payload-zitadel-plugin 0.3.9 → 0.4.1

package/README.md

@@ -12,7 +12,7 @@ Thus, the user collection in PayloadCMS becomes just a shadow of the information
 ## Install
 
 ```shell
-pnpm add payload-zitadel-plugin@0.3.9
+pnpm add payload-zitadel-plugin@0.4.1
 ```
 
 ## Configuration
@@ -23,21 +23,20 @@ Initialize the plugin in Payload Config File. Change the parameters to connect t
 
 ```typescript
 import {buildConfig} from 'payload/config'
-import {ZitadelPlugin} from 'payload-zitadel-plugin'
+import {zitadelPlugin} from 'payload-zitadel-plugin'
 
 
 export default buildConfig({
     ...,
     plugins: [
-        ZitadelPlugin({
+        zitadelPlugin({
             // URL of your Zitadel instance
-            issuerUrl: process.env.ZITADEL_URL,
+            issuerUrl: process.env.ZITADEL_URL ?? '',
 
-            // in Zitadel create a new App->Web->PKCE, then copy the Client ID
-            clientId: process.env.ZITADEL_CLIENT_ID,
-
-            // interpolation text for the Login Button - "sign in with ..."
-            label: 'Zitadel',
+            // in Zitadel create a new App->Web->PKCE in your project, then copy the Client ID
+            // DO NOT FORGET to add '{http://localhost with development mode on or https://your-domain.tld}/api/users/callback'
+            // to the allowed redirect URIs and ALSO to the post logout redirect URIs
+            clientId: process.env.ZITADEL_CLIENT_ID ?? '',
 
             // change field names, field labels and alse hide them if wanted
             /* 
@@ -52,23 +51,40 @@ export default buildConfig({
             // set the name of the CustomStrategy in PayloadCMS - usually not necessary
             // strategyName: 'zitadel'
 
-            // set to true if you do not want to use the Zitadel Profile Picture as the Avatar
-            // disableAvatar: true
+            /* 
+            avatar: {
+                // set to true if you do not want to use the Zitadel Profile Picture as the Avatar
+                disable: true
+            }
+            */
+
+
+            /* 
+            loginButton: {
+                // set to true if you want to use your own custom login button
+                disable: true,
+                
+                // interpolation text for the Login Button - "sign in with ..."
+                label: 'Zitadel'
+            }
+             */
 
-            // set to true if you want to use your own custom login button
-            // disableDefaultLoginButton: true
+            // if you want to manually control what happens after a successful login
+            // afterLogin: (req) => NextResponse.redirect('...')
 
-            // if you want to manually control what happen after a successful login
-            // state contains all URLSearchParams that were send to /authorize
-            // onSuccess: (state) => NextResponse.redirect([serverURL, state.get('redirect')].join(''))
+            // if you want to manually control what happens after a successful logout
+            // afterLogout: (req) => NextResponse.redirect('...')
 
-            // following properties are only needed if you want to authenticate clients for the API
-            // if you are just using the CMS you can ignore all of them
-            // in Zitadel create a new App->API->JWT
-            // enableAPI: true,
-            // apiClientId: process.env.ZITADEL_API_CLIENT_ID,
-            // apiKeyId: process.env.ZITADEL_API_KEY_ID,
-            // apiKey: process.env.ZITADEL_API_KEY
+            // following properties are only needed if you want to authenticate clients (e.g. a mobile app) for the API
+            // if the users are just visiting the CMS via a browser you can ignore all of them
+            // otherwise create in Zitadel a new App->API->JWT and copy the Client ID, Key ID and the Key itself
+            /* 
+            api: {
+                clientId: process.env.ZITADEL_API_CLIENT_ID ?? ''
+                keyId: process.env.ZITADEL_API_KEY_ID ?? ''
+                key: process.env.ZITADEL_API_KEY ?? ''
+            }
+             */
         })
     ],
     ...
