payload-zitadel-plugin 0.3.1 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/README.md +1 -1
  2. package/dist/strategy.d.ts.map +1 -1
  3. package/dist/strategy.js +5 -2
  4. package/dist/strategy.js.map +1 -1
  5. package/package.json +12 -12
package/README.md CHANGED
@@ -12,7 +12,7 @@ Thus, the user collection in PayloadCMS becomes just a shadow of the information
12
12
  ## Install
13
13
 
14
14
  ```shell
15
- pnpm add payload-zitadel-plugin@0.3.1
15
+ pnpm add payload-zitadel-plugin@0.3.2
16
16
  ```
17
17
 
18
18
  ## Configuration
package/dist/strategy.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"strategy.d.ts","sourceRoot":"","sources":["../src/strategy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiB,mBAAmB,EAAC,MAAM,YAAY,CAAA;AAK9D,eAAO,MAAM,eAAe,EAAE,mBA+F5B,CAAA"}
1
+ {"version":3,"file":"strategy.d.ts","sourceRoot":"","sources":["../src/strategy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiB,mBAAmB,EAAC,MAAM,YAAY,CAAA;AAK9D,eAAO,MAAM,eAAe,EAAE,mBAkG5B,CAAA"}
package/dist/strategy.js CHANGED
@@ -34,8 +34,11 @@ export const zitadelStrategy = ({ authSlug, fieldsConfig, strategyName, issuerUR
34
34
  }
35
35
  // in case of normal browsing
36
36
  if (!idp_id && cookieStore.has(COOKIES.idToken)) {
37
- id_token = (await jwtVerify(cookieStore.get(COOKIES.idToken)?.value ?? '', new TextEncoder().encode(payload.secret))).payload;
38
- idp_id = id_token.sub;
37
+ const { payload: jwtPayload } = await jwtVerify(cookieStore.get(COOKIES.idToken)?.value ?? '', new TextEncoder().encode(payload.secret));
38
+ if (jwtPayload.sub) {
39
+ id_token = jwtPayload;
40
+ idp_id = jwtPayload.sub;
41
+ }
39
42
  }
40
43
  // search for associated user; if not found, create one
41
44
  if (idp_id) {
package/dist/strategy.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/strategy.ts"],"sourcesContent":["import {ZitadelIdToken, ZitadelStrategyType} from './types.js'\nimport {SignJWT, jwtVerify} from 'jose'\nimport {cookies} from 'next/headers.js'\nimport {COOKIES} from './constants.js'\n\nexport const zitadelStrategy: ZitadelStrategyType = ({\n authSlug,\n fieldsConfig,\n strategyName,\n issuerURL,\n enableAPI,\n apiClientId,\n apiKeyId,\n apiKey\n }) => ({\n name: strategyName,\n authenticate: async ({headers, payload}) => {\n\n let id, idp_id, id_token\n\n const cookieStore = await cookies()\n\n if (enableAPI) {\n // in case of incoming API call from the app\n const authHeader = headers.get('Authorization')\n if (authHeader?.includes('Bearer')) {\n const introspect = await fetch(`${issuerURL}/oauth/v2/introspect`, {\n method: 'post',\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded'\n },\n body: new URLSearchParams({\n 'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',\n 'client_assertion': await new SignJWT()\n .setProtectedHeader({alg: 