@delmaredigital/payload-better-auth 0.6.8 → 0.6.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/plugin/index.js +3 -90
- package/package.json +1 -1
package/dist/plugin/index.js
CHANGED
|
@@ -638,96 +638,9 @@ let apiKeyPermissionsConfig = undefined;
|
|
|
638
638
|
}
|
|
639
639
|
}
|
|
640
640
|
} catch {
|
|
641
|
-
|
|
642
|
-
|
|
643
|
-
|
|
644
|
-
const adapter = auth.options?.adapter;
|
|
645
|
-
if (adapter?.findOne) {
|
|
646
|
-
// Hash the token the same way Better Auth stores it (SHA-256 base64url)
|
|
647
|
-
const { createHash } = await import('crypto');
|
|
648
|
-
const hashedToken = createHash('sha256').update(token).digest('base64url');
|
|
649
|
-
const accessTokenRecord = await adapter.findOne({
|
|
650
|
-
model: 'oauthAccessToken',
|
|
651
|
-
where: [
|
|
652
|
-
{
|
|
653
|
-
field: 'token',
|
|
654
|
-
value: hashedToken
|
|
655
|
-
}
|
|
656
|
-
]
|
|
657
|
-
});
|
|
658
|
-
if (accessTokenRecord && accessTokenRecord.userId) {
|
|
659
|
-
// Check expiry
|
|
660
|
-
const expiresAt = accessTokenRecord.expiresAt instanceof Date ? accessTokenRecord.expiresAt : new Date(accessTokenRecord.expiresAt);
|
|
661
|
-
if (expiresAt < new Date()) {
|
|
662
|
-
// Token expired
|
|
663
|
-
} else {
|
|
664
|
-
const userId = accessTokenRecord.userId;
|
|
665
|
-
const users = await payload.find({
|
|
666
|
-
collection: usersCollection,
|
|
667
|
-
where: {
|
|
668
|
-
id: {
|
|
669
|
-
equals: userId
|
|
670
|
-
}
|
|
671
|
-
},
|
|
672
|
-
limit: 1,
|
|
673
|
-
depth: 0
|
|
674
|
-
});
|
|
675
|
-
if (users.docs.length > 0) {
|
|
676
|
-
const scopes = Array.isArray(accessTokenRecord.scopes) ? accessTokenRecord.scopes : [];
|
|
677
|
-
const referenceId = accessTokenRecord.referenceId;
|
|
678
|
-
// Look up org role if referenceId (org ID) is present
|
|
679
|
-
let orgRole;
|
|
680
|
-
if (referenceId) {
|
|
681
|
-
try {
|
|
682
|
-
const memberships = await payload.find({
|
|
683
|
-
collection: membersCollection,
|
|
684
|
-
where: {
|
|
685
|
-
and: [
|
|
686
|
-
{
|
|
687
|
-
user: {
|
|
688
|
-
equals: userId
|
|
689
|
-
}
|
|
690
|
-
},
|
|
691
|
-
{
|
|
692
|
-
organization: {
|
|
693
|
-
equals: referenceId
|
|
694
|
-
}
|
|
695
|
-
}
|
|
696
|
-
]
|
|
697
|
-
},
|
|
698
|
-
limit: 1,
|
|
699
|
-
depth: 0
|
|
700
|
-
});
|
|
701
|
-
if (memberships.docs.length > 0) {
|
|
702
|
-
orgRole = memberships.docs[0].role;
|
|
703
|
-
}
|
|
704
|
-
} catch {
|
|
705
|
-
// Members collection might not exist
|
|
706
|
-
}
|
|
707
|
-
}
|
|
708
|
-
const userDoc = users.docs[0];
|
|
709
|
-
return {
|
|
710
|
-
user: {
|
|
711
|
-
...userDoc,
|
|
712
|
-
id: userDoc.id,
|
|
713
|
-
oauthScopes: scopes,
|
|
714
|
-
collection: usersCollection,
|
|
715
|
-
_strategy: 'better-auth',
|
|
716
|
-
...referenceId ? {
|
|
717
|
-
activeOrganizationId: referenceId
|
|
718
|
-
} : {},
|
|
719
|
-
...orgRole ? {
|
|
720
|
-
organizationRole: orgRole
|
|
721
|
-
} : {}
|
|
722
|
-
}
|
|
723
|
-
};
|
|
724
|
-
}
|
|
725
|
-
}
|
|
726
|
-
}
|
|
727
|
-
}
|
|
728
|
-
} catch {
|
|
729
|
-
// Opaque token lookup also failed — continue to return null
|
|
730
|
-
}
|
|
641
|
+
// JWT verification failed — token is not a valid OAuth JWT
|
|
642
|
+
// Per Better Auth docs: "only accept JWT-formatted access tokens for your API"
|
|
643
|
+
// Opaque tokens should be handled via the /oauth2/introspect endpoint if needed
|
|
731
644
|
}
|
|
732
645
|
}
|
|
733
646
|
return {
|