import { decodeJwtPayload } from "@/lib/auth/jwt-claims"
/**
 * Extracts group names from decoded token claims as trimmed, lower-cased strings.
 *
 * Reads `claims.groups` and falls back to `claims.roles` only when `groups` is
 * null or undefined; a present but non-array `groups` value yields an empty list
 * and `roles` is not consulted. Non-string entries are dropped.
 *
 * @param claims - Decoded claim set.
 * @returns Normalized group names, in their original order.
 */
function normalizeGroups(claims: Record<string, unknown>): string[] {
  const candidate = claims.groups ?? claims.roles
  if (!Array.isArray(candidate)) {
    return []
  }
  const names: string[] = []
  for (const entry of candidate) {
    if (typeof entry === "string") {
      // NOTE(review): trimming and lower-casing make " Admin " equal to "admin".
      // Confirm the identity provider treats group names as case-insensitive too,
      // so that a distinct group cannot collide with a privileged one.
      names.push(entry.trim().toLowerCase())
    }
  }
  return names
}
/**
 * Platform admin from OIDC groups (`admin`, `role:admin`).
 *
 * Returns false when the token is missing or empty, or when `decodeJwtPayload`
 * returns no claims. Group names are compared after `normalizeGroups` has
 * trimmed and lower-cased them.
 *
 * NOTE(review): this only inspects the decoded payload. Whether the token's
 * signature, issuer, audience and expiry have been verified is not visible
 * here. Confirm that happens before this result is used for an access decision.
 *
 * @param token - Encoded JWT, or null/undefined when the caller has none.
 * @returns True when the claims list `admin` or `role:admin`.
 */
export function isPlatformAdminFromToken(token: string | null | undefined): boolean {
  if (!token) {
    return false
  }
  const payload = decodeJwtPayload(token)
  if (!payload) {
    return false
  }
  const memberships = normalizeGroups(payload)
  return memberships.includes("admin") || memberships.includes("role:admin")
}
/**
 * Derives admin read/write scopes from a token's group claims.
 *
 * A missing token grants nothing, and a platform admin (per
 * `isPlatformAdminFromToken`) gets both scopes. Otherwise `admin:write` grants
 * write and read, and `admin:read` grants read only.
 *
 * NOTE(review): the scopes come from decoded claims only. Confirm the token is
 * verified elsewhere, and that the server enforces these scopes independently
 * if this result is also used to drive UI state.
 *
 * @param token - Encoded JWT, or null/undefined when the caller has none.
 * @returns Flags saying whether admin read and admin write are granted.
 */
export function adminScopesFromToken(token: string | null | undefined): {
  read: boolean
  write: boolean
} {
  if (!token) {
    return { read: false, write: false }
  }
  if (isPlatformAdminFromToken(token)) {
    return { read: true, write: true }
  }
  // An undecodable payload falls back to an empty claim set, i.e. no scopes.
  const memberships = normalizeGroups(decodeJwtPayload(token) ?? {})
  const canWrite = memberships.includes("admin:write")
  const canRead = canWrite || memberships.includes("admin:read")
  return { read: canRead, write: canWrite }
}