'RS256', kid: apiKeyId})\n .setIssuer(apiClientId)\n .setAudience(issuerURL)\n .setSubject(apiClientId)\n .setIssuedAt()\n .setExpirationTime('1h')\n .sign(new TextEncoder().encode(apiKey)),\n 'token': authHeader.split(' ')[1]\n })\n })\n if (introspect.ok) {\n const data = await introspect.json()\n if (data?.active) {\n idp_id = data.sub\n }\n }\n }\n }\n\n // in case of normal browsing\n if (!idp_id && cookieStore.has(COOKIES.idToken)) {\n id_token = (await jwtVerify<ZitadelIdToken>(cookieStore.get(COOKIES.idToken)?.value ?? '', new TextEncoder().encode(payload.secret))).payload\n idp_id = id_token.sub\n }\n\n // search for associated user; if not found, create one\n if (idp_id) {\n const {docs, totalDocs} = await payload.find({\n collection: authSlug,\n where: {\n [fieldsConfig.id.name]: {\n equals: idp_id\n }\n }\n })\n id = totalDocs ? docs[0].id : (await payload.create({\n collection: authSlug,\n data: {\n [fieldsConfig.id.name]: idp_id\n }\n })).id\n }\n\n // update user information if possible\n if (id && id_token) {\n await payload.update({\n collection: authSlug,\n id,\n data: {\n [fieldsConfig.name.name]: id_token.name,\n [fieldsConfig.email.name]: id_token.email,\n [fieldsConfig.image.name]: id_token.picture,\n [fieldsConfig.roles.name]: Object.keys(id_token['urn:zitadel:iam:org:project:roles'] ?? {})\n .map(key => ({[fieldsConfig.roleFields.name.name]: key}))\n }\n })\n }\n\n return {\n user: id ? {\n collection: authSlug,\n id\n } : null\n }\n\n }\n})"],"names":["SignJWT","jwtVerify","cookies","COOKIES","zitadelStrategy","authSlug","fieldsConfig","strategyName","issuerURL","enableAPI","apiClientId","apiKeyId","apiKey","name","authenticate","headers","payload","id","idp_id","id_token","cookieStore","authHeader","get","includes","introspect","fetch","method","body","URLSearchParams","setProtectedHeader","alg","kid","setIssuer","setAudience","setSubject","setIssuedAt","setExpirationTime","sign","TextEncoder","encode","split","ok","data","json","active","sub","has","idToken","value","secret","docs","totalDocs","find","collection","where","equals","create","update","email","image","picture","roles","Object","keys","map","key","roleFields","user"],"mappings":"AACA,SAAQA,OAAO,EAAEC,SAAS,QAAO,OAAM;AACvC,SAAQC,OAAO,QAAO,kBAAiB;AACvC,SAAQC,OAAO,QAAO,iBAAgB;AAEtC,OAAO,MAAMC,kBAAuC,CAAC,EACIC,QAAQ,EACRC,YAAY,EACZC,YAAY,EACZC,SAAS,EACTC,SAAS,EACTC,WAAW,EACXC,QAAQ,EACRC,MAAM,EACT,GAAM,CAAA;QACxDC,MAAMN;QACNO,cAAc,OAAO,EAACC,OAAO,EAAEC,OAAO,EAAC;YAEnC,IAAIC,IAAIC,QAAQC;YAEhB,MAAMC,cAAc,MAAMlB;YAE1B,IAAIO,WAAW;gBACX,4CAA4C;gBAC5C,MAAMY,aAAaN,QAAQO,GAAG,CAAC;gBAC/B,IAAID,YAAYE,SAAS,WAAW;oBAChC,MAAMC,aAAa,MAAMC,MAAM,GAAGjB,UAAU,oBAAoB,CAAC,EAAE;wBAC/DkB,QAAQ;wBACRX,SAAS;4BACL,gBAAgB;wBACpB;wBACAY,MAAM,IAAIC,gBAAgB;4BACtB,yBAAyB;4BACzB,oBAAoB,MAAM,IAAI5B,UACzB6B,kBAAkB,CAAC;gCAACC,KAAK;gCAASC