session correction sidebar items 8

2025-04-18 15:10:03 +02:00 · 2025-04-18 15:10:03 +02:00 · 64c8fed9f4
commit 64c8fed9f4
parent c3ba88177a
13 changed files with 456 additions and 0 deletions
--- a/app/api/auth/[...nextauth]/route.ts
+++ b/app/api/auth/[...nextauth]/route.ts
@ -1,5 +1,6 @@
 import NextAuth, { NextAuthOptions } from "next-auth";
 import KeycloakProvider from "next-auth/providers/keycloak";
+import { jwtDecode } from "jwt-decode";

 interface KeycloakProfile {
  sub: string;
@ -14,6 +15,13 @@ interface KeycloakProfile {
  };
 }

+interface DecodedToken {
+  realm_access?: {
+    roles: string[];
+  };
+  [key: string]: any;
+}
+
 declare module "next-auth" {
  interface Session {
    user: {
@ -170,6 +178,27 @@ export const authOptions: NextAuthOptions = {
          tokenRoles: token.role,
          token
        });
+      } else if (token.accessToken) {
+        // Decode the token to get roles
+        try {
+          const decoded = jwtDecode<DecodedToken>(token.accessToken);
+          console.log('Decoded token:', decoded);
+
+          if (decoded.realm_access?.roles) {
+            const roles = decoded.realm_access.roles;
+            console.log('Decoded token roles:', roles);
+
+            // Clean up roles by removing ROLE_ prefix and converting to lowercase
+            const cleanRoles = roles.map((role: string) => 
+              role.replace(/^ROLE_/, '').toLowerCase()
+            );
+
+            console.log('Decoded token cleaned roles:', cleanRoles);
+            token.role = cleanRoles;
+          }
+        } catch (error) {
+          console.error('Error decoding token:', error);
+        }
      }

      if (Date.now() < (token.accessTokenExpires as number) * 1000) {
--- a/node_modules/.package-lock.json
+++ b/node_modules/.package-lock.json
@ -3495,6 +3495,15 @@
      "integrity": "sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A==",
      "license": "MIT"
    },
+    "node_modules/jwt-decode": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/jwt-decode/-/jwt-decode-4.0.0.tgz",
+      "integrity": "sha512-+KJGIyHgkGuIq3IEBNftfhW/LfWhXUIY6OmyVWjliu5KH1y0fw7VQ8YndE2O4qZdMSd9SqbnC8GOcZEy0Om7sA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      }
+    },
    "node_modules/leac": {
      "version": "0.6.0",
      "resolved": "https://registry.npmjs.org/leac/-/leac-0.6.0.tgz",
--- a/node_modules/jwt-decode/LICENSE
+++ b/node_modules/jwt-decode/LICENSE
@ -0,0 +1,21 @@
+The MIT License (MIT)
+ 
+Copyright (c) 2015 Auth0, Inc. <support@auth0.com> (http://auth0.com)
+ 
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+ 
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+ 
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/node_modules/jwt-decode/README.md
+++ b/node_modules/jwt-decode/README.md
@ -0,0 +1,134 @@
+![Browser library that helps decoding JWT tokens which are Base64Url encoded](https://cdn.auth0.com/website/sdks/banners/jwt-decode-banner.png)
+
+**IMPORTANT:** This library doesn't validate the token, any well-formed JWT can be decoded. You should validate the token in your server-side logic by using something like [express-jwt](https://github.com/auth0/express-jwt), [koa-jwt](https://github.com/stiang/koa-jwt), [Microsoft.AspNetCore.Authentication.JwtBearer](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer), etc.
