Merge branch 'development-before-sso' of https://gitlab.com/mbugroup/lti-api into refactor-to-serve/with-middleware

internal/modules/sso/controllers/sso.controller.go

@@ -211,7 +211,6 @@ func (h *Controller) Callback(c *fiber.Ctx) error {
 		return fiber.NewError(fiber.StatusBadGateway, "missing access token")
 	}
 
-	fmt.Println(tokenResp.AccessToken)
 	verification, err := sso.VerifyAccessToken(tokenResp.AccessToken)
 	if err != nil {
 		utils.Log.Errorf("access token verification failed: %v", err)
@@ -308,6 +307,13 @@ func (h *Controller) UserInfo(c *fiber.Ctx) error {
 		return fiber.NewError(fiber.StatusBadGateway, "invalid user profile response")
 	}
 
+	// if sanitized, perms, ok := sanitizeUserInfoPayload(body); ok {
+	// 	if caps := capabilities.FromPermissions(perms); len(caps) > 0 {
+	// 		injectCapabilities(sanitized, caps)
+	// 	}
+	// 	return c.Status(resp.StatusCode).JSON(sanitized)
+	// }
+
 	if ct := resp.Header.Get("Content-Type"); ct != "" {
 		c.Set("Content-Type", ct)
 	} else {
@@ -545,6 +551,99 @@ func normalizeClientParam(raw string) string {
 	return strings.ToLower(value)
 }
 
+func sanitizeUserInfoPayload(body []byte) (map[string]any, []string, bool) {
+	if len(body) == 0 {
+		return map[string]any{}, nil, true
+	}
+
+	var payload any
+	if err := json.Unmarshal(body, &payload); err != nil {
+		return nil, nil, false
+	}
+
+	perms := collectPermissionNames(payload)
+
+	sensitive := map[string]struct{}{
+		"roles":       {},
+		"permissions": {},
+	}
+	payload = scrubSensitiveKeys(payload, sensitive)
+
+	sanitized, ok := payload.(map[string]any)
+	if !ok {
+		sanitized = map[string]any{"data": payload}
+	}
+
+	return sanitized, perms, true
+}
+
+func scrubSensitiveKeys(value any, sensitive map[string]struct{}) any {
+	switch v := value.(type) {
+	case map[string]any:
+		for key, val := range v {
+			if _, ok := sensitive[strings.ToLower(key)]; ok {
+				delete(v, key)
+				continue
+			}
+			v[key] = scrubSensitiveKeys(val, sensitive)
+		}
+		return v
+	case []any:
+		for i, item := range v {
+			v[i] = scrubSensitiveKeys(item, sensitive)
+		}
+		return v
+	default:
+		return value
+	}
+}
+
+func collectPermissionNames(value any) []string {
+	names := make(map[string]struct{})
+	collectPermissionRec(value, names)
+	out := make([]string, 0, len(names))
+	for name := range names {
+		out = append(out, name)
+	}
+	return out
+}
+
+func collectPermissionRec(value any, acc map[string]struct{}) {
+	switch v := value.(type) {
+	case map[string]any:
+		for key, val := range v {
+			if strings.EqualFold(key, "permissions") {
+				if arr, ok := val.([]any); ok {
+					for _, item := range arr {
+						if perm, ok := item.(map[string]any); ok {
+							if name, ok := perm["name"].(string); ok && strings.TrimSpace(name) != "" {
+								acc[strings.ToLower(strings.TrimSpace(name))] = struct{}{}
+							}
+						}
+					}
+				}
+			} else {
+				collectPermissionRec(val, acc)
+			}
+		}
+	case []any:
+		for _, item := range v {
+			collectPermissionRec(item, acc)
+		}
+	}
+}
+
+func injectCapabilities(payload map[string]any, caps map[string]bool) {
+	if len(caps) == 0 {
+		return
+	}
+	if data, ok := payload["data"].(map[string]any); ok {
+		data["capabilities"] = caps
+		return
+	}
+	payload["capabilities"] = caps
+}
+
 func findSSOClientConfig(requestedAlias string) (string, config.SSOClientConfig, bool) {
 	if requestedAlias == "" {
 		return "", config.SSOClientConfig{}, false