@@ -136,16 +152,32 @@ const nextConfig = {
         ]
     },
 
-    // optional: enable auto-redirect to Zitadel login page if not logged in
     async redirects() {
         return [
+            // for proper logout
             {
-                source: '/:path((?:admin|profile).*)',
+                source: '/:path((?!api).*)',
+                destination: '/api/users/end_session?redirect=/:path*',
+                has: [
+                    {
+                        type: 'cookie',
+                        key: 'zitadel_logout'
+                    }
+                ],
+                permanent: false
+            },
+            // optional: enable auto-redirect to Zitadel login page if not logged in
+            {
+                source: '/:path((?!admin\/logout)(?:admin|profile).*)',
                 destination: '/api/users/authorize?redirect=/:path*',
                 missing: [
                     {
                         type: 'cookie',
                         key: 'zitadel_id_token'
+                    },
+                    {
+                        type: 'cookie',
+                        key: 'zitadel_logout'
                     }
                 ],
                 permanent: false

package/dist/components/server/LoginButton/index.d.ts

@@ -1,4 +1,4 @@
 import React from 'react';
 import type { ZitadelLoginButtonProps } from '../../../types.js';
-export declare const LoginButton: ({ i18n, authorizeURL, label }: ZitadelLoginButtonProps) => Promise<React.JSX.Element>;
+export declare const LoginButton: ({ payload: { config }, i18n, label }: ZitadelLoginButtonProps) => Promise<React.JSX.Element>;
 //# sourceMappingURL=index.d.ts.map

package/dist/components/server/LoginButton/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/server/LoginButton/index.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAA;AAEzB,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,mBAAmB,CAAA;AAE9D,eAAO,MAAM,WAAW,kCAAuC,uBAAuB,+BAK5E,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/server/LoginButton/index.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAA;AAGzB,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,mBAAmB,CAAA;AAG9D,eAAO,MAAM,WAAW,yCAA4C,uBAAuB,+BAKjF,CAAA"}

package/dist/components/server/LoginButton/index.js

@@ -1,13 +1,15 @@
 import React from 'react';
 import { Button } from '@payloadcms/ui';
-export const LoginButton = async ({ i18n, authorizeURL, label })=>/*#__PURE__*/ React.createElement("div", {
+import { ROUTES } from '../../../constants.js';
+import { getAuthBaseURL } from '../../../utils/index.js';
+export const LoginButton = async ({ payload: { config }, i18n, label })=>/*#__PURE__*/ React.createElement("div", {
         style: {
             display: 'flex',
             justifyContent: 'center'
         }
     }, /*#__PURE__*/ React.createElement(Button, {
         el: "anchor",
-        url: authorizeURL
+        url: getAuthBaseURL(config) + ROUTES.authorize
     }, i18n.t('zitadelPlugin:signIn', {
         label
     })));

package/dist/components/server/LoginButton/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../src/components/server/LoginButton/index.tsx"],"sourcesContent":["import React from 'react'\nimport {Button} from '@payloadcms/ui'\nimport type {ZitadelLoginButtonProps} from '../../../types.js'\n\nexport const LoginButton = async ({i18n, authorizeURL, label}: ZitadelLoginButtonProps) =>\n    <div style={{display: 'flex', justifyContent: 'center'}}>\n        <Button el=\"anchor\" url={authorizeURL}>\n            {i18n.t('zitadelPlugin:signIn', {label})}\n        </Button>\n    </div>"],"names":["React","Button","LoginButton","i18n","authorizeURL","label","div","style","display","justifyContent","el","url","t"],"mappings":"AAAA,OAAOA,WAAW,QAAO;AACzB,SAAQC,MAAM,QAAO,iBAAgB;AAGrC,OAAO,MAAMC,cAAc,OAAO,EAACC,IAAI,EAAEC,YAAY,EAAEC,KAAK,EAA0B,iBAClF,oBAACC;QAAIC,OAAO;YAACC,SAAS;YAAQC,gBAAgB;QAAQ;qBAClD,oBAACR;QAAOS,IAAG;QAASC,KAAKP;OACpBD,KAAKS,CAAC,CAAC,wBAAwB;QAACP;IAAK,KAExC"}
