payload-zitadel-plugin 0.1.6 → 0.2.1

package/README.md

@@ -2,72 +2,63 @@
 
 [![NPM](https://nodei.co/npm/payload-zitadel-plugin.png)](https://npmjs.org/package/payload-zitadel-plugin)
 
-plugin for [Payload CMS](https://payloadcms.com), which enables authentication via Zitadel IdP. It
-uses [NextAuth.js](https://next-auth.js.org) under the hood.
+plugin for [Payload CMS](https://payloadcms.com), which enables authentication via Zitadel IdP.
+
+The default use case is to fully replace PayloadCMS Auth with Zitadel.
+Thus the user collection in PayloadCMS becomes just a shadow of the information in Zitadel.
 
 :boom: :boom: :boom:   works :100: with PayloadCMS version :three:   :boom: :boom: :boom:
 
 ## Install
 
 ```shell
-pnpm add payload-zitadel-plugin@0.1.6
+pnpm add payload-zitadel-plugin@0.2.1
 ```
 
 ## Configuration
 
 Initialize the plugin in Payload Config File. Change the parameters to connect to your Zitadel Instance.
 
-#### zitadel-plugin.ts
+#### payload.config.ts
 
 ```typescript
-import {ZitadelPluginProvider} from 'payload-zitadel-plugin'
-
-export const {zitadelPlugin, nextauthHandler} = ZitadelPluginProvider({
-    // in Zitadel create a new App->Web->PKCE
-    issuerUrl: process.env.ZITADEL_URL,
-    clientId: process.env.ZITADEL_CLIENT_ID,
-
-    // interpolation text for the Login Button - "sign in with ..."
-    // externalProviderName: 'ZITADEL',
-
-    // set to true if you do not want to use the IdP Profile as the Avatar
-    // disableAvatar: true
-    
-    // set to true if you want to use your own custom login button
-    // disableDefaultLoginButton: true
+import {buildConfig} from 'payload/config'
+import {ZitadelPlugin} from 'payload-zitadel-plugin'
 
-    // set to true if you want users to only be able to sign in via Zitadel
-    // disableLocalStrategy: true,
 
-    // if you want to specify the users collection slug
-    // authSlug: 'users',
+export default buildConfig({
+    ...,
+    plugins: [
+        ZitadelPlugin({
+            // URL of your Zitadel instance
+            issuerUrl: process.env.ZITADEL_URL,
 
-    // if you want to specify the field name for the IdP Id in the users collection
-    // associatedIdFieldName: 'idp_id'
+            // in Zitadel create a new App->Web->PKCE, then copy the Client ID
+            clientId: process.env.ZITADEL_CLIENT_ID,
 
-    // change the internal name, only if you know what you are doing!!!
-    // internalProviderName = 'zitadel',
+            // interpolation text for the Login Button - "sign in with ..."
+            label: 'Zitadel',
 
-    // following properties are only needed if you want to authenticate clients for the API
-    // if you are just using the CMS you can ignore all of them
-    // in Zitadel create a new App->API->JWT
-    // enableAPI: true,
-    // apiClientId: process.env.ZITADEL_API_CLIENT_ID,
-    // apiKeyId: process.env.ZITADEL_API_KEY_ID,
-    // apiKey: process.env.ZITADEL_API_KEY
-})
+            // set the name of the CustomStrategy in PayloadCMS - usually not necessary
+            // strategyName: 'zitadel'
 
-```
+            // set to true if you do not want to use the Zitadel Profile Picture as the Avatar
+            // disableAvatar: true
 
-#### payload.config.ts
+            // set to true if you want to use your own custom login button
+            // disableDefaultLoginButton: true
 
-```typescript
-import {buildConfig} from 'payload/config'
+            // if you want to specify the field name for the Zitadel User Id in the users collection
+            // associatedIdFieldName: 'idp_id'
 
-export default buildConfig({
-    ...,
-    plugins: [
-        zitadelPlugin
+            // following properties are only needed if you want to authenticate clients for the API
+            // if you are just using the CMS you can ignore all of them
+            // in Zitadel create a new App->API->JWT
+            // enableAPI: true,
+            // apiClientId: process.env.ZITADEL_API_CLIENT_ID,
+            // apiKeyId: process.env.ZITADEL_API_KEY_ID,
+            // apiKey: process.env.ZITADEL_API_KEY
+        })
     ],
     ...
