Expanded jwt for oauth

Author: jzongker

src/modules/membership/auth/AuthenticatedUser.ts

@@ -81,6 +81,41 @@ export class AuthenticatedUser extends BaseAuthenticatedUser {
     );
   }
 
+  public static getCombinedApiJwt(user: User, userChurch: LoginUserChurch) {
+    const permList: string[] = [];
+
+    userChurch.apis?.forEach((api) => {
+      api.permissions?.forEach((p) => {
+        let permString = p.contentType + "_" + String(p.contentId).replace("null", "") + "_" + p.action;
+        if (p.apiName) permString = p.apiName + "_" + p.contentType + "_" + String(p.contentId).replace("null", "") + "_" + p.action;
+        permList.push(permString);
+      });
+    });
+
+    const groupIds: string[] = [];
+    userChurch.groups?.forEach((g) => groupIds.push(g.id));
+    const leaderGroupIds: string[] = [];
+    userChurch.groups?.forEach((g) => { if (g.leader) leaderGroupIds.push(g.id); });
+
+    const options: SignOptions = { expiresIn: Environment.jwtExpiration as any };
+    return jwt.sign(
+      {
+        id: user.id,
+        email: user.email,
+        firstName: user.firstName,
+        lastName: user.lastName,
+        churchId: userChurch.church.id,
+        personId: userChurch.person.id,
+        permissions: permList,
+        groupIds,
+        leaderGroupIds,
+        membershipStatus: userChurch.person?.membershipStatus
+      },
+      Environment.jwtSecret,
+      options
+    );
+  }
+
   public static getUserJwt(user: User) {
     return jwt.sign({ id: user.id, email: user.email, firstName: user.firstName, lastName: user.lastName }, Environment.jwtSecret, { expiresIn: "180 days" });
   }

src/modules/membership/controllers/OAuthController.ts

@@ -112,11 +112,17 @@ export class OAuthController extends MembershipBaseController {
           apis: []
         };
 
+        // Load permissions for all APIs
+        const permissionData = await this.repos.rolePermission.loadUserPermissionInChurch(user.id, church.id);
+        if (permissionData) {
+          loginUserChurch.apis = permissionData.apis;
+        }
+
         // Create access token
         const token: OAuthToken = {
           clientId: client.clientId,
           userChurchId: authCode.userChurchId,
-          accessToken: AuthenticatedUser.getChurchJwt(user, loginUserChurch),
+          accessToken: AuthenticatedUser.getCombinedApiJwt(user, loginUserChurch),
           refreshToken: UniqueIdHelper.shortId(),
           scopes: authCode.scopes,
           expiresAt: new Date(Date.now() + 60 * 60 * 1000 * 12) // 12 hours
@@ -156,11 +162,17 @@ export class OAuthController extends MembershipBaseController {
           apis: []
         };
 
+        // Load permissions for all APIs
+        const permissionData = await this.repos.rolePermission.loadUserPermissionInChurch(user.id, church.id);
+        if (permissionData) {
+          loginUserChurch.apis = permissionData.apis;
+        }
+
         // Create new access token with proper JWT
         const token: OAuthToken = {
           clientId: client.clientId,
           userChurchId: oldToken.userChurchId,
-          accessToken: AuthenticatedUser.getChurchJwt(user, loginUserChurch),
+          accessToken: AuthenticatedUser.getCombinedApiJwt(user, loginUserChurch),
           refreshToken: UniqueIdHelper.shortId(),
           scopes: oldToken.scopes,
           expiresAt: new Date(Date.now() + 60 * 60 * 1000 * 12) // 12 hours
@@ -288,8 +300,14 @@ export class OAuthController extends MembershipBaseController {
           apis: []
         };
 
+        // Load permissions for all APIs
+        const permissionData = await this.repos.rolePermission.loadUserPermissionInChurch(user.id, church.id);
+        if (permissionData) {
+          loginUserChurch.apis = permissionData.apis;
+        }
+
         // Create access token
-        const accessToken = AuthenticatedUser.getChurchJwt(user, loginUserChurch);
+        const accessToken = AuthenticatedUser.getCombinedApiJwt(user, loginUserChurch);
         const refreshToken = UniqueIdHelper.shortId();
 
         // Store the refresh token for later use