feat: role-based access via Zitadel project roles
Replace the ALLOWED_USER_IDS sub-allowlist with a Zitadel project role check: tokens must carry the role from REQUIRED_ROLE (default "user") in the urn:zitadel:iam:org:project[:id]:roles claim. Roles are granted per account in Zitadel (project ClaudeDo), where access is now managed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -6,8 +6,8 @@ DATABASE_URL=postgres://mika:CHANGEME@l8kogcggsc80sgcgk8kswww4:5432/claudedo
|
||||
ZITADEL_ISSUER=https://auth.kuns.dev
|
||||
# Comma-separated accepted audiences: web client id, desktop client id, project id
|
||||
ZITADEL_AUDIENCE=
|
||||
# Comma-separated owner Zitadel user ids (the single owner's `sub`)
|
||||
ALLOWED_USER_IDS=
|
||||
# Zitadel project role required for API access (default: user)
|
||||
REQUIRED_ROLE=user
|
||||
# CORS: the web client origin (the app's own origin)
|
||||
WEB_ORIGIN=https://claudedo.kuns.dev
|
||||
|
||||
|
||||
Reference in New Issue
Block a user