 })
@@ -110,23 +101,14 @@ const nextConfig = {
 export default withPayload(nextConfig)
 ```
 
-### create route
-
-Unfortunately you need to manually create the following NextAuth.js route in your Next.js App (using App Router):
-
-### (nextauth)/api/auth/[...nextauth]/route.ts
-
-```typescript
-import {nextauthHandler} from '@/config/zitadel-plugin'
-
-export {nextauthHandler as GET, nextauthHandler as POST}
-```
-
-### add profile picture url to accepted Next.js assets
+### further configuration
 
-If you want to use the Zitadel profile picture as the avatar in PayloadCMS (`disableAvatar != true`), 
+If you want to use the Zitadel profile picture as the avatar in PayloadCMS (`disableAvatar != true`),
 you have to manually add the asset URL to the Next.js config file.
 
+Also if you want to automatically redirect to Zitadel without asking the user to click on the login button,
+you have to add the redirect manually to the Next.js config file.
+
 #### next.config.js
 
 ```typescript
@@ -134,6 +116,8 @@ import {withPayload} from '@payloadcms/next/withPayload'
 
 /** @type {import('next').NextConfig} */
 const nextConfig = {
+    // if Avatar enabled:
+    // allow loading assets like profile pictures from Zitadel
     images: {
         remotePatterns: [
             {
@@ -143,7 +127,18 @@ const nextConfig = {
                 pathname: '/assets/**'
             }
         ]
+    },
+    // optional: enable auto-redirect to Zitadel login page if no logged in
+    async redirects() {
+        return [
+            {
+                source: '/admin/login',
+                destination: '/api/users/authorize',
+                permanent: true
+            }
+        ]
     }
+
 }
 
 export default withPayload(nextConfig)

package/dist/components/Avatar.d.ts

@@ -0,0 +1,3 @@
+import * as React from 'react';
+export declare const Avatar: () => React.JSX.Element;
+//# sourceMappingURL=Avatar.d.ts.map

package/dist/components/Avatar.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Avatar.d.ts","sourceRoot":"","sources":["../../src/components/Avatar.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAA;AAM9B,eAAO,MAAM,MAAM,yBA6BlB,CAAA"}

package/dist/components/{Avatar/index.js → Avatar.js}

@@ -1,14 +1,13 @@
 'use client';
 import * as React from 'react';
-// https://github.com/vercel/next.js/issues/46078
-// import Image from 'next/image.js'
-import { useSession } from 'next-auth/react';
 import { DefaultAccountIcon } from '@payloadcms/ui/graphics/Account/Default';
-export const Avatar = ({ active })=>{
-    const session = useSession();
-    const imageUrl = session?.data?.user?.image;
-    return imageUrl ? /*#__PURE__*/ React.createElement(React.Fragment, null, /*#__PURE__*/ React.createElement("style", null, `
+import { Image } from 'next/dist/client/image-component.js';
+import { useAuth } from '@payloadcms/ui';
+export const Avatar = ()=>{
+    const { user } = useAuth();
+    return user?.image ? /*#__PURE__*/ React.createElement(React.Fragment, null, /*#__PURE__*/ React.createElement("style", null, `
                             .avatar {
+                                position: relative;
                                 height: 2rem;
                                 width: 2rem;
                             }
@@ -18,17 +17,18 @@ export const Avatar = ({ active })=>{
                             }
                             
                             .avatar img {
-                                object-fit: fill;
                                 border-radius: 100%;
                             }
