@delmaredigital/payload-better-auth 0.6.6 → 0.6.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter/collections.js +5 -1
- package/dist/adapter/index.js +4 -1
- package/dist/plugin/index.js +90 -1
- package/package.json +1 -1
|
@@ -166,7 +166,11 @@ function generateCollection(modelKey, table, usePlural, adminGroup, customAccess
|
|
|
166
166
|
continue;
|
|
167
167
|
}
|
|
168
168
|
const fieldName = fieldDef.fieldName ?? fieldKey;
|
|
169
|
-
|
|
169
|
+
// Only treat as a relationship if it references the target's 'id' field.
|
|
170
|
+
// When referencing a non-PK field (e.g., oauthClient.clientId), use a plain
|
|
171
|
+
// text field instead — Payload relationships always FK to 'id', which would
|
|
172
|
+
// cause FK constraint violations for non-PK references.
|
|
173
|
+
const hasReferences = fieldDef.references !== undefined && (!fieldDef.references.field || fieldDef.references.field === 'id');
|
|
170
174
|
const fieldType = mapFieldType(fieldDef.type, fieldKey, hasReferences);
|
|
171
175
|
if (fieldType === 'relationship') {
|
|
172
176
|
// Use schema reference if available, otherwise infer from field name
|
package/dist/adapter/index.js
CHANGED
|
@@ -218,9 +218,12 @@
|
|
|
218
218
|
adapter: ({ schema, getModelName, debugLog })=>{
|
|
219
219
|
// Set fieldName on reference fields so the factory maps userId→user, etc.
|
|
220
220
|
// Payload uses relationship fields without the Id suffix.
|
|
221
|
+
// Only do this for references to 'id' (primary key). Non-PK references
|
|
222
|
+
// (e.g., oauthRefreshToken.clientId → oauthClient.clientId) stay as plain
|
|
223
|
+
// text fields and should keep their original name.
|
|
221
224
|
for (const table of Object.values(schema)){
|
|
222
225
|
for (const [fieldKey, fieldDef] of Object.entries(table.fields)){
|
|
223
|
-
if (fieldDef.references) {
|
|
226
|
+
if (fieldDef.references && (!fieldDef.references.field || fieldDef.references.field === 'id')) {
|
|
224
227
|
const stripped = fieldKey.replace(/(_id|Id)$/, '');
|
|
225
228
|
if (stripped !== fieldKey) fieldDef.fieldName = stripped;
|
|
226
229
|
}
|
package/dist/plugin/index.js
CHANGED
|
@@ -638,7 +638,96 @@ let apiKeyPermissionsConfig = undefined;
|
|
|
638
638
|
}
|
|
639
639
|
}
|
|
640
640
|
} catch {
|
|
641
|
-
|
|
641
|
+
// JWT verification failed — try opaque token lookup
|
|
642
|
+
// Refreshed OAuth tokens are opaque (not JWTs) and stored in the DB
|
|
643
|
+
try {
|
|
644
|
+
const adapter = auth.options?.adapter;
|
|
645
|
+
if (adapter?.findOne) {
|
|
646
|
+
// Hash the token the same way Better Auth stores it (SHA-256 base64url)
|
|
647
|
+
const { createHash } = await import('crypto');
|
|
648
|
+
const hashedToken = createHash('sha256').update(token).digest('base64url');
|
|
649
|
+
const accessTokenRecord = await adapter.findOne({
|
|
650
|
+
model: 'oauthAccessToken',
|
|
651
|
+
where: [
|
|
652
|
+
{
|
|
653
|
+
field: 'token',
|
|
654
|
+
value: hashedToken
|
|
655
|
+
}
|
|
656
|
+
]
|
|
657
|
+
});
|
|
658
|
+
if (accessTokenRecord && accessTokenRecord.userId) {
|
|
659
|
+
// Check expiry
|
|
660
|
+
const expiresAt = accessTokenRecord.expiresAt instanceof Date ? accessTokenRecord.expiresAt : new Date(accessTokenRecord.expiresAt);
|
|
661
|
+
if (expiresAt < new Date()) {
|
|
662
|
+
// Token expired
|
|
663
|
+
} else {
|
|
664
|
+
const userId = accessTokenRecord.userId;
|
|
665
|
+
const users = await payload.find({
|
|
666
|
+
collection: usersCollection,
|
|
667
|
+
where: {
|
|
668
|
+
id: {
|
|
669
|
+
equals: userId
|
|
670
|
+
}
|
|
671
|
+
},
|
|
672
|
+
limit: 1,
|
|
673
|
+
depth: 0
|
|
674
|
+
});
|
|
675
|
+
if (users.docs.length > 0) {
|
|
676
|
+
const scopes = Array.isArray(accessTokenRecord.scopes) ? accessTokenRecord.scopes : [];
|
|
677
|
+
const referenceId = accessTokenRecord.referenceId;
|
|
678
|
+
// Look up org role if referenceId (org ID) is present
|
|
679
|
+
let orgRole;
|
|
680
|
+
if (referenceId) {
|
|
681
|
+
try {
|
|
682
|
+
const memberships = await payload.find({
|
|
683
|
+
collection: membersCollection,
|
|
684
|
+
where: {
|
|
685
|
+
and: [
|
|
686
|
+
{
|
|
687
|
+
user: {
|
|
688
|
+
equals: userId
|
|
689
|
+
}
|
|
690
|
+
},
|
|
691
|
+
{
|
|
692
|
+
organization: {
|
|
693
|
+
equals: referenceId
|
|
694
|
+
}
|
|
695
|
+
}
|
|
696
|
+
]
|
|
697
|
+
},
|
|
698
|
+
limit: 1,
|
|
699
|
+
depth: 0
|
|
700
|
+
});
|
|
701
|
+
if (memberships.docs.length > 0) {
|
|
702
|
+
orgRole = memberships.docs[0].role;
|
|
703
|
+
}
|
|
704
|
+
} catch {
|
|
705
|
+
// Members collection might not exist
|
|
706
|
+
}
|
|
707
|
+
}
|
|
708
|
+
const userDoc = users.docs[0];
|
|
709
|
+
return {
|
|
710
|
+
user: {
|
|
711
|
+
...userDoc,
|
|
712
|
+
id: userDoc.id,
|
|
713
|
+
oauthScopes: scopes,
|
|
714
|
+
collection: usersCollection,
|
|
715
|
+
_strategy: 'better-auth',
|
|
716
|
+
...referenceId ? {
|
|
717
|
+
activeOrganizationId: referenceId
|
|
718
|
+
} : {},
|
|
719
|
+
...orgRole ? {
|
|
720
|
+
organizationRole: orgRole
|
|
721
|
+
} : {}
|
|
722
|
+
}
|
|
723
|
+
};
|
|
724
|
+
}
|
|
725
|
+
}
|
|
726
|
+
}
|
|
727
|
+
}
|
|
728
|
+
} catch {
|
|
729
|
+
// Opaque token lookup also failed — continue to return null
|
|
730
|
+
}
|
|
642
731
|
}
|
|
643
732
|
}
|
|
644
733
|
return {
|