Add user roles support (#82)

* Initial

* fix defaults

Author: kendallstrautman

src/auth.spec.ts

@@ -108,6 +108,7 @@ describe('auth', () => {
       accessToken: 'new-access-token',
       organizationId: 'org_123456' as string | undefined,
       role: 'admin' as string | undefined,
+      roles: ['admin', 'member'] as string[] | undefined,
       permissions: ['read', 'write'] as string[] | undefined,
       entitlements: ['premium'] as string[] | undefined,
       impersonator: null,
@@ -338,6 +339,7 @@ describe('auth', () => {
         sessionId: 'session-123',
         organizationId: 'org-456',
         role: 'admin',
+        roles: ['admin', 'member'],
         permissions: ['read', 'write'],
         entitlements: ['feature-1', 'feature-2'],
         exp: Date.now() / 1000 + 3600, // 1 hour from now
@@ -359,6 +361,7 @@ describe('auth', () => {
         sessionId: mockClaims.sessionId,
         organizationId: mockClaims.organizationId,
         role: mockClaims.role,
+        roles: mockClaims.roles,
         permissions: mockClaims.permissions,
         entitlements: mockClaims.entitlements,
         impersonator: mockSession.impersonator,
@@ -392,6 +395,7 @@ describe('auth', () => {
         sessionId: 'session-123',
         organizationId: 'org-456',
         role: 'admin',
+        roles: ['admin', 'member'],
         permissions: ['read', 'write'],
         entitlements: ['feature-1', 'feature-2'],
         exp: Date.now() / 1000 - 3600, // 1 hour ago (expired)
@@ -419,6 +423,110 @@ describe('auth', () => {
       consoleWarnSpy.mockRestore();
     });
 
+    it('should handle multiple roles array properly', async () => {
+      // Mock session with valid access token
+      const mockSession = {
+        accessToken: 'valid-access-token',
+        refreshToken: 'refresh-token',
+        user: {
+          id: 'user-1',
+          email: '[email protected]',
+          firstName: 'Test',
+          lastName: 'User',
+          emailVerified: true,
+          profilePictureUrl: 'https://example.com/profile.jpg',
+          object: 'user' as const,
+          createdAt: '2023-01-01T00:00:00Z',
+          updatedAt: '2023-01-01T00:00:00Z',
+          lastSignInAt: '2023-01-01T00:00:00Z',
+          externalId: null,
+        },
+        impersonator: undefined,
+        headers: {},
+      };
+
+      // Mock claims with multiple roles
+      const mockClaims = {
+        sessionId: 'session-123',
+        organizationId: 'org-456',
+        role: 'user',
+        roles: ['user', 'editor', 'viewer'],
+        permissions: ['read'],
+        entitlements: ['basic'],
+        exp: Date.now() / 1000 + 3600,
+        iss: 'https://api.workos.com',
+      };
+
+      getSessionFromCookie.mockResolvedValue(mockSession);
+      getClaimsFromAccessToken.mockReturnValue(mockClaims);
+
+      const result = await withAuth(createMockRequest('wos-session=valid-session-data'));
+
+      expect(result).toEqual({
+        user: mockSession.user,
+        sessionId: mockClaims.sessionId,
+        organizationId: mockClaims.organizationId,
+        role: mockClaims.role,
+        roles: mockClaims.roles,
+        permissions: mockClaims.permissions,
+        entitlements: mockClaims.entitlements,
+        impersonator: mockSession.impersonator,
+        accessToken: mockSession.accessToken,
+      });
+    });
+
+    it('should handle missing roles field gracefully', async () => {
+      // Mock session with valid access token
+      const mockSession = {
+        accessToken: 'valid-access-token',
+        refreshToken: 'refresh-token',
+        user: {
+          id: 'user-1',
+          email: '[email protected]',
+          firstName: 'Test',
+          lastName: 'User',
+          emailVerified: true,
+          profilePictureUrl: 'https://example.com/profile.jpg',
+          object: 'user' as const,
+          createdAt: '2023-01-01T00:00:00Z',
+          updatedAt: '2023-01-01T00:00:00Z',
+          lastSignInAt: '2023-01-01T00:00:00Z',
+          externalId: null,
+        },
+        impersonator: undefined,
+        headers: {},
+      };
+
+      // Mock claims without roles field (for backward compatibility)
+      const mockClaims = {
+        sessionId: 'session-123',
+        organizationId: 'org-456',
+        role: 'user',
+        roles: ['user'],
+        permissions: ['read'],
+        entitlements: ['basic'],
+        exp: Date.now() / 1000 + 3600,
+        iss: 'https://api.workos.com',
+      };
+
+      getSessionFromCookie.mockResolvedValue(mockSession);
+      getClaimsFromAccessToken.mockReturnValue(mockClaims);
+
+      const result = await withAuth(createMockRequest('wos-session=valid-session-data'));
+
+      expect(result).toEqual({
+        user: mockSession.user,
+        sessionId: mockClaims.sessionId,
+        organizationId: mockClaims.organizationId,
+        role: mockClaims.role,
+        roles: mockClaims.roles,
+        permissions: mockClaims.permissions,
+        entitlements: mockClaims.entitlements,
+        impersonator: mockSession.impersonator,
+        accessToken: mockSession.accessToken,
+      });
+    });
+
     it('should return NoUserInfo when no session exists', async () => {
       // Mock no session
       getSessionFromCookie.mockResolvedValue(null);

