289 lines
9.9 KiB
TypeScript
289 lines
9.9 KiB
TypeScript
import NextAuth, { NextAuthOptions } from "next-auth";
|
|
import KeycloakProvider from "next-auth/providers/keycloak";
|
|
|
|
// Define Keycloak profile type
|
|
interface KeycloakProfile {
|
|
sub: string;
|
|
email?: string;
|
|
name?: string;
|
|
preferred_username?: string;
|
|
given_name?: string;
|
|
family_name?: string;
|
|
realm_access?: {
|
|
roles: string[];
|
|
};
|
|
}
|
|
|
|
// Define custom profile type
|
|
interface CustomProfile {
|
|
id: string;
|
|
name?: string | null;
|
|
email?: string | null;
|
|
username: string;
|
|
first_name: string;
|
|
last_name: string;
|
|
role: string[];
|
|
}
|
|
|
|
// Declare module augmentation for NextAuth types
|
|
declare module "next-auth" {
|
|
interface Session {
|
|
user: {
|
|
id: string;
|
|
name?: string | null;
|
|
email?: string | null;
|
|
image?: string | null;
|
|
username: string;
|
|
first_name: string;
|
|
last_name: string;
|
|
role: string[];
|
|
};
|
|
accessToken?: string;
|
|
}
|
|
|
|
interface JWT {
|
|
sub?: string;
|
|
accessToken?: string;
|
|
refreshToken?: string;
|
|
role?: string[];
|
|
username?: string;
|
|
first_name?: string;
|
|
last_name?: string;
|
|
}
|
|
}
|
|
|
|
// Simple, minimal implementation - NO REFRESH TOKEN LOGIC
|
|
export const authOptions: NextAuthOptions = {
|
|
providers: [
|
|
KeycloakProvider({
|
|
clientId: process.env.KEYCLOAK_CLIENT_ID || "",
|
|
clientSecret: process.env.KEYCLOAK_CLIENT_SECRET || "",
|
|
issuer: process.env.KEYCLOAK_ISSUER || "",
|
|
profile(profile: any) {
|
|
// Just return a simple profile with required fields
|
|
return {
|
|
id: profile.sub,
|
|
name: profile.name || profile.preferred_username,
|
|
email: profile.email,
|
|
image: null,
|
|
username: profile.preferred_username || profile.email?.split('@')[0] || '',
|
|
first_name: profile.given_name || '',
|
|
last_name: profile.family_name || '',
|
|
role: ['user'],
|
|
// Store raw profile data for later processing
|
|
raw_profile: profile
|
|
};
|
|
}
|
|
}),
|
|
],
|
|
session: {
|
|
strategy: "jwt",
|
|
maxAge: 8 * 60 * 60, // 8 hours
|
|
},
|
|
callbacks: {
|
|
async jwt({ token, account, profile, user }: any) {
|
|
// Debug input parameters to understand what's available
|
|
console.log('JWT callback - input parameters:', {
|
|
hasAccount: !!account,
|
|
hasProfile: !!profile,
|
|
hasUser: !!user,
|
|
hasToken: !!token,
|
|
tokenSub: token?.sub,
|
|
tokenAccessToken: token?.accessToken ? '[exists]' : undefined
|
|
});
|
|
|
|
// Initial sign in
|
|
if (account && account.access_token) {
|
|
console.log('JWT callback - NEW SIGN IN with access token detected');
|
|
token.accessToken = account.access_token;
|
|
token.refreshToken = account.refresh_token;
|
|
|
|
// Process the raw profile data if available
|
|
if (user && user.raw_profile) {
|
|
console.log('JWT callback - Raw profile data found, extracting roles');
|
|
const rawProfile = user.raw_profile;
|
|
|
|
// Extract roles from all possible sources
|
|
let roles: string[] = [];
|
|
|
|
// Get roles from realm_access
|
|
if (rawProfile.realm_access && Array.isArray(rawProfile.realm_access.roles)) {
|
|
console.log('Found realm_access roles:', rawProfile.realm_access.roles);
|
|
roles = roles.concat(rawProfile.realm_access.roles);
|
|
}
|
|
|
|
// Get roles from resource_access
|
|
if (rawProfile.resource_access) {
|
|
const clientId = process.env.KEYCLOAK_CLIENT_ID;
|
|
if (clientId &&
|
|
rawProfile.resource_access[clientId] &&
|
|
Array.isArray(rawProfile.resource_access[clientId].roles)) {
|
|
console.log('Found client-specific roles:', rawProfile.resource_access[clientId].roles);
|
|
roles = roles.concat(rawProfile.resource_access[clientId].roles);
|
|
}
|
|
|
|
// Also check resource_access roles under 'account'
|
|
if (rawProfile.resource_access.account &&
|
|
Array.isArray(rawProfile.resource_access.account.roles)) {
|
|
console.log('Found account roles:', rawProfile.resource_access.account.roles);
|
|
roles = roles.concat(rawProfile.resource_access.account.roles);
|
|
}
|
|
}
|
|
|
|
// Clean up roles and convert to lowercase
|
|
const cleanedRoles = roles
|
|
.filter(Boolean)
|
|
.map(role => role.toLowerCase());
|
|
|
|
// Always ensure user has basic user role
|
|
const finalRoles = [...new Set([...cleanedRoles, 'user'])];
|
|
|
|
// Add the application-specific roles for testing
|
|
finalRoles.push('admin', 'dataintelligence', 'coding', 'expression', 'mediation');
|
|
|
|
// Store roles in token
|
|
token.role = [...new Set(finalRoles)]; // Ensure uniqueness
|
|
console.log('JWT callback - Extracted roles:', token.role);
|
|
} else if (user && user.role) {
|
|
console.log('JWT callback - Using roles from user object:', user.role);
|
|
token.role = Array.isArray(user.role) ? user.role : [user.role];
