fix(frontend,backend): Remove hardcoded legalconsenthub keycloak client ID

2026-03-16 08:29:54 +01:00
parent d4c6def398
commit 37a907e087
4 changed files with 12 additions and 11 deletions
--- a/legalconsenthub-backend/src/main/kotlin/com/betriebsratkanzlei/legalconsenthub/security/CustomJwtAuthenticationConverter.kt
+++ b/legalconsenthub-backend/src/main/kotlin/com/betriebsratkanzlei/legalconsenthub/security/CustomJwtAuthenticationConverter.kt
@@ -1,5 +1,6 @@
 package com.betriebsratkanzlei.legalconsenthub.security

+import org.springframework.beans.factory.annotation.Value
 import org.springframework.core.convert.converter.Converter
 import org.springframework.security.authentication.AbstractAuthenticationToken
 import org.springframework.security.core.GrantedAuthority
@@ -8,14 +9,16 @@ import org.springframework.security.oauth2.jwt.Jwt
 import org.springframework.stereotype.Component

@Component
-class CustomJwtAuthenticationConverter : Converter<Jwt, AbstractAuthenticationToken> {
+class CustomJwtAuthenticationConverter(
+    @Value("\${legalconsenthub.keycloak.client-id}") private val keycloakClientId: String,
+) : Converter<Jwt, AbstractAuthenticationToken> {
    override fun convert(jwt: Jwt): AbstractAuthenticationToken {
        val userId = jwt.subject
        val username = jwt.getClaimAsString("name")

        val resourceAccess = jwt.getClaimAsMap("resource_access") as? Map<*, *>
-        val legalconsenthubResource = resourceAccess?.get("legalconsenthub") as? Map<*, *>
-        val roles = (legalconsenthubResource?.get("roles") as? List<*>)?.mapNotNull { it as? String } ?: emptyList()
+        val clientResource = resourceAccess?.get(keycloakClientId) as? Map<*, *>
+        val roles = (clientResource?.get("roles") as? List<*>)?.mapNotNull { it as? String } ?: emptyList()

        val organizationIds = extractOrganizationIds(jwt)

--- a/legalconsenthub-backend/src/main/resources/application.yaml
+++ b/legalconsenthub-backend/src/main/resources/application.yaml
@@ -63,6 +63,8 @@ spring:
      max-request-size: 50MB

 legalconsenthub:
+  keycloak:
+    client-id: ${KEYCLOAK_CLIENT_ID:gremiumhub}
  file:
    storage:
      filesystem:
--- a/legalconsenthub/server/routes/auth/keycloak.get.ts
+++ b/legalconsenthub/server/routes/auth/keycloak.get.ts
@@ -21,7 +21,7 @@ export default defineOAuthKeycloakEventHandler({
    }

    const organizations = decodedJwt ? extractOrganizations(decodedJwt) : []
-    const roles = decodedJwt ? extractRoles(decodedJwt) : []
+    const roles = decodedJwt ? extractRoles(decodedJwt, config.oauth.keycloak.clientId) : []

    await setUserSession(event, {
      user: {
@@ -71,6 +71,6 @@ function extractOrganizations(decoded: KeycloakTokenPayload): Organization[] {
  return organizations
 }

-function extractRoles(decoded: KeycloakTokenPayload): string[] {
-  return decoded?.resource_access?.legalconsenthub?.roles ?? []
+function extractRoles(decoded: KeycloakTokenPayload, clientId: string): string[] {
+  return decoded?.resource_access?.[clientId]?.roles ?? []
 }
--- a/legalconsenthub/types/keycloak.ts
+++ b/legalconsenthub/types/keycloak.ts
@@ -5,11 +5,7 @@ export interface KeycloakTokenPayload {
  family_name?: string
  email?: string
  organization?: Record<string, { id?: string }>
-  resource_access?: {
-    legalconsenthub?: {
-      roles?: string[]
-    }
-  }
+  resource_access?: Record<string, { roles?: string[] } | undefined>
 }

 export interface Organization {