keycloak · jseparovic · Mar 7, 2022
diff --git a/keycloak.d.ts b/keycloak.d.ts
@@ -192,7 +192,7 @@ declare namespace KeycloakConnect {
     isExpired(): boolean
   }
 
-  type GuardFn = (accessToken: Token, req: express.Request, res: express.Response) => boolean
+  type GuardFn = (accessToken: Token, req: express.Request, res: express.Response) => boolean|Promise<boolean>
 
   interface EnforcerOptions {
     response_mode?: string,

diff --git a/middleware/protect.js b/middleware/protect.js
@@ -50,11 +50,21 @@ module.exports = function (keycloak, spec) {
 
   return function protect (request, response, next) {
     if (request.kauth && request.kauth.grant) {
-      if (!guard || guard(request.kauth.grant.access_token, request, response)) {
-        return next();
+      const guardedResponse = guard && guard(request.kauth.grant.access_token, request, response);
+      if (guardedResponse instanceof Promise) {
+        return guardedResponse
+            .then(function (authorized) {
+              return authorized ? next() : keycloak.accessDenied(request, response, next);
+            })
+            .catch(function () {
+              return keycloak.accessDenied(request, response, next);
+            });
+      } else {
+        if (!guard || guardedResponse) {
+          return next();
+        }
+        return keycloak.accessDenied(request, response, next);
       }
-
-      return keycloak.accessDenied(request, response, next);
     }
 
     if (keycloak.redirectToLogin(request)) {