+{"version":3,"sources":["../../../../src/components/server/LoginButton/index.tsx"],"sourcesContent":["import React from 'react'\nimport {Button} from '@payloadcms/ui'\nimport {ROUTES} from '../../../constants.js'\nimport type {ZitadelLoginButtonProps} from '../../../types.js'\nimport {getAuthBaseURL} from '../../../utils/index.js'\n\nexport const LoginButton = async ({payload: {config}, i18n, label}: ZitadelLoginButtonProps) =>\n    <div style={{display: 'flex', justifyContent: 'center'}}>\n        <Button el=\"anchor\" url={getAuthBaseURL(config) + ROUTES.authorize}>\n            {i18n.t('zitadelPlugin:signIn', {label})}\n        </Button>\n    </div>"],"names":["React","Button","ROUTES","getAuthBaseURL","LoginButton","payload","config","i18n","label","div","style","display","justifyContent","el","url","authorize","t"],"mappings":"AAAA,OAAOA,WAAW,QAAO;AACzB,SAAQC,MAAM,QAAO,iBAAgB;AACrC,SAAQC,MAAM,QAAO,wBAAuB;AAE5C,SAAQC,cAAc,QAAO,0BAAyB;AAEtD,OAAO,MAAMC,cAAc,OAAO,EAACC,SAAS,EAACC,MAAM,EAAC,EAAEC,IAAI,EAAEC,KAAK,EAA0B,iBACvF,oBAACC;QAAIC,OAAO;YAACC,SAAS;YAAQC,gBAAgB;QAAQ;qBAClD,oBAACX;QAAOY,IAAG;QAASC,KAAKX,eAAeG,UAAUJ,OAAOa,SAAS;OAC7DR,KAAKS,CAAC,CAAC,wBAAwB;QAACR;IAAK,KAExC"}

package/dist/constants.d.ts

@@ -1,8 +1,32 @@
+export declare const AUTHORIZE_QUERY: {
+    response_type: string;
+    scope: string;
+    code_challenge_method: string;
+};
 export declare const COMPONENTS_PATH = "payload-zitadel-plugin/components";
 export declare const COOKIES: {
-    pkce: string;
-    idToken: string;
-    state: string;
+    pkce: {
+        httpOnly: true;
+        path: string;
+        sameSite: "lax";
+        secure: boolean;
+        name: string;
+    };
+    idToken: {
+        httpOnly: true;
+        path: string;
+        sameSite: "lax";
+        secure: boolean;
+        name: string;
+    };
+    logout: {
+        httpOnly: true;
+        path: string;
+        sameSite: "lax";
+        secure: boolean;
+        name: string;
+        value: string;
+    };
 };
 export declare const DEFAULT_CONFIG: {
     fields: {
@@ -64,16 +88,16 @@ export declare const DEFAULT_CONFIG: {
     strategyName: string;
     label: string;
 };
-export declare const ERROR_MESSAGES: {
-    issuerURL: string;
-    clientId: string;
-    apiClientId: string;
-    apiKeyId: string;
-    apiKey: string;
+export declare const ENDPOINT_PATHS: {
+    authorize: string;
+    introspect: string;
+    token: string;
+    end_session: string;
 };
+export declare const ROLES_KEY = "urn:zitadel:iam:org:project:roles";
 export declare const ROUTES: {
     authorize: string;
     callback: string;
-    redirect: string;
+    end_session: string;
 };
 //# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,eAAe,sCAAsC,CAAA;AAElE,eAAO,MAAM,OAAO;;;;CAInB,CAAA;AAED,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsC1B,CAAA;AAED,eAAO,MAAM,cAAc;;;;;;CAM1B,CAAA;AACD,eAAO,MAAM,MAAM;;;;CAIlB,CAAA"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,eAAe;;;;CAI3B,CAAA;AAED,eAAO,MAAM,eAAe,sCAAsC,CAAA;AASlE,eAAO,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;CAcnB,CAAA;AAED,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsC1B,CAAA;AAED,eAAO,MAAM,cAAc;;;;;CAK1B,CAAA;AAED,eAAO,MAAM,SAAS,sCAAsC,CAAA;AAE5D,eAAO,MAAM,MAAM;;;;CAIlB,CAAA"}

package/dist/constants.js

@@ -1,8 +1,29 @@
+export const AUTHORIZE_QUERY = {
+    response_type: 'code',
+    scope: 'openid email profile',
+    code_challenge_method: 'S256'
+};
 export const COMPONENTS_PATH = 'payload-zitadel-plugin/components';
+const COOKIE_CONFIG = {
+    httpOnly: true,
+    path: '/',
+    sameSite: 'lax',
+    secure: process.env.NODE_ENV == 'production'
+};
 export const COOKIES = {
-    pkce: 'zitadel_pkce_code_verifier',
-    idToken: 'zitadel_id_token',
-    state: 'zitadel_state'
+    pkce: {
+        name: 'zitadel_pkce_code_verifier',
+        ...COOKIE_CONFIG
+    },
+    idToken: {
+        name: 'zitadel_id_token',
+        ...COOKIE_CONFIG
+    },
+    logout: {
+        name: 'zitadel_logout',
+        value: 'true',
+        ...COOKIE_CONFIG
+    }
 };
 export const DEFAULT_CONFIG = {
     fields: {
@@ -64,17 +85,17 @@ export const DEFAULT_CONFIG = {
     strategyName: 'zitadel',
     label: 'Zitadel'
 };
-export const ERROR_MESSAGES = {
-    issuerURL: 'ZITADEL-PLUGIN: ISSUER-URL IS EMPTY',
-    clientId: 'ZITADEL-PLUGIN: CLIENT-ID IS EMPTY',
-    apiClientId: 'ZITADEL-PLUGIN: API ENABLED, BUT API-CLIENT-ID IS EMPTY',
-    apiKeyId: 'ZITADEL-PLUGIN: API ENABLED, BUT API-KEY-ID IS EMPTY',
-    apiKey: 'ZITADEL-PLUGIN: API ENABLED, BUT API-KEY IS EMPTY'
+export const ENDPOINT_PATHS = {
+    authorize: '/oauth/v2/authorize',
+    introspect: '/oauth/v2/introspect',
+    token: '/oauth/v2/token',
+    end_session: '/oidc/v1/end_session'
 };
+export const ROLES_KEY = 'urn:zitadel:iam:org:project:roles';
 export const ROUTES = {
     authorize: '/authorize',
     callback: '/callback',
-    redirect: '/redirect'
+    end_session: '/end_session'
 };
 
 //# sourceMappingURL=constants.js.map