                         `), /*#__PURE__*/ React.createElement("div", {
         className: "avatar"
-    }, /*#__PURE__*/ React.createElement("img", {
-        src: imageUrl,
-        alt: "Profile Picture"
+    }, /*#__PURE__*/ React.createElement(Image, {
+        src: user.image,
+        alt: "Profile Picture",
+        fill: true,
+        sizes: "2rem 2rem"
     }))) : /*#__PURE__*/ React.createElement(DefaultAccountIcon, {
-        active: active
+        active: false
     });
 };
 
-//# sourceMappingURL=index.js.map
+//# sourceMappingURL=Avatar.js.map

package/dist/components/Avatar.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/components/Avatar.tsx"],"sourcesContent":["'use client'\n\nimport * as React from 'react'\nimport {DefaultAccountIcon} from '@payloadcms/ui/graphics/Account/Default'\nimport {Image} from 'next/dist/client/image-component.js'\nimport {useAuth} from '@payloadcms/ui'\n\n\nexport const Avatar = () => {\n\n    const {user} = useAuth()\n\n    return (user?.image ?\n            <>\n                <style>\n                    {`\n                            .avatar {\n                                position: relative;\n                                height: 2rem;\n                                width: 2rem;\n                            }\n                            \n                            .avatar:hover {\n                                filter: brightness(.8);\n                            }\n                            \n                            .avatar img {\n                                border-radius: 100%;\n                            }\n                        `}\n                </style>\n                <div className=\"avatar\">\n                    <Image src={user.image} alt=\"Profile Picture\" fill sizes=\"2rem 2rem\"/>\n                </div>\n            </> :\n            <DefaultAccountIcon active={false}/>\n    )\n}"],"names":["React","DefaultAccountIcon","Image","useAuth","Avatar","user","image","style","div","className","src","alt","fill","sizes","active"],"mappings":"AAAA;AAEA,YAAYA,WAAW,QAAO;AAC9B,SAAQC,kBAAkB,QAAO,0CAAyC;AAC1E,SAAQC,KAAK,QAAO,sCAAqC;AACzD,SAAQC,OAAO,QAAO,iBAAgB;AAGtC,OAAO,MAAMC,SAAS;IAElB,MAAM,EAACC,IAAI,EAAC,GAAGF;IAEf,OAAQE,MAAMC,sBACN,wDACI,oBAACC,eACI,CAAC;;;;;;;;;;;;;;wBAcE,CAAC,iBAET,oBAACC;QAAIC,WAAU;qBACX,oBAACP;QAAMQ,KAAKL,KAAKC,KAAK;QAAEK,KAAI;QAAkBC,MAAAA;QAAKC,OAAM;yBAGjE,oBAACZ;QAAmBa,QAAQ;;AAExC,EAAC"}

package/dist/components/LoginButton.d.ts

@@ -0,0 +1,3 @@
+import React from 'react';
+export declare const LoginButton: () => React.JSX.Element;
+//# sourceMappingURL=LoginButton.d.ts.map

package/dist/components/LoginButton.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"LoginButton.d.ts","sourceRoot":"","sources":["../../src/components/LoginButton.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAK,MAAM,OAAO,CAAA;AAKzB,eAAO,MAAM,WAAW,yBAcvB,CAAA"}

package/dist/components/LoginButton.js

@@ -0,0 +1,19 @@
+'use client';
+import React from 'react';
+import { Button, useConfig, useTranslation } from '@payloadcms/ui';
+export const LoginButton = ()=>{
+    const { t } = useTranslation();
+    const { admin: { custom: { zitadel: { label } } } } = useConfig();
+    return /*#__PURE__*/ React.createElement("div", {
+        style: {
+            display: 'flex',
+            justifyContent: 'center'
+        }
+    }, /*#__PURE__*/ React.createElement(Button, {
+        onClick: ()=>open('http://localhost/api/users/authorize', '_self')
+    }, t('oidcPlugin:signIn', {
+        label
+    })));
+};
+
+//# sourceMappingURL=LoginButton.js.map

