From 18269879537a47ae8be7ba20a93b645e0e90a697 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gunnlaugur=20Gu=C3=B0mundsson?= <34029342+GunnlaugurG@users.noreply.github.com>
Date: Fri, 20 Dec 2024 15:03:19 +0000
Subject: [PATCH] feat(auth-admin): Allow non super users to publish super user fields (#17290)

---
 .../app/v2/clients/test/me-clients.spec.ts | 24 ++++++++++++-------
 .../clients/admin/admin-clients.service.ts | 17 +------------
 2 files changed, 17 insertions(+), 24 deletions(-)

diff --git a/apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts b/apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts
index 58235d12f2b1..3e73048f6aca 100644
--- a/apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts
+++ b/apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts
@@ -431,23 +431,26 @@ describe('MeClientsController with auth', () => {
           slidingRefreshTokenLifetime:
             typeSpecificDefaults.slidingRefreshTokenLifetime ??
             clientBaseAttributes.slidingRefreshTokenLifetime,
-          accessTokenLifetime: clientBaseAttributes.accessTokenLifetime,
+          accessTokenLifetime:
+            typeSpecificDefaults.accessTokenLifetime ??
+            clientBaseAttributes.accessTokenLifetime,
           allowOfflineAccess: clientBaseAttributes.allowOfflineAccess,
           redirectUris: [],
           postLogoutRedirectUris: [],
           requireApiScopes: false,
           requireConsent: false,
-          requirePkce: true,
-          supportTokenExchange: false,
+          requirePkce:
+            typeSpecificDefaults.requirePkce ?? clientBaseAttributes.requirePkce,
+          supportTokenExchange: typeSpecificDefaults.supportTokenExchange,
           supportsCustomDelegation: false,
           supportsLegalGuardians: false,
           supportsPersonalRepresentatives: false,
           supportsProcuringHolders: false,
           promptDelegations: false,
-          customClaims: [],
+          customClaims: typeSpecificDefaults.customClaims ?? [],
           singleSession: false,
           supportedDelegationTypes: [],
-          allowedAcr: [defaultAcrValue],
+          allowedAcr: typeSpecificDefaults.allowedAcr ?? [defaultAcrValue],
         })
 
         // Assert - db record
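Review bot: The response assertion in this hunk is now inconsistent with the db-record assertion in the next hunk (@@ -468): `allowOfflineAccess` stays pinned to `clientBaseAttributes.allowOfflineAccess` here while the db assertion switches to `typeSpecificDefaults.allowOfflineAccess ?? clientBaseAttributes.allowOfflineAccess`, so any test case that sets `allowOfflineAccess` in its type-specific defaults would pass one assertion and fail the other. For the same reason `supportTokenExchange: typeSpecificDefaults.supportTokenExchange` is the only converted field without a fallback; if a case leaves it unset the expected value becomes `undefined` rather than the `false` the old assertion pinned. I would align both lines with their siblings: `allowOfflineAccess: typeSpecificDefaults.allowOfflineAccess ?? clientBaseAttributes.allowOfflineAccess,` and `supportTokenExchange: typeSpecificDefaults.supportTokenExchange ?? false,` (or the `clientBaseAttributes` value if one exists). The enclosing test case starts and ends outside the hunk.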
@@ -468,9 +471,14 @@ describe('MeClientsController with auth', () => {
           absoluteRefreshTokenLifetime:
             typeSpecificDefaults.absoluteRefreshTokenLifetime ??
             clientBaseAttributes.absoluteRefreshTokenLifetime,
-          accessTokenLifetime: clientBaseAttributes.accessTokenLifetime,
-          allowOfflineAccess: clientBaseAttributes.allowOfflineAccess,
-          requirePkce: clientBaseAttributes.requirePkce,
+          accessTokenLifetime:
+            typeSpecificDefaults.accessTokenLifetime ??
+            clientBaseAttributes.accessTokenLifetime,
+          allowOfflineAccess:
+            typeSpecificDefaults.allowOfflineAccess ??
+            clientBaseAttributes.allowOfflineAccess,
+          requirePkce:
+            typeSpecificDefaults.requirePkce ?? clientBaseAttributes.requirePkce,
           refreshTokenExpiration: translateRefreshTokenExpiration(
             typeSpecificDefaults.refreshTokenExpiration,
           ),
diff --git a/libs/auth-api-lib/src/lib/clients/admin/admin-clients.service.ts b/libs/auth-api-lib/src/lib/clients/admin/admin-clients.service.ts
index f919f1611294..474cf26dbee2 100644
--- a/libs/auth-api-lib/src/lib/clients/admin/admin-clients.service.ts
+++ b/libs/auth-api-lib/src/lib/clients/admin/admin-clients.service.ts
@@ -173,21 +173,6 @@ export class AdminClientsService {
       throw new BadRequestException('Invalid client id')
     }
 
-    // If user is not super admin, we remove the super admin fields from the input to default to the client base attributes
-    if (!this.isSuperAdmin(user)) {
-      clientDto = {
-        clientId: clientDto.clientId,
-        clientType: clientDto.clientType,
-        clientName: clientDto.clientName,
-        // Remove defined super admin fields
-        ...omit(clientDto, superUserFields),
-        // Remove personal representative from delegation types since it is not allowed for non-super admins
-        supportedDelegationTypes: delegationTypeSuperUserFilter(
-          clientDto.supportedDelegationTypes ?? [],
-        ),
-      }
-    }
-
     const {
       customClaims,
       displayName,
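Review bot: The deleted block enforced two separate restrictions, and the commit title only accounts for one of them: besides stripping `superUserFields` it also ran `supportedDelegationTypes` through `delegationTypeSuperUserFilter`, whose own comment says personal-representative delegation "is not allowed for non-super admins". With the whole `if (!this.isSuperAdmin(user))` branch gone, nothing in this hunk stops a non-super-admin from creating a client with that delegation type; unless that check is enforced elsewhere (not visible here), the narrower guard below should stay, and if dropping it is intentional the description should say so. `isSuperAdmin`, `omit`, `superUserFields` and `delegationTypeSuperUserFilter` may now be unused in this method or file and are worth checking. The enclosing method starts before and continues after the hunk.
```typescript
    // … unchanged: client id validation …
    // Personal-representative delegation stays restricted to super admins
    if (!this.isSuperAdmin(user)) {
      clientDto = {
        ...clientDto,
        supportedDelegationTypes: delegationTypeSuperUserFilter(
          clientDto.supportedDelegationTypes ?? [],
        ),
      }
    }

    const {
    // … unchanged: destructuring of clientDto …
```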
@@ -600,7 +585,7 @@ export class AdminClientsService {
         client.supportedDelegationTypes?.map(
           (clientDelegationType) => clientDelegationType.delegationType,
         ) ?? [],
-      allowedAcr: client.allowedAcr ?? [],
+      allowedAcr: client.allowedAcr.map((v) => v.toString()) ?? [],
     }
   }
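Review bot: The added `allowedAcr` line loses the null handling the removed line had: `.map(...)` never returns null or undefined, so the trailing `?? []` is dead, and when `client.allowedAcr` is null or undefined the call now throws a TypeError before the fallback is reached. The sibling `supportedDelegationTypes` mapping two lines above uses optional chaining for exactly this case; the same shape works here: `allowedAcr: client.allowedAcr?.map((v) => v.toString()) ?? [],`. A one-line comment on why the values need `toString()` (the element type is not visible in this hunk) would also help the next reader. The enclosing mapper function starts outside the hunk.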