Files
arcadia-cloud/lib/arcadia_cloud/guardian.ex
Giuliano Silvestro c10b847324 Fix operator role gate: platform-admin (hyphen), not platform_admin
arcadia-app issues the role slug "platform-admin" (hyphen) — confirmed
from a live arcadia-dev JWT (roles: ["admin","platform-admin"]). Every
authorization check here tested for "platform_admin" (underscore), so
real operator tokens got 403 on billing / dashboard / drift and an
empty tenant-scoped result on inventory.

The smoke tests missed it because Guardian.mint_dev_token hardcoded the
underscore form — fixed there too, so the dev helper now matches what
arcadia-app actually emits.

Replaced the string literal "platform_admin" -> "platform-admin" in all
six controllers + guardian.ex. The platform_admin?/1 function names keep
underscores (Elixir identifiers can't contain hyphens) — only the role
string changed.

Verified: with a platform-admin token, /inventory, /billing/balance,
/dashboard/margin and /drift all return 200.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 18:17:13 +10:00

64 lines
1.8 KiB
Elixir

defmodule ArcadiaCloud.Guardian do
@moduledoc """
Verify-only Guardian implementation.
arcadia-cloud never issues tokens — that is arcadia-app's job. We only
decode and verify tokens minted by `Arcadia.Guardian`, then expose the
claims as a lightweight identity struct.
Token contract (set by arcadia-app):
sub => "<user_id>:<tenant_id>"
tenant_id => UUID string
tenant_slug => string
email => string
roles => [string]
"""
use Guardian, otp_app: :arcadia_cloud
def subject_for_token(%{"sub" => sub}, _claims) when is_binary(sub), do: {:ok, sub}
def subject_for_token(_resource, _claims), do: {:error, :not_token_issuer}
def resource_from_claims(claims) when is_map(claims) do
{user_id, tenant_id_from_sub} = parse_subject(claims["sub"])
{:ok,
%{
user_id: user_id,
tenant_id: claims["tenant_id"] || tenant_id_from_sub,
tenant_slug: claims["tenant_slug"],
email: claims["email"],
roles: claims["roles"] || []
}}
end
def resource_from_claims(_), do: {:error, :invalid_claims}
@doc """
Dev/test helper: mint a JWT using the local secret. Production tokens
are minted by arcadia-app.
"""
def mint_dev_token(claims_overrides \\ %{}) do
defaults = %{
"sub" => "user-dev:tenant-dev",
"tenant_id" => "tenant-dev",
"tenant_slug" => "dev",
"email" => "dev@example.com",
"roles" => ["platform-admin"]
}
claims = Map.merge(defaults, claims_overrides)
{:ok, token, _claims} = encode_and_sign(claims, claims, token_type: :access)
{:ok, token}
end
defp parse_subject(nil), do: {nil, nil}
defp parse_subject(subject) when is_binary(subject) do
case String.split(subject, ":", parts: 2) do
[user_id, tenant_id] -> {user_id, tenant_id}
[user_id] -> {user_id, nil}
end
end
end