Allow array values in claim checks

OQCDoe · OQCDoe · commit d3d6e8fbba89 · 2025-09-02T13:48:16.000+02:00
diff --git a/backend/src/lib/template/dot-access.ts b/backend/src/lib/template/dot-access.ts
@@ -4,8 +4,8 @@
 export const getValueByDot = (
   obj: Record<string, unknown> | null | undefined,
   path: string,
-  defaultValue?: string | number | boolean
-): string | number | boolean | undefined => {
+  defaultValue?: string | number | boolean | string[]
+): string | number | boolean | string[] | undefined => {
   // Handle null or undefined input
   if (!obj) {
     return defaultValue;
@@ -26,7 +26,12 @@ export const getValueByDot = (
     current = (current as Record<string, unknown>)[part];
   }
 
-  if (typeof current !== "string" && typeof current !== "number" && typeof current !== "boolean") {
+  if (
+    typeof current !== "string" &&
+    typeof current !== "number" &&
+    typeof current !== "boolean" &&
+    !Array.isArray(current)
+  ) {
     return defaultValue;
   }
 
diff --git a/backend/src/services/identity-oidc-auth/identity-oidc-auth-fns.ts b/backend/src/services/identity-oidc-auth/identity-oidc-auth-fns.ts
@@ -1,6 +1,6 @@
 import picomatch from "picomatch";
 
-export const doesFieldValueMatchOidcPolicy = (fieldValue: string | number | boolean, policyValue: string) => {
+export const doesFieldValueMatchOidcPolicy = (fieldValue: string | number | boolean | string[], policyValue: string) => {
   if (typeof fieldValue === "boolean") {
     return fieldValue === (policyValue === "true");
   }
@@ -9,6 +9,10 @@ export const doesFieldValueMatchOidcPolicy = (fieldValue: string | number | bool
     return fieldValue === parseInt(policyValue, 10);
   }
 
+  if (Array.isArray(fieldValue)) {
+    return fieldValue.some((entry) => entry === policyValue || picomatch.isMatch(entry, policyValue));
+  }
+
   return policyValue === fieldValue || picomatch.isMatch(fieldValue, policyValue);
 };
 
