minimize cookie and simplify roles

2026-05-15 13:06:16 -05:00
parent 17710ab47a
commit 6424dc4e85
6 changed files with 38 additions and 47 deletions
--- a/server/api/auth/[...].ts
+++ b/server/api/auth/[...].ts
@@ -1,5 +1,6 @@
 import { NuxtAuthHandler } from '#auth'
 import ZitadelProvider from '@auth/core/providers/zitadel'
+import { jwtDecode } from 'jwt-decode'

 const config = useRuntimeConfig()

@@ -12,7 +13,7 @@ export default NuxtAuthHandler({
      pkce: true,
      authorization: {
        params: {
-            scope: `openid email profile offline_access urn:zitadel:iam:org:project:${config.projectId}:aud`
+            scope: `openid email profile offline_access urn:zitadel:iam:org:project:${config.zitadelProjectId}:aud urn:zitadel:iam:org:project:${config.zitadelProjectId}:roles`
        }
      }
    })
@@ -26,34 +27,6 @@ export default NuxtAuthHandler({
      if (account?.provider === 'zitadel') {
        token.accessToken = account.access_token
        token.idToken = account.id_token
-        token.roles = (user as any)?.roles
-
-        /* Extract org roles from ID token claims */
-        const allOrgRoles: Record<string, Record<string, Record<string, string>>> = {}
-        const idTokenClaims = (() => {
-          try {
-            const parts = (account.id_token || '').split('.')
-            if (parts.length === 3) {
-              const payload = Buffer.from(parts[1], 'base64url').toString('utf8')
-              return JSON.parse(payload) as Record<string, any>
-            }
-          } catch { /* ignore */ }
-          return null
-        })()
-        if (idTokenClaims) {
-          for (const key of Object.keys(idTokenClaims)) {
-            if (key.startsWith('urn:zitadel:iam:org:project:') && key.endsWith(':roles')) {
-              allOrgRoles[key] = idTokenClaims[key]
-            }
-          }
-        }
-        /* Also check userinfo response for org role claims */
-        for (const key of Object.keys((user as any) || {})) {
-          if (key.startsWith('urn:zitadel:iam:org:project:') && key.endsWith(':roles')) {
-            allOrgRoles[key] = (user as any)[key]
-          }
-        }
-        token.allOrgRoles = Object.keys(allOrgRoles).length > 0 ? allOrgRoles : undefined
      }
      if (user?.id) {
        token.sub = user.id
@@ -71,9 +44,18 @@ export default NuxtAuthHandler({
        user.name = token.name || undefined
        user.email = token.email || undefined
        user.image = token.image || undefined
-        user.roles = token.roles as string[] | undefined
        user.accessToken = token.accessToken as string | undefined
-        user.allOrgRoles = token.allOrgRoles as Record<string, Record<string, Record<string, string>>> | undefined
+
+        // Decode idToken and extract org roles claim
+        if (token.idToken) {
+          try {
+            const decoded = jwtDecode(token.idToken)
+            const roles = decoded[`urn:zitadel:iam:org:project:${config.zitadelProjectId}:roles`]
+            user.roles = roles
+          } catch (error) {
+            console.error('Failed to decode idToken:', error)
+          }
+        }
      }
      return session
    },