package/dist/components/LoginButton.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/components/LoginButton.tsx"],"sourcesContent":["'use client'\n\nimport React from 'react'\nimport {NestedKeysStripped} from '@payloadcms/translations'\nimport {Button, useConfig, useTranslation} from '@payloadcms/ui'\nimport {translations} from '../translations.js'\n\nexport const LoginButton = () => {\n\n    const {t} = useTranslation<typeof translations.en, NestedKeysStripped<typeof translations.en>>()\n\n    const {admin: {custom: {zitadel: {label}}}} = useConfig()\n\n    return (\n        <div style={{display: 'flex', justifyContent: 'center'}}>\n            <Button onClick={() => open('http://localhost/api/users/authorize', '_self')}>\n                {t('oidcPlugin:signIn', {label})}\n            </Button>\n        </div>\n    )\n\n}"],"names":["React","Button","useConfig","useTranslation","LoginButton","t","admin","custom","zitadel","label","div","style","display","justifyContent","onClick","open"],"mappings":"AAAA;AAEA,OAAOA,WAAW,QAAO;AAEzB,SAAQC,MAAM,EAAEC,SAAS,EAAEC,cAAc,QAAO,iBAAgB;AAGhE,OAAO,MAAMC,cAAc;IAEvB,MAAM,EAACC,CAAC,EAAC,GAAGF;IAEZ,MAAM,EAACG,OAAO,EAACC,QAAQ,EAACC,SAAS,EAACC,KAAK,EAAC,EAAC,EAAC,EAAC,GAAGP;IAE9C,qBACI,oBAACQ;QAAIC,OAAO;YAACC,SAAS;YAAQC,gBAAgB;QAAQ;qBAClD,oBAACZ;QAAOa,SAAS,IAAMC,KAAK,wCAAwC;OAC/DV,EAAE,qBAAqB;QAACI;IAAK;AAK9C,EAAC"}

package/dist/components/index.d.ts

@@ -1,4 +1,3 @@
-export { Avatar } from './Avatar/index.js';
-export { LoginButton } from './LoginButton/index.js';
-export { Session } from './Session/index.js';
+export { Avatar } from './Avatar.js';
+export { LoginButton } from './LoginButton.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/components/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/components/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,MAAM,EAAC,MAAM,mBAAmB,CAAA;AACxC,OAAO,EAAC,WAAW,EAAC,MAAM,wBAAwB,CAAA;AAClD,OAAO,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/components/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,MAAM,EAAC,MAAM,aAAa,CAAA;AAClC,OAAO,EAAC,WAAW,EAAC,MAAM,kBAAkB,CAAA"}

package/dist/components/index.js

@@ -1,5 +1,4 @@
-export { Avatar } from './Avatar/index.js';
-export { LoginButton } from './LoginButton/index.js';
-export { Session } from './Session/index.js';
+export { Avatar } from './Avatar.js';
+export { LoginButton } from './LoginButton.js';
 
 //# sourceMappingURL=index.js.map

package/dist/components/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/components/index.ts"],"sourcesContent":["export {Avatar} from './Avatar/index.js'\nexport {LoginButton} from './LoginButton/index.js'\nexport {Session} from './Session/index.js'"],"names":["Avatar","LoginButton","Session"],"rangeMappings":";;","mappings":"AAAA,SAAQA,MAAM,QAAO,oBAAmB;AACxC,SAAQC,WAAW,QAAO,yBAAwB;AAClD,SAAQC,OAAO,QAAO,qBAAoB"}
+{"version":3,"sources":["../../src/components/index.ts"],"sourcesContent":["export {Avatar} from './Avatar.js'\nexport {LoginButton} from './LoginButton.js'"],"names":["Avatar","LoginButton"],"mappings":"AAAA,SAAQA,MAAM,QAAO,cAAa;AAClC,SAAQC,WAAW,QAAO,mBAAkB"}

package/dist/handlers/authorize.d.ts

@@ -0,0 +1,3 @@
+import { PayloadHandler } from 'payload';
+export declare const authorize: PayloadHandler;
+//# sourceMappingURL=authorize.d.ts.map

package/dist/handlers/authorize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/handlers/authorize.ts"],"names":[],"mappings":"AAIA,OAAO,EAAC,cAAc,EAAC,MAAM,SAAS,CAAA;AAwBtC,eAAO,MAAM,SAAS,EAAE,cAuBJ,CAAA"}

package/dist/handlers/authorize.js

