Experiment to propagate allowed-groups to clients

madnificent · madnificent · commit 1b1dc625f54e · 2025-12-22T16:19:07.000+01:00
We probably want to have some structure to better filter out quads and better filter out information sent to consumers (also see #26). This experiment allows dropping the access rights used in the request's header. It doesn't allow dropping the mu-session-id though doing so could allow for more involved folding and we see no reason not allow this too. The mu-auth-allowed-groups are still persisted in the delta body. It's not documented to be available there so we could remove it there too. A function can be specified to alter the access rights.
diff --git a/README.md b/README.md
@@ -72,6 +72,7 @@ The exported property contains an array of definitions, each linking a match to
   - `options.ignoreFromSelf`: Don't inform about changes that originated from the microservice to be informed (based on the hostname).
   - `options.retry`: (experimental) How many times the request is sent again on failure.  Defaults to 0. Warning: in case of retries, deltas may be received out of order!
   - `options.retryTimeout`: (experimental) How much time is left in between retries (in ms).  Currently defaults to 250ms.
+  - `options.propagateAllowedGroups`: (experimental) Should we propagate allowed groups to the consumer or should they be dropped?  Defaults to `true` which means propagate, can also be a function which receives the access rights to alter.
 
 ### Modifying quads
 #### Normalize datetime
diff --git a/send-request.js b/send-request.js
@@ -106,8 +106,13 @@ export async function sendRequest(
       "mu-session-id": muSessionId,
     };
 
-    if (changeSets[0].allowedGroups) {
-      headers["MU-AUTH-ALLOWED-GROUPS"] = changeSets[0].allowedGroups;
+    if (changeSets[0].allowedGroups) { // TODO: underspecified with sudo
+      const propagateAllowedGroups = entry.options?.propagateAllowedGroups;
+      if ( propagateAllowedGroups === true || propagateAllowedGroups === undefined) {
+        headers["MU-AUTH-ALLOWED-GROUPS"] = changeSets[0].allowedGroups;
+      } else if ( typeof propagateAllowedGroups === "function" ) {
+        headers["MU-AUTH-ALLOWED-GROUPS"] = propagateAllowedGroups(changeSets[0].allowedGroups);
+      }
     }
 
     let body;
