feat: fga-based workos rbac (#1771)

fern-api · Nov 4, 2024 · fae7cab · fae7cab
1 parent d8cb555
commit fae7cab
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/packages/ui/docs-bundle/src/server/auth/getAuthState.ts b/packages/ui/docs-bundle/src/server/auth/getAuthState.ts
@@ -100,12 +100,14 @@ export async function getAuthState(
         const session = fernToken != null ? await getSessionFromToken(fernToken) : undefined;
         const workosUserInfo = await toSessionUserInfo(session);
         if (workosUserInfo.user) {
+            // TODO: should this be stored in the session itself?
+            const roles = await getWorkosRbacRoles(authConfig.organization, workosUserInfo.user.email);
             return {
                 domain,
                 host,
                 authed: true,
                 ok: true,
-                user: toFernUser(workosUserInfo),
+                user: toFernUser(workosUserInfo, roles),
                 partner: authConfig.partner,
             };
         }
@@ -116,12 +118,14 @@ export async function getAuthState(
                 if (setFernToken) {
                     setFernToken(await encryptSession(updatedSession));
                 }
+                // TODO: should this be stored in the session itself?
+                const roles = await getWorkosRbacRoles(authConfig.organization, updatedSession.user.email);
                 return {
                     domain,
                     host,
                     authed: true,
                     ok: true,
-                    user: toFernUser(await toSessionUserInfo(updatedSession)),
+                    user: toFernUser(await toSessionUserInfo(updatedSession), roles),
                     partner: authConfig.partner,
                 };
             }
@@ -161,3 +165,20 @@ function getAuthorizationUrl(authConfig: AuthEdgeConfig, host: string, pathname?
 
     return undefined;
 }
+
+export async function getWorkosRbacRoles(org: string, email: string): Promise<string[]> {
+    try {
+        // TODO: use `rbac.ferndocs.dev` for staging, and `rbac.ferndocs.com` for production, once available
+        const roles = await fetch(
+            `https://rbac.ferndocs.dev/${encodeURIComponent(org)}/users/${encodeURIComponent(email)}/roles`,
+        ).then((res) => res.json());
+        if (Array.isArray(roles)) {
+            return roles.filter((role) => typeof role === "string");
+        }
+        return [];
+    } catch (error) {
+        // eslint-disable-next-line no-console
+        console.error(`Error fetching RBAC roles for ${org}/${email}: ${error}`);
+        return [];
+    }
+}
diff --git a/packages/ui/docs-bundle/src/server/auth/workos-user-to-fern-user.ts b/packages/ui/docs-bundle/src/server/auth/workos-user-to-fern-user.ts
@@ -2,9 +2,10 @@ import { FernUser } from "@fern-ui/fern-docs-auth";
 import { compact } from "es-toolkit/array";
 import { NoWorkOSUserInfo, WorkOSUserInfo } from "./interfaces";
 
-export function toFernUser({ user }: WorkOSUserInfo | NoWorkOSUserInfo): FernUser {
+export function toFernUser({ user }: WorkOSUserInfo | NoWorkOSUserInfo, roles?: string[]): FernUser {
     return {
         email: user?.email,
         name: compact([user?.firstName, user?.lastName]).join(" ") || user?.email?.split("@")[0],
+        roles,
     };
 }