kuns/claudedo-online
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: role-based access via Zitadel project roles

Browse Source 
Replace the ALLOWED_USER_IDS sub-allowlist with a Zitadel project role
check: tokens must carry the role from REQUIRED_ROLE (default "user")
in the urn:zitadel:iam:org:project[:id]:roles claim. Roles are granted
per account in Zitadel (project ClaudeDo), where access is now managed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Claude
2026-06-10 11:25:34 +00:00
parent 725f75fdd1
commit d4c734737b
6 changed files with 72 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
server/middleware/1.auth.ts
View File

@@ -27,14 +27,15 @@ export default defineEventHandler(async (event) => {
let claims: Record<string, unknown> = {};
try {
const c = decodeJwt(token);
claims = { iss: c.iss, sub: c.sub, aud: c.aud, azp: c.azp, exp: c.exp, alg_present: true };
const roleClaims = Object.keys(c).filter((k) => k.includes(":project:") && k.endsWith(":roles"));
claims = { iss: c.iss, sub: c.sub, aud: c.aud, azp: c.azp, exp: c.exp, roleClaims, alg_present: true };
} catch (de) {
claims = { not_a_jwt: String(de).slice(0, 80) };
}
console.error(
"[auth] verify failed:", (e as Error).message,
"| claims:", JSON.stringify(claims),
"| ALLOWED_USER_IDS:", process.env.ALLOWED_USER_IDS,
"| REQUIRED_ROLE:", process.env.REQUIRED_ROLE || "user",
"| ZITADEL_AUDIENCE:", process.env.ZITADEL_AUDIENCE,
);
}