src/auth.ts

@@ -50,6 +50,7 @@ export async function withAuth(args: LoaderFunctionArgs): Promise<UserInfo | NoU
     permissions,
     entitlements,
     role,
+    roles,
     exp = 0,
   } = getClaimsFromAccessToken(session.accessToken);
 
@@ -69,6 +70,7 @@ export async function withAuth(args: LoaderFunctionArgs): Promise<UserInfo | NoU
     sessionId,
     organizationId,
     role,
+    roles,
     permissions,
     entitlements,
     impersonator: session.impersonator,

src/interfaces.ts

@@ -56,6 +56,7 @@ export interface AccessToken {
   sid: string;
   org_id?: string;
   role?: string;
+  roles?: string[];
   permissions?: string[];
   entitlements?: string[];
 }
@@ -65,6 +66,7 @@ export interface UserInfo {
   sessionId: string;
   organizationId?: string;
   role?: string;
+  roles?: string[];
   permissions?: string[];
   entitlements?: string[];
   impersonator?: Impersonator;
@@ -76,6 +78,7 @@ export interface NoUserInfo {
   sessionId?: undefined;
   organizationId?: undefined;
   role?: undefined;
+  roles?: undefined;
   permissions?: undefined;
   entitlements?: undefined;
   impersonator?: undefined;
@@ -103,6 +106,7 @@ export interface AuthorizedData {
   sessionId: string;
   organizationId: string | null;
   role: string | null;
+  roles: string[] | null;
   permissions: string[];
   entitlements: string[];
   impersonator: Impersonator | null;
@@ -113,6 +117,7 @@ export interface UnauthorizedData {
   sessionId: null;
   organizationId: null;
   role: null;
+  roles: null;
   permissions: null;
   entitlements: null;
   impersonator: null;