package/dist/constants.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/constants.ts"],"sourcesContent":["import type {ZitadelFieldsConfig} from './types.js'\n\nexport const COMPONENTS_PATH = 'payload-zitadel-plugin/components'\n\nexport const COOKIES = {\n    pkce: 'zitadel_pkce_code_verifier',\n    idToken: 'zitadel_id_token',\n    state: 'zitadel_state'\n}\n\nexport const DEFAULT_CONFIG = {\n    fields: {\n        id: {\n            name: 'idp_id',\n            label: {\n                de: 'Identifikation im System des Identitätsanbieters',\n                en: 'Identifier in the system of the Identity Provider'\n            }\n        },\n        name: {\n            name: 'name',\n            label: {de: 'Name', en: 'Name'}\n        },\n        email: {\n            name: 'email',\n            label: {de: 'E-Mail', en: 'Email'}\n        },\n        image: {\n            name: 'image',\n            label: {de: 'Profilbild-URL', en: 'Profile picture URL'}\n        },\n        roles: {\n            name: 'roles',\n            label: {de: 'Rollen', en: 'Roles'},\n            labels: {\n                singular: {de: 'Rolle', en: 'Role'},\n                plural: {de: 'Rollen', en: 'Roles'}\n            }\n        },\n        roleFields: {\n            name: {\n                name: 'name',\n                label: {de: 'Name', en: 'Name'}\n            }\n        }\n    } satisfies ZitadelFieldsConfig,\n    strategyName: 'zitadel',\n    label: 'Zitadel'\n}\n\nexport const ERROR_MESSAGES = {\n    issuerURL: 'ZITADEL-PLUGIN: ISSUER-URL IS EMPTY',\n    clientId: 'ZITADEL-PLUGIN: CLIENT-ID IS EMPTY',\n    apiClientId: 'ZITADEL-PLUGIN: API ENABLED, BUT API-CLIENT-ID IS EMPTY',\n    apiKeyId: 'ZITADEL-PLUGIN: API ENABLED, BUT API-KEY-ID IS EMPTY',\n    apiKey: 'ZITADEL-PLUGIN: API ENABLED, BUT API-KEY IS EMPTY'\n}\nexport const ROUTES = {\n    authorize: '/authorize',\n    callback: '/callback',\n    redirect: '/redirect'\n}\n\n"],"names":["COMPONENTS_PATH","COOKIES","pkce","idToken","state","DEFAULT_CONFIG","fields","id","name","label","de","en","email","image","roles","labels","singular","plural","roleFields","strategyName","ERROR_MESSAGES","issuerURL","clientId","apiClientId","apiKeyId","apiKey","ROUTES","authorize","callback","redirect"],"mappings":"AAEA,OAAO,MAAMA,kBAAkB,oCAAmC;AAElE,OAAO,MAAMC,UAAU;IACnBC,MAAM;IACNC,SAAS;IACTC,OAAO;AACX,EAAC;AAED,OAAO,MAAMC,iBAAiB;IAC1BC,QAAQ;QACJC,IAAI;YACAC,MAAM;YACNC,OAAO;gBACHC,IAAI;gBACJC,IAAI;YACR;QACJ;QACAH,MAAM;YACFA,MAAM;YACNC,OAAO;gBAACC,IAAI;gBAAQC,IAAI;YAAM;QAClC;QACAC,OAAO;YACHJ,MAAM;YACNC,OAAO;gBAACC,IAAI;gBAAUC,IAAI;YAAO;QACrC;QACAE,OAAO;YACHL,MAAM;YACNC,OAAO;gBAACC,IAAI;gBAAkBC,IAAI;YAAqB;QAC3D;QACAG,OAAO;YACHN,MAAM;YACNC,OAAO;gBAACC,IAAI;gBAAUC,IAAI;YAAO;YACjCI,QAAQ;gBACJC,UAAU;oBAACN,IAAI;oBAASC,IAAI;gBAAM;gBAClCM,QAAQ;oBAACP,IAAI;oBAAUC,IAAI;gBAAO;YACtC;QACJ;QACAO,YAAY;YACRV,MAAM;gBACFA,MAAM;gBACNC,OAAO;oBAACC,IAAI;oBAAQC,IAAI;gBAAM;YAClC;QACJ;IACJ;IACAQ,cAAc;IACdV,OAAO;AACX,EAAC;AAED,OAAO,MAAMW,iBAAiB;IAC1BC,WAAW;IACXC,UAAU;IACVC,aAAa;IACbC,UAAU;IACVC,QAAQ;AACZ,EAAC;AACD,OAAO,MAAMC,SAAS;IAClBC,WAAW;IACXC,UAAU;IACVC,UAAU;AACd,EAAC"}
+{"version":3,"sources":["../src/constants.ts"],"sourcesContent":["import {ResponseCookie} from 'next/dist/compiled/@edge-runtime/cookies/index.js'\nimport type {ZitadelFieldsConfig} from './types.js'\n\nexport const AUTHORIZE_QUERY = {\n    response_type: 'code',\n    scope: 'openid email profile',\n    code_challenge_method: 'S256'\n}\n\nexport const COMPONENTS_PATH = 'payload-zitadel-plugin/components'\n\nconst COOKIE_CONFIG = {\n    httpOnly: true,\n    path: '/',\n    sameSite: 'lax',\n    secure: process.env.NODE_ENV == 'production'\n} satisfies Pick<ResponseCookie, 'httpOnly' | 'path' | 'sameSite' | 'secure'>\n\nexport const COOKIES = {\n    pkce: {\n        name: 'zitadel_pkce_code_verifier',\n        ...COOKIE_CONFIG\n    } satisfies Omit<ResponseCookie, 'value'>,\n    idToken: {\n        name: 'zitadel_id_token',\n        ...COOKIE_CONFIG\n    } satisfies Omit<ResponseCookie, 'value'>,\n    logout: {\n        name: 'zitadel_logout',\n        value: 'true',\n        ...COOKIE_CONFIG\n    } satisfies ResponseCookie\n}\n\nexport const DEFAULT_CONFIG = {\n    fields: {\n        id: {\n            name: 'idp_id',\n            label: {\n                de: 'Identifikation im System des Identitätsanbieters',\n                en: 'Identifier in the system of the Identity Provider'\n            }\n        },\n        name: {\n            name: 'name',\n            label: {de: 