import { inject, Injectable, Signal } from '@angular/core'; import { toSignal } from '@angular/core/rxjs-interop'; import { OidcSecurityService } from 'angular-auth-oidc-client'; import { map } from 'rxjs'; import { AuthService } from './auth.service'; /** The subset of the medewerker token the portal reads: Keycloak nests realm roles here. */ interface MedewerkerClaims { realm_access?: { roles?: string[] }; } /** Medewerker-backed AuthService over angular-auth-oidc-client (Keycloak `medewerker` realm). */ @Injectable() export class MedewerkerAuthService extends AuthService { private readonly oidc = inject(OidcSecurityService); readonly isAuthenticated: Signal = toSignal( this.oidc.isAuthenticated$.pipe(map((result) => result.isAuthenticated)), { initialValue: false }, ); // Staff have no BSN; the abstract surface keeps this present for the shared guard/interceptor. readonly bsn: Signal = toSignal(this.oidc.userData$.pipe(map(() => undefined)), { initialValue: undefined, }); override readonly roles: Signal = toSignal( this.oidc.userData$.pipe( map((data) => (data.userData as MedewerkerClaims | null)?.realm_access?.roles ?? []), ), { initialValue: [] }, ); override login(): void { this.oidc.authorize(); } override logout(): void { this.oidc.logoff().subscribe(); } }