Add roles to session JWT

.gitignore

@@ -2,3 +2,4 @@
 node_modules
 dist
 coverage
+.idea

src/components/authkit-provider.spec.tsx

@@ -223,6 +223,7 @@ describe('useAuth', () => {
       sessionId: 'test-session',
       organizationId: 'test-org',
       role: 'admin',
+      roles: ['admin'],
       permissions: ['read', 'write'],
       entitlements: ['feature1'],
       featureFlags: ['test-flag'],

src/components/authkit-provider.tsx

@@ -16,6 +16,7 @@ type AuthContextType = {
   sessionId: string | undefined;
   organizationId: string | undefined;
   role: string | undefined;
+  roles: string[] | undefined;
   permissions: string[] | undefined;
   entitlements: string[] | undefined;
   featureFlags: string[] | undefined;
@@ -46,6 +47,7 @@ export const AuthKitProvider = ({ children, onSessionExpired }: AuthKitProviderP
   const [sessionId, setSessionId] = useState<string | undefined>(undefined);
   const [organizationId, setOrganizationId] = useState<string | undefined>(undefined);
   const [role, setRole] = useState<string | undefined>(undefined);
+  const [roles, setRoles] = useState<string[] | undefined>(undefined);
   const [permissions, setPermissions] = useState<string[] | undefined>(undefined);
   const [entitlements, setEntitlements] = useState<string[] | undefined>(undefined);
   const [featureFlags, setFeatureFlags] = useState<string[] | undefined>(undefined);
@@ -60,6 +62,7 @@ export const AuthKitProvider = ({ children, onSessionExpired }: AuthKitProviderP
       setSessionId(auth.sessionId);
       setOrganizationId(auth.organizationId);
       setRole(auth.role);
+      setRoles(auth.roles);
       setPermissions(auth.permissions);
       setEntitlements(auth.entitlements);
       setFeatureFlags(auth.featureFlags);
@@ -69,6 +72,7 @@ export const AuthKitProvider = ({ children, onSessionExpired }: AuthKitProviderP
       setSessionId(undefined);
       setOrganizationId(undefined);
       setRole(undefined);
+      setRoles(undefined);
       setPermissions(undefined);
       setEntitlements(undefined);
       setFeatureFlags(undefined);
@@ -105,6 +109,7 @@ export const AuthKitProvider = ({ children, onSessionExpired }: AuthKitProviderP
         setSessionId(auth.sessionId);
         setOrganizationId(auth.organizationId);
         setRole(auth.role);
+        setRoles(auth.roles);
         setPermissions(auth.permissions);
         setEntitlements(auth.entitlements);
         setFeatureFlags(auth.featureFlags);
@@ -180,6 +185,7 @@ export const AuthKitProvider = ({ children, onSessionExpired }: AuthKitProviderP
         sessionId,
         organizationId,
         role,
+        roles,
         permissions,
         entitlements,
         featureFlags,

src/components/useTokenClaims.spec.tsx

@@ -88,6 +88,7 @@ describe('useTokenClaims', () => {
       sid: 'session_123',
       org_id: 'org_123',
       role: 'admin',
+      roles: ['admin'],
       permissions: ['read', 'write'],
       entitlements: ['feature_a'],
       feature_flags: ['device-authorization-grant'],
@@ -119,6 +120,7 @@ describe('useTokenClaims', () => {
       sid: 'session_123',
       org_id: 'org_123',
       role: 'admin',
+      roles: ['admin'],
       permissions: ['read', 'write'],
       entitlements: ['feature_a'],
       feature_flags: ['device-authorization-grant'],

src/interfaces.ts

@@ -30,6 +30,7 @@ export interface UserInfo {
   sessionId: string;
   organizationId?: string;
   role?: string;
+  roles?: string[];
   permissions?: string[];
   entitlements?: string[];
   featureFlags?: string[];
@@ -41,6 +42,7 @@ export interface NoUserInfo {
   sessionId?: undefined;
   organizationId?: undefined;
   role?: undefined;
+  roles?: undefined;
   permissions?: undefined;
   entitlements?: undefined;
   featureFlags?: undefined;
@@ -52,6 +54,7 @@ export interface AccessToken {
   sid: string;
   org_id?: string;
   role?: string;
+  roles?: string[];
   permissions?: string[];
   entitlements?: string[];
   feature_flags?: string[];

src/jwt.ts

@@ -57,6 +57,11 @@ export interface JWTPayload {
    */
   role?: string;
 
