chore(shared,types): Org permissions claims is a string in v2

Author: octoper

packages/shared/src/__tests__/authorization.test.ts

@@ -20,7 +20,7 @@ describe('resolveSignedInAuthStateFromJWTClaims', () => {
         id: 'org_id',
         rol: 'admin',
         slg: 'org_slug',
-        per: ['permission1', 'permission2'],
+        per: 'permission1,permission2',
       },
     });
 
@@ -31,7 +31,7 @@ describe('resolveSignedInAuthStateFromJWTClaims', () => {
       org_slug: 'org_slug',
       org_permissions: ['permission1', 'permission2'],
     });
-    expect(signedInAuthObjectV1).toMatchObject(signedInAuthObjectV2);
+    expect(signedInAuthObjectV1).toEqual(signedInAuthObjectV2);
   });
 
   test('produced auth object with v2 matches v1 without having orgs related claims', () => {
@@ -43,6 +43,32 @@ describe('resolveSignedInAuthStateFromJWTClaims', () => {
     const { sessionClaims: v1Claims, ...signedInAuthObjectV1 } = resolveSignedInAuthStateFromJWTClaims({
       ...baseClaims,
     });
-    expect(signedInAuthObjectV1).toMatchObject(signedInAuthObjectV2);
+    expect(signedInAuthObjectV1).toEqual(signedInAuthObjectV2);
+  });
+
+  test('v2 org permissions are splitted correctly', () => {
+    const authObject = resolveSignedInAuthStateFromJWTClaims({
+      ...baseClaims,
+      v: 2,
+      org: {
+        id: 'org_id',
+        rol: 'admin',
+        slg: 'org_slug',
+        per: 'permission1,permission2',
+      },
+    });
+    expect(authObject.orgPermissions).toEqual(['permission1', 'permission2']);
+
+    const authObject2 = resolveSignedInAuthStateFromJWTClaims({
+      ...baseClaims,
+      v: 2,
+      org: {
+        id: 'org_id',
+        rol: 'admin',
+        slg: 'org_slug',
+        per: 'permission1',
+      },
+    });
+    expect(authObject2.orgPermissions).toEqual(['permission1']);
   });
 });

packages/shared/src/authorization.ts

@@ -303,7 +303,7 @@ const __experimental_resolveSignedInAuthStateFromJWTClaims = (claims: JwtPayload
   let orgId: string | undefined;
   let orgRole: OrganizationCustomRoleKey | undefined;
   let orgSlug: string | undefined;
-  let orgPermissions: string[] | undefined;
+  let orgPermissions: OrganizationCustomPermissionKey[] | undefined;
 
   // fva can be undefined for instances that have not opt-in
   const factorVerificationAge = claims.fva ?? null;
@@ -312,13 +312,13 @@ const __experimental_resolveSignedInAuthStateFromJWTClaims = (claims: JwtPayload
   const sessionStatus = claims.sts ?? null;
 
   switch (claims.v) {
-    case 2:
+    case 2: {
       orgId = claims.org?.id;
       orgRole = claims.org?.rol;
       orgSlug = claims.org?.slg;
-
-      orgPermissions = claims.org?.per;
+      orgPermissions = claims.org?.per?.split(',').map((permission: string) => permission.trim()) || undefined;
       break;
+    }
     default:
       orgId = claims.org_id;
       orgRole = claims.org_role;

packages/types/src/jwtv2.ts

@@ -160,7 +160,7 @@ export type VersionedJwtPayload =
          *
          * Active organization permissions.
          */
-        per?: OrganizationCustomPermissionKey[];
+        per?: string;
       };
     };