+
+![Release](https://img.shields.io/npm/v/jwt-decode)
+![Downloads](https://img.shields.io/npm/dw/jwt-decode)
+[![License](https://img.shields.io/:license-MIT-blue.svg?style=flat)](https://opensource.org/licenses/MIT)
+[![CircleCI](https://img.shields.io/circleci/build/github/auth0/jwt-decode)](https://circleci.com/gh/auth0/jwt-decode)
+
+:books: [Documentation](#documentation) - :rocket: [Getting Started](#getting-started) - :speech_balloon: [Feedback](#feedback)
+
+## Documentation
+
+- [Docs site](https://www.auth0.com/docs) - explore our docs site and learn more about Auth0.
+
+## Getting started
+
+### Installation
+
+Install with NPM or Yarn.
+
+Run `npm install jwt-decode` or `yarn add jwt-decode` to install the library.
+
+### Usage
+
+```js
+import { jwtDecode } from "jwt-decode";
+
+const token = "eyJ0eXAiO.../// jwt token";
+const decoded = jwtDecode(token);
+
+console.log(decoded);
+
+/* prints:
+ * { 
+ *   foo: "bar",
+ *   exp: 1393286893,
+ *   iat: 1393268893  
+ * }
+ */
+
+// decode header by passing in options (useful for when you need `kid` to verify a JWT):
+const decodedHeader = jwtDecode(token, { header: true });
+console.log(decodedHeader);
+
+/* prints:
+ * { 
+ *   typ: "JWT",
+ *   alg: "HS256" 
+ * }
+ */
+```
+
+**Note:** A falsy or malformed token will throw an `InvalidTokenError` error; see below for more information on specific errors.
+
+## Errors
+
+This library works with valid JSON web tokens. The basic format of these token is
+```
+[part1].[part2].[part3]
+```
+All parts are supposed to be valid base64 (url) encoded json.
+Depending on the `{ header: <option> }` option it will decode part 1 (only if header: true is specified) or part 2 (default)
+
+Not adhering to the format will result in a `InvalidTokenError` with one of the following messages:
+
+- `Invalid token specified: must be a string` => the token passed was not a string, this library only works on strings. 
+- `Invalid token specified: missing part #` => this probably means you are missing a dot (`.`) in the token 
+- `Invalid token specified: invalid base64 for part #` => the part could not be base64 decoded (the message should contain the error the base64 decoder gave)
+- `Invalid token specified: invalid json for part #` => the part was correctly base64 decoded, however, the decoded value was not valid JSON (the message should contain the error the JSON parser gave)
+
+#### Use with TypeScript
+
+The return type of the `jwtDecode` function is determined by the `header` property of the object passed as the second argument. If omitted (or set to false), it'll use `JwtPayload`, when true it will use `JwtHeader`. 
+If needed, you can specify what the expected return type should be by passing a type argument to the `jwtDecode` function.
+
+You can extend both `JwtHeader` and `JwtPayload` to include non-standard claims or properties.
+
+```typescript
+import { jwtDecode } from "jwt-decode";
+
+const token = "eyJhsw5c";
+const decoded = jwtDecode<JwtPayload>(token); // Returns with the JwtPayload type
+```
+
+#### Use as a CommonJS package
+
+```javascript
+const { jwtDecode } = require('jwt-decode');
+...
+```
+
+#### Include with a script tag
+
+Copy the file `jwt-decode.js` from the root of the `build/esm` folder to your project somewhere, then import `jwtDecode` from it inside a script tag that's marked with `type="module"`:
+
+```html
+<script type="module">
+  import { jwtDecode } from "/path/to/jwt-decode.js";
+
+  const token = "eyJhsw5c";
+  const decoded = jwtDecode(token);
+</script>
+```
+
+## Feedback
+
+### Contributing
+
+We appreciate feedback and contribution to this repo! Before you get started, please see the following:
+
+- [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
+- [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
+
+### Raise an issue
+
+To provide feedback or report a bug, please [raise an issue on our issue tracker](https://github.com/auth0/jwt-decode/issues).
+
+### Vulnerability Reporting
+
+Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/responsible-disclosure-policy) details the procedure for disclosing security issues.
