@delmaredigital/payload-better-auth 0.6.7 → 0.6.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/plugin/index.js +90 -1
- package/package.json +1 -1
package/dist/plugin/index.js
CHANGED
|
@@ -638,7 +638,96 @@ let apiKeyPermissionsConfig = undefined;
|
|
|
638
638
|
}
|
|
639
639
|
}
|
|
640
640
|
} catch {
|
|
641
|
-
|
|
641
|
+
// JWT verification failed — try opaque token lookup
|
|
642
|
+
// Refreshed OAuth tokens are opaque (not JWTs) and stored in the DB
|
|
643
|
+
try {
|
|
644
|
+
const adapter = auth.options?.adapter;
|
|
645
|
+
if (adapter?.findOne) {
|
|
646
|
+
// Hash the token the same way Better Auth stores it (SHA-256 base64url)
|
|
647
|
+
const { createHash } = await import('crypto');
|
|
648
|
+
const hashedToken = createHash('sha256').update(token).digest('base64url');
|
|
649
|
+
const accessTokenRecord = await adapter.findOne({
|
|
650
|
+
model: 'oauthAccessToken',
|
|
651
|
+
where: [
|
|
652
|
+
{
|
|
653
|
+
field: 'token',
|
|
654
|
+
value: hashedToken
|
|
655
|
+
}
|
|
656
|
+
]
|
|
657
|
+
});
|
|
658
|
+
if (accessTokenRecord && accessTokenRecord.userId) {
|
|
659
|
+
// Check expiry
|
|
660
|
+
const expiresAt = accessTokenRecord.expiresAt instanceof Date ? accessTokenRecord.expiresAt : new Date(accessTokenRecord.expiresAt);
|
|
661
|
+
if (expiresAt < new Date()) {
|
|
662
|
+
// Token expired
|
|
663
|
+
} else {
|
|
664
|
+
const userId = accessTokenRecord.userId;
|
|
665
|
+
const users = await payload.find({
|
|
666
|
+
collection: usersCollection,
|
|
667
|
+
where: {
|
|
668
|
+
id: {
|
|
669
|
+
equals: userId
|
|
670
|
+
}
|
|
671
|
+
},
|
|
672
|
+
limit: 1,
|
|
673
|
+
depth: 0
|
|
674
|
+
});
|
|
675
|
+
if (users.docs.length > 0) {
|
|
676
|
+
const scopes = Array.isArray(accessTokenRecord.scopes) ? accessTokenRecord.scopes : [];
|
|
677
|
+
const referenceId = accessTokenRecord.referenceId;
|
|
678
|
+
// Look up org role if referenceId (org ID) is present
|
|
679
|
+
let orgRole;
|
|
680
|
+
if (referenceId) {
|
|
681
|
+
try {
|
|
682
|
+
const memberships = await payload.find({
|
|
683
|
+
collection: membersCollection,
|
|
684
|
+
where: {
|
|
685
|
+
and: [
|
|
686
|
+
{
|
|
687
|
+
user: {
|
|
688
|
+
equals: userId
|
|
689
|
+
}
|
|
690
|
+
},
|
|
691
|
+
{
|
|
692
|
+
organization: {
|
|
693
|
+
equals: referenceId
|
|
694
|
+
}
|
|
695
|
+
}
|
|
696
|
+
]
|
|
697
|
+
},
|
|
698
|
+
limit: 1,
|
|
699
|
+
depth: 0
|
|
700
|
+
});
|
|
701
|
+
if (memberships.docs.length > 0) {
|
|
702
|
+
orgRole = memberships.docs[0].role;
|
|
703
|
+
}
|
|
704
|
+
} catch {
|
|
705
|
+
// Members collection might not exist
|
|
706
|
+
}
|
|
707
|
+
}
|
|
708
|
+
const userDoc = users.docs[0];
|
|
709
|
+
return {
|
|
710
|
+
user: {
|
|
711
|
+
...userDoc,
|
|
712
|
+
id: userDoc.id,
|
|
713
|
+
oauthScopes: scopes,
|
|
714
|
+
collection: usersCollection,
|
|
715
|
+
_strategy: 'better-auth',
|
|
716
|
+
...referenceId ? {
|
|
717
|
+
activeOrganizationId: referenceId
|
|
718
|
+
} : {},
|
|
719
|
+
...orgRole ? {
|
|
720
|
+
organizationRole: orgRole
|
|
721
|
+
} : {}
|
|
722
|
+
}
|
|
723
|
+
};
|
|
724
|
+
}
|
|
725
|
+
}
|
|
726
|
+
}
|
|
727
|
+
}
|
|
728
|
+
} catch {
|
|
729
|
+
// Opaque token lookup also failed — continue to return null
|
|
730
|
+
}
|
|
642
731
|
}
|
|
643
732
|
}
|
|
644
733
|
return {
|