@@ -0,0 +1,28 @@
+'use server';
+import { cookies } from 'next/headers.js';
+import process from 'node:process';
+import { NextResponse } from 'next/server.js';
+const genCodeChallenge = async ()=>{
+    const code_verifier = Buffer.from(crypto.getRandomValues(new Uint8Array(24))).toString('base64url');
+    cookies().set({
+        name: 'pkce_code_verifier',
+        value: code_verifier,
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        maxAge: 300,
+        secure: process.env.NODE_ENV == 'production'
+    });
+    return Buffer.from(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(code_verifier))).toString('base64url');
+};
+export const authorize = async ({ payload: { config: { admin: { custom: { zitadel: { issuerURL, clientId, redirectURL } } } } } })=>NextResponse.redirect(`${issuerURL}/oauth/v2/authorize?${new URLSearchParams({
+        client_id: clientId,
+        redirect_uri: redirectURL,
+        response_type: 'code',
+        scope: 'openid email profile',
+        state: '',
+        code_challenge: await genCodeChallenge(),
+        code_challenge_method: 'S256'
+    }).toString()}`);
+
+//# sourceMappingURL=authorize.js.map

package/dist/handlers/authorize.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/handlers/authorize.ts"],"sourcesContent":["'use server'\n\nimport {cookies} from 'next/headers.js'\nimport process from 'node:process'\nimport {PayloadHandler} from 'payload'\nimport {NextResponse} from 'next/server.js'\n\nconst genCodeChallenge = async () => {\n\n    const code_verifier = Buffer.from(crypto.getRandomValues(new Uint8Array(24)))\n        .toString('base64url')\n\n    cookies().set({\n        name: 'pkce_code_verifier',\n        value: code_verifier,\n        httpOnly: true,\n        sameSite: 'lax',\n        path: '/',\n        maxAge: 300,\n        secure: process.env.NODE_ENV == 'production'\n    })\n\n    return Buffer.from(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(code_verifier)))\n        .toString('base64url')\n\n}\n\n\nexport const authorize: PayloadHandler = async ({\n                                                    payload: {\n                                                        config: {\n                                                            admin: {\n                                                                custom: {\n                                                                    zitadel: {\n                                                                        issuerURL,\n                                                                        clientId,\n                                                                        redirectURL\n                                                                    }\n                                                                }\n                                                            }\n                                                        }\n                                                    }\n                                                }) =>\n    NextResponse.redirect(`${issuerURL}/oauth/v2/authorize?