+
+---
+
+<p align="center">
+  <picture>
+    <source media="(prefers-color-scheme: light)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png"   width="150">
+    <source media="(prefers-color-scheme: dark)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_dark_mode.png" width="150">
+    <img alt="Auth0 Logo" src="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150">
+  </picture>
+</p>
+<p align="center">Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout <a href="https://auth0.com/why-auth0">Why Auth0?</a></p>
+<p align="center">
+This project is licensed under the MIT license. See the <a href="./LICENSE"> LICENSE</a> file for more info.</p>
--- a/node_modules/jwt-decode/build/cjs/index.d.ts
+++ b/node_modules/jwt-decode/build/cjs/index.d.ts
@ -0,0 +1,23 @@
+export interface JwtDecodeOptions {
+    header?: boolean;
+}
+export interface JwtHeader {
+    typ?: string;
+    alg?: string;
+    kid?: string;
+}
+export interface JwtPayload {
+    iss?: string;
+    sub?: string;
+    aud?: string[] | string;
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+}
+export declare class InvalidTokenError extends Error {
+}
+export declare function jwtDecode<T = JwtHeader>(token: string, options: JwtDecodeOptions & {
+    header: true;
+}): T;
+export declare function jwtDecode<T = JwtPayload>(token: string, options?: JwtDecodeOptions): T;
--- a/node_modules/jwt-decode/build/cjs/index.js
+++ b/node_modules/jwt-decode/build/cjs/index.js
@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jwtDecode = exports.InvalidTokenError = void 0;
+class InvalidTokenError extends Error {
+}
+exports.InvalidTokenError = InvalidTokenError;
+InvalidTokenError.prototype.name = "InvalidTokenError";
+function b64DecodeUnicode(str) {
+    return decodeURIComponent(atob(str).replace(/(.)/g, (m, p) => {
+        let code = p.charCodeAt(0).toString(16).toUpperCase();
+        if (code.length < 2) {
+            code = "0" + code;
+        }
+        return "%" + code;
+    }));
+}
+function base64UrlDecode(str) {
+    let output = str.replace(/-/g, "+").replace(/_/g, "/");
+    switch (output.length % 4) {
+        case 0:
+            break;
+        case 2:
+            output += "==";
+            break;
+        case 3:
+            output += "=";
+            break;
+        default:
+            throw new Error("base64 string is not of the correct length");
+    }
+    try {
+        return b64DecodeUnicode(output);
+    }
+    catch (err) {
+        return atob(output);
+    }
+}
+function jwtDecode(token, options) {
+    if (typeof token !== "string") {
+        throw new InvalidTokenError("Invalid token specified: must be a string");
+    }
+    options || (options = {});
+    const pos = options.header === true ? 0 : 1;
+    const part = token.split(".")[pos];
+    if (typeof part !== "string") {
+        throw new InvalidTokenError(`Invalid token specified: missing part #${pos + 1}`);
+    }
+    let decoded;
+    try {
+        decoded = base64UrlDecode(part);
+    }
+    catch (e) {
+        throw new InvalidTokenError(`Invalid token specified: invalid base64 for part #${pos + 1} (${e.message})`);
+    }
+    try {
+        return JSON.parse(decoded);
+    }
+    catch (e) {
+        throw new InvalidTokenError(`Invalid token specified: invalid json for part #${pos + 1} (${e.message})`);
+    }
+}
+exports.jwtDecode = jwtDecode;
--- a/node_modules/jwt-decode/build/cjs/package.json
