Module: JwtAuthCognito::AuthorizationConcern

Extended by:: ActiveSupport::Concern

Defined in:: lib/jwt_auth_cognito/authorization_concern.rb

Overview

Rails Concern that adds granular permission enforcement to controllers.

Usage in ApplicationController (or any controller):

include JwtAuthCognito::AuthorizationConcern

# Provide the validator instance (required):
def jwt_validator
  @jwt_validator ||= JwtAuthCognito::JwtValidator.new
end

# Provide the current user's Cognito sub (required):
# Override jwt_user_id — typically populated by your auth before_action.
def jwt_user_id
  @jwt_user_id ||= request.env['jwt.payload']&.dig('sub')
end

Then in any action or before_action:

before_action -> { authorize_permission!('fleet:vehicles:read') }

# OR require at least one of several permissions:
before_action -> { authorize_any_permission!('fleet:read', 'fleet:vehicles:read') }

appId and orgId are resolved from X-App-Id / X-Organization-Id headers, falling back to params / params.

Instance Method Summary collapse

#authorize_any_permission!(*permissions) ⇒ Object

Raises ForbiddenError unless the current user has AT LEAST ONE of the given permissions.
#authorize_permission!(*permissions) ⇒ Object

Raises ForbiddenError unless the current user has ALL of the given permissions.
#current_user_permissions ⇒ Object

Returns the full list of effective permissions for the current user/app/org context.

Instance Method Details

#authorize_any_permission!(*permissions) ⇒ `Object`

Raises ForbiddenError unless the current user has AT LEAST ONE of the given permissions.

Raises:

(JwtAuthCognito::ForbiddenError)

# File 'lib/jwt_auth_cognito/authorization_concern.rb', line 50

def authorize_any_permission!(*permissions)
  return if permissions.flatten.any? { |p| current_user_has_permission?(p) }

  log_permission_denied(permissions)
  raise JwtAuthCognito::ForbiddenError, 'Access denied'
end

#authorize_permission!(*permissions) ⇒ `Object`

Raises ForbiddenError unless the current user has ALL of the given permissions.

# File 'lib/jwt_auth_cognito/authorization_concern.rb', line 40

def authorize_permission!(*permissions)
  permissions.flatten.each do |permission|
    next if current_user_has_permission?(permission)

    log_permission_denied(permissions)
    raise JwtAuthCognito::ForbiddenError, 'Access denied'
  end
end

#current_user_permissions ⇒ `Object`

Returns the full list of effective permissions for the current user/app/org context.



58
59
60

# File 'lib/jwt_auth_cognito/authorization_concern.rb', line 58

def current_user_permissions
  @current_user_permissions ||= fetch_current_user_permissions
end