'Name', en: 'Name'}\n        },\n        email: {\n            name: 'email',\n            label: {de: 'E-Mail', en: 'Email'}\n        },\n        image: {\n            name: 'image',\n            label: {de: 'Profilbild-URL', en: 'Profile picture URL'}\n        },\n        roles: {\n            name: 'roles',\n            label: {de: 'Rollen', en: 'Roles'},\n            labels: {\n                singular: {de: 'Rolle', en: 'Role'},\n                plural: {de: 'Rollen', en: 'Roles'}\n            }\n        },\n        roleFields: {\n            name: {\n                name: 'name',\n                label: {de: 'Name', en: 'Name'}\n            }\n        }\n    } satisfies ZitadelFieldsConfig,\n    strategyName: 'zitadel',\n    label: 'Zitadel'\n}\n\nexport const ENDPOINT_PATHS = {\n    authorize: '/oauth/v2/authorize',\n    introspect: '/oauth/v2/introspect',\n    token: '/oauth/v2/token',\n    end_session: '/oidc/v1/end_session'\n}\n\nexport const ROLES_KEY = 'urn:zitadel:iam:org:project:roles'\n\nexport const ROUTES = {\n    authorize: '/authorize',\n    callback: '/callback',\n    end_session: '/end_session'\n}\n\n"],"names":["AUTHORIZE_QUERY","response_type","scope","code_challenge_method","COMPONENTS_PATH","COOKIE_CONFIG","httpOnly","path","sameSite","secure","process","env","NODE_ENV","COOKIES","pkce","name","idToken","logout","value","DEFAULT_CONFIG","fields","id","label","de","en","email","image","roles","labels","singular","plural","roleFields","strategyName","ENDPOINT_PATHS","authorize","introspect","token","end_session","ROLES_KEY","ROUTES","callback"],"mappings":"AAGA,OAAO,MAAMA,kBAAkB;IAC3BC,eAAe;IACfC,OAAO;IACPC,uBAAuB;AAC3B,EAAC;AAED,OAAO,MAAMC,kBAAkB,oCAAmC;AAElE,MAAMC,gBAAgB;IAClBC,UAAU;IACVC,MAAM;IACNC,UAAU;IACVC,QAAQC,QAAQC,GAAG,CAACC,QAAQ,IAAI;AACpC;AAEA,OAAO,MAAMC,UAAU;IACnBC,MAAM;QACFC,MAAM;QACN,GAAGV,aAAa;IACpB;IACAW,SAAS;QACLD,MAAM;QACN,GAAGV,aAAa;IACpB;IACAY,QAAQ;QACJF,MAAM;QACNG,OAAO;QACP,GAAGb,aAAa;IACpB;AACJ,EAAC;AAED,OAAO,MAAMc,iBAAiB;IAC1BC,QAAQ;QACJC,IAAI;YACAN,MAAM;YACNO,OAAO;gBACHC,IAAI;gBACJC,IAAI;YACR;QACJ;QACAT,MAAM;YACFA,MAAM;YACNO,OAAO;gBAACC,IAAI;gBAAQC,IAAI;YAAM;QAClC;QACAC,OAAO;YACHV,MAAM;YACNO,OAAO;gBAACC,IAAI;gBAAUC,IAAI;YAAO;QACrC;QACAE,OAAO;YACHX,MAAM;YACNO,OAAO;gBAACC,IAAI;gBAAkBC,IAAI;YAAqB;QAC3D;QACAG,OAAO;YACHZ,MAAM;YACNO,OAAO;gBAACC,IAAI;gBAAUC,IAAI;YAAO;YACjCI,QAAQ;gBACJC,UAAU;oBAACN,IAAI;oBAASC,IAAI;gBAAM;gBAClCM,QAAQ;oBAACP,IAAI;oBAAUC,IAAI;gBAAO;YACtC;QACJ;QACAO,YAAY;YACRhB,MAAM;gBACFA,MAAM;gBACNO,OAAO;oBAACC,IAAI;oBAAQC,IAAI;gBAAM;YAClC;QACJ;IACJ;IACAQ,cAAc;IACdV,OAAO;AACX,EAAC;AAED,OAAO,MAAMW,iBAAiB;IAC1BC,WAAW;IACXC,YAAY;IACZC,OAAO;IACPC,aAAa;AACjB,EAAC;AAED,OAAO,MAAMC,YAAY,oCAAmC;AAE5D,OAAO,MAAMC,SAAS;IAClBL,WAAW;IACXM,UAAU;IACVH,aAAa;AACjB,EAAC"}

package/dist/handlers/authorize.d.ts

@@ -1,3 +1,3 @@
-import type { PayloadHandler } from 'payload';
-export declare const authorize: PayloadHandler;
+import { ZitadelBaseHandler } from '../types.js';
+export declare const authorize: ZitadelBaseHandler;
 //# sourceMappingURL=authorize.d.ts.map

package/dist/handlers/authorize.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/handlers/authorize.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,SAAS,CAAA;AAI3C,eAAO,MAAM,SAAS,EAAE,cA8BvB,CAAA"}
+{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/handlers/authorize.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,kBAAkB,EAAC,MAAM,aAAa,CAAA;AAG9C,eAAO,MAAM,SAAS,EAAE,kBAgBvB,CAAA"}

package/dist/handlers/authorize.js

@@ -1,30 +1,22 @@
-import process from 'node:process';
 import { cookies } from 'next/headers.js';
-import { NextResponse } from 'next/server.js';
 import { COOKIES } from '../constants.js';
-export const authorize = async ({ searchParams, payload: { config } })=>{
-    const { admin: { custom: { zitadel: { issuerURL, clientId, callbackURL } } } } = config;
-    const code_verifier = Buffer.from(crypto.getRandomValues(new Uint8Array(24))).toString('base64url');
-    const code_challenge = Buffer.from(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(code_verifier))).toString('base64url');
-    const cookieStore = await cookies();
-    cookieStore.set({
-        name: COOKIES.pkce,
-        value: code_verifier,
-        httpOnly: true,
-        sameSite: 'lax',
-        path: '/',
-        maxAge: 300,
-        secure: process.env.NODE_ENV == 'production'
-    });
-    return NextResponse.redirect(`${issuerURL}/oauth/v2/authorize?${new URLSearchParams({
-        client_id: clientId,
-        redirect_uri: callbackURL,
