feat: zitadel token auth middleware

2026-06-10 07:53:42 +00:00
parent 50173a3809
commit 394bceca5f
3 changed files with 142 additions and 0 deletions
--- a/server/middleware/1.auth.ts
+++ b/server/middleware/1.auth.ts
@@ -0,0 +1,18 @@
+// Gates every /api/** route. Static SPA assets stay public.
+export default defineEventHandler(async (event) => {
+  const path = getRequestURL(event).pathname;
+  if (!path.startsWith("/api/")) return;
+
+  // CORS preflight is answered (and short-circuited) by 0.cors.ts before this runs.
+  const header = getHeader(event, "authorization") || "";
+  const token = header.startsWith("Bearer ") ? header.slice(7).trim() : "";
+  if (!token) {
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+  }
+
+  try {
+    event.context.user = await getVerifier()(token);
+  } catch {
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+  }
+});