feat(shared): Allow for has({ role | permission}) without scope (#5693)

Author: panteliselef

.changeset/salty-worms-attack.md

@@ -0,0 +1,9 @@
+---
+'@clerk/shared': patch
+---
+
+Allow for `has({ role | permission})` without scope.
+
+Examples:
+- `has({role: "admin"})`
+- `has({permission: "friends:add"})`

integration/templates/next-app-router/src/app/jwt-v2-organizations/(tests)/conditionals.tsx

@@ -1,22 +1,26 @@
 export function Conditionals({
   hasImpersonationRead,
   hasMagicLinksCreate,
+  hasMagicLinksCreateUnscoped,
   hasMagicLinksRead,
   hasImpersonationManage,
   hasAdminRole,
   hasManagerRole,
   hasImpersonationReaderRole,
+  hasImpersonationReaderRoleUnscoped,
   role,
   hasImpersonationFeature,
   hasMagicLinksFeature,
 }: {
   hasImpersonationRead: boolean;
   hasMagicLinksCreate: boolean;
+  hasMagicLinksCreateUnscoped: boolean;
   hasMagicLinksRead: boolean;
   hasImpersonationManage: boolean;
   hasAdminRole: boolean;
   hasManagerRole: boolean;
   hasImpersonationReaderRole: boolean;
+  hasImpersonationReaderRoleUnscoped: boolean;
   role: string | null | undefined;
   hasImpersonationFeature: boolean;
   hasMagicLinksFeature: boolean;
@@ -33,6 +37,11 @@ export function Conditionals({
         {hasMagicLinksCreate ? 'true' : 'false'}
       </pre>
 
+      <pre>
+        {`has({ permission: "magic_links:create" }) -> `}
+        {hasMagicLinksCreateUnscoped ? 'true' : 'false'}
+      </pre>
+
       <pre>
         {`has({ permission: "org:magic_links:read" }) -> `}
         {hasMagicLinksRead ? 'true' : 'false'}
@@ -58,6 +67,11 @@ export function Conditionals({
         {hasImpersonationReaderRole ? 'true' : 'false'}
       </pre>
 
+      <pre>
+        {`has({ role: "impersonation_reader" }) -> `}
+        {hasImpersonationReaderRoleUnscoped ? 'true' : 'false'}
+      </pre>
+
       <pre>
         {`role -> `}
         {role}

integration/templates/next-app-router/src/app/jwt-v2-organizations/(tests)/has-client/page.tsx

@@ -23,6 +23,8 @@ export default function Page() {
         role={orgRole}
         hasImpersonationFeature={has({ feature: 'org:impersonation' })}
         hasMagicLinksFeature={has({ feature: 'org:magic_links' })}
+        hasMagicLinksCreateUnscoped={has({ permission: 'magic_links:create' })}
+        hasImpersonationReaderRoleUnscoped={has({ role: 'impersonation_reader' })}
       />
     </>
   );

integration/templates/next-app-router/src/app/jwt-v2-organizations/(tests)/has-server/page.tsx

@@ -18,6 +18,8 @@ export default async function Page() {
         role={orgRole}
         hasImpersonationFeature={has({ feature: 'org:impersonation' })}
         hasMagicLinksFeature={has({ feature: 'org:magic_links' })}
+        hasMagicLinksCreateUnscoped={has({ permission: 'magic_links:create' })}
+        hasImpersonationReaderRoleUnscoped={has({ role: 'impersonation_reader' })}
       />
     </>
   );

integration/templates/next-app-router/src/app/jwt-v2-organizations/(tests)/has-ssr/client.tsx

@@ -23,6 +23,8 @@ export function SSR() {
         role={orgRole}
         hasImpersonationFeature={has({ feature: 'org:impersonation' })}
         hasMagicLinksFeature={has({ feature: 'org:magic_links' })}
+        hasMagicLinksCreateUnscoped={has({ permission: 'magic_links:create' })}
+        hasImpersonationReaderRoleUnscoped={has({ role: 'impersonation_reader' })}
       />
     </>
   );

