refactor(access-control): Remove legacy role aliases and normalize role handling

Author: jirhiker

src/providers/authentik-provider.ts

@@ -46,13 +46,11 @@ export interface AuthentikIdentity {
 
 export type AuthentikPermissions = string[]
 const TEST_AUTH_GROUPS: AuthentikPermissions = [
-  'Viewer',
-  'Editor',
-  'AMPViewer',
-  'AMPEditor',
-  'LexiconEditor',
-  'LexiconAdmin',
-  'OcotilloAdmin',
+  'AMP.Viewer',
+  'AMP.Editor',
+  'AMP.Admin',
+  'Geothermal.Viewer',
+  'Geothermal.Editor',
 ]
 const PKCE_LOCAL_FALLBACK_TTL_MS = 5 * 60 * 1000
 

src/test/providers/authentik-provider.access-control.test.ts

@@ -51,12 +51,13 @@ describe('authentik provider access-control normalization', () => {
 
   it('normalizes token groups from the ID token when testing auth is disabled', async () => {
     vi.doMock('@/config', async () => {
-      const actual = await vi.importActual<typeof import('@/config')>('@/config')
+      const actual =
+        await vi.importActual<typeof import('@/config')>('@/config')
       return { ...actual, IS_TESTING_AUTH: false }
     })
     vi.doMock('jwt-decode', () => ({
       jwtDecode: vi.fn().mockReturnValue({
-        groups: ['Viewer', 'Geothermal.Editor', 'OcotilloAdmin'],
+        groups: ['AMP.Viewer', 'Geothermal.Editor', 'AMP.Admin'],
       }),
     }))
     vi.doUnmock('@/providers/authentik-provider')
@@ -79,7 +80,8 @@ describe('authentik provider access-control normalization', () => {
 
   it('returns null when there is no ID token', async () => {
     vi.doMock('@/config', async () => {
-      const actual = await vi.importActual<typeof import('@/config')>('@/config')
+      const actual =
+        await vi.importActual<typeof import('@/config')>('@/config')
       return { ...actual, IS_TESTING_AUTH: false }
     })
     vi.doMock('jwt-decode', () => ({

src/test/utils/accessControl.test.ts

@@ -24,10 +24,15 @@ const actions: Action[] = ['list', 'show']
 const isRoutableResource = (
   resource: (typeof resources)[number]
 ): resource is ResourceWithRoutes =>
-  'list' in resource || 'show' in resource || 'edit' in resource || 'create' in resource
+  'list' in resource ||
+  'show' in resource ||
+  'edit' in resource ||
+  'create' in resource
 
 const routableResources = resources.filter(isRoutableResource)
-const routableResourceNames = routableResources.map((resource) => resource.name).sort()
+const routableResourceNames = routableResources
+  .map((resource) => resource.name)
+  .sort()
 const expectedRegisteredRoutableResources = [
   'ocotillo.collections',
   'ocotillo.contact',
@@ -219,23 +224,13 @@ const specialResourceExpectations: Array<{
 ]
 