+  /**
+   * Roles of the user associated with the JWT
+   */
+  roles?: string[];
+
   /**
    * Permissions granted to the user associated with the JWT
    */

src/session.spec.ts

@@ -29,6 +29,7 @@ describe('session.ts', () => {
     sessionId: 'session_123',
     organizationId: 'org_123',
     role: 'member',
+    roles: ['member'],
     permissions: ['posts:create', 'posts:delete'],
     entitlements: ['audit-logs'],
     featureFlags: ['device-authorization-grant'],
@@ -867,6 +868,7 @@ describe('session.ts', () => {
         sub: 'user_123',
         org_id: 'org_123',
         role: 'admin',
+        roles: ['admin'],
         permissions: ['read', 'write'],
         entitlements: ['feature_a'],
         feature_flags: ['device-authorization-grant'],
@@ -892,6 +894,7 @@ describe('session.ts', () => {
         sub: 'user_123',
         org_id: 'org_123',
         role: 'admin',
+        roles: ['admin'],
         permissions: ['read', 'write'],
         entitlements: ['feature_a'],
         feature_flags: ['device-authorization-grant'],
@@ -914,6 +917,7 @@ describe('session.ts', () => {
         sid: 'session_123',
         org_id: 'org_123',
         role: 'admin',
+        roles: ['admin'],
         permissions: ['read', 'write'],
         entitlements: ['feature_a'],
         feature_flags: ['device-authorization-grant'],

src/session.ts

@@ -179,6 +179,7 @@ async function updateSession(
       sid: sessionId,
       org_id: organizationId,
       role,
+      roles,
       permissions,
       entitlements,
       feature_flags: featureFlags,
@@ -200,6 +201,7 @@ async function updateSession(
         user: session.user,
         organizationId,
         role,
+        roles,
         permissions,
         entitlements,
         featureFlags,
@@ -251,6 +253,7 @@ async function updateSession(
       sid: sessionId,
       org_id: organizationId,
       role,
+      roles,
       permissions,
       entitlements,
       feature_flags: featureFlags,
@@ -264,6 +267,7 @@ async function updateSession(
         user,
         organizationId,
         role,
+        roles,
         permissions,
         entitlements,
         featureFlags,
@@ -347,6 +351,7 @@ async function refreshSession({
     sid: sessionId,
     org_id: organizationId,
     role,
+    roles,
     permissions,
     entitlements,
     feature_flags: featureFlags,
@@ -357,6 +362,7 @@ async function refreshSession({
     user,
     organizationId,
     role,
+    roles,
     permissions,
     entitlements,
     featureFlags,
@@ -428,6 +434,7 @@ async function withAuth(options?: { ensureSignedIn?: boolean }): Promise<UserInf
     sid: sessionId,
     org_id: organizationId,
     role,
+    roles,
     permissions,
     entitlements,
     feature_flags: featureFlags,
@@ -438,6 +445,7 @@ async function withAuth(options?: { ensureSignedIn?: boolean }): Promise<UserInf
     user: session.user,
     organizationId,
     role,
+    roles,
     permissions,
     entitlements,
     featureFlags,

src/test-helpers.ts

@@ -11,6 +11,7 @@ export async function generateTestToken(payload = {}, expired = false) {
     sid: 'session_123',
     org_id: 'org_123',
     role: 'member',
+    roles: ['member'],
     permissions: ['posts:create', 'posts:delete'],
     entitlements: ['audit-logs'],
     feature_flags: ['device-authorization-grant'],