Support authorization check in Consumer authenticateJwtLocal#155
Draft
jlai-stytch wants to merge 4 commits into
Draft
Support authorization check in Consumer authenticateJwtLocal#155jlai-stytch wants to merge 4 commits into
jlai-stytch wants to merge 4 commits into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds support for the
authorizationCheckparam for the Consumer (B2C)authenticateJwtLocal()method. Currently only the B2B method supports it:stytch-java/stytch/src/main/kotlin/com/stytch/java/b2b/api/sessions/Sessions.kt
Line 501 in 01930a8
but not the B2C one:
stytch-java/stytch/src/main/kotlin/com/stytch/java/consumer/api/sessions/Sessions.kt
Line 352 in 01930a8
Since the RBAC helper in this repo only exists for B2B today, this PR also generalizes the existing
PolicyCache. It extracts a consumer-flavored authorization check that skips the tenancy check and org-policy merge, operating only on the global policy's roles.I tried to keep the implementation in line with Node SDK's shared-base + thin-wrapper structure, since that SDK supports the authZ check for both B2C and B2B.
Since this touches some codegen'd files and not just the manual/hand-written methods, this also requires a small PR there: https://github.com/stytchauth/sdk-codegen/pull/388
None of the B2B-specific files were modified.
New files
common/BasePolicyCache.kt— shared base holding the cache/refresh machinery (getPolicy, lazy + background refresh,cancelBackgroundRefresh), a normalizedRoleView/PermissionView, the sharedhasRolePermissionmatcher, andPermissionException(moved here, retyped toAnyso it works for both verticals'AuthorizationCheck)common/ConsumerPolicyCache.kt— thin B2C wrapper over the consumer RBAC client. No org policy, no tenancy check — evaluates purely against the project policy's rolescommon/ConsumerPolicyCacheTest.kt— consumer analogue of the B2B tests (matching resource/action, wildcard, permission denied, fetch-once/caching, cancel)Modified files
common/PolicyCache.kt— B2B cache keeps its name (so zero B2B call-site churn) but now extendsBasePolicyCache<Policy>; retains org-policy cache +TenancyException, and maps its roles into the shared matcherconsumer/api/sessions/Sessions.kt— addedauthorizationCheck: AuthorizationCheck? = null(beforeleeway) to all threeauthenticateJwtLocaloverloads; the suspend impl throwsMissingRolesClaimif roles are absent, else callspolicyCache.performAuthorizationCheck;SessionsImplgained apolicyCacheconstructor param; imports + ADDIMPORT hints addedconsumer/StytchClient.kt— constructsConsumerPolicyCache, injects it intoSessionsImpl, cancels it inclose(). PasspolicyCachetoIDPImpl.consumer/api/sessions/SessionsTest.kt— passes a relaxedpolicyCachemock to the updated constructorconsumer/api/idp/IDP.kt— addedpolicyCache: ConsumerPolicyCacheparam + importMotivation
Contracted customer feature request, see https://twilio-engineering.atlassian.net/browse/STDS-347
Testing