add support for custom claims and roles

withinboredom · withinboredom · commit 789cc3a6b92c · 2025-07-29T11:01:37.000+02:00
Signed-off-by: Robert Landers &lt;landers.robert@gmail.com&gt;
diff --git a/cli/auth/keys.go b/cli/auth/keys.go
@@ -109,13 +109,20 @@ func ExtractUser(r *http.Request, config *config.Config) (user *User, ok bool) {
 // The token is signed using the active secret key from the config.
 // The token will expire in 72 hours and is valid starting from 5 minutes ago.
 // Returns the signed token string or an error if the signing process fails.
-func CreateUser(userId UserId, role []Role, config *config.Config) (string, error) {
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+func CreateUser(userId UserId, role []Role, claims map[string]string, config *config.Config) (string, error) {
+	claimMap := jwt.MapClaims{
 		"sub":   userId,
 		"exp":   time.Now().Add(72 * time.Hour).Unix(),
-		"iat":   time.Now().Add(-5 * time.Minute).Unix(),
+		"iat":   time.Now(),
+		"nbf":   time.Now().Add(-5 * time.Minute).Unix(),
 		"roles": role,
-	})
+	}
+
+	for k, v := range claims {
+		claimMap[k] = v
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claimMap)
 
 	key, err := getActiveKey(config)
 	if err != nil {
diff --git a/cli/cli.go b/cli/cli.go
@@ -529,6 +529,8 @@ func main() {
 	createUser := cli.NewCommand("create-user", "Create a new user").
 		WithArg(cli.NewArg("id", "The user id to assign to the user").WithType(cli.TypeString)).
 		WithOption(cli.NewOption("admin", "Create the user as an admin").WithType(cli.TypeBool)).
+		WithOption(cli.NewOption("roles", "Create with the roles").WithType(cli.TypeString).WithChar('r')).
+		WithOption(cli.NewOption("claims", "Create with the claims as key:value;key:value").WithType(cli.TypeString).WithChar('c')).
 		WithAction(func(args []string, options map[string]string) int {
 			cfg, err := config.GetProjectConfig()
 			if err != nil {
@@ -540,7 +542,22 @@ func main() {
 				rol = append(rol, "admin")
 			}
 
-			user, err := auth.CreateUser(auth.UserId(args[0]), rol, cfg)
+			roles := strings.Split(options["roles"], ",")
+			for _, role := range roles {
+				rol = append(rol, auth.Role(role))
+			}
+
+			claims := strings.Split(options["claims"], ";")
+			extraClaims := make(map[string]string)
+			for _, claim := range claims {
+				kv := strings.Split(claim, ":")
+				if len(kv) != 2 {
+					panic(fmt.Errorf("invalid claim: %s", claim))
+				}
+				extraClaims[kv[0]] = kv[1]
+			}
+
+			user, err := auth.CreateUser(auth.UserId(args[0]), rol, extraClaims, cfg)
 			if err != nil {
 				return 1
 			}
