated Payload user role for ${payloadUser.email} to ${permissions}`);
-        }
 
-        return { user: { ...payloadUser, collection: 'users' as const } }
+    const payloadUser = (await payload.find({ 
+      collection: 'users', 
+      depth: 1, 
+      limit: 1, 
+      draft: false, 
+      overrideAccess: true, 
+      where: { email: { equals: session.extra.email } } 
+    })).docs[0];
+
+    const role = getValidRole(permissions);
+
+    if (!payloadUser) {
+      const newUser = await payload.create({
+        collection: 'users',
+        data: {
+          email: session.extra.email,
+          name: session.extra.name,
+          role,
+          enabled: true,
+          accounts: [{ provider: 'keycloak', providerAccountId: session.sub, type: 'oidc' }],
+        },
+        draft: false,
+        overrideAccess: true,
+      });
+      console.log("Created new Payload user for Keycloak user:", newUser.id, newUser.email);
+      return { user: { ...newUser, collection: 'users' as const } };
+    }
 
-    } else {
-        return null;
+    if (payloadUser.role !== role) {
+      await payload.update({
+        collection: 'users',
+        id: payloadUser.id,
+        data: { role },
+        draft: false,
+        overrideAccess: true,
+      });
+      console.log(`Updated Payload user role for ${payloadUser.email} to ${role}`);
     }
+
+    return { user: { ...payloadUser, collection: 'users' as const } };
 }

packages/auth/src/payload-jwt/configuration.ts

@@ -59,8 +59,8 @@ function upsertAccount(existing: AccountType[] = [], account: IncomingAccount, u
 }
 
 
-type ValidRole = 'user' | 'admin' | 'digital-colleague'
-const validRoles: Record<string, ValidRole> = {
+export type ValidRole = 'user' | 'admin' | 'digital-colleague'
+export const VALID_ROLES: Record<string, ValidRole> = {
   'admin': 'admin',
   'digital-colleague': 'digital-colleague',
   'user': 'user',
@@ -73,8 +73,8 @@ function profileRoles(profile: { sub: string;[key: string]: unknown }, tokens: {
     const permissions = ((decodedJWT.resource_access as Record<string, { roles?: string[] }>)?.[process.env.OAUTH_CLIENT_ID!]?.roles as string[] | undefined);
     if (permissions && Array.isArray(permissions)) {
       for (const permission of permissions) {
-        if (validRoles[permission]) {
-          role = validRoles[permission];
+        if (VALID_ROLES[permission]) {
+          role = VALID_ROLES[permission];
           break;
         }
       }
@@ -101,8 +101,8 @@ async function persistTokens(userId: string, account: IncomingAccount, payloadCo
     const permissions = ((decodedJWT.resource_access as Record<string, { roles?: string[] }>)?.[process.env.OAUTH_CLIENT_ID!]?.roles as string[] | undefined);
     if (permissions && Array.isArray(permissions)) {
       for (const permission of permissions) {
-        if (validRoles[permission]) {
-          role = validRoles[permission];
+        if (VALID_ROLES[permission]) {
+          role = VALID_ROLES[permission];
           break;
         }
       }