feat(portal-bff): extract Entra roles claim onto AuthenticatedUser #126

Merged
julien merged 1 commits from feat/portal-bff-extract-roles-claim into main 2026-05-14 00:30:39 +02:00

1 Commits

Author SHA1 Message Date
Julien Gautier 0e5e6904b5 feat(portal-bff): extract Entra roles claim onto AuthenticatedUser
CI / commits (pull_request) Successful in 2m13s
CI / scan (pull_request) Successful in 2m13s
CI / check (pull_request) Successful in 2m22s
CI / a11y (pull_request) Successful in 2m18s
CI / perf (pull_request) Successful in 5m32s
Adds a `roles: readonly string[]` field to `AuthenticatedUser` and
threads it through `toAuthenticatedUser()`. Entra includes the
`roles` claim in the ID token when the user has at least one app
role assigned on the BFF's app registration; the field flows onto
`session.user` via the existing module-augmentation chain.

No consumer yet — this is the prerequisite for the `AdminRoleGuard`
and `@RequireAdmin()` decorator landing in the next PR per ADR-0020.

Defensive parsing mirrors the `amr` claim: non-array claim → empty
array; non-string entries filtered out. Empty array means "no app
role assigned", not "claim unparseable".

Tests: +4 specs covering claim present, absent, non-array, and
mixed-type entries.
2026-05-14 00:27:29 +02:00