,KAAKpB;4BAAQ,GAC/CqB,SAAS,CAACtB,aACVuB,WAAW,CAACzB,WACZ0B,UAAU,CAACxB,aACXyB,WAAW,GACXC,iBAAiB,CAAC,MAClBC,IAAI,CAAC,IAAIC,cAAcC,MAAM,CAAC3B;4BACnC,SAASS,WAAWmB,KAAK,CAAC,IAAI,CAAC,EAAE;wBACrC;oBACJ;oBACA,IAAIhB,WAAWiB,EAAE,EAAE;wBACf,MAAMC,OAAO,MAAMlB,WAAWmB,IAAI;wBAClC,IAAID,MAAME,QAAQ;4BACd1B,SAASwB,KAAKG,GAAG;wBACrB;oBACJ;gBACJ;YACJ;YAEA,6BAA6B;YAC7B,IAAI,CAAC3B,UAAUE,YAAY0B,GAAG,CAAC3C,QAAQ4C,OAAO,GAAG;gBAC7C5B,WAAW,AAAC,CAAA,MAAMlB,UAA0BmB,YAAYE,GAAG,CAACnB,QAAQ4C,OAAO,GAAGC,SAAS,IAAI,IAAIV,cAAcC,MAAM,CAACvB,QAAQiC,MAAM,EAAC,EAAGjC,OAAO;gBAC7IE,SAASC,SAAS0B,GAAG;YACzB;YAEA,uDAAuD;YACvD,IAAI3B,QAAQ;gBACR,MAAM,EAACgC,IAAI,EAAEC,SAAS,EAAC,GAAG,MAAMnC,QAAQoC,IAAI,CAAC;oBACzCC,YAAYhD;oBACZiD,OAAO;wBACH,CAAChD,aAAaW,EAAE,CAACJ,IAAI,CAAC,EAAE;4BACpB0C,QAAQrC;wBACZ;oBACJ;gBACJ;gBACAD,KAAKkC,YAAYD,IAAI,CAAC,EAAE,CAACjC,EAAE,GAAG,AAAC,CAAA,MAAMD,QAAQwC,MAAM,CAAC;oBAChDH,YAAYhD;oBACZqC,MAAM;wBACF,CAACpC,aAAaW,EAAE,CAACJ,IAAI,CAAC,EAAEK;oBAC5B;gBACJ,EAAC,EAAGD,EAAE;YACV;YAEA,sCAAsC;YACtC,IAAIA,MAAME,UAAU;gBAChB,MAAMH,QAAQyC,MAAM,CAAC;oBACjBJ,YAAYhD;oBACZY;oBACAyB,MAAM;wBACF,CAACpC,aAAaO,IAAI,CAACA,IAAI,CAAC,EAAEM,SAASN,IAAI;wBACvC,CAACP,aAAaoD,KAAK,CAAC7C,IAAI,CAAC,EAAEM,SAASuC,KAAK;wBACzC,CAACpD,aAAaqD,KAAK,CAAC9C,IAAI,CAAC,EAAEM,SAASyC,OAAO;wBAC3C,CAACtD,aAAauD,KAAK,CAAChD,IAAI,CAAC,EAAEiD,OAAOC,IAAI,CAAC5C,QAAQ,CAAC,oCAAoC,IAAI,CAAC,GACpF6C,GAAG,CAACC,CAAAA,MAAQ,CAAA;gCAAC,CAAC3D,aAAa4D,UAAU,CAACrD,IAAI,CAACA,IAAI,CAAC,EAAEoD;4BAAG,CAAA;oBAC9D;gBACJ;YACJ;YAEA,OAAO;gBACHE,MAAMlD,KAAK;oBACPoC,YAAYhD;oBACZY;gBACJ,IAAI;YACR;QAEJ;IACJ,CAAA,EAAE"}
1
+ {"version":3,"sources":["../src/strategy.ts"],"sourcesContent":["import {ZitadelIdToken, ZitadelStrategyType} from './types.js'\nimport {SignJWT, jwtVerify} from 'jose'\nimport {cookies} from 'next/headers.js'\nimport {COOKIES} from './constants.js'\n\nexport const zitadelStrategy: ZitadelStrategyType = ({\n authSlug,\n fieldsConfig,\n strategyName,\n issuerURL,\n enableAPI,\n apiClientId,\n apiKeyId,\n apiKey\n }) => ({\n name: strategyName,\n authenticate: async ({headers, payload}) => {\n\n let id, idp_id, id_token\n\n const cookieStore = await cookies()\n\n if (enableAPI) {\n // in case of incoming API call from the app\n const authHeader = headers.get('Authorization')\n if (authHeader?.includes('Bearer')) {\n const introspect = await fetch(`${issuerURL}/oauth/v2/introspect`, {\n method: 'post',\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded'\n },\n body: new URLSearchParams({\n 'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',\n 'client_assertion': await new SignJWT()\n .setProtectedHeader({alg: 'RS256', kid: apiKeyId})\n .setIssuer(apiClientId)\n .setAudience(issuerURL)\n .setSubject(apiClientId)\n .setIssuedAt()\n .setExpirationTime('1h')\n .sign(new TextEncoder().encode(apiKey)),\n 'token': authHeader.split(' ')[1]\n })\n })\n if (introspect.ok) {\n const data = await introspect.json()\n if (data?.active) {\n idp_id = data.sub\n }\n }\n }\n }\n\n // in case of normal browsing\n if (!idp_id && cookieStore.has(COOKIES.idToken)) {\n const {payload: jwtPayload} = await jwtVerify<ZitadelIdToken>(cookieStore.get(COOKIES.idToken)?.value ?? '', new TextEncoder().encode(payload.secret))\n if (jwtPayload.sub) {\n id_token = jwtPayload\n idp_id = jwtPayload.sub\n }\n }\n\n // search for associated user; if not found, create one\n if (idp_id) {\n const {docs, totalDocs} = await payload.find({\n collection: authSlug,\n where: {\n [fieldsConfig.id.name]: {\n equals: idp_id\n }\n }\n })\n id = totalDocs ? docs[0].id : (await payload.create({\n collection: authSlug,\n data: {\n [fieldsConfig.id.name]: idp_id\n }\n })).id\n }\n\n // update user information if possible\n if (id && id_token) {\n await payload.update({\n collection: authSlug,\n id,\n data: {\n [fieldsConfig.name.name]: id_token.name,\n [fieldsConfig.email.name]: id_token.email,\n [fieldsConfig.image.name]: id_token.picture,\n [fieldsConfig.roles.name]: Object.keys(id_token['urn:zitadel:iam:org:project:roles'] ?? {})\n .map(key => ({[fieldsConfig.roleFields.name.name]: key}))\n }\n })\n }\n\n return {\n user: id ? {\n collection: authSlug,\n id\n } : null\n }\n\n }\n})"],"names":["SignJWT","jwtVerify","cookies","COOKIES","zitadelStrategy","authSlug","fieldsConfig","strategyName","issuerURL","enableAPI","apiClientId","apiKeyId","apiKey","name","authenticate","headers","payload","id","idp_id","id_token","cookieStore","authHeader","get","includes","introspect","fetch","method","body","URLSearchParams","setProtectedHeader","alg","kid","setIssuer","setAudience","setSubject","setIssuedAt","setExpirationTime","sign","TextEncoder","encode","split","ok","data","json","active","sub","has","idToken","jwtPayload","value","secret","docs","totalDocs","find","collection","where","equals","create","update","email","image","picture","roles","Object","keys","map","key","roleFields","user"],"mappings":"AACA,SAAQA,OAAO,EAAEC,SAAS,QAAO,OAAM;AACvC,SAAQC,OAAO,QAAO,kBAAiB;AACvC,SAAQC,OAAO,QAAO,iBAAgB;AAEtC,OAAO,MAAMC,kBAAuC,CAAC,EACIC,QAAQ,EACRC,YAAY,EACZC,YAAY,EACZC,SAAS,EACTC,SAAS,EACTC,WAAW,EACXC,QAAQ,EACRC,MAAM,EACT,GAAM,CAAA;QACxDC,MAAMN;QACNO,cAAc,OAAO,EAACC,OAAO,EAAEC,OAAO,EAAC;YAEnC,IAAIC,IAAIC,QAAQC;YAEhB,MAAMC,cAAc,MAAMlB;YAE1B,IAAIO,WAAW;gBACX,4CAA4C;gBAC5C,MAAMY,aAAaN,QAAQO,GAAG,CAAC;gBAC/B,IAAID,YAAYE,SAAS,WAAW;oBAChC,MAAMC,aAAa,MAAMC,MAAM,GAAGjB,UAAU,oBAAoB,CAAC,EAAE;wBAC/DkB,QAAQ;wBACRX,SAAS;4BACL,gBAAgB;wBACpB;wBACAY,MAAM,IAAIC,gBAAgB;4BACtB,yBAAyB;4BACzB,oBAAoB,MAAM,IAAI5B,UACzB6B,kBAAkB,CAAC;gCAACC,KAAK;gCAASC,KAAKpB;4BAAQ,GAC/CqB,SAAS,CAACtB,aACVuB,WAAW,CAACzB,WACZ0B,UAAU,CAACxB,aACXyB,WAAW,GACXC,iBAAiB,CAAC,MAClBC,IAAI,CAAC,IAAIC,cAAcC,MAAM,CAAC3B;