feat(auth): 🔒 add checking for required group

2022-04-26 09:51:11 +02:00
parent b2b0685298
commit 3db753e886
1 changed files with 34 additions and 1 deletions
--- a/apps/builder/pages/api/auth/[...nextauth].ts
+++ b/apps/builder/pages/api/auth/[...nextauth].ts
@ -1,4 +1,4 @@
-import NextAuth from 'next-auth'
+import NextAuth, { Account } from 'next-auth'
 import EmailProvider from 'next-auth/providers/email'
 import GitHubProvider from 'next-auth/providers/github'
 import GitlabProvider from 'next-auth/providers/gitlab'
@ -96,6 +96,14 @@ const handler = (req: NextApiRequest, res: NextApiResponse) => {
          user: userFromDb,
        }
      },
+      signIn: async ({ account }) => {
+        const requiredGroups = getRequiredGroups(account.provider)
+        if (requiredGroups.length > 0) {
+          const userGroups = await getUserGroups(account)
+          return checkHasGroups(userGroups, requiredGroups)
+        }
+        return true
+      },
    },
  })
 }
@ -113,4 +121,29 @@ const updateLastActivityDate = async (user: User) => {
    })
 }

+async function getUserGroups(account: Account): Promise<string[]> {
+  switch (account.provider) {
+    case 'gitlab': {
+      const res = await fetch(
+        `${process.env.NEXT_PUBLIC_GITLAB_BASE_URL || 'gitlab.com'}/api/v4/groups`,
+        { headers: { 'Authorization': `Bearer ${account.access_token}` } },
+      )
+      const userGroups: string[] = (await res.json())
+      return userGroups.map((group: any) => group.full_path)
+    }
+    default: return []
+  }
+}
+
+function getRequiredGroups(provider: string): string[] {
+  switch (provider) {
+    case 'gitlab': return process.env.GITLAB_REQUIRED_GROUPS?.split(',') || []
+    default: return []
+  }
+}
+
+function checkHasGroups(userGroups: string[], requiredGroups: string[]) {
+  return userGroups?.some(userGroup => requiredGroups?.includes(userGroup))
+}
+
 export default withSentry(handler)