cameleer/cameleer-saas
2
0
Fork 0
Code Issues 23 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: replace hardcoded permission map with direct OAuth2 scope checks

Browse Source 
Remove role-to-permission mapping (usePermissions, RequirePermission) and replace
with direct scope reads from the Logto access token JWT. OrgResolver decodes the
scope claim after /api/me resolves and stores scopes in Zustand. RequireScope and
useScopes replace the old hooks/components across all pages.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-05 14:04:06 +02:00
parent 277d5ea638
commit 9c2a1d27b7
13 changed files with 87 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
ui/src/auth/OrgResolver.tsx
View File

@@ -1,21 +1,23 @@
import { useEffect } from 'react';
import { useLogto } from '@logto/react';
import { Spinner } from '@cameleer/design-system';
import { useMe } from '../api/hooks';
import { useOrgStore } from './useOrganization';
import { fetchConfig } from '../config';
/**
* Fetches /api/me and populates the org store with platform admin status
* and tenant-to-org mapping. Renders children once resolved.
* Fetches /api/me and populates the org store with tenant-to-org mapping.
* Also reads OAuth2 scopes from the access token and stores them.
* Renders children once resolved.
*/
export function OrgResolver({ children }: { children: React.ReactNode }) {
const { data: me, isLoading, isError } = useMe();
const { setIsPlatformAdmin, setOrganizations, setCurrentOrg, currentOrgId } = useOrgStore();
const { getAccessToken } = useLogto();
const { setOrganizations, setCurrentOrg, setScopes, currentOrgId } = useOrgStore();
useEffect(() => {
if (!me) return;
setIsPlatformAdmin(me.isPlatformAdmin);
// Map tenants: logtoOrgId is the org ID for token scoping, id is the DB UUID
const orgEntries = me.tenants.map((t) => ({
id: t.logtoOrgId,
@@ -29,6 +31,21 @@ export function OrgResolver({ children }: { children: React.ReactNode }) {
if (orgEntries.length === 1 && !currentOrgId) {
setCurrentOrg(orgEntries[0].id);
}
// Read scopes from the access token JWT payload
fetchConfig().then((config) => {
if (!config.logtoResource) return;
getAccessToken(config.logtoResource).then((token) => {
if (!token) return;
try {
const payload = JSON.parse(atob(token.split('.')[1]));
const scopeStr = (payload.scope as string) ?? '';
setScopes(new Set(scopeStr.split(' ').filter(Boolean)));
} catch {
setScopes(new Set());
}
}).catch(() => setScopes(new Set()));
});
}, [me]);
if (isLoading) {