 describe('accessControl helpers', () => {
-  it('normalizes legacy aliases and expands role hierarchies', () => {
-    expect(normalizeAccessControlGroups(['Viewer'])).toEqual(['AMP.Viewer'])
-    expect(normalizeAccessControlGroups(['Editor'])).toEqual([
+  it('normalizes canonical roles and expands hierarchies', () => {
+    expect(normalizeAccessControlGroups(['AMP.Viewer'])).toEqual(['AMP.Viewer'])
+    expect(normalizeAccessControlGroups(['AMP.Editor'])).toEqual([
       'AMP.Viewer',
       'AMP.Editor',
     ])
-    expect(normalizeAccessControlGroups(['Admin'])).toEqual([
-      'AMP.Viewer',
-      'AMP.Editor',
-      'AMP.Admin',
-    ])
-    expect(normalizeAccessControlGroups(['AMPViewer'])).toEqual(['AMP.Viewer'])
-    expect(normalizeAccessControlGroups(['AMPEditor'])).toEqual([
-      'AMP.Viewer',
-      'AMP.Editor',
-    ])
-    expect(normalizeAccessControlGroups(['OcotilloAdmin'])).toEqual([
+    expect(normalizeAccessControlGroups(['AMP.Admin'])).toEqual([
       'AMP.Viewer',
       'AMP.Editor',
       'AMP.Admin',
@@ -246,12 +241,8 @@ describe('accessControl helpers', () => {
       'Geothermal.Admin',
     ])
     expect(
-      normalizeAccessControlGroups(['Viewer', 'Geothermal.Editor'])
-    ).toEqual([
-      'AMP.Viewer',
-      'Geothermal.Viewer',
-      'Geothermal.Editor',
-    ])
+      normalizeAccessControlGroups(['AMP.Viewer', 'Geothermal.Editor'])
+    ).toEqual(['AMP.Viewer', 'Geothermal.Viewer', 'Geothermal.Editor'])
   })
 
   it('derives capability flags from normalized roles', () => {
@@ -294,22 +285,22 @@ describe('accessControl helpers', () => {
       canViewLexicon: true,
     })
 
-    expect(getAccessCapabilities(['AMP.Admin', 'Geothermal.Editor'])).toMatchObject(
-      {
-        roles: [
-          'AMP.Viewer',
-          'AMP.Editor',
-          'AMP.Admin',
-          'Geothermal.Viewer',
-          'Geothermal.Editor',
-        ],
-        primaryRole: 'Geothermal.Editor',
-        canManageAmp: true,
-        canViewUnfinished: true,
-        canEditGeothermal: true,
-        canManageGeothermal: false,
-      }
-    )
+    expect(
+      getAccessCapabilities(['AMP.Admin', 'Geothermal.Editor'])
+    ).toMatchObject({
+      roles: [
+        'AMP.Viewer',
+        'AMP.Editor',
+        'AMP.Admin',
+        'Geothermal.Viewer',
+        'Geothermal.Editor',
+      ],
+      primaryRole: 'Geothermal.Editor',
+      canManageAmp: true,
+      canViewUnfinished: true,
+      canEditGeothermal: true,
+      canManageGeothermal: false,
+    })
   })
 })
 

src/utils/accessControl.ts

@@ -12,24 +12,6 @@ export type GeothermalRole =
   | 'Geothermal.Admin'
 export type PortalRole = AmpRole | GeothermalRole
 
-// Temporary compatibility shim for pre-v1 Authentik group names.
-// Remove these legacy aliases before the v1 release once all users/groups
-// have been migrated to AMP.Viewer / AMP.Editor / AMP.Admin.
-const legacyRoleMap: Record<string, PortalRole> = {
-  Viewer: 'AMP.Viewer',
-  Editor: 'AMP.Editor',
-  Admin: 'AMP.Admin',
-  AMPViewer: 'AMP.Viewer',
-  AMPEditor: 'AMP.Editor',
-  OcotilloAdmin: 'AMP.Admin',
-  'AMP.Viewer': 'AMP.Viewer',
-  'AMP.Editor': 'AMP.Editor',
-  'AMP.Admin': 'AMP.Admin',
-  'Geothermal.Viewer': 'Geothermal.Viewer',
-  'Geothermal.Editor': 'Geothermal.Editor',
-  'Geothermal.Admin': 'Geothermal.Admin',
-}
-
 const roleOrder: PortalRole[] = [
   'AMP.Viewer',
   'AMP.Editor',
@@ -148,9 +130,8 @@ export const normalizeAccessControlGroups = (
   const normalized = new Set<PortalRole>()
 
   for (const group of groups ?? []) {
-    const mapped = legacyRoleMap[group]
-    if (mapped) {
-      normalized.add(mapped)
+    if (roleOrder.includes(group as PortalRole)) {
+      normalized.add(group as PortalRole)
     }
   }