+++ b/node_modules/jwt-decode/build/cjs/package.json
@ -0,0 +1 @@
+{"type": "commonjs"}
--- a/node_modules/jwt-decode/build/esm/index.d.ts
+++ b/node_modules/jwt-decode/build/esm/index.d.ts
@ -0,0 +1,23 @@
+export interface JwtDecodeOptions {
+    header?: boolean;
+}
+export interface JwtHeader {
+    typ?: string;
+    alg?: string;
+    kid?: string;
+}
+export interface JwtPayload {
+    iss?: string;
+    sub?: string;
+    aud?: string[] | string;
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+}
+export declare class InvalidTokenError extends Error {
+}
+export declare function jwtDecode<T = JwtHeader>(token: string, options: JwtDecodeOptions & {
+    header: true;
+}): T;
+export declare function jwtDecode<T = JwtPayload>(token: string, options?: JwtDecodeOptions): T;
--- a/node_modules/jwt-decode/build/esm/index.js
+++ b/node_modules/jwt-decode/build/esm/index.js
@ -0,0 +1,57 @@
+export class InvalidTokenError extends Error {
+}
+InvalidTokenError.prototype.name = "InvalidTokenError";
+function b64DecodeUnicode(str) {
+    return decodeURIComponent(atob(str).replace(/(.)/g, (m, p) => {
+        let code = p.charCodeAt(0).toString(16).toUpperCase();
+        if (code.length < 2) {
+            code = "0" + code;
+        }
+        return "%" + code;
+    }));
+}
+function base64UrlDecode(str) {
+    let output = str.replace(/-/g, "+").replace(/_/g, "/");
+    switch (output.length % 4) {
+        case 0:
+            break;
+        case 2:
+            output += "==";
+            break;
+        case 3:
+            output += "=";
+            break;
+        default:
+            throw new Error("base64 string is not of the correct length");
+    }
+    try {
+        return b64DecodeUnicode(output);
+    }
+    catch (err) {
+        return atob(output);
+    }
+}
+export function jwtDecode(token, options) {
+    if (typeof token !== "string") {
+        throw new InvalidTokenError("Invalid token specified: must be a string");
+    }
+    options || (options = {});
+    const pos = options.header === true ? 0 : 1;
+    const part = token.split(".")[pos];
+    if (typeof part !== "string") {
+        throw new InvalidTokenError(`Invalid token specified: missing part #${pos + 1}`);
+    }
+    let decoded;
+    try {
+        decoded = base64UrlDecode(part);
+    }
+    catch (e) {
+        throw new InvalidTokenError(`Invalid token specified: invalid base64 for part #${pos + 1} (${e.message})`);
+    }
+    try {
+        return JSON.parse(decoded);
+    }
+    catch (e) {
+        throw new InvalidTokenError(`Invalid token specified: invalid json for part #${pos + 1} (${e.message})`);
+    }
+}
--- a/node_modules/jwt-decode/package.json
+++ b/node_modules/jwt-decode/package.json
@ -0,0 +1,81 @@
+{
+  "name": "jwt-decode",
+  "version": "4.0.0",
+  "description": "Decode JWT tokens, mostly useful for browser applications.",
+  "type": "module",
+  "main": "build/cjs/index.js",
+  "module": "build/esm/index.js",
+  "types": "build/cjs/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./build/esm/index.d.ts",
+        "default": "./build/esm/index.js"
+      },
+      "require": {
+        "types": "./build/cjs/index.d.ts",
+        "default": "./build/cjs/index.js"
+      }
+    }
+  },
+  "keywords": [
+    "jwt",
+    "browser"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git://github.com/auth0/jwt-decode"
+  },
+  "url": "https://github.com/auth0/jwt-decode/issues",
