Active token for new scope after redirect to home #106

bkd-mba-fbi · Nov 6, 2023 · 7a613d6 · 7a613d6
1 parent c94da37
commit 7a613d6
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 2 deletions.
diff --git a/src/components/Content.ts b/src/components/Content.ts
@@ -6,6 +6,8 @@ import { keyed } from "lit/directives/keyed.js";
 import { localized } from "@lit/localize";
 import { theme } from "../utils/theme";
 import { when } from "lit/directives/when.js";
+import { getCurrentAccessToken } from "../utils/storage";
+import { getTokenPayload, tokenMatchesScope } from "../utils/token";
 
 @customElement("bkd-content")
 @localized()
@@ -93,7 +95,14 @@ export class Content extends LitElement {
   }
 
   render() {
-    // The keyed directive ensures that the entire iframe and any associated scripts are removed when the application changes.
+    if (!tokenMatchesScope(getCurrentAccessToken(), portalState.app.scope)) {
+      // Token scope does not match current app, wait for correct
+      // token to be activated in <Portal> component
+      return html`<main></main>`;
+    }
+
+    // The keyed directive ensures that the entire iframe and any
+    // associated scripts are removed when the application changes.
     return html`
       <main>
         ${when(

diff --git a/src/components/Portal.ts b/src/components/Portal.ts
@@ -22,6 +22,7 @@ import { getCurrentAccessToken } from "../utils/storage";
 import { settings } from "../settings";
 import { getInitialLocale } from "../utils/locale";
 import { getNavigationItemByAppPath } from "../utils/navigation.ts";
+import { tokenMatchesScope } from "../utils/token.ts";
 
 const oAuthClient = createOAuthClient();
 
@@ -78,6 +79,23 @@ export class Portal extends LitElement {
   connectedCallback(): void {
     super.connectedCallback();
 
+    portalState.initialized.then(() => {
+      // When all roles/permissions have been loaded and the current
+      // app does not match the scope of the current token, activate a
+      // token for the app's scope. This can be the case when
+      // previously authenticated as another user and the current user
+      // has no access to the navigation item from the redirect URL,
+      // hence is redirected to home (see
+      // https://github.com/bkd-mba-fbi/evento-portal/issues/106).
+      if (!tokenMatchesScope(getCurrentAccessToken(), portalState.app.scope)) {
+        activateTokenForScope(
+          oAuthClient,
+          portalState.app.scope,
+          portalState.locale,
+        );
+      }
+    });
+
     this.subscriptions.push(
       portalState.subscribeScopeAndLocale(
         (scope, locale) => activateTokenForScope(oAuthClient, scope, locale),

diff --git a/src/state/portal-state.ts b/src/state/portal-state.ts
@@ -64,7 +64,7 @@ export class PortalState extends State {
   actualAppPath: string | null = null;
 
   private setInitialized: () => void = () => undefined;
-  private initialized = new Promise(
+  initialized = new Promise(
     (resolve) => (this.setInitialized = () => resolve(null)),
   );
 

diff --git a/src/utils/token.ts b/src/utils/token.ts
@@ -84,6 +84,17 @@ export function isTokenHalfExpired(
   return expirationTime <= now + validFor / 2;
 }
 
+/**
+ * Returns whether the given token matches the given scope.
+ */
+export function tokenMatchesScope(
+  token: string | null,
+  scope: string,
+): boolean {
+  const tokenScope = token && getTokenPayload(token).scope;
+  return tokenScope === scope;
+}
+
 function parseTokenPayload(token: string): RawTokenPayload {
   const base64Url = token.split(".")[1];
   const base64 = base64Url.replace("-", "+").replace("_", "/");