fix(shared): Reverse permissions array on parsePermissions to match bitmask correctly (#5622)

Author: panteliselef

.changeset/fluffy-teeth-decide.md

@@ -2,4 +2,4 @@
 '@clerk/shared': patch
 ---
 
-Bug fix: Remove padding when parsing permissions from the JWT v2 format.
+Bug fix: Reverse permissions array on `parsePermissions` to match bitmask correctly.

packages/backend/src/tokens/__tests__/authObjects.test.ts

@@ -117,8 +117,8 @@ describe('signedInAuthObject', () => {
 
       const authObject = signedInAuthObject(mockAuthenticateContext, 'token', partialJwtPayload as JwtPayload);
 
-      expect(authObject.has({ permission: 'org:reservations:read' })).toBe(true);
-      expect(authObject.has({ permission: 'org:reservations:manage' })).toBe(false);
+      expect(authObject.has({ permission: 'org:reservations:read' })).toBe(false);
+      expect(authObject.has({ permission: 'org:reservations:manage' })).toBe(true);
 
       expect(authObject.has({ permission: 'org:support-chat:read' })).toBe(true);
       expect(authObject.has({ permission: 'org:support-chat:manage' })).toBe(true);

packages/clerk-js/bundlewatch.config.json

@@ -1,7 +1,7 @@
 {
   "files": [
     { "path": "./dist/clerk.js", "maxSize": "590kB" },
-    { "path": "./dist/clerk.browser.js", "maxSize": "73.69KB" },
+    { "path": "./dist/clerk.browser.js", "maxSize": "73.75KB" },
     { "path": "./dist/clerk.headless*.js", "maxSize": "55KB" },
     { "path": "./dist/ui-common*.js", "maxSize": "99KB" },
     { "path": "./dist/vendors*.js", "maxSize": "36KB" },

packages/shared/src/__tests__/jwtPayloadParser.test.ts

@@ -38,7 +38,7 @@ describe('JWTPayloadToAuthObjectProperties', () => {
       o: {
         id: 'org_xxxxxxx',
         rol: 'admin',
-        slg: '/test',
+        slg: 'org_test',
         per: 'read,manage',
         fpm: '3',
       },
@@ -48,32 +48,8 @@ describe('JWTPayloadToAuthObjectProperties', () => {
       ...baseClaims,
       org_id: 'org_xxxxxxx',
       org_role: 'org:admin',
-      org_slug: '/test',
-      org_permissions: ['org:impersonation:read', 'org:impersonation:manage'],
-    });
-    expect(signedInAuthObjectV1).toEqual(signedInAuthObjectV2);
-  });
-
-  test('produced auth object is the same for v1 and v2', () => {
-    const { sessionClaims: v2Claims, ...signedInAuthObjectV2 } = JWTPayloadToAuthObjectProperties({
-      ...baseClaims,
-      v: 2,
-      fea: 'o:impersonation',
-      o: {
-        id: 'org_xxxxxxx',
-        rol: 'admin',
-        slg: '/test',
-        per: 'read,manage',
-        fpm: '3',
-      },
-    });
-
-    const { sessionClaims: v1Claims, ...signedInAuthObjectV1 } = JWTPayloadToAuthObjectProperties({
-      ...baseClaims,
-      org_id: 'org_xxxxxxx',
-      org_role: 'org:admin',
-      org_slug: '/test',
-      org_permissions: ['org:impersonation:read', 'org:impersonation:manage'],
+      org_slug: 'org_test',
+      org_permissions: ['org:impersonation:manage', 'org:impersonation:read'],
     });
     expect(signedInAuthObjectV1).toEqual(signedInAuthObjectV2);
   });
@@ -86,9 +62,9 @@ describe('JWTPayloadToAuthObjectProperties', () => {
       o: {
         id: 'org_xxxxxxx',
         rol: 'admin',
-        slg: '/test',
+        slg: 'org_test',
         per: 'read,manage',
-        fpm: '2,3',
+        fpm: '1,3',
       },
     });
 
@@ -107,7 +83,7 @@ describe('JWTPayloadToAuthObjectProperties', () => {
         rol: 'admin',
         slg: 'org_slug',
         per: 'read,manage',
-        fpm: '2,3',
+        fpm: '1,3',
       },
     });
 
@@ -126,7 +102,7 @@ describe('JWTPayloadToAuthObjectProperties', () => {
         rol: 'admin',
         slg: 'org_slug',
         per: 'read,manage',
-        fpm: '2,3,2',
+        fpm: '1,3,1',
       },
     });
 
@@ -238,6 +214,51 @@ describe('JWTPayloadToAuthObjectProperties', () => {
       ].sort(),
     );
   });
+
+  test('org permissions are constructed correctly case 4', () => {
+    const { sessionClaims: v2Claims, ...signedInAuthObject } = JWTPayloadToAuthObjectProperties({
+      ...baseClaims,
+      v: 2,
+      fea: 'o:repositories,o:projects,o:webhooks,o:impersonation',
+      o: {
+        id: 'org_id',
+        rol: 'admin',
+        slg: 'org_slug',
+        per: 'read,manage',
+        fpm: '1,2,3',
+      },
+    });
+
+    expect(signedInAuthObject.orgPermissions?.sort()).toEqual(
+      ['org:repositories:read', 'org:projects:manage', 'org:webhooks:read', 'org:webhooks:manage'].sort(),
+    );
+  });
+
+  test('org permissions are constructed correctly case 5', () => {
+    const { sessionClaims: v2Claims, ...signedInAuthObject } = JWTPayloadToAuthObjectProperties({
+      ...baseClaims,
+      v: 2,
+      fea: 'o:repositories,uo:projects,u:goldprofileborder',
+      o: {
+        id: 'org_id',
+        rol: 'admin',
+        slg: 'org_slug',
+        per: 'read,create,update,delete,revoke',
+        fpm: '7,21',
+      },
+    });
+
+    expect(signedInAuthObject.orgPermissions?.sort()).toEqual(
+      [
+        'org:repositories:read',
+        'org:repositories:create',
+        'org:repositories:update',
+        'org:projects:read',
+        'org:projects:update',
+        'org:projects:revoke',
+      ].sort(),
+    );
+  });
 });
 
 describe('splitByScope ', () => {

packages/shared/src/jwtPayloadParser.ts

@@ -12,7 +12,10 @@ export const parsePermissions = ({ per, fpm }: { per?: string; fpm?: string }) =
     return { permissions: [], featurePermissionMap: [] };
   }
 
-  const permissions = per.split(',').map(p => p.trim());
+  const permissions = per
+    .split(',')
+    .map(p => p.trim())
+    .reverse();
 
   // TODO: make this more efficient
   const featurePermissionMap = fpm
@@ -21,6 +24,7 @@ export const parsePermissions = ({ per, fpm }: { per?: string; fpm?: string }) =
     .map((permission: number) =>
       permission
         .toString(2)
+        .padStart(permissions.length, '0')
         .split('')
         .map(bit => Number.parseInt(bit, 10)),
     )