4BACnC,SAASS,WAAWmB,KAAK,CAAC,IAAI,CAAC,EAAE;wBACrC;oBACJ;oBACA,IAAIhB,WAAWiB,EAAE,EAAE;wBACf,MAAMC,OAAO,MAAMlB,WAAWmB,IAAI;wBAClC,IAAID,MAAME,QAAQ;4BACd1B,SAASwB,KAAKG,GAAG;wBACrB;oBACJ;gBACJ;YACJ;YAEA,6BAA6B;YAC7B,IAAI,CAAC3B,UAAUE,YAAY0B,GAAG,CAAC3C,QAAQ4C,OAAO,GAAG;gBAC7C,MAAM,EAAC/B,SAASgC,UAAU,EAAC,GAAG,MAAM/C,UAA0BmB,YAAYE,GAAG,CAACnB,QAAQ4C,OAAO,GAAGE,SAAS,IAAI,IAAIX,cAAcC,MAAM,CAACvB,QAAQkC,MAAM;gBACpJ,IAAIF,WAAWH,GAAG,EAAE;oBAChB1B,WAAW6B;oBACX9B,SAAS8B,WAAWH,GAAG;gBAC3B;YACJ;YAEA,uDAAuD;YACvD,IAAI3B,QAAQ;gBACR,MAAM,EAACiC,IAAI,EAAEC,SAAS,EAAC,GAAG,MAAMpC,QAAQqC,IAAI,CAAC;oBACzCC,YAAYjD;oBACZkD,OAAO;wBACH,CAACjD,aAAaW,EAAE,CAACJ,IAAI,CAAC,EAAE;4BACpB2C,QAAQtC;wBACZ;oBACJ;gBACJ;gBACAD,KAAKmC,YAAYD,IAAI,CAAC,EAAE,CAAClC,EAAE,GAAG,AAAC,CAAA,MAAMD,QAAQyC,MAAM,CAAC;oBAChDH,YAAYjD;oBACZqC,MAAM;wBACF,CAACpC,aAAaW,EAAE,CAACJ,IAAI,CAAC,EAAEK;oBAC5B;gBACJ,EAAC,EAAGD,EAAE;YACV;YAEA,sCAAsC;YACtC,IAAIA,MAAME,UAAU;gBAChB,MAAMH,QAAQ0C,MAAM,CAAC;oBACjBJ,YAAYjD;oBACZY;oBACAyB,MAAM;wBACF,CAACpC,aAAaO,IAAI,CAACA,IAAI,CAAC,EAAEM,SAASN,IAAI;wBACvC,CAACP,aAAaqD,KAAK,CAAC9C,IAAI,CAAC,EAAEM,SAASwC,KAAK;wBACzC,CAACrD,aAAasD,KAAK,CAAC/C,IAAI,CAAC,EAAEM,SAAS0C,OAAO;wBAC3C,CAACvD,aAAawD,KAAK,CAACjD,IAAI,CAAC,EAAEkD,OAAOC,IAAI,CAAC7C,QAAQ,CAAC,oCAAoC,IAAI,CAAC,GACpF8C,GAAG,CAACC,CAAAA,MAAQ,CAAA;gCAAC,CAAC5D,aAAa6D,UAAU,CAACtD,IAAI,CAACA,IAAI,CAAC,EAAEqD;4BAAG,CAAA;oBAC9D;gBACJ;YACJ;YAEA,OAAO;gBACHE,MAAMnD,KAAK;oBACPqC,YAAYjD;oBACZY;gBACJ,IAAI;YACR;QAEJ;IACJ,CAAA,EAAE"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "payload-zitadel-plugin",
3
- "version": "0.3.1",
3
+ "version": "0.3.2",
4
4
  "description": "plugin for Payload CMS, which enables authentication via Zitadel IdP",
5
5
  "type": "module",
6
6
  "license": "MIT",
@@ -36,26 +36,26 @@
36
36
  "dist"
37
37
  ],
38
38
  "dependencies": {
39
- "@payloadcms/next": "^3.2.1",
40
- "@payloadcms/translations": "^3.2.1",
41
- "@payloadcms/ui": "^3.2.1",
39
+ "@payloadcms/next": "^3.4.0",
40
+ "@payloadcms/translations": "^3.4.0",
41
+ "@payloadcms/ui": "^3.4.0",
42
42
  "jose": "^5.9.6",
43
43
  "next": "^15.0.3",
44
- "payload": "^3.2.1",
45
- "react": "19.0.0-rc-7670501b-20241124",
46
- "react-dom": "19.0.0-rc-7670501b-20241124"
44
+ "payload": "^3.4.0",
45
+ "react": "19.0.0-rc-de68d2f4-20241204",
46
+ "react-dom": "19.0.0-rc-de68d2f4-20241204"
47
47
  },
48
48
  "devDependencies": {
49
- "@swc/cli": "^0.5.1",
50
- "@swc/core": "^1.9.3",
51
- "@types/node": "^22.10.0",
52
- "@types/react": "^18.3.12",
49
+ "@swc/cli": "^0.5.2",
50
+ "@swc/core": "^1.10.0",
51
+ "@types/node": "^22.10.1",
52
+ "@types/react": "^18.3.13",
53
53
  "@types/react-dom": "^18.3.1",
54
54
  "rimraf": "^6.0.1",
55
55
  "typescript": "^5.7.2"
56
56
  },
57
57
  "engines": {
58
- "node": "^22.11.0"
58
+ "node": "^22.12.0"
59
59
  },
60
60
  "exports": {
61
61
  ".": {