-        response_type: 'code',
-        scope: 'openid email profile',
-        state: btoa(searchParams.toString()),
-        code_challenge,
-        code_challenge_method: 'S256'
-    })}`);
-};
+import { requestRedirect } from '../utils/index.js';
+export const authorize = ({ issuerURL, clientId })=>async (req)=>{
+        const codeVerifier = Buffer.from(crypto.getRandomValues(new Uint8Array(24))).toString('base64url');
+        const codeChallenge = Buffer.from(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier))).toString('base64url');
+        const cookieStore = await cookies();
+        cookieStore.set({
+            ...COOKIES.pkce,
+            value: codeVerifier,
+            maxAge: 300
+        });
+        return requestRedirect({
+            req,
+            issuerURL,
+            clientId,
+            invokedBy: 'authorize',
+            codeChallenge
+        });
+    };
 
 //# sourceMappingURL=authorize.js.map

package/dist/handlers/authorize.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/handlers/authorize.ts"],"sourcesContent":["import process from 'node:process'\nimport {cookies} from 'next/headers.js'\nimport {NextResponse} from 'next/server.js'\nimport type {PayloadHandler} from 'payload'\nimport type {PayloadConfigWithZitadel} from '../types.js'\nimport {COOKIES} from '../constants.js'\n\nexport const authorize: PayloadHandler = async ({searchParams, payload: {config}}) => {\n\n    const {admin: {custom: {zitadel: {issuerURL, clientId, callbackURL}}}} = config as PayloadConfigWithZitadel\n\n    const code_verifier = Buffer.from(crypto.getRandomValues(new Uint8Array(24))).toString('base64url')\n\n    const code_challenge = Buffer.from(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(code_verifier))).toString('base64url')\n\n    const cookieStore = await cookies()\n\n    cookieStore.set({\n        name: COOKIES.pkce,\n        value: code_verifier,\n        httpOnly: true,\n        sameSite: 'lax',\n        path: '/',\n        maxAge: 300,\n        secure: process.env.NODE_ENV == 'production'\n    })\n\n    return NextResponse.redirect(`${issuerURL}/oauth/v2/authorize?${new URLSearchParams({\n        client_id: clientId,\n        redirect_uri: callbackURL,\n        response_type: 'code',\n        scope: 'openid email profile',\n        state: btoa(searchParams.toString()),\n        code_challenge,\n        code_challenge_method: 'S256'\n    })}`)\n\n}\n"],"names":["process","cookies","NextResponse","COOKIES","authorize","searchParams","payload","config","admin","custom","zitadel","issuerURL","clientId","callbackURL","code_verifier","Buffer","from","crypto","getRandomValues","Uint8Array","toString","code_challenge","subtle","digest","TextEncoder","encode","cookieStore","set","name","pkce","value","httpOnly","sameSite","path","maxAge","secure","env","NODE_ENV","redirect","URLSearchParams","client_id","redirect_uri","response_type","scope","state","btoa","code_challenge_method"],"mappings":"AAAA,OAAOA,aAAa,eAAc;AAClC,SAAQC,OAAO,QAAO,kBAAiB;AACvC,SAAQC,YAAY,QAAO,iBAAgB;AAG3C,SAAQC,OAAO,QAAO,kBAAiB;AAEvC,OAAO,MAAMC,YAA4B,OAAO,EAACC,YAAY,EAAEC,SAAS,EAACC,MAAM,EAAC,EAAC;IAE7E,MAAM,EAACC,OAAO,EAACC,QAAQ,EAACC,SAAS,EAACC,SAAS,EAAEC,QAAQ,EAAEC,WAAW,EAAC,EAAC,EAAC,EAAC,GAAGN;IAEzE,MAAMO,gBAAgBC,OAAOC,IAAI,CAACC,OAAOC,eAAe,CAAC,IAAIC,WAAW,MAAMC,QAAQ,CAAC;IAEvF,MAAMC,iBAAiBN,OAAOC,IAAI,CAAC,MAAMC,OAAOK,MAAM,CAACC,MAAM,CAAC,WAAW,IAAIC,cAAcC,MAAM,CAACX,iBAAiBM,QAAQ,CAAC;IAE5H,MAAMM,cAAc,MAAMzB;IAE1ByB,YAAYC,GAAG,CAAC;QACZC,MAAMzB,QAAQ0B,IAAI;QAClBC,OAAOhB;QACPiB,UAAU;QACVC,UAAU;QACVC,MAAM;QACNC,QAAQ;QACRC,QAAQnC,QAAQoC,GAAG,CAACC,QAAQ,IAAI;IACpC;IAEA,OAAOnC,aAAaoC,QAAQ,CAAC,GAAG3B,UAAU,oBAAoB,EAAE,IAAI4B,gBAAgB;QAChFC,WAAW5B;QACX6B,cAAc5B;QACd6B,eAAe;QACfC,OAAO;QACPC,OAAOC,KAAKxC,aAAae,QAAQ;QACjCC;QACAyB,uBAAuB;IAC3B,IAAI;AAER,EAAC"}
+{"version":3,"sources":["../../src/handlers/authorize.ts"],"sourcesContent":["import {cookies} from 'next/headers.js'\nimport {COOKIES} from '../constants.js'\nimport {ZitadelBaseHandler} from '../types.js'\nimport {requestRedirect} from '../utils/index.js'\n\nexport const authorize: ZitadelBaseHandler = ({issuerURL, clientId}) => async (req) => {\n\n    const codeVerifier = Buffer.from(crypto.getRandomValues(new Uint8Array(24))).toString('base64url')\n\n    const codeChallenge = Buffer.from(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier))).toString('base64url')\n\n    const cookieStore = await cookies()\n\n    cookieStore.set({\n        ...COOKIES.pkce,\n        value: codeVerifier,\n        maxAge: 300\n    })\n\n    return requestRedirect({req, issuerURL, clientId, invokedBy: 'authorize', codeChallenge})\n\n}\n"],"names":["cookies","COOKIES","requestRedirect","authorize","issuerURL","clientId","req","codeVerifier","Buffer","from","crypto","getRandomValues","Uint8Array","toString","codeChallenge","subtle","digest","TextEncoder","encode","cookieStore","set","pkce","value","maxAge","invokedBy"],"mappings":"AAAA,SAAQA,OAAO,QAAO,kBAAiB;AACvC,SAAQC,OAAO,QAAO,kBAAiB;AAEvC,SAAQC,eAAe,QAAO,oBAAmB;AAEjD,OAAO,MAAMC,YAAgC,CAAC,EAACC,SAAS,EAAEC,QAAQ,EAAC,GAAK,OAAOC;QAE3E,MAAMC,eAAeC,OAAOC,IAAI,CAACC,OAAOC,eAAe,CAAC,IAAIC,WAAW,MAAMC,QAAQ,CAAC;QAEtF,MAAMC,gBAAgBN,OAAOC,IAAI,CAAC,MAAMC,OAAOK,MAAM,CAACC,MAAM,CAAC,WAAW,IAAIC,cAAcC,MAAM,CAACX,gBAAgBM,QAAQ,CAAC;QAE1H,MAAMM,cAAc,MAAMnB;QAE1BmB,YAAYC,GAAG,CAAC;YACZ,GAAGnB,QAAQoB,IAAI;YACfC,OAAOf;YACPgB,QAAQ;QACZ;QAEA,OAAOrB,gBAAgB;YAACI;YAAKF;YAAWC;YAAUmB,WAAW;YAAaV;QAAa;IAE3F,EAAC"}

package/dist/handlers/callback.d.ts

@@ -1,4 +1,3 @@
-import type { PayloadHandler } from 'payload';
-import type { ZitadelOnSuccess } from '../types.js';
-export declare const callback: (onSuccess: ZitadelOnSuccess) => PayloadHandler;
+import { ZitadelCallbackHandler } from '../types.js';
+export declare const callback: ZitadelCallbackHandler;
 //# sourceMappingURL=callback.d.ts.map

package/dist/handlers/callback.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"callback.d.ts","sourceRoot":"","sources":["../../src/handlers/callback.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,SAAS,CAAA;AAC3C,OAAO,KAAK,EAA2C,gBAAgB,EAAC,MAAM,aAAa,CAAA;AAG3F,eAAO,MAAM,QAAQ,cAAe,gBAAgB,KAAG,cAoEtD,CAAA"}
+{"version":3,"file":"callback.d.ts","sourceRoot":"","sources":["../../src/handlers/callback.ts"],"names":[],"mappings":"AAGA,OAAO,EAAC,sBAAsB,EAAuC,MAAM,aAAa,CAAA;AAGxF,eAAO,MAAM,QAAQ,EAAE,sBAiLtB,CAAA"}

package/dist/handlers/callback.js

@@ -1,53 +1,142 @@
-import process from 'node:process';
 import { SignJWT, decodeJwt } from 'jose';
 import { cookies } from 'next/headers.js';
-import { COOKIES } from '../constants.js';
-export const callback = (onSuccess)=>async ({ payload: { config, secret }, query: { code, state } })=>{
-        const { admin: { custom: { zitadel: { issuerURL, clientId, callbackURL } } } } = config;
+import { COOKIES, ENDPOINT_PATHS, ROLES_KEY, ROUTES } from '../constants.js';
+import { getAuthBaseURL, getAuthSlug, getState } from '../utils/index.js';
+export const callback = ({ issuerURL, clientId, fields, afterLogin, afterLogout })=>async (req)=>{
+        const { payload, query } = req;
+        const { config, secret } = payload;
+        const { code } = query;
+        const state = getState(req);
         const cookieStore = await cookies();
-        const code_verifier = cookieStore.get(COOKIES.pkce)?.value;
-        if (code_verifier) {
-            const response = await fetch(new URL(`${issuerURL}/oauth/v2/token`), {
-                method: 'POST',
-                body: new URLSearchParams({
-                    grant_type: 'authorization_code',
-                    code: code,
-                    redirect_uri: callbackURL,
-                    client_id: clientId,
-                    code_verifier
-                })
-            });
-            if (response.ok) {
-                const { id_token } = await response.json();
-                if (id_token) {
-                    cookieStore.delete(COOKIES.pkce);
-                    cookieStore.set({
-                        name: COOKIES.idToken,
-                        value: await new SignJWT(decodeJwt(id_token)).setProtectedHeader({
-                            alg: 'HS256'
-                        }).setIssuedAt().sign(new TextEncoder().encode(secret)),
-                        httpOnly: true,
-                        path: '/',
-                        sameSite: 'lax',
-                        maxAge: 900,
-                        secure: process.env.NODE_ENV == 'production'
-                    });
-                    return onSuccess(new URLSearchParams(atob(state ?? '')));
+        if (state.invokedBy == 'end_session') {
+            [
+                COOKIES.logout,
+                COOKIES.idToken
+            ].forEach((cookie)=>cookieStore.delete(cookie));
+            return afterLogout(req);
+        }
+        const codeVerifier = cookieStore.get(COOKIES.pkce.name)?.value;
+        if (!code) {
+            return Response.json({
+                status: 'error',
+                message: 'no code provided to verify'