+  "homepage": "https://github.com/auth0/jwt-decode#readme",
+  "scripts": {
+    "dev": "concurrently --kill-others \"npm run build:watch\" \"npm run dev:server\"",
+    "dev:server": "browser-sync start --config bs-config.json",
+    "prebuild": "shx rm -rf ./build && shx mkdir -p ./build/cjs && shx echo '{\"type\": \"commonjs\"}'> build/cjs/package.json",
+    "build": "tsc -b ./tsconfig.cjs.json ./tsconfig.esm.json",
+    "build:watch": "npm run build -- --watch",
+    "lint": "eslint .",
+    "lint:package": "publint",
+    "test": "npm run test:node && npm run test:browser",
+    "test:node": "NODE_OPTIONS='--experimental-vm-modules --no-warnings' jest --coverage",
+    "test:browser": "NODE_OPTIONS='--experimental-vm-modules --no-warnings' jest --coverage --testEnvironment=jsdom",
+    "prepack": "npm run build",
+    "prepare": "husky install"
+  },
+  "author": "Jose F. Romaniello <jfromaniello@gmail.com>",
+  "contributors": [
+    "Sam Bellen <sam.bellen@auth0.com>"
+  ],
+  "license": "MIT",
+  "devDependencies": {
+    "@babel/core": "7.23.2",
+    "@typescript-eslint/eslint-plugin": "^6.4.1",
+    "@typescript-eslint/parser": "^6.4.1",
+    "browser-sync": "^2.29.3",
+    "concurrently": "^8.2.0",
+    "eslint": "^8.48.0",
+    "eslint-config-prettier": "^9.0.0",
+    "eslint-import-resolver-typescript": "^3.6.0",
+    "eslint-plugin-import": "^2.28.1",
+    "eslint-plugin-prettier": "^5.0.0",
+    "husky": "^8.0.3",
+    "jest": "^29.7.0",
+    "jest-environment-jsdom": "^29.6.2",
+    "lint-staged": "^15.0.2",
+    "prettier": "^3.0.2",
+    "publint": "^0.2.2",
+    "shx": "^0.3.4",
+    "ts-jest": "^29.1.1",
+    "ts-node": "^10.9.1",
+    "typescript": "^5.1.6"
+  },
+  "files": [
+    "build"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "lint-staged": {
+    "*.{js,ts}": "eslint --fix"
+  }
+}
--- a/package-lock.json
+++ b/package-lock.json
@ -54,6 +54,7 @@
        "imap": "^0.8.19",
        "imapflow": "^1.0.184",
        "input-otp": "1.4.1",
+        "jwt-decode": "^4.0.0",
        "lucide-react": "^0.454.0",
        "mailparser": "^3.7.2",
        "next": "14.2.24",
@ -4113,6 +4114,15 @@
      "integrity": "sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A==",
      "license": "MIT"
    },
+    "node_modules/jwt-decode": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/jwt-decode/-/jwt-decode-4.0.0.tgz",
+      "integrity": "sha512-+KJGIyHgkGuIq3IEBNftfhW/LfWhXUIY6OmyVWjliu5KH1y0fw7VQ8YndE2O4qZdMSd9SqbnC8GOcZEy0Om7sA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      }
+    },
    "node_modules/leac": {
      "version": "0.6.0",
      "resolved": "https://registry.npmjs.org/leac/-/leac-0.6.0.tgz",
--- a/package.json
+++ b/package.json
@ -55,6 +55,7 @@
    "imap": "^0.8.19",
    "imapflow": "^1.0.184",
    "input-otp": "1.4.1",
+    "jwt-decode": "^4.0.0",
    "lucide-react": "^0.454.0",
    "mailparser": "^3.7.2",
    "next": "14.2.24",
--- a/yarn.lock
+++ b/yarn.lock
@ -1815,6 +1815,11 @@ jsbn@1.1.0:
  resolved "https://registry.npmjs.org/jsbn/-/jsbn-1.1.0.tgz"
  integrity sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A==

+jwt-decode@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.npmjs.org/jwt-decode/-/jwt-decode-4.0.0.tgz"
+  integrity sha512-+KJGIyHgkGuIq3IEBNftfhW/LfWhXUIY6OmyVWjliu5KH1y0fw7VQ8YndE2O4qZdMSd9SqbnC8GOcZEy0Om7sA==
+
 leac@^0.6.0:
  version "0.6.0"
  resolved "https://registry.npmjs.org/leac/-/leac-0.6.0.tgz"