integration/tests/protect-jwt-v2.test.ts

@@ -74,6 +74,7 @@ testAgainstRunningApps({
     async function assertPermsRolesFeatures() {
       await expect(u.page.getByText(`has({ permission: "org:impersonation:read" }) -> true`)).toBeVisible();
       await expect(u.page.getByText(`has({ permission: "org:magic_links:create" }) -> true`)).toBeVisible();
+      await expect(u.page.getByText(`has({ permission: "magic_links:create" }) -> true`)).toBeVisible();
       await expect(u.page.getByText(`has({ permission: "org:magic_links:read" }) -> true`)).toBeVisible();
       await expect(u.page.getByText(`has({ permission: "org:impersonation:manage" }) -> true`)).toBeVisible();
       await expect(u.page.getByText(`has({ role: "org:admin" }) -> true`)).toBeVisible();
@@ -171,6 +172,7 @@ testAgainstRunningApps({
       await expect(u.page.getByText(`has({ role: "org:admin" }) -> false`)).toBeVisible();
       await expect(u.page.getByText(`has({ role: "org:manager" }) -> false`)).toBeVisible();
       await expect(u.page.getByText(`has({ role: "org:impersonation_reader" }) -> true`)).toBeVisible();
+      await expect(u.page.getByText(`has({ role: "impersonation_reader" }) -> true`)).toBeVisible();
       await expect(u.page.getByText(`role -> org:impersonation_reader`)).toBeVisible();
       await expect(u.page.getByText(`has({ feature: "org:impersonation" }) -> true`)).toBeVisible();
       await expect(u.page.getByText(`has({ feature: "org:magic_links" }) -> true`)).toBeVisible();

packages/backend/src/tokens/__tests__/authObjects.test.ts

@@ -34,6 +34,26 @@ describe('signedInAuthObject', () => {
   });
 
   describe('JWT v1', () => {
+    it('has() for user scope', () => {
+      const mockAuthenticateContext = { sessionToken: 'authContextToken' } as AuthenticateContext;
+
+      const partialJwtPayload = {
+        ___raw: 'raw',
+        act: { sub: 'actor' },
+        sid: 'sessionId',
+        sub: 'userId',
+      } as Partial<JwtPayload>;
+
+      const authObject = signedInAuthObject(mockAuthenticateContext, 'token', partialJwtPayload as JwtPayload);
+
+      expect(authObject.has({ role: 'org:admin' })).toBe(false);
+      expect(authObject.has({ role: 'admin' })).toBe(false);
+      expect(authObject.has({ permission: 'org:f1:read' })).toBe(false);
+      expect(authObject.has({ permission: 'f1:read' })).toBe(false);
+      expect(authObject.has({ feature: 'org:reservations' })).toBe(false);
+      expect(authObject.has({ feature: 'org:impersonation' })).toBe(false);
+    });
+
     it('has() for orgs', () => {
       const mockAuthenticateContext = { sessionToken: 'authContextToken' } as AuthenticateContext;
 
@@ -51,7 +71,9 @@ describe('signedInAuthObject', () => {
       const authObject = signedInAuthObject(mockAuthenticateContext, 'token', partialJwtPayload as JwtPayload);
 
       expect(authObject.has({ role: 'org:admin' })).toBe(true);
+      expect(authObject.has({ role: 'admin' })).toBe(true);
       expect(authObject.has({ permission: 'org:f1:read' })).toBe(true);
+      expect(authObject.has({ permission: 'f1:read' })).toBe(true);
       expect(authObject.has({ permission: 'org:f1' })).toBe(false);
       expect(authObject.has({ permission: 'org:f2:manage' })).toBe(true);
       expect(authObject.has({ permission: 'org:f2' })).toBe(false);
@@ -85,7 +107,9 @@ describe('signedInAuthObject', () => {
       const authObject = signedInAuthObject(mockAuthenticateContext, 'token', partialJwtPayload as JwtPayload);
 
       expect(authObject.has({ role: 'org:admin' })).toBe(true);
+      expect(authObject.has({ role: 'admin' })).toBe(true);
       expect(authObject.has({ permission: 'org:reservations:read' })).toBe(true);
+      expect(authObject.has({ permission: 'reservations:read' })).toBe(true);
       expect(authObject.has({ permission: 'org:reservations' })).toBe(false);
       expect(authObject.has({ permission: 'org:reservations:manage' })).toBe(true);
       expect(authObject.has({ permission: 'org:reservations' })).toBe(false);

packages/shared/src/authorization.ts

@@ -70,6 +70,8 @@ const isValidMaxAge = (maxAge: any) => typeof maxAge === 'number' && maxAge > 0;
 const isValidLevel = (level: any) => ALLOWED_LEVELS.has(level);
 const isValidVerificationType = (type: any) => ALLOWED_TYPES.has(type);
 
+const prefixWithOrg = (value: string) => (value.startsWith('org:') ? value : `org:${value}`);
+
 /**
  * Checks if a user has the required organization-level authorization.
  * Verifies if the user has the specified role or permission within their organization.
@@ -86,11 +88,11 @@ const checkOrgAuthorization: CheckOrgAuthorization = (params, options) => {
   }
 
   if (params.permission) {
-    return orgPermissions.includes(params.permission);
+    return orgPermissions.includes(prefixWithOrg(params.permission));
   }
 
   if (params.role) {
-    return orgRole === params.role;
+    return orgRole === prefixWithOrg(params.role);
   }
   return null;
 };