OAuth: add ALLOWED_LDAP_GROUPS

.env.example

@@ -1,6 +1,9 @@
 # to use a normal user, put `uid=username,ou=People,dc=hackerspace,dc=pl` as DN
 LDAP_USER_DN=ldap_service_user_full_dn
 LDAP_USER_PW=ldap_service_user_password
+# to be authorized, user must be in one of these groups
+# hint: for debug, add group with the same name as your username
+ALLOWED_LDAP_GROUPS=radex,walne-users,zarzad,staff
 # create test client on sso.hackerspace.pl, with these options:
 # - client uri: (anything)
 # - redirect uri: http://localhost:5173/auth/callback/hswaw

src/hooks.server.ts

@@ -83,6 +83,21 @@ export const handle = ({ event, resolve }) => {
 	}
 	return SvelteKitAuth({
 		providers: [getHswawOauthConfig()],
+		callbacks: {
+			async signIn({ user, account, profile, email, credentials }) {
+				// ldap groups authorized to use `walne`
+				const allowedGroups = (env.ALLOWED_LDAP_GROUPS || '').split(',');
+				if (!allowedGroups.length) {
+					throw new Error('No allowed groups defined');
+				}
+
+				// user's ldap groups
+				const groups = (profile?.groups ?? []) as string[];
+
+				const isAuthorized = allowedGroups.some((allowedGroup) => groups.includes(allowedGroup));
+				return isAuthorized;
+			}
+		},
 		// debug: true,
 		trustHost: true,
 		redirectProxyUrl: env.REDIRECT_PROXY_URL