cortex-auth 1.1.1 → 1.2.0
- package/dist/index.d.ts +2 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +2 -0
- package/dist/index.js.map +1 -1
- package/dist/payload-access/access.d.ts +36 -0
- package/dist/payload-access/access.d.ts.map +1 -0
- package/dist/payload-access/access.js +116 -0
- package/dist/payload-access/access.js.map +1 -0
- package/dist/payload-access/index.d.ts +2 -0
- package/dist/payload-access/index.d.ts.map +1 -0
- package/dist/payload-access/index.js +2 -0
- package/dist/payload-access/index.js.map +1 -0
- package/dist/payload-jwt/authenticateRequest.d.ts +4 -0
- package/dist/payload-jwt/authenticateRequest.d.ts.map +1 -1
- package/dist/payload-jwt/authenticateRequest.js +0 -2
- package/dist/payload-jwt/authenticateRequest.js.map +1 -1
- package/dist/payload-jwt/configuration.d.ts +6 -0
- package/dist/payload-jwt/configuration.d.ts.map +1 -0
- package/dist/payload-jwt/configuration.js +48 -0
- package/dist/payload-jwt/configuration.js.map +1 -0
- package/dist/payload-jwt/getAccessToken.d.ts +3 -0
- package/dist/payload-jwt/getAccessToken.d.ts.map +1 -0
- package/dist/payload-jwt/getAccessToken.js +44 -0
- package/dist/payload-jwt/getAccessToken.js.map +1 -0
- package/dist/payload-jwt/index.d.ts +2 -0
- package/dist/payload-jwt/index.d.ts.map +1 -1
- package/dist/payload-jwt/index.js +2 -0
- package/dist/payload-jwt/index.js.map +1 -1
- package/dist/payload-jwt/user.d.ts +2 -2
- package/dist/payload-jwt/user.d.ts.map +1 -1
- package/dist/payload-jwt/user.js +4 -7
- package/dist/payload-jwt/user.js.map +1 -1
- package/dist/types.d.ts +36 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +2 -0
- package/dist/types.js.map +1 -0
- package/package.json +4 -2
package/dist/index.d.ts
CHANGED
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAA;AAC7B,cAAc,kBAAkB,CAAA;AAChC,cAAc,SAAS,CAAA"}
|
package/dist/index.js
CHANGED
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAA;AAC7B,cAAc,kBAAkB,CAAA;AAChC,cAAc,SAAS,CAAA"}
|
|
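--- /dev/null
+++ b/package/dist/payload-access/access.d.ts
@@ -0,0 +1,36 @@
+import { AccessArgs } from 'payload';
+import type { Where } from 'payload';
+import type { User } from '../types';
+/**
+* Checks that the request is authenticated
+*/
+export declare const isAuthenticated: ({ req: { user } }: AccessArgs<Partial<Partial<User>>>) => boolean;
+/**
+* Checks that the user is a 'user' or 'admin' i.e. they are human
+*/
+export declare const isUser: ({ req: { user } }: AccessArgs<Partial<User>>) => boolean;
+/**
+* Checks that the user is a 'digital-colleague'
+*/
+export declare const isDigitalColleague: ({ req: { user } }: AccessArgs<Partial<User>>) => boolean;
+/**
+* Checks that the user is an 'admin'
+*/
+export declare const isAdmin: ({ req: { user } }: AccessArgs<Partial<User>>) => boolean;
+/**
+* Users can edit their own profile
+*/
+export declare const editOwnProfile: ({ req: { user }, data }: AccessArgs<Partial<User>>) => boolean;
+/**
+* can edit owned items
+*/
+export declare const isOwned: ({ req: { user } }: AccessArgs<Partial<User>>) => boolean | Where;
+/**
+* User is in the member relationship of the item
+*/
+export declare const isMember: ({ req: { user } }: AccessArgs<Partial<User>>) => boolean | Where;
+/**
+* User is in the member relationship of the item
+*/
+export declare const isMemberOrOwner: ({ req: { user } }: AccessArgs<Partial<User>>) => boolean | Where;
+//# sourceMappingURL=access.d.ts.map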
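Review bot: The doc comment on `isMemberOrOwner` (new line 33) is a copy of `isMember`'s and never mentions the owner branch, so the published declaration documents the wrong contract; replace it with `* Allows the item's owner or anyone in its member relationship; admins pass unconditionally`. The `AccessArgs<Partial<Partial<User>>>` on `isAuthenticated` is a doubled wrapper that resolves to the same type as `Partial<User>` and looks like a leftover — `AccessArgs<Partial<User>>` matches the sibling declarations. Both changes belong in the `.ts` source this `.d.ts` is emitted from.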
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../../src/payload-access/access.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AACpC,OAAO,KAAK,EAAG,KAAK,EAAE,MAAM,SAAS,CAAA;AACrC,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,SAAS,CAAA;AAEnC;;GAEG;AAEH,eAAO,MAAM,eAAe,GAAI,mBAAmB,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,YAEpF,CAAA;AAED;;GAEG;AAEH,eAAO,MAAM,MAAM,GAAI,mBAAmB,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,YASlE,CAAA;AAED;;GAEG;AAEH,eAAO,MAAM,kBAAkB,GAAI,mBAAmB,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,YAM9E,CAAA;AAED;;GAEG;AAEH,eAAO,MAAM,OAAO,GAAI,mBAAmB,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAG,OAMtE,CAAA;AAGD;;GAEG;AACH,eAAO,MAAM,cAAc,GAAI,yBAAyB,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAG,OAQnF,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,OAAO,GAAI,mBAAmB,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAG,OAAO,GAAG,KAchF,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,QAAQ,GAAI,mBAAmB,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAG,OAAO,GAAG,KAgBjF,CAAA;AAGD;;GAEG;AACH,eAAO,MAAM,eAAe,GAAI,mBAAmB,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAG,OAAO,GAAG,KAuBxF,CAAA"}
|
|
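--- /dev/null
+++ b/package/dist/payload-access/access.js
@@ -0,0 +1,116 @@
+/**
+* Checks that the request is authenticated
+*/
+export const isAuthenticated = ({ req: { user } }) => {
+return Boolean(user);
+};
+/**
+* Checks that the user is a 'user' or 'admin' i.e. they are human
+*/
+export const isUser = ({ req: { user } }) => {
+if (!user)
+return false;
+if (user.role === 'user') {
+return true;
+}
+if (user.role === 'admin') {
+return true;
+}
+return false;
+};
+/**
+* Checks that the user is a 'digital-colleague'
+*/
+export const isDigitalColleague = ({ req: { user } }) => {
+if (!user)
+return false;
+if (user.role === 'digital-colleague') {
+return true;
+}
+return false;
+};
+/**
+* Checks that the user is an 'admin'
+*/
+export const isAdmin = ({ req: { user } }) => {
+// console.log('Checking isAdminUser for user:', user)
+if (user?.role === 'admin') {
+return true;
+}
+return false;
+};
+/**
+* Users can edit their own profile
+*/
+export const editOwnProfile = ({ req: { user }, data }) => {
+// Allow admins to edit anything
+if (user?.role === 'admin') {
+return true;
+}
+// Allow users to edit their own record
+return user?.id === data?.id;
+};
+/**
+* can edit owned items
+*/
+export const isOwned = ({ req: { user } }) => {
+if (!user)
+return false;
+// Allow admins to edit anything
+if (user?.role === 'admin') {
+return true;
+}
+// Allow users to edit their own record
+const query = {
+owner: {
+equals: user.id,
+},
+};
+return query;
+};
+/**
+* User is in the member relationship of the item
+*/
+export const isMember = ({ req: { user } }) => {
+if (!user)
+return false;
+// Allow admins to edit anything
+if (user?.role === 'admin') {
+return true;
+}
+// Allow users to edit their own record
+const query = {
+'members.user': {
+equals: user.id,
+},
+};
+return query;
+};
+/**
+* User is in the member relationship of the item
+*/
+export const isMemberOrOwner = ({ req: { user } }) => {
+if (!user)
+return false;
+// Allow admins to edit anything
+if (user?.role === 'admin') {
+return true;
+}
+// Allow users to edit their own record
+const query = {
+or: [
+{
+'members.user': {
+equals: user.id,
+},
+},
+{
+owner: {
+equals: user.id,
+},
+},
+],
+};
+return query;
+};
+//# sourceMappingURL=access.js.map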
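Review bot: `editOwnProfile` (new lines 45–52) lacks the `if (!user) return false;` guard every other helper in this file has, and its final comparison `user?.id === data?.id` evaluates `undefined === undefined` → `true` when there is no user and the body carries no `id`, so an unauthenticated update whose payload omits `id` is granted. Even with a user present, `data` is the client-supplied body, so a caller can put their own id in `data.id` while targeting a different document; the document actually being operated on is the `id` access argument (presumably part of Payload's `AccessArgs` — confirm against the installed version). I would change the destructure to `({ req: { user }, id })`, add `if (!user) return false;` before the admin check, and end with `return user.id === id;` (or return `{ id: { equals: user.id } }` as a `Where` so list operations are constrained server-side, which would also change the declared return type). The `enabled` flag declared on `User` is not consulted by any helper here; confirm the auth strategy already refuses disabled accounts before they reach `req.user`.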
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"access.js","sourceRoot":"","sources":["../../src/payload-access/access.ts"],"names":[],"mappings":"AAIA;;GAEG;AAEH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,EAAsC,EAAE,EAAE;IACrF,OAAO,OAAO,CAAC,IAAI,CAAC,CAAA;AACxB,CAAC,CAAA;AAED;;GAEG;AAEH,MAAM,CAAC,MAAM,MAAM,GAAG,CAAC,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,EAA6B,EAAE,EAAE;IACnE,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAA;IACvB,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QACvB,OAAO,IAAI,CAAA;IACf,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACxB,OAAO,IAAI,CAAA;IACf,CAAC;IACD,OAAO,KAAK,CAAA;AAChB,CAAC,CAAA;AAED;;GAEG;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,EAA6B,EAAE,EAAE;IAC/E,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAA;IACvB,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;QACpC,OAAO,IAAI,CAAA;IACf,CAAC;IACD,OAAO,KAAK,CAAA;AAChB,CAAC,CAAA;AAED;;GAEG;AAEH,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,EAA6B,EAAW,EAAE;IAC7E,sDAAsD;IACtD,IAAI,IAAI,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAA;IACf,CAAC;IACD,OAAO,KAAK,CAAA;AAChB,CAAC,CAAA;AAGD;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,EAAE,IAAI,EAA6B,EAAW,EAAE;IAE1F,gCAAgC;IAChC,IAAI,IAAI,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAA;IACf,CAAC;IACD,uCAAuC;IACvC,OAAO,IAAI,EAAE,EAAE,KAAM,IAAa,EAAE,EAAE,CAAA;AAC1C,CAAC,CAAA;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,EAA6B,EAAmB,EAAE;IACrF,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAA;IAEvB,gCAAgC;IAChC,IAAI,IAAI,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAA;IACf,CAAC;IACD,uCAAuC;IACvC,MAAM,KAAK,GAAU;QACjB,KAAK,EAAE;YACH,MAAM,EAAE,IAAI,CAAC,EAAE;SAClB;KACJ,CAAA;IACD,OAAO,KAAK,CAAA;AAChB,CAAC,CAAA;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG,CAAC,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,EAA6B,EAAmB,EAAE;IACtF,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAA;IAEvB,gCAAgC;IAChC,IAAI,IAAI,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAA;IACf,CAAC;IACD,uCAAuC;IACvC,MAAM,KAAK,GAAU;QAEjB,cAAc,EAAE;YACZ,MAAM,EAAE,IAAI,CAAC,EAAE;SAClB;KAEJ,CAAA;I
ACD,OAAO,KAAK,CAAA;AAChB,CAAC,CAAA;AAGD;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,EAA6B,EAAmB,EAAE;IAC7F,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAA;IAEvB,gCAAgC;IAChC,IAAI,IAAI,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAA;IACf,CAAC;IACD,uCAAuC;IACvC,MAAM,KAAK,GAAU;QACjB,EAAE,EAAE;YACA;gBACI,cAAc,EAAE;oBACZ,MAAM,EAAE,IAAI,CAAC,EAAE;iBAClB;aACJ;YACD;gBACI,KAAK,EAAE;oBACH,MAAM,EAAE,IAAI,CAAC,EAAE;iBAClB;aACJ;SACJ;KACJ,CAAA;IACD,OAAO,KAAK,CAAA;AAChB,CAAC,CAAA"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/payload-access/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAA"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/payload-access/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAA"}
|
|
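--- a/package/dist/payload-jwt/authenticateRequest.d.ts
+++ b/package/dist/payload-jwt/authenticateRequest.d.ts
@@ -1,5 +1,9 @@
 import { type Payload } from 'payload';
 import { NextAuthRequest } from "next-auth";
+interface AuthError extends Error {
+statusCode: number;
+}
+export type { AuthError };
 export declare function authenticateRequest({ req, payload }: {
 req: NextAuthRequest;
 payload?: Payload;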
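Review bot: `AuthError` is exported as an interface only, so consumers catching errors from `authenticateRequest` cannot narrow with `instanceof` and have no sanctioned way to read `statusCode`; either export a class, or add a guard next to it such as `export declare function isAuthError(e: unknown): e is AuthError;`. A one-line doc comment stating that the thrown value is a plain `Error` with `statusCode` attached (which is what `createAuthError` in the `.js` does) would make the contract visible. `authenticateRequest`'s signature continues past the end of this hunk.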
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../src/payload-jwt/authenticateRequest.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,KAAK,OAAO,EAAE,MAAM,SAAS,CAAA;AAEtC,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../src/payload-jwt/authenticateRequest.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,KAAK,OAAO,EAAE,MAAM,SAAS,CAAA;AAEtC,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAE5C,UAAU,SAAU,SAAQ,KAAK;IAC7B,UAAU,EAAE,MAAM,CAAC;CACtB;AAQD,YAAY,EAAE,SAAS,EAAE,CAAC;AAoC1B,wBAAsB,mBAAmB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE;IAAE,GAAG,EAAE,eAAe,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE;;;;;;GA2EtG"}
|
|
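--- a/package/dist/payload-jwt/authenticateRequest.js
+++ b/package/dist/payload-jwt/authenticateRequest.js
@@ -5,7 +5,6 @@ function createAuthError(message, statusCode) {
 return error;
 }
 export async function authenticateRequest({ req, payload }) {
-let type = 'cookie';
 if (req.auth) {
 const user = req.auth.user;
 return {
@@ -17,7 +16,6 @@ export async function authenticateRequest({ req, payload }) {
 };
 }
 else {
-type = 'bearer';
 const session = await verifySession(req);
 if (!session || !session.sub || !session.extra)
 throw createAuthError("No valid session found", 401);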
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authenticateRequest.js","sourceRoot":"","sources":["../../src/payload-jwt/authenticateRequest.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC;AAUvC,SAAS,eAAe,CAAC,OAAe,EAAE,UAAkB;IACxD,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,OAAO,CAAc,CAAC;IAC9C,KAAK,CAAC,UAAU,GAAG,UAAU,CAAC;IAC9B,OAAO,KAAK,CAAC;AACjB,CAAC;
|
|
1
|
+
{"version":3,"file":"authenticateRequest.js","sourceRoot":"","sources":["../../src/payload-jwt/authenticateRequest.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC;AAUvC,SAAS,eAAe,CAAC,OAAe,EAAE,UAAkB;IACxD,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,OAAO,CAAc,CAAC;IAC9C,KAAK,CAAC,UAAU,GAAG,UAAU,CAAC;IAC9B,OAAO,KAAK,CAAC;AACjB,CAAC;AAsCD,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,EAAE,GAAG,EAAE,OAAO,EAA+C;IACnG,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACX,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,IAAY,CAAA;QAClC,OAAO;YACH,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,QAAQ;SACnB,CAAA;IACL,CAAC;SAAM,CAAC;QACJ,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,GAAG,CAAC,CAAA;QAExC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK;YAAE,MAAM,eAAe,CAAC,wBAAwB,EAAE,GAAG,CAAC,CAAC;QACrG,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,eAAgB,CAAC;QACrD,MAAM,WAAW,GAAK,OAAO,CAAC,eAAwD,EAAE,CAAC,eAAe,CAAC,EAAE,KAA8B,CAAC;QAC1I,IAAI,CAAC,WAAW;YAAE,MAAM,eAAe,CAAC,2DAA2D,EAAE,GAAG,CAAC,CAAC;QAE1G,IAAI,CAAC,OAAO;YAAE,MAAM,eAAe,CAAC,8DAA8D,EAAE,GAAG,CAAC,CAAC;QACzG,MAAM,WAAW,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAEpL,IAAI,CAAC,WAAW,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAGhC,6BAA6B;YAC7B,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC;gBACjC,UAAU,EAAE,OAAO;gBACnB,IAAI,EAAE;oBACF,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK;oBAC1B,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;oBACxB,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,MAAM;oBAC9B,OAAO,EAAE,IAAI;oBACb,QAAQ,EAAE;wBACN;4BACI,QAAQ,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,MAAM;yBACrE;qBACJ;iBACJ;gBACD,KAAK,EAAE,KAAK;gBACZ,cAAc,EAAE,IAAI;aACvB,CAAC,CAAA;YACF,OAAO,CAAC,GAAG,CAAC,6CAA6C,EAAE,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;YACrF,OAAO;gBACH,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,KAAK,EAAE,OAAO,CAAC,
KAAK;gBACpB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,MAAM,EAAE,QAAQ;aACnB,CAAA;QACL,CAAC;aAAM,IAAI,WAAW,EAAE,CAAC;YACrB,8BAA8B;YAC9B,IAAI,WAAW,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtC,MAAM,OAAO,CAAC,MAAM,CAAC;oBACjB,UAAU,EAAE,OAAO;oBACnB,EAAE,EAAE,WAAW,CAAC,EAAE;oBAClB,IAAI,EAAE;wBACF,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,MAAM;qBACjC;oBACD,KAAK,EAAE,KAAK;oBACZ,cAAc,EAAE,IAAI;iBACvB,CAAC,CAAA;gBACF,OAAO,CAAC,GAAG,CAAC,iCAAiC,WAAW,CAAC,KAAK,OAAO,WAAW,EAAE,CAAC,CAAC;YACxF,CAAC;YAED,OAAO;gBACH,EAAE,EAAE,WAAW,CAAC,EAAE;gBAClB,KAAK,EAAE,WAAW,CAAC,KAAK;gBACxB,IAAI,EAAE,WAAW,CAAC,IAAI;gBACtB,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,MAAM;gBAC9B,MAAM,EAAE,QAAQ;aACnB,CAAA;QACL,CAAC;aAAM,CAAC;YACJ,MAAM,eAAe,CAAC,qCAAqC,EAAE,GAAG,CAAC,CAAC;QACtE,CAAC;IACL,CAAC;AACL,CAAC"}
|
|
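--- /dev/null
+++ b/package/dist/payload-jwt/configuration.d.ts
@@ -0,0 +1,6 @@
+import type { User } from '../types';
+import type { Payload } from 'payload';
+type AccountType = NonNullable<User['accounts']>[number];
+export declare function persistTokens(userId: string, account: AccountType, payload: Payload): Promise<void>;
+export {};
+//# sourceMappingURL=configuration.d.ts.map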
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"configuration.d.ts","sourceRoot":"","sources":["../../src/payload-jwt/configuration.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,SAAS,CAAA;AACnC,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,SAAS,CAAA;AAGtC,KAAK,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAA;AAkCxD,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,iBAsBzF"}
|
|
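--- /dev/null
+++ b/package/dist/payload-jwt/configuration.js
@@ -0,0 +1,48 @@
+import { decodeJwt } from 'jose';
+function upsertAccount(existing = [], account) {
+const provider = account.provider;
+const providerAccountId = account.providerAccountId;
+const idx = existing.findIndex((a) => a.provider === provider && a.providerAccountId === providerAccountId);
+const nextRow = {
+...(idx >= 0 ? existing[idx] : {}),
+provider,
+providerAccountId,
+type: account.type,
+// token fields (must match your Users.accounts[] schema)
+access_token: account.access_token ?? null,
+refresh_token: account.refresh_token ?? null,
+expires_at: account.expires_at ?? null,
+id_token: account.id_token ?? null,
+token_type: account.token_type ?? null,
+scope: account.scope ?? null,
+session_state: account.session_state ?? null,
+};
+if (idx >= 0) {
+const copy = [...existing];
+copy[idx] = nextRow;
+return copy;
+}
+return [...existing, nextRow];
+}
+export async function persistTokens(userId, account, payload) {
+const fullUser = await payload.findByID({
+collection: "users",
+id: userId,
+depth: 0,
+});
+const existing = fullUser.accounts ?? [];
+const accounts = upsertAccount(existing, account);
+let role = 'user'; // default role
+if (account && account.access_token) {
+const decodedJWT = decodeJwt(account.access_token);
+const permissions = decodedJWT.resource_access?.[process.env.OAUTH_CLIENT_ID]?.roles;
+role = permissions?.[0] || 'user';
+}
+await payload.update({
+collection: "users",
+id: userId,
+data: { accounts, role },
+overrideAccess: true,
+});
+}
+//# sourceMappingURL=configuration.js.map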
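Review bot: The `role` persisted at new line 44 comes from `decodeJwt(account.access_token)`, which parses the token without checking signature or issuer, and then from `permissions?.[0]`, so the stored role depends on the order in which the IdP happens to list roles, and any string in that array — not only `'user' | 'admin' | 'digital-colleague'` — is written to the `role` field under `overrideAccess: true`. The token arrives from the provider callback rather than from the browser, so this is defence in depth rather than a direct bypass, but the package already has a JWKS-backed `verifyToken` (user.js in this same release, which now returns `resource_access`) and should use it here, then map roles by explicit precedence and drop values outside the allowed set; that needs `verifyToken` imported from `./user` and assumes the Keycloak access token is signed under the same issuer `verifyToken` pins. Note also that every call overwrites `role`, so a user promoted to admin inside Payload is reset to `'user'` on the next login if the token carries no client roles — fine if the IdP is the sole source of truth, otherwise only write `role` when the token actually yields one. Storing `access_token`, `refresh_token` and `id_token` in plaintext on the users document is a further concern if the collection's read access is broader than the owner; the collection schema is not visible in this diff.
```javascript
export async function persistTokens(userId, account, payload) {
    // … unchanged: findByID, upsertAccount …
    let role = 'user'; // default role
    if (account?.access_token) {
        // Verify signature/issuer through the package's JWKS path rather than a bare decode
        const claims = await verifyToken(account.access_token);
        const granted = claims?.resource_access?.[process.env.OAUTH_CLIENT_ID]?.roles;
        // Explicit precedence: never depend on the order the IdP emits the roles array,
        // and never persist a value the Users.role select does not accept
        for (const candidate of ['admin', 'digital-colleague', 'user']) {
            if (Array.isArray(granted) && granted.includes(candidate)) {
                role = candidate;
                break;
            }
        }
    }
    // … unchanged: payload.update …
}
```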
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"configuration.js","sourceRoot":"","sources":["../../src/payload-jwt/configuration.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAA;AAIhC,SAAS,aAAa,CAAC,WAA0B,EAAE,EAAE,OAAoB;IACvE,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;IACjC,MAAM,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAA;IAEnD,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAC5B,CAAC,CAAc,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,CAAC,iBAAiB,KAAK,iBAAiB,CACzF,CAAA;IAED,MAAM,OAAO,GAAG;QACd,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAClC,QAAQ;QACR,iBAAiB;QACjB,IAAI,EAAE,OAAO,CAAC,IAAI;QAElB,yDAAyD;QACzD,YAAY,EAAE,OAAO,CAAC,YAAY,IAAI,IAAI;QAC1C,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,IAAI;QAC5C,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,IAAI;QACtC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;QAClC,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,IAAI;QACtC,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,IAAI;QAC5B,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,IAAI;KAC7C,CAAA;IAED,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAA;QAC1B,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,CAAA;QACnB,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,CAAC,GAAG,QAAQ,EAAE,OAAO,CAAC,CAAA;AAC/B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAc,EAAE,OAAoB,EAAE,OAAgB;IAExF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC;QACtC,UAAU,EAAE,OAAO;QACnB,EAAE,EAAE,MAAM;QACV,KAAK,EAAE,CAAC;KACT,CAAC,CAAA;IAEF,MAAM,QAAQ,GAAI,QAAiB,CAAC,QAAQ,IAAI,EAAE,CAAA;IAClD,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IACjD,IAAI,IAAI,GAAG,MAAM,CAAC,CAAC,eAAe;IAClC,IAAI,OAAO,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACpC,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,WAAW,GAAK,UAAU,CAAC,eAAwD,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,eAAgB,CAAC,EAAE,KAA8B,CAAC;QAC1J,IAAI,GAAG,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;IACpC,CAAC;IACD,MAAM,OAAO,CAAC,MAAM,CAAC;QACnB,UAAU,EAAE,OAAO;QACnB,EAAE,EAAE,MAAM;QACV,IAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE;QACxB,cAAc,EAAE,IAAI;KACrB,CAAC,CAAA;AACJ,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"getAccessToken.d.ts","sourceRoot":"","sources":["../../src/payload-jwt/getAccessToken.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,SAAS,CAAA;AAItC,wBAAsB,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,0BAkDpE"}
|
|
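--- /dev/null
+++ b/package/dist/payload-jwt/getAccessToken.js
@@ -0,0 +1,44 @@
+export async function getAccessToken(payload, userId) {
+const user = await payload.findByID({ collection: "users", id: userId, depth: 0 });
+const kc = user?.accounts?.find((a) => a.provider === "keycloak");
+if (!kc?.access_token)
+return null;
+const expiresAt = kc.expires_at ?? 0;
+const stillValid = expiresAt === 0 || Date.now() < expiresAt * 1000 - 30000; // 30s skew
+if (stillValid)
+return kc.access_token;
+// Refresh if needed
+if (!kc.refresh_token)
+return null;
+const resp = await fetch(`${process.env.OAUTH_ISSUER}/protocol/openid-connect/token`, {
+method: "POST",
+headers: { "content-type": "application/x-www-form-urlencoded" },
+body: new URLSearchParams({
+client_id: process.env.OAUTH_CLIENT_ID,
+client_secret: process.env.OAUTH_CLIENT_SECRET,
+grant_type: "refresh_token",
+refresh_token: kc.refresh_token,
+}),
+});
+if (!resp.ok)
+return null;
+const json = await resp.json();
+const newExpiresAt = Math.floor(Date.now() / 1000 + json.expires_in);
+// Persist back into users.accounts[] (update your matching row logic as needed)
+const accounts = (user.accounts ?? []).map((a) => a?.provider === "keycloak"
+? {
+...a,
+access_token: json.access_token,
+expires_at: newExpiresAt,
+refresh_token: json.refresh_token ?? a.refresh_token,
+}
+: a);
+await payload.update({
+collection: "users",
+id: userId,
+data: { accounts },
+overrideAccess: true,
+});
+return json.access_token;
+}
+//# sourceMappingURL=getAccessToken.js.map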
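Review bot: New line 7 treats a missing `expires_at` as proof of validity (`expiresAt === 0 || …`), and `upsertAccount` in configuration.js stores `null` whenever the provider omitted it, so such rows hand out the stored access token indefinitely and never reach the refresh path; invert the default with `const stillValid = expiresAt > 0 && Date.now() < expiresAt * 1000 - 30000;` so unknown expiry falls through to refresh (if a row has no refresh token either, either derive the cutoff from the token's `exp` claim or make returning the unverified token an explicit, commented fallback). The refresh response is also persisted unchecked: if `json.expires_in` is absent `newExpiresAt` becomes `NaN` and `json.access_token` may be `undefined`, so check `typeof json.access_token === "string" && Number.isFinite(json.expires_in)` before the `payload.update` and return `null` otherwise. When `resp.ok` is false the stale `access_token`/`refresh_token` stay on the row and every later call retries the refresh; clearing both on an `invalid_grant` response would be cleaner and stops a revoked refresh token being replayed. Separately, the token endpoint is hard-coded to Keycloak's `/protocol/openid-connect/token` while user.js in this release resolves endpoints from `/.well-known/openid-configuration`; reading `token_endpoint` from the same document keeps the two consistent.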
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"getAccessToken.js","sourceRoot":"","sources":["../../src/payload-jwt/getAccessToken.ts"],"names":[],"mappings":"AAKA,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAgB,EAAE,MAAc;IACnE,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;IAEnF,MAAM,EAAE,GAAI,IAAsB,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAa,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAA2B,CAAC;IAC3H,IAAI,CAAC,EAAE,EAAE,YAAY;QAAE,OAAO,IAAI,CAAC;IAEnC,MAAM,SAAS,GAAG,EAAE,CAAC,UAAU,IAAI,CAAC,CAAC;IACrC,MAAM,UAAU,GAAG,SAAS,KAAK,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,GAAG,KAAM,CAAC,CAAC,WAAW;IACzF,IAAI,UAAU;QAAE,OAAO,EAAE,CAAC,YAAY,CAAC;IAEvC,oBAAoB;IACpB,IAAI,CAAC,EAAE,CAAC,aAAa;QAAE,OAAO,IAAI,CAAC;IAEnC,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,gCAAgC,EAAE;QACpF,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,eAAe,CAAC;YACxB,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,eAAgB;YACvC,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAoB;YAC/C,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,EAAE,CAAC,aAAa;SAChC,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAA0E,CAAC;IAEvG,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;IAErE,gFAAgF;IAChF,MAAM,QAAQ,GAAG,CAAE,IAAsB,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAyB,EAAE,EAAE,CAC1F,CAAC,EAAE,QAAQ,KAAK,UAAU;QACxB,CAAC,CAAC;YACE,GAAG,CAAC;YACJ,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,UAAU,EAAE,YAAY;YACxB,aAAa,EAAE,IAAI,CAAC,aAAa,IAAI,CAAC,CAAC,aAAa;SACrD;QACH,CAAC,CAAC,CAAC,CACN,CAAC;IAEF,MAAM,OAAO,CAAC,MAAM,CAAC;QACnB,UAAU,EAAE,OAAO;QACnB,EAAE,EAAE,MAAM;QACV,IAAI,EAAE,EAAE,QAAQ,EAAE;QAClB,cAAc,EAAE,IAAI;KACrB,CAAC,CAAC;IAEH,OAAO,IAAI,CAAC,YAAY,CAAC;AAC3B,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/payload-jwt/index.ts"],"names":[],"mappings":"AAAA,cAAc,QAAQ,CAAA;AACtB,cAAc,uBAAuB,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/payload-jwt/index.ts"],"names":[],"mappings":"AAAA,cAAc,QAAQ,CAAA;AACtB,cAAc,uBAAuB,CAAA;AACrC,cAAc,iBAAiB,CAAA;AAC/B,cAAc,kBAAkB,CAAA"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/payload-jwt/index.ts"],"names":[],"mappings":"AAAA,cAAc,QAAQ,CAAA;AACtB,cAAc,uBAAuB,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/payload-jwt/index.ts"],"names":[],"mappings":"AAAA,cAAc,QAAQ,CAAA;AACtB,cAAc,uBAAuB,CAAA;AACrC,cAAc,iBAAiB,CAAA;AAC/B,cAAc,kBAAkB,CAAA"}
|
|
@@ -3,8 +3,8 @@ export interface AuthInfo {
|
|
|
3
3
|
sub: string;
|
|
4
4
|
exp: number;
|
|
5
5
|
scopes: string[];
|
|
6
|
-
resource_access?: Record<string,
|
|
7
|
-
extra?: Record<string,
|
|
6
|
+
resource_access?: Record<string, unknown>;
|
|
7
|
+
extra?: Record<string, unknown>;
|
|
8
8
|
}
|
|
9
9
|
export declare function verifySession(req: NextRequest): Promise<AuthInfo | undefined>;
|
|
10
10
|
export declare function verifyToken(bearer: string): Promise<AuthInfo | undefined>;
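Review bot: `resource_access?: Record<string, unknown>` is wide enough that every consumer has to cast (configuration.js in this release reaches into `.roles` on it); since the only shape read anywhere here is Keycloak's client-roles map, `resource_access?: Record<string, { roles?: string[] }>;` would type-check the callers without weakening anything. The `AuthInfo` interface begins above this hunk.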
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/payload-jwt/user.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE/C,MAAM,WAAW,QAAQ;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,
|
|
1
|
+
{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/payload-jwt/user.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE/C,MAAM,WAAW,QAAQ;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AA0CD,wBAAsB,aAAa,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC,CA6BnF;AAID,wBAAsB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC,CA0B/E;AAGD;;GAEG;AACH,wBAAsB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAMpE"}
|
package/dist/payload-jwt/user.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { jwtVerify, createRemoteJWKSet
|
|
1
|
+
import { jwtVerify, createRemoteJWKSet } from "jose";
|
|
2
2
|
const OIDC_ISSUER = process.env.OAUTH_ISSUER; // e.g. https://login.microsoftonline.com/<tenant>/v2.0
|
|
3
3
|
const OAUTH_DISCOVERY_URL = `${OIDC_ISSUER}/.well-known/openid-configuration`;
|
|
4
4
|
// Fetch JWKS URL from OAuth well-known configuration
|
|
@@ -38,12 +38,10 @@ function extractBearer(req) {
|
|
|
38
38
|
export async function verifySession(req) {
|
|
39
39
|
const bearer = extractBearer(req);
|
|
40
40
|
if (bearer) {
|
|
41
|
-
// for development ONLY, use a dummy token
|
|
42
41
|
try {
|
|
43
|
-
const decodedJWT = decodeJwt(bearer);
|
|
44
42
|
// Get JWKS dynamically from well-known endpoint
|
|
45
43
|
const jwks = await getJWKS();
|
|
46
|
-
const { payload
|
|
44
|
+
const { payload } = await jwtVerify(bearer, jwks, {
|
|
47
45
|
issuer: OIDC_ISSUER,
|
|
48
46
|
algorithms: ["RS256"],
|
|
49
47
|
});
|
|
@@ -60,17 +58,15 @@ export async function verifySession(req) {
|
|
|
60
58
|
return undefined;
|
|
61
59
|
}
|
|
62
60
|
}
|
|
63
|
-
// fallback: NextAuth session (optional)
|
|
64
61
|
return undefined;
|
|
65
62
|
}
|
|
66
63
|
export async function verifyToken(bearer) {
|
|
67
64
|
if (bearer) {
|
|
68
65
|
// for development ONLY, use a dummy token
|
|
69
66
|
try {
|
|
70
|
-
const decodedJWT = decodeJwt(bearer);
|
|
71
67
|
// Get JWKS dynamically from well-known endpoint
|
|
72
68
|
const jwks = await getJWKS();
|
|
73
|
-
const { payload
|
|
69
|
+
const { payload } = await jwtVerify(bearer, jwks, {
|
|
74
70
|
issuer: OIDC_ISSUER,
|
|
75
71
|
algorithms: ["RS256"],
|
|
76
72
|
});
|
|
@@ -78,6 +74,7 @@ export async function verifyToken(bearer) {
|
|
|
78
74
|
sub: payload.sub ?? "unknown",
|
|
79
75
|
exp: payload.exp ?? 0,
|
|
80
76
|
scopes: typeof payload.scp === "string" ? payload.scp.split(" ") : [],
|
|
77
|
+
resource_access: payload.resource_access,
|
|
81
78
|
extra: { email: payload.email, name: payload.name },
|
|
82
79
|
};
|
|
83
80
|
}
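Review bot: Both `jwtVerify` calls (new lines 44 and 69) pass only `issuer` and `algorithms`, so any validly signed token from the issuer — minted for any client in the realm — is accepted as a session here; add `audience: process.env.OAUTH_CLIENT_ID` to the options, or, if Keycloak does not include this client in `aud` by default, compare the `azp` claim against the client id after verification. The comment `// for development ONLY, use a dummy token` left on new line 65 of `verifyToken` describes the `decodeJwt` path this release removes and should be deleted along with it, as was done in `verifySession`. Both `verifySession` and `verifyToken` extend past the visible hunks.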
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"user.js","sourceRoot":"","sources":["../../src/payload-jwt/user.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,kBAAkB,EAAE,
|
|
1
|
+
{"version":3,"file":"user.js","sourceRoot":"","sources":["../../src/payload-jwt/user.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,MAAM,CAAC;AAYrD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,YAAa,CAAC,CAAC,uDAAuD;AACtG,MAAM,mBAAmB,GAAG,GAAG,WAAW,mCAAmC,CAAC;AAE9E,qDAAqD;AACrD,KAAK,UAAU,UAAU;IACrB,MAAM,YAAY,GAAG,mBAAmB,CAAC;IACzC,IAAI,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA0B,CAAC;QAC7D,OAAO,MAAM,CAAC,QAAQ,CAAC;IAC3B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;QAC3D,iCAAiC;QACjC,MAAM,WAAW,GAAG,GAAG,mBAAmB,sBAAsB,CAAC;QACjE,OAAO,WAAW,CAAC;IACvB,CAAC;AACL,CAAC;AAED,oDAAoD;AACpD,IAAI,IAAI,GAAiD,IAAI,CAAC;AAE9D,KAAK,UAAU,OAAO;IAClB,IAAI,CAAC,IAAI,EAAE,CAAC;QACR,MAAM,OAAO,GAAG,MAAM,UAAU,EAAE,CAAC;QACnC,IAAI,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,IAAI,CAAC;AAChB,CAAC;AAED,SAAS,aAAa,CAAC,GAAY;IAC/B,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAC3C,IAAI,CAAC,CAAC;QAAE,OAAO;IACf,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,QAAQ;QAAE,OAAO;IAC9C,OAAO,KAAK,CAAC;AACjB,CAAC;AAED,0CAA0C;AAE1C,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAgB;IAEhD,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IAElC,IAAI,MAAM,EAAE,CAAC;QACT,IAAI,CAAC;YAGD,gDAAgD;YAChD,MAAM,IAAI,GAAG,MAAM,OAAO,EAAE,CAAC;YAE7B,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE;gBAC9C,MAAM,EAAE,WAAW;gBACnB,UAAU,EAAE,CAAC,OAAO,CAAC;aACxB,CAAC,CAAC;YAEH,OAAO;gBACH,GAAG,EAAG,OAAO,CAAC,GAAc,IAAI,SAAS;gBACzC,GAAG,EAAG,OAAO,CAAC,GAAc,IAAI,CAAC;gBACjC,MAAM,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE;gBACrE,eAAe,EAAE,OAAO,CAAC,eAAsD;gBAC/E,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE;aACtD,CAAC;QACN,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;YAC/C,OAAO,SAAS,CAAC;QACrB,CAAC;IACL,CAAC;IA
CD,OAAO,SAAS,CAAC;AACrB,CAAC;AAID,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,MAAc;IAC5C,IAAI,MAAM,EAAE,CAAC;QACT,0CAA0C;QAC1C,IAAI,CAAC;YAED,gDAAgD;YAChD,MAAM,IAAI,GAAG,MAAM,OAAO,EAAE,CAAC;YAE7B,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE;gBAC9C,MAAM,EAAE,WAAW;gBACnB,UAAU,EAAE,CAAC,OAAO,CAAC;aACxB,CAAC,CAAC;YAEH,OAAO;gBACH,GAAG,EAAG,OAAO,CAAC,GAAc,IAAI,SAAS;gBACzC,GAAG,EAAG,OAAO,CAAC,GAAc,IAAI,CAAC;gBACjC,MAAM,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE;gBACrE,eAAe,EAAE,OAAO,CAAC,eAAsD;gBAC/E,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE;aACtD,CAAC;QACN,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;YAC/C,OAAO,SAAS,CAAC;QACrB,CAAC;IACL,CAAC;IACD,OAAO,SAAS,CAAC;AACrB,CAAC;AAGD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAa;IAChD,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,CAAC;IACzC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAE1C,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAClD,OAAO,OAAO,CAAC,GAAG,GAAG,WAAW,CAAC;AACnC,CAAC"}
|
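--- /dev/null
+++ b/package/dist/types.d.ts
@@ -0,0 +1,36 @@
+export interface User {
+id: string;
+email: string;
+emailVerified?: string | null;
+name?: string | null;
+image?: string | null;
+/**
+* The role of the user
+*/
+role: 'user' | 'admin' | 'digital-colleague';
+enabled?: boolean | null;
+accounts?: {
+provider: string;
+providerAccountId: string;
+type: 'oidc' | 'oauth' | 'email' | 'webauthn';
+access_token?: string | null;
+refresh_token?: string | null;
+expires_at?: number | null;
+id_token?: string | null;
+token_type?: string | null;
+scope?: string | null;
+session_state?: string | null;
+id?: string | null;
+}[] | null;
+sessions?: {
+sessionToken: string;
+expires: string;
+id?: string | null;
+}[] | null;
+updatedAt: string;
+createdAt: string;
+enableAPIKey?: boolean | null;
+apiKey?: string | null;
+apiKeyIndex?: string | null;
+}
+//# sourceMappingURL=types.d.ts.map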
|
|
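Review bot: The new `User` interface carries credential material next to profile data — `accounts[].access_token`, `refresh_token`, `id_token`, `sessions[].sessionToken` and `apiKey` (lines 16-22, 26 and 33 of the file) — so any consumer that serialises a `User` into a client response or a log line ships those secrets with it. Consider exporting a separate projection for outward-facing use, e.g. `export type PublicUser = Omit<User, 'accounts' | 'sessions' | 'apiKey' | 'apiKeyIndex'>;`, and adding a TSDoc line on `User` stating that it is the stored record shape and must not be returned to clients as-is; the change belongs in `src/types.ts`, from which this declaration is emitted. The `role` TSDoc (`The role of the user`) only restates the field name — documenting what `'digital-colleague'` is permitted to do, and how `apiKeyIndex` relates to `apiKey`, would help the access code that consumes these fields.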
@@ -0,0 +1 @@
1
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB;;OAEG;IACH,IAAI,EAAE,MAAM,GAAG,OAAO,GAAG,mBAAmB,CAAC;IAC7C,OAAO,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IACzB,QAAQ,CAAC,EACL;QACE,QAAQ,EAAE,MAAM,CAAC;QACjB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,IAAI,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,UAAU,CAAC;QAC9C,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC7B,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC9B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC3B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC3B,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACtB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC9B,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;KACpB,EAAE,GACH,IAAI,CAAC;IACT,QAAQ,CAAC,EACL;QACE,YAAY,EAAE,MAAM,CAAC;QACrB,OAAO,EAAE,MAAM,CAAC;QAChB,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;KACpB,EAAE,GACH,IAAI,CAAC;IACT,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IAC9B,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B"}
package/dist/types.js
ADDED
@@ -0,0 +1 @@
1
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}
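--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "cortex-auth",
-"version": "1.
+"version": "1.2.0",
 "description": "Shared authentication utilities for Node.js and Next.js applications",
 "main": "dist/index.js",
 "module": "dist/index.esm.js",
@@ -19,7 +19,7 @@
 },
 "scripts": {
 "dev": "tsc --watch",
-"build": "tsc",
+"build": "tsc && tsc-alias",
 "type-check": "tsc --noEmit",
 "lint": "eslint src/**/*.ts"
 },
@@ -53,9 +53,11 @@
 "@typescript-eslint/eslint-plugin": "^6.15.0",
 "@typescript-eslint/parser": "^6.15.0",
 "eslint": "^8.56.0",
+"eslint-plugin-react": "^7.37.5",
 "next": "^15.0.0",
 "next-auth": "5.0.0-beta.30",
 "payload": "^3.70.0",
+"tsc-alias": "^1.8.10",
 "typescript": "^5.3.3"
 }
 }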
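Review bot: The build script now chains a second tool (`"build": "tsc && tsc-alias"`) while the new devDependency is declared with a floating range (`"tsc-alias": "^1.8.10"`), so the content of the published `dist/` depends on whichever tsc-alias version resolves at publish time. Because this tool post-processes the emitted JavaScript (presumably rewriting path aliases in import specifiers), it directly shapes the shipped artifact; a committed lockfile entry for it, or an exact pin, and a post-build check that the new `dist/index.js` re-exports resolve would make the release reproducible. `eslint-plugin-react` uses the same floating range but only affects linting, so it is less of a concern.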