src/session.spec.ts

@@ -290,6 +290,7 @@ describe('session', () => {
           permissions: null,
           entitlements: null,
           role: null,
+          roles: null,
           sessionId: null,
         });
       });
@@ -356,6 +357,7 @@ describe('session', () => {
           sid: 'test-session-id',
           org_id: 'org-123',
           role: 'admin',
+          roles: ['admin', 'member'],
           permissions: ['read', 'write'],
           entitlements: ['premium'],
         });
@@ -406,6 +408,56 @@ describe('session', () => {
           permissions: ['read', 'write'],
           entitlements: ['premium'],
           role: 'admin',
+          roles: ['admin', 'member'],
+          sessionId: 'test-session-id',
+        });
+      });
+
+      it('should handle roles array with multiple roles', async () => {
+        // Override the JWT decoding to return multiple roles
+        (jose.decodeJwt as jest.Mock).mockReturnValueOnce({
+          sid: 'test-session-id',
+          org_id: 'org-123',
+          role: 'admin',
+          roles: ['admin', 'member', 'viewer'],
+          permissions: ['read', 'write'],
+          entitlements: ['premium'],
+        });
+
+        const { data } = await authkitLoader(createLoaderArgs(createMockRequest()));
+
+        expect(data).toEqual({
+          user: mockSessionData.user,
+          impersonator: null,
+          organizationId: 'org-123',
+          permissions: ['read', 'write'],
+          entitlements: ['premium'],
+          role: 'admin',
+          roles: ['admin', 'member', 'viewer'],
+          sessionId: 'test-session-id',
+        });
+      });
+
+      it('should handle missing roles field gracefully', async () => {
+        // Override the JWT decoding to not include roles at all
+        (jose.decodeJwt as jest.Mock).mockReturnValueOnce({
+          sid: 'test-session-id',
+          org_id: 'org-123',
+          role: 'admin',
+          permissions: ['read', 'write'],
+          entitlements: ['premium'],
+        });
+
+        const { data } = await authkitLoader(createLoaderArgs(createMockRequest()));
+
+        expect(data).toEqual({
+          user: mockSessionData.user,
+          impersonator: null,
+          organizationId: 'org-123',
+          permissions: ['read', 'write'],
+          entitlements: ['premium'],
+          role: 'admin',
+          roles: null,
           sessionId: 'test-session-id',
         });
       });
@@ -775,6 +827,7 @@ describe('session', () => {
               sid: 'new-session-id',
               org_id: 'org-123',
               role: 'user',
+              roles: ['user', 'viewer'],
               permissions: ['read'],
               entitlements: ['basic'],
             };
@@ -799,6 +852,7 @@ describe('session', () => {
             sessionId: 'new-session-id',
             organizationId: 'org-123',
             role: 'user',
+            roles: ['user', 'viewer'],
             permissions: ['read'],
             entitlements: ['basic'],
           }),
@@ -942,6 +996,7 @@ describe('session', () => {
         sid: 'new-session-id',
         org_id: 'org-123',
         role: 'user',
+        roles: ['user', 'viewer'],
         permissions: ['read'],
         entitlements: ['basic'],
       });
@@ -966,6 +1021,7 @@ describe('session', () => {
         accessToken: 'new.valid.token',
         organizationId: 'org-123',
         role: 'user',
+        roles: ['user', 'viewer'],
         permissions: ['read'],
         entitlements: ['basic'],
         impersonator: null,

src/session.ts

@@ -72,6 +72,7 @@ export async function refreshSession(request: Request, { organizationId }: { org
       sessionId,
       organizationId: newOrgId,
       role,
+      roles,
       permissions,
       entitlements,
     } = getClaimsFromAccessToken(accessToken);
@@ -82,6 +83,7 @@ export async function refreshSession(request: Request, { organizationId }: { org
       accessToken,
       organizationId: newOrgId,
       role,
+      roles,
       permissions,
       entitlements,
       impersonator: impersonator ?? null,
@@ -329,6 +331,7 @@ export async function authkitLoader<Data = unknown>(
         permissions: null,
         entitlements: null,
         role: null,
+        roles: null,
         sessionId: null,
       };
 
@@ -340,6 +343,7 @@ export async function authkitLoader<Data = unknown>(
       sessionId,
       organizationId = null,
       role = null,
+      roles = null,
       permissions = [],
       entitlements = [],
     } = getClaimsFromAccessToken(session.accessToken);
@@ -361,6 +365,7 @@ export async function authkitLoader<Data = unknown>(
       sessionId,
       organizationId,
       role,
+      roles,
       permissions,
       entitlements,
       impersonator,
@@ -545,6 +550,7 @@ export function getClaimsFromAccessToken(accessToken: string) {
     sid: sessionId,
     org_id: organizationId,
     role,
+    roles,
     permissions,
     entitlements,
     exp,
@@ -557,6 +563,7 @@ export function getClaimsFromAccessToken(accessToken: string) {
     sessionId,
     organizationId,
     role,
+    roles,
     permissions,
     entitlements,
   };