|
|
} else {
|
|
console.log('JWT callback - No profile data, setting default roles');
|
|
token.role = ['user', 'admin', 'dataintelligence', 'coding', 'expression', 'mediation'];
|
|
}
|
|
|
|
// Store user information
|
|
if (user) {
|
|
token.username = user.username || user.name || '';
|
|
token.first_name = user.first_name || '';
|
|
token.last_name = user.last_name || '';
|
|
}
|
|
}
|
|
// Token exists but no roles, add default roles for testing
|
|
else if (token && !token.role) {
|
|
console.log('JWT callback - Token exists but no roles, adding defaults');
|
|
// For testing purposes, add all roles
|
|
token.role = ['user', 'admin', 'dataintelligence', 'coding', 'expression', 'mediation'];
|
|
}
|
|
|
|
// Log the token roles
|
|
console.log('JWT token structure:', JSON.stringify({
|
|
sub: token.sub,
|
|
role: token.role,
|
|
username: token.username
|
|
}, null, 2));
|
|
console.log('JWT token roles:', token.role);
|
|
return token;
|
|
},
|
|
async session({ session, token }: any) {
|
|
console.log('Session callback - input parameters:', {
|
|
hasSession: !!session,
|
|
hasToken: !!token,
|
|
tokenRole: token?.role,
|
|
tokenSub: token?.sub
|
|
});
|
|
|
|
// Pass necessary info to the session
|
|
session.accessToken = token.accessToken;
|
|
if (session.user) {
|
|
session.user.id = token.sub || "";
|
|
|
|
// Ensure roles are passed to the session
|
|
if (token.role && Array.isArray(token.role)) {
|
|
session.user.role = token.role;
|
|
session.user.username = token.username || '';
|
|
session.user.first_name = token.first_name || '';
|
|
session.user.last_name = token.last_name || '';
|
|
console.log('Session callback - using token roles:', token.role);
|
|
} else {
|
|
// Fallback roles - ENSURE ALL REQUIRED ROLES ARE INCLUDED
|
|
session.user.role = ["user", "admin", "dataintelligence", "coding", "expression", "mediation"];
|
|
session.user.username = '';
|
|
session.user.first_name = '';
|
|
session.user.last_name = '';
|
|
console.log('Session callback - no token roles, using fallback');
|
|
}
|
|
|
|
// Log the session user roles
|
|
console.log('Session user roles:', session.user.role);
|
|
}
|
|
return session;
|
|
}
|
|
},
|
|
pages: {
|
|
signIn: '/signin',
|
|
error: '/signin',
|
|
},
|
|
cookies: {
|
|
sessionToken: {
|
|
name: 'next-auth.session-token',
|
|
options: {
|
|
httpOnly: true,
|
|
sameSite: 'none',
|
|
path: '/',
|
|
secure: true,
|
|
},
|
|
},
|
|
},
|
|
debug: true, // Enable debug logs to help with troubleshooting
|
|
};
|
|
|
|
/**
|
|
* Maps Keycloak roles to application-specific roles
|
|
*/
|
|
function mapToApplicationRoles(keycloakRoles: string[]): string[] {
|
|
const mappings: Record<string, string[]> = {
|
|
// Map Keycloak roles to your application's role names
|
|
'admin': ['admin', 'dataintelligence', 'coding', 'expression', 'mediation'],
|
|
'owner': ['admin', 'dataintelligence', 'coding', 'expression', 'mediation'],
|
|
'cercle-admin': ['admin', 'dataintelligence', 'coding', 'expression', 'mediation'],
|
|
'manager': ['dataintelligence', 'coding', 'expression', 'mediation'],
|
|
'developer': ['coding', 'dataintelligence'],
|
|
'data-scientist': ['dataintelligence'],
|
|
'designer': ['expression'],
|
|
'writer': ['expression'],
|
|
'mediator': ['mediation'],
|
|
// Default access roles from Keycloak
|
|
'default-roles-cercle': ['user'],
|
|
'uma_authorization': ['user'],
|
|
'offline_access': ['user'],
|
|
// Add more mappings as needed
|
|
};
|
|
|
|
// Convert all keycloak roles to lowercase for case-insensitive matching
|
|
const lowerKeycloakRoles = keycloakRoles.map(role => role.toLowerCase());
|
|
|
|
// Map roles based on the defined mappings
|
|
let applicationRoles: string[] = [];
|
|
|
|
// Check all Keycloak roles for matches in our mapping
|
|
for (const role of lowerKeycloakRoles) {
|
|
if (mappings[role]) {
|
|
applicationRoles = applicationRoles.concat(mappings[role]);
|
|
}
|
|
|
|
// Handle any role that contains certain keywords
|
|
if (role.includes('admin')) {
|
|
applicationRoles.push('admin', 'dataintelligence', 'coding', 'expression', 'mediation');
|
|
} else if (role.includes('developer') || role.includes('dev')) {
|
|
applicationRoles.push('coding', 'dataintelligence');
|
|
} else if (role.includes('design')) {
|
|
applicationRoles.push('expression');
|
|
} else if (role.includes('data')) {
|
|
applicationRoles.push('dataintelligence');
|
|
} else if (role.includes('mediat')) {
|
|
applicationRoles.push('mediation');
|
|
}
|
|
}
|
|
|
|
// Ensure user always has basic access
|
|
applicationRoles.push('user');
|
|
|
|
// Return unique application roles
|
|
return [...new Set(applicationRoles)];
|
|
}
|
|
|
|
const handler = NextAuth(authOptions);
|
|
export { handler as GET, handler as POST };
|
|
|