${new URLSearchParams({\n        client_id: clientId,\n        redirect_uri: redirectURL,\n        response_type: 'code',\n        scope: 'openid email profile',\n        state: '',\n        code_challenge: await genCodeChallenge(),\n        code_challenge_method: 'S256'\n    }).toString()}`)"],"names":["cookies","process","NextResponse","genCodeChallenge","code_verifier","Buffer","from","crypto","getRandomValues","Uint8Array","toString","set","name","value","httpOnly","sameSite","path","maxAge","secure","env","NODE_ENV","subtle","digest","TextEncoder","encode","authorize","payload","config","admin","custom","zitadel","issuerURL","clientId","redirectURL","redirect","URLSearchParams","client_id","redirect_uri","response_type","scope","state","code_challenge","code_challenge_method"],"mappings":"AAAA;AAEA,SAAQA,OAAO,QAAO,kBAAiB;AACvC,OAAOC,aAAa,eAAc;AAElC,SAAQC,YAAY,QAAO,iBAAgB;AAE3C,MAAMC,mBAAmB;IAErB,MAAMC,gBAAgBC,OAAOC,IAAI,CAACC,OAAOC,eAAe,CAAC,IAAIC,WAAW,MACnEC,QAAQ,CAAC;IAEdV,UAAUW,GAAG,CAAC;QACVC,MAAM;QACNC,OAAOT;QACPU,UAAU;QACVC,UAAU;QACVC,MAAM;QACNC,QAAQ;QACRC,QAAQjB,QAAQkB,GAAG,CAACC,QAAQ,IAAI;IACpC;IAEA,OAAOf,OAAOC,IAAI,CAAC,MAAMC,OAAOc,MAAM,CAACC,MAAM,CAAC,WAAW,IAAIC,cAAcC,MAAM,CAACpB,iBAC7EM,QAAQ,CAAC;AAElB;AAGA,OAAO,MAAMe,YAA4B,OAAO,EACIC,SAAS,EACLC,QAAQ,EACJC,OAAO,EACHC,QAAQ,EACJC,SAAS,EACLC,SAAS,EACTC,QAAQ,EACRC,WAAW,EACd,EACJ,EACJ,EACJ,EACJ,EACJ,GAC7C/B,aAAagC,QAAQ,CAAC,CAAC,EAAEH,UAAU,oBAAoB,EAAE,IAAII,gBAAgB;QACzEC,WAAWJ;QACXK,cAAcJ;QACdK,eAAe;QACfC,OAAO;QACPC,OAAO;QACPC,gBAAgB,MAAMtC;QACtBuC,uBAAuB;IAC3B,GAAGhC,QAAQ,GAAG,CAAC,EAAC"}

package/dist/handlers/callback.d.ts

@@ -0,0 +1,3 @@
+import { PayloadHandler } from 'payload';
+export declare const callback: PayloadHandler;
+//# sourceMappingURL=callback.d.ts.map

package/dist/handlers/callback.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback.d.ts","sourceRoot":"","sources":["../../src/handlers/callback.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,cAAc,EAAC,MAAM,SAAS,CAAA;AAMtC,eAAO,MAAM,QAAQ,EAAE,cAyDtB,CAAA"}

package/dist/handlers/callback.js

@@ -0,0 +1,50 @@
+import { cookies } from 'next/headers.js';
+import process from 'node:process';
+import jwt from 'jsonwebtoken';
+export const callback = async ({ payload, query: { code } })=>{
+    const { secret, admin: { custom: { zitadel: { issuerURL, clientId, redirectURL } } } } = payload.config;
+    const cookieStore = cookies();
+    const code_verifier = cookieStore.get('pkce_code_verifier')?.value;
+    if (code_verifier) {
+        const response = await fetch(new URL(`${issuerURL}/oauth/v2/token`), {
+            method: 'POST',
+            body: new URLSearchParams({
+                grant_type: 'authorization_code',
+                code: code,
+                redirect_uri: redirectURL,
+                client_id: clientId,
+                code_verifier
+            })
+        });
+        if (response.ok) {
+            const { id_token } = await response.json();
+            if (id_token) {
+                cookieStore.set({
+                    name: 'id_token',
+                    value: jwt.sign(jwt.decode(id_token), secret),
+                    httpOnly: true,
+                    path: '/',
+                    sameSite: 'strict',
+                    maxAge: 900,
+                    secure: process.env.NODE_ENV == 'production'
+                });
+                cookieStore.delete('pkce_code_verifier');
+                return Response.redirect(new URL(redirectURL).origin);
+            }
+            return Response.json({
+                status: 'error',
+                message: 'token could not be retrieved from the response'
+            });
+        }
+        return Response.json({
+            status: 'error',
+            message: 'error while communicating with token endpoint'
+        });
+    }
+    return Response.json({
+        status: 'error',
+        message: 'code verifier not found (associated http-only cookie is empty)'
+    });
+};
+
+//# sourceMappingURL=callback.js.map

