From 6a847b2caa93b7624c179fbd1badac88f61e5620 Mon Sep 17 00:00:00 2001 From: David Porter Date: Thu, 2 Jul 2026 15:17:58 +1000 Subject: [PATCH] AP-9461 # update isAuthorised to accept SAML groups --- CHANGELOG.md | 1 + package-lock.json | 32 +------------------------------- src/apps/auth-service.ts | 22 ++++++++++++++++------ 3 files changed, 18 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 24343d7f..dc631d4d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **[BREAKING]** `useMfa()` to require an `mfaMethod` parameter for `beginMfaSetup(mfaMethod)` - **[BREAKING]** `useUserMeetsMfaRequirement(mfaRequirement)` to accept an `MfaRequirement` and return `{ mfaSetupRequired, isLoading, loadingError, refreshMfa }` instead of a boolean - **[BREAKING]** MFA functions and types moved from `authService` to `mfaService` +- **[BREAKING]** changed signaure of `authService.isAuthorised` to include SAML groups ### Fixed diff --git a/package-lock.json b/package-lock.json index 094efcbf..3d751727 100644 --- a/package-lock.json +++ b/package-lock.json @@ -4629,7 +4629,7 @@ }, "node_modules/@oneblink/types": { "version": "1.0.0", - "resolved": "git+ssh://git@github.com/oneblink/types.git#7b9448e00309780bdd7d65993278231a7e30596d", + "resolved": "git+ssh://git@github.com/oneblink/types.git#f3828e0e3888734731ca145de59170c45b2a65a3", "dev": true, "license": "GPL-3.0-only", "dependencies": { @@ -5210,9 +5210,6 @@ "arm64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -5230,9 +5227,6 @@ "arm64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -5250,9 +5244,6 @@ "ppc64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -5270,9 +5261,6 @@ "s390x" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -5290,9 +5278,6 @@ "x64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -5310,9 +5295,6 @@ "x64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -12970,9 +12952,6 @@ "arm64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -12994,9 +12973,6 @@ "arm64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -13018,9 +12994,6 @@ "x64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -13042,9 +13015,6 @@ "x64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MPL-2.0", "optional": true, "os": [ diff --git a/src/apps/auth-service.ts b/src/apps/auth-service.ts index 74a1816e..52eb5a53 100644 --- a/src/apps/auth-service.ts +++ b/src/apps/auth-service.ts @@ -100,28 +100,38 @@ export function init({ oAuthClientId }: { oAuthClientId: string }) { /** * Determine if the current user is a OneBlink App User for a OneBlink Forms - * App. Returns `false` if the current user is not logged in. + * App. Returns `false` if the current user is not logged in or not authorised + * for the given SAML groups. * * #### Example * * ```js - * const formsAppId = 1 - * const isAuthorised = await authService.isAuthorised(formsAppId) + * const isAuthorised = await authService.isAuthorised({ + * formsAppId: 1, + * samlGroups: ['group1', 'group2'], + * }) * if (!isAuthorised) { * // handle unauthorised user * } * ``` * - * @param formsAppId + * @param options.formsAppId + * @param options.samlGroups * @param abortSignal * @returns */ export async function isAuthorised( - formsAppId: number, + { formsAppId, samlGroups }: { formsAppId: number; samlGroups?: string[] }, abortSignal?: AbortSignal, ): Promise { return getCurrentFormsAppUser(formsAppId, abortSignal) - .then(() => true) + .then((userProfile) => { + // if no SAML groups are provided, then provided the user is authenticated then they're authorised + if (!samlGroups) { + return true + } + return samlGroups.some((group) => userProfile?.groups.includes(group)) + }) .catch((error) => { if (error.status >= 400 && error.status < 500) { return false