+            });
+        }
+        if (!codeVerifier) {
+            return Response.json({
+                status: 'error',
+                message: 'code verifier not found (associated http-only cookie is empty)'
+            });
+        }
+        const tokenQueryData = {
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: getAuthBaseURL(config) + ROUTES.callback,
+            client_id: clientId,
+            code_verifier: codeVerifier
+        };
+        const tokenEndpoint = issuerURL + ENDPOINT_PATHS.token;
+        const tokenResponse = await fetch(new URL(tokenEndpoint), {
+            method: 'POST',
+            body: new URLSearchParams(tokenQueryData)
+        });
+        if (!tokenResponse.ok) {
+            return Response.json({
+                status: 'error',
+                message: 'error while communicating with token endpoint',
+                details: {
+                    tokenEndpoint,
+                    tokenQuery: tokenQueryData,
+                    tokenResponseCode: `${tokenResponse.status} - ${tokenResponse.statusText}`
+                }
+            });
+        }
+        const tokenJson = await tokenResponse.json();
+        const { id_token: idToken } = tokenJson;
+        if (!idToken) {
+            return Response.json({
+                status: 'error',
+                message: 'token could not be retrieved from this response',
+                details: {
+                    responseData: tokenJson
                 }
-                return Response.json({
-                    status: 'error',
-                    message: 'token could not be retrieved from the response'
+            });
+        }
+        let decodedIdToken;
+        try {
+            decodedIdToken = decodeJwt(idToken);
+        } catch (e) {
+            return Response.json({
+                status: 'error',
+                message: `error during decoding: ${JSON.stringify(e)}`,
+                details: {
+                    idToken
+                }
+            });
+        }
+        const idpId = decodedIdToken.sub;
+        const userData = {
+            [fields.name.name]: decodedIdToken.name,
+            [fields.email.name]: decodedIdToken.email,
+            [fields.image.name]: decodedIdToken.picture,
+            [fields.roles.name]: Object.keys(decodedIdToken[ROLES_KEY] ?? {}).map((key)=>({
+                    [fields.roleFields.name.name]: key
+                }))
+        };
+        if (!idpId) {
+            return Response.json({
+                status: 'error',
+                message: 'token is not complete (id not found)',
+                details: {
+                    idToken,
+                    decodedIdToken,
+                    idpId
+                }
+            });
+        }
+        try {
+            const authSlug = getAuthSlug(config);
+            const { docs, totalDocs } = await payload.find({
+                collection: authSlug,
+                where: {
+                    [fields.id.name]: {
+                        equals: idpId
+                    }
+                }
+            });
+            if (totalDocs) {
+                await payload.update({
+                    collection: authSlug,
+                    id: docs[0].id,
+                    data: userData
+                });
+            } else {
+                await payload.create({
+                    collection: authSlug,
+                    data: {
+                        [fields.id.name]: idpId,
+                        ...userData
+                    }
                 });
             }
+        } catch (e) {
             return Response.json({
                 status: 'error',
-                message: 'error while communicating with token endpoint'
+                message: `error while creating/updating user: ${JSON.stringify(e)}`,
+                details: {
+                    idpId
+                }
             });
         }
-        return Response.json({
-            status: 'error',
-            message: 'code verifier not found (associated http-only cookie is empty)'
+        cookieStore.delete(COOKIES.pkce);
+        cookieStore.set({
+            ...COOKIES.idToken,
+            value: await new SignJWT(decodedIdToken).setProtectedHeader({
+                alg: 'HS256'
+            }).setIssuedAt().sign(new TextEncoder().encode(secret)),
+            maxAge: 900
         });
+        return afterLogin(req);
     };
 
 //# sourceMappingURL=callback.js.map