feat: role-based access via Zitadel project roles

Replace the ALLOWED_USER_IDS sub-allowlist with a Zitadel project role
check: tokens must carry the role from REQUIRED_ROLE (default "user")
in the urn:zitadel:iam:org:project[:id]:roles claim. Roles are granted
per account in Zitadel (project ClaudeDo), where access is now managed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 11:25:34 +00:00
parent 725f75fdd1
commit d4c734737b
6 changed files with 72 additions and 27 deletions


@@ -148,7 +148,7 @@ try {
humans[0] ??
owner;
} catch (e) {
console.error(`\n(could not list users: ${(e as Error).message}) — set ALLOWED_USER_IDS manually`);
console.error(`\n(could not list users: ${(e as Error).message}) — grant the "user" project role manually`);
}
const result = {
@@ -159,7 +159,8 @@ const result = {
ownerUserName: owner.userName,
env: {
ZITADEL_AUDIENCE: [webClientId, desktopClientId, projectId].filter(Boolean).join(","),
ALLOWED_USER_IDS: owner.id,
// Access is role-based: grant the project role below to each allowed account in Zitadel.
REQUIRED_ROLE: "user",
NUXT_PUBLIC_ZITADEL_CLIENT_ID: webClientId,
PROJECT_AUDIENCE_SCOPE: `urn:zitadel:iam:org:project:id:${projectId}:aud`,
},
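Review bot: The role name "user" is now hard-coded twice in this file with nothing tying the two together — in the catch-block message of the first hunk (`grant the "user" project role manually`) and in the emitted env value `REQUIRED_ROLE: "user"` in the second — so a later change to the default role in one spot will silently leave the other stale. Hoisting it once, `const DEFAULT_ROLE = "user";`, then using `${DEFAULT_ROLE}` in the message and `REQUIRED_ROLE: DEFAULT_ROLE` in the env keeps the printed instruction and the generated config in agreement. Separately, the removed `ALLOWED_USER_IDS: owner.id` line admitted the owner automatically, whereas the new comment only tells the operator to grant the role by hand; unless a role grant for the owner is created elsewhere in this script (not visible here), a fresh setup yields an environment in which no account passes the check until that manual step is done, which is worth stating plainly in the script's final output rather than only in a source comment. The `try` block enclosing the first hunk begins before it, and the `result` object literal of the second hunk continues past it.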