Module: KindeSdk::Client::Roles

Included in:
KindeSdk::Client
Defined in:
lib/kinde_sdk/client/roles.rb

Instance Method Details

#get_roles(options = {}) ⇒ Array

Get all roles for the authenticated user. Matches the JavaScript SDK API: getRoles(options?). Implements smart fallback: uses the API automatically if token claims are empty.

Examples:

# Soft check (from token) with auto-fallback to API if empty
client.get_roles
# => [{ id: "role_123", name: "Admin", key: "admin" }]

# Hard check (from API - always fresh)
client.get_roles(force_api: true)
# => [{ id: "role_123", name: "Admin", key: "admin" }]

Parameters:

  • options (Hash) (defaults to: {})

    Options for retrieving roles

Options Hash (options):

  • :force_api (Boolean) — default: false

    If true, calls the API to get fresh roles; otherwise extracts them from token claims. Falls back to the API automatically if token claims are empty.

  • :token_type (Symbol) — default: :access_token

    The token type to use for soft check (:access_token or :id_token)

Returns:

  • (Array)

    Array of role objects with id, name, and key



# File 'lib/kinde_sdk/client/roles.rb', line 21

def get_roles(options = {})
  # Handle legacy positional argument for backward compatibility
  if options.is_a?(Symbol)
    options = { token_type: options }
  end
  
  # Extract options with defaults - use member variable if not overridden
  force_api = options[:force_api] || @force_api || false
  token_type = options[:token_type] || :access_token

  # Smart fallback logic matching js-utils exactly
  # Check if we have role claims first (efficiency optimization)
  roles_claim = get_claim("roles", token_type)
  
  if force_api || !roles_claim&.dig(:value)&.any?
    # Use API if explicitly requested OR if token claims are empty
    log_info("Using API for roles: force_api=#{force_api}, empty_claims=#{!roles_claim&.dig(:value)&.any?}")
    return get_roles_from_api
  end

  # Use token claims (soft check)
  get_roles_from_token(token_type)
end

#getRoles ⇒ Array

PHP SDK compatible alias for get_roles with hard check. Matches PHP: $client->getRoles()

Returns:

  • (Array)

    Array of role objects



# File 'lib/kinde_sdk/client/roles.rb', line 72

def getRoles
  # Use client's force_api setting, default to true for PHP SDK compatibility
  force_api_setting = @force_api.nil? ? true : @force_api
  get_roles(force_api: force_api_setting)
end

#has_roles?(role_keys, options = {}) ⇒ Boolean Also known as: hasRoles

Check if user has specific roles. Matches JavaScript SDK hasRoles functionality.

Parameters:

  • role_keys (Array<String>, String)

    Array of role keys to check, or single role key

  • options (Hash) (defaults to: {})

    Options for retrieving roles (same as get_roles)

Returns:

  • (Boolean)

    True if user has all specified roles, false otherwise



# File 'lib/kinde_sdk/client/roles.rb', line 51

def has_roles?(role_keys, options = {})
  return true if role_keys.nil? || (role_keys.respond_to?(:empty?) && role_keys.empty?)
  
  begin
    user_roles = get_roles(options)
    role_keys_array = Array(role_keys)
    user_role_keys = user_roles.map { |role| role[:key] || role['key'] }.compact
    
    result = role_keys_array.all? { |role_key| user_role_keys.include?(role_key.to_s) }
    log_debug("Role check for #{role_keys_array}: #{result} (user has: #{user_role_keys})")
    result
  rescue StandardError => e
    log_error("Error checking roles: #{e.message}")
    false
  end
end
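
Two behaviours in the listings above matter when has_roles? gates a sensitive action: a nil or empty role_keys returns true, and the soft check answers from whatever the token still claims. The following is an added example, not code from the Kinde SDK; FakeClient, require_roles!, guard_result and the role data are hypothetical and constructed here, and FakeClient reproduces only the documented branch logic so the snippet runs offline.

```ruby
# Stand-in for KindeSdk::Client (hypothetical): mirrors only the branch logic
# shown in the listings above so the example runs without the SDK or network.
class FakeClient
  def initialize(token_roles:, api_roles:)
    @token_roles = token_roles
    @api_roles = api_roles
  end

  # Soft check reads token claims; hard check (or empty claims) reads the API.
  def get_roles(options = {})
    return @api_roles if options[:force_api] || @token_roles.empty?
    @token_roles
  end

  # An empty requirement is vacuously satisfied, as in the SDK method.
  def has_roles?(role_keys, options = {})
    keys = Array(role_keys)
    return true if keys.empty?
    have = get_roles(options).map { |role| role[:key] }
    keys.all? { |key| have.include?(key.to_s) }
  end
end

class AuthorizationError < StandardError; end

# Hypothetical guard for sensitive actions: refuses an empty requirement and
# always uses the hard check so a revoked role is not honoured from the token.
def require_roles!(client, role_keys)
  keys = Array(role_keys).map(&:to_s).reject(&:empty?)
  raise ArgumentError, "empty role requirement" if keys.empty?
  return true if client.has_roles?(keys, force_api: true)
  raise AuthorizationError, "missing role(s): #{keys.join(', ')}"
end

def guard_result(client, role_keys)
  require_roles!(client, role_keys)
  :allowed
rescue AuthorizationError
  :denied
rescue ArgumentError
  :misconfigured
end

# Constructed data: "admin" was revoked after the token was issued.
ADMIN = { id: "role_123", name: "Admin", key: "admin" }.freeze
STALE = FakeClient.new(token_roles: [ADMIN], api_roles: [])
FRESH = FakeClient.new(token_roles: [ADMIN], api_roles: [ADMIN])
```

With STALE, the soft check still reports the admin role while the hard check and the guard do not; an empty requirement is reported as a configuration error instead of passing.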