44 lines
1.6 KiB
TypeScript
44 lines
1.6 KiB
TypeScript
import { decodeJwt } from "jose";
|
|
|
|
// Gates every /api/** route. Static SPA assets stay public.
|
|
export default defineEventHandler(async (event) => {
|
|
const path = getRequestURL(event).pathname;
|
|
if (!path.startsWith("/api/")) return;
|
|
|
|
// Dev-only bypass for local smoke tests. `import.meta.dev` is false in production
|
|
// builds, so this branch is dead-code-eliminated and can never run when deployed.
|
|
if (import.meta.dev && process.env.AUTH_DEV_BYPASS === "1") {
|
|
event.context.user = { sub: "dev" };
|
|
return;
|
|
}
|
|
|
|
// CORS preflight is answered (and short-circuited) by 0.cors.ts before this runs.
|
|
const header = getHeader(event, "authorization") || "";
|
|
const token = header.startsWith("Bearer ") ? header.slice(7).trim() : "";
|
|
if (!token) {
|
|
if (process.env.AUTH_DEBUG === "1") console.error("[auth] no bearer token on", path);
|
|
throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
|
|
}
|
|
|
|
try {
|
|
event.context.user = await getVerifier()(token);
|
|
} catch (e) {
|
|
if (process.env.AUTH_DEBUG === "1") {
|
|
let claims: Record<string, unknown> = {};
|
|
try {
|
|
const c = decodeJwt(token);
|
|
claims = { iss: c.iss, sub: c.sub, aud: c.aud, azp: c.azp, exp: c.exp, alg_present: true };
|
|
} catch (de) {
|
|
claims = { not_a_jwt: String(de).slice(0, 80) };
|
|
}
|
|
console.error(
|
|
"[auth] verify failed:", (e as Error).message,
|
|
"| claims:", JSON.stringify(claims),
|
|
"| ALLOWED_USER_IDS:", process.env.ALLOWED_USER_IDS,
|
|
"| ZITADEL_AUDIENCE:", process.env.ZITADEL_AUDIENCE,
|
|
);
|
|
}
|
|
throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
|
|
}
|
|
});
|