package/dist/handlers/callback.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/handlers/callback.ts"],"sourcesContent":["import {PayloadHandler} from 'payload'\nimport {cookies} from 'next/headers.js'\nimport process from 'node:process'\nimport jwt from 'jsonwebtoken'\nimport {ZitadelIdToken} from '../types.js'\n\nexport const callback: PayloadHandler = async ({payload, query: {code}}) => {\n\n    const {secret, admin: {custom: {zitadel: {issuerURL, clientId, redirectURL}}}} = payload.config\n\n    const cookieStore = cookies()\n\n    const code_verifier = cookieStore.get('pkce_code_verifier')?.value\n\n    if (code_verifier) {\n\n        const response = await fetch(new URL(`${issuerURL}/oauth/v2/token`), {\n            method: 'POST',\n            body: new URLSearchParams({\n                grant_type: 'authorization_code',\n                code: code as string,\n                redirect_uri: redirectURL,\n                client_id: clientId,\n                code_verifier\n            })\n        })\n\n        if (response.ok) {\n            const {id_token} = await response.json()\n\n            if (id_token) {\n                cookieStore.set({\n                    name: 'id_token',\n                    value: jwt.sign(jwt.decode(id_token) as ZitadelIdToken, secret),\n                    httpOnly: true,\n                    path: '/',\n                    sameSite: 'strict',\n                    maxAge: 900,\n                    secure: process.env.NODE_ENV == 'production'\n                })\n                cookieStore.delete('pkce_code_verifier')\n\n                return Response.redirect(new URL(redirectURL).origin)\n            }\n\n            return Response.json({\n                status: 'error',\n                message: 'token could not be retrieved from the response'\n            })\n        }\n\n        return Response.json({\n            status: 'error',\n            message: 'error while communicating with token endpoint'\n        })\n\n    }\n\n    return Response.json({\n        status: 'error',\n        message: 'code verifier not found (associated http-only cookie is empty)'\n    })\n\n}"],"names":["cookies","process","jwt","callback","payload","query","code","secret","admin","custom","zitadel","issuerURL","clientId","redirectURL","config","cookieStore","code_verifier","get","value","response","fetch","URL","method","body","URLSearchParams","grant_type","redirect_uri","client_id","ok","id_token","json","set","name","sign","decode","httpOnly","path","sameSite","maxAge","secure","env","NODE_ENV","delete","Response","redirect","origin","status","message"],"mappings":"AACA,SAAQA,OAAO,QAAO,kBAAiB;AACvC,OAAOC,aAAa,eAAc;AAClC,OAAOC,SAAS,eAAc;AAG9B,OAAO,MAAMC,WAA2B,OAAO,EAACC,OAAO,EAAEC,OAAO,EAACC,IAAI,EAAC,EAAC;IAEnE,MAAM,EAACC,MAAM,EAAEC,OAAO,EAACC,QAAQ,EAACC,SAAS,EAACC,SAAS,EAAEC,QAAQ,EAAEC,WAAW,EAAC,EAAC,EAAC,EAAC,GAAGT,QAAQU,MAAM;IAE/F,MAAMC,cAAcf;IAEpB,MAAMgB,gBAAgBD,YAAYE,GAAG,CAAC,uBAAuBC;IAE7D,IAAIF,eAAe;QAEf,MAAMG,WAAW,MAAMC,MAAM,IAAIC,IAAI,CAAC,EAAEV,UAAU,eAAe,CAAC,GAAG;YACjEW,QAAQ;YACRC,MAAM,IAAIC,gBAAgB;gBACtBC,YAAY;gBACZnB,MAAMA;gBACNoB,cAAcb;gBACdc,WAAWf;gBACXI;YACJ;QACJ;QAEA,IAAIG,SAASS,EAAE,EAAE;YACb,MAAM,EAACC,QAAQ,EAAC,GAAG,MAAMV,SAASW,IAAI;YAEtC,IAAID,UAAU;gBACVd,YAAYgB,GAAG,CAAC;oBACZC,MAAM;oBACNd,OAAOhB,IAAI+B,IAAI,CAAC/B,IAAIgC,MAAM,CAACL,WAA6BtB;oBACxD4B,UAAU;oBACVC,MAAM;oBACNC,UAAU;oBACVC,QAAQ;oBACRC,QAAQtC,QAAQuC,GAAG,CAACC,QAAQ,IAAI;gBACpC;gBACA1B,YAAY2B,MAAM,CAAC;gBAEnB,OAAOC,SAASC,QAAQ,CAAC,IAAIvB,IAAIR,aAAagC,MAAM;YACxD;YAEA,OAAOF,SAASb,IAAI,CAAC;gBACjBgB,QAAQ;gBACRC,SAAS;YACb;QACJ;QAEA,OAAOJ,SAASb,IAAI,CAAC;YACjBgB,QAAQ;YACRC,SAAS;QACb;IAEJ;IAEA,OAAOJ,SAASb,IAAI,CAAC;QACjBgB,QAAQ;QACRC,SAAS;IACb;AAEJ,EAAC"}

