I recently set up an app using CBSecurity with the JwtAuthValidator@cbsecurity validator. Based on my understanding of the documentation, the validator should call both the hasRole() and hasPermission() functions on the user object to validate the security annotations. In my app, only the hasPermission() function is being called by the validator. Is this by design?
That’s a very good point. We may need to update the docs to show that, as of now, the Validator only evaluates the scopes a token has against the permissions the user has. JSON Web Tokens have no concept of roles, just scopes. That’s why only the permissions are evaluated for incoming tokens.
// Do we have any permissions to validate?
if ( listLen( arguments.permissions ) ) {
    // Check if the user has the right permissions?
    results.allow = (
        tokenHasScopes( arguments.permissions, payload.scope )
        ||
        variables.cbSecurity.has( arguments.permissions )
    );
    results.type = "authorization";
} else {
    // We are satisfied!
    results.allow = true;
}
We already have a precedent in cbsecurity of evaluating roles, so I can’t discard the usage of it. I would suggest we add a ticket for this.
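To make the decision described in the reply concrete, here is an added example (not cbsecurity's code, and not the project's validator) that reproduces the same rule in Python: after verifying the token's HS256 signature, access is granted if the token's scopes cover the required permissions or the user already holds them, and any roles claim on the token is simply never consulted. Assumptions of this example: the `scope` claim is a space-separated string (the RFC 9068 convention; a comma-separated list or a JSON array is also accepted), every required permission must be present for a scope match (cbsecurity's `tokenHasScopes` may use a different any/all rule), and the secret and claims are constructed demo values.

```python
"""Scope-vs-permission authorization for an HS256 JWT.
Added example, not cbsecurity code. Secret and claims below are constructed."""
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(payload: dict, secret: bytes) -> str:
    """Build a signed HS256 token (only so the example can run offline)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the payload only if the signature checks out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the header is attacker-controlled until the signature is checked.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def is_valid(token: str, secret: bytes) -> bool:
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:
        return False


def scopes_of(payload: dict) -> set:
    """Normalise the scope claim: space- or comma-separated string, or a JSON array."""
    raw = payload.get("scope", "")
    if isinstance(raw, str):
        return set(raw.replace(",", " ").split())
    return set(raw)


def token_has_scopes(required, scopes, require_all=True) -> bool:
    # Assumption: all required permissions must appear as scopes (cbsecurity may differ).
    req = set(required)
    return req <= scopes if require_all else bool(req & scopes)


def authorize(token: str, secret: bytes, required_permissions, user_permissions=frozenset()) -> dict:
    """Mirror of the validator logic: token scopes OR user permissions; roles are never read."""
    payload = verify_hs256(token, secret)
    if not required_permissions:
        return {"allow": True}
    allow = token_has_scopes(required_permissions, scopes_of(payload)) or set(required_permissions) <= set(user_permissions)
    return {"allow": allow, "type": "authorization"}


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; never hard-code a real key
    token = mint_hs256({"sub": "alice", "scope": "orders:read orders:write", "roles": ["admin"]}, secret)
    print(authorize(token, secret, ["orders:read"]))          # allowed via token scope
    print(authorize(token, secret, ["admin"]))                # roles claim is ignored
    print(authorize(token, secret, ["billing:write"], {"billing:write"}))  # allowed via user permission
```

The last two calls are the point of the thread: a `roles` claim on the token changes nothing, and a permission the token does not carry as a scope can still be granted because the user record holds it, which is the `||` branch in the quoted validator code.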