AW-4628 Add role-based security to authguard

projects/common/src/fm/services/auth-guard.service.ts

@@ -24,26 +24,33 @@ export class AuthGuard implements CanActivate, CanLoad, CanActivateChild  {
   canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot): Promise<boolean> {
     let url: string = state.url;
 
-    return this.checkLogin(url);
+    return this.checkLogin(url, route);
   }
 
   canActivateChild(childRoute: ActivatedRouteSnapshot, state: RouterStateSnapshot): Promise<boolean> {
     let url: string = state.url;
 
-    return this.checkLogin(url);
+    return this.checkLogin(url, childRoute);
   }
 
   canLoad(route: Route): Promise<boolean> {
-    return this.checkLogin(route.path);
+    return this.checkLogin(route.path, null);
   }
 
-  checkLogin(url: string): Promise<boolean> {
+  checkLogin(url: string, route: ActivatedRouteSnapshot): Promise<boolean> {
     return new Promise<boolean>((resolve) => {
       if (!this.oauthService.hasValidAccessToken()) {
         console.debug("No valid token");
         this.oauthService.initCodeFlow(url);
         resolve(false);
-      } else {        
+      } else {
+        const requiredRoleClaim = route.data.role;
+        if (!requiredRoleClaim) { resolve(true); }
+        const ownedClaims = this.oauthService.getIdentityClaims();
+        if (!ownedClaims) { resolve(false); }
+        const ownedRoleClaims: string[] = ownedClaims['role'];
+        if (!ownedRoleClaims) { resolve(false); }
+        if (ownedRoleClaims.findIndex(r => r === requiredRoleClaim) <= -1) { resolve(false); }
         resolve(true);
       }
     });

src/app/admin/admin-router.module.ts

@@ -0,0 +1,25 @@
+import { NgModule } from '@angular/core';
+import { RouterModule } from '@angular/router';
+import { AuthGuard } from 'dist/common';
+import { AdminComponent } from './admin.component';
+
+const routes = [   
+  {
+      path: '',
+      component: AdminComponent,
+      canActivate: [AuthGuard],
+      data: {
+        role: 'admin'
+      }   
+  }
+];
+
+@NgModule({
+  imports: [
+      RouterModule.forChild(routes),
+  ],
+  exports: [
+      RouterModule
+  ]
+})
+export class AdminRouterModule { }

src/app/admin/admin.component.ts

@@ -0,0 +1,8 @@
+import { Component } from '@angular/core';
+
+@Component({
+  selector: 'app-test',
+  template: `<h1>Yes! You have access to the admin component.</h1>`
+})
+export class AdminComponent {
+}

src/app/admin/admin.module.ts

@@ -0,0 +1,14 @@
+import { NgModule } from '@angular/core';
+import { AdminRouterModule} from './admin-router.module';
+import { AdminComponent } from './admin.component';
+
+@NgModule({
+  imports: [
+      AdminRouterModule
+  ],
+  declarations: [
+      AdminComponent
+  ]
+})
+  
+export class AdminModule { }

src/app/app-routing.module.ts

@@ -65,6 +65,7 @@ const routes = [
   },
   { path: 'map', loadChildren: () => import('../../projects/common-map/src/public-api').then(m => m.AppCommonMapModule), canActivateChild: [AuthGuard],canActivate: [FullScreenGuard], },
   { path: 'map3d', loadChildren: () => import('./map3d/map3d.module').then(m => m.Map3DModule), canActivateChild: [AuthGuard], canActivate: [FullScreenGuard] },
+  { path: 'admin', loadChildren: () => import('./admin/admin.module').then(m => m.AdminModule), canActivateChild: [AuthGuard], canActivate: [FullScreenGuard], data: { role: 'admin' } },
   {
     path: 'registerdevice/:deviceToken',
     canActivate: [FullScreenGuard],