package/dist/handlers/index.d.ts

@@ -0,0 +1,3 @@
+export { authorize } from './authorize.js';
+export { callback } from './callback.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/handlers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/handlers/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,SAAS,EAAC,MAAM,gBAAgB,CAAA;AACxC,OAAO,EAAC,QAAQ,EAAC,MAAM,eAAe,CAAA"}

package/dist/handlers/index.js

@@ -0,0 +1,4 @@
+export { authorize } from './authorize.js';
+export { callback } from './callback.js';
+
+//# sourceMappingURL=index.js.map

package/dist/handlers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/handlers/index.ts"],"sourcesContent":["export {authorize} from './authorize.js'\nexport {callback} from './callback.js'"],"names":["authorize","callback"],"mappings":"AAAA,SAAQA,SAAS,QAAO,iBAAgB;AACxC,SAAQC,QAAQ,QAAO,gBAAe"}

package/dist/hooks/index.d.ts

@@ -0,0 +1,2 @@
+export { useCurrentUser } from './user.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/hooks/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/hooks/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,cAAc,EAAC,MAAM,WAAW,CAAA"}

package/dist/hooks/index.js

@@ -0,0 +1,3 @@
+export { useCurrentUser } from './user.js';
+
+//# sourceMappingURL=index.js.map

package/dist/hooks/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/hooks/index.ts"],"sourcesContent":["export {useCurrentUser} from './user.js'"],"names":["useCurrentUser"],"mappings":"AAAA,SAAQA,cAAc,QAAO,YAAW"}

package/dist/hooks/user.d.ts

@@ -0,0 +1,6 @@
+export declare const useCurrentUser: () => {
+    user: any;
+    isError: boolean;
+    isLoading: boolean;
+};
+//# sourceMappingURL=user.d.ts.map

package/dist/hooks/user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/hooks/user.ts"],"names":[],"mappings":"AAIA,eAAO,MAAM,cAAc;;;;CAQ1B,CAAA"}

package/dist/hooks/user.js

@@ -0,0 +1,12 @@
+'use client';
+import { usePayloadAPI } from '@payloadcms/ui';
+export const useCurrentUser = ()=>{
+    const { data: { user }, isError, isLoading } = usePayloadAPI('/api/users/me')[0];
+    return {
+        user,
+        isError,
+        isLoading
+    };
+};
+
+//# sourceMappingURL=user.js.map

package/dist/hooks/user.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/hooks/user.ts"],"sourcesContent":["'use client'\n\nimport {usePayloadAPI} from '@payloadcms/ui'\n\nexport const useCurrentUser = () => {\n    const {data: {user}, isError, isLoading} = usePayloadAPI('/api/users/me')[0]\n\n    return {\n        user,\n        isError,\n        isLoading\n    }\n}"],"names":["usePayloadAPI","useCurrentUser","data","user","isError","isLoading"],"mappings":"AAAA;AAEA,SAAQA,aAAa,QAAO,iBAAgB;AAE5C,OAAO,MAAMC,iBAAiB;IAC1B,MAAM,EAACC,MAAM,EAACC,IAAI,EAAC,EAAEC,OAAO,EAAEC,SAAS,EAAC,GAAGL,cAAc,gBAAgB,CAAC,EAAE;IAE5E,OAAO;QACHG;QACAC;QACAC;IACJ;AACJ,EAAC"}

package/dist/index.d.ts

@@ -1,3 +1,4 @@
-import { ZitadelPluginProviderType } from './types.js';
-export declare const ZitadelPluginProvider: ZitadelPluginProviderType;
+import { ZitadelPluginType } from './types.js';
+export { getCurrentUser } from './utils/index.js';
+export declare const ZitadelPlugin: ZitadelPluginType;
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAA0B,yBAAyB,EAAC,MAAM,YAAY,CAAA;AAI7E,eAAO,MAAM,qBAAqB,EAAE,yBAoKnC,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,iBAAiB,EAAC,MAAM,YAAY,CAAA;AAM5C,OAAO,EAAC,cAAc,EAAC,MAAM,kBAAkB,CAAA;AAE/C,eAAO,MAAM,aAAa,EAAE,iBA8J3B,CAAA"}