(id: string, audience: string)
| 404 | } |
| 405 | |
| 406 | const createGCPIAPProvider = (id: string, audience: string): Provider => { |
| 407 | return Credentials({ |
| 408 | id, |
| 409 | name: "Google Cloud IAP", |
| 410 | credentials: {}, |
| 411 | authorize: async (_credentials, req) => { |
| 412 | try { |
| 413 | const iapAssertion = req.headers?.get("x-goog-iap-jwt-assertion"); |
| 414 | if (!iapAssertion || typeof iapAssertion !== "string") { |
| 415 | logger.warn("No IAP assertion found in headers"); |
| 416 | return null; |
| 417 | } |
| 418 | |
| 419 | const oauth2Client = new OAuth2Client(); |
| 420 | |
| 421 | const { pubkeys } = await oauth2Client.getIapPublicKeys(); |
| 422 | const ticket = await oauth2Client.verifySignedJwtWithCertsAsync( |
| 423 | iapAssertion, |
| 424 | pubkeys, |
| 425 | audience, |
| 426 | ['https://cloud.google.com/iap'] |
| 427 | ); |
| 428 | |
| 429 | const payload = ticket.getPayload(); |
| 430 | if (!payload) { |
| 431 | logger.warn("Invalid IAP token payload"); |
| 432 | return null; |
| 433 | } |
| 434 | |
| 435 | const email = payload.email; |
| 436 | const name = payload.name || payload.email; |
| 437 | const image = payload.picture; |
| 438 | |
| 439 | if (!email) { |
| 440 | logger.warn("Missing email in IAP token"); |
| 441 | return null; |
| 442 | } |
| 443 | |
| 444 | const existingUser = await __unsafePrisma.user.findUnique({ |
| 445 | where: { email } |
| 446 | }); |
| 447 | |
| 448 | if (!existingUser) { |
| 449 | const newUser = await __unsafePrisma.user.create({ |
| 450 | data: { |
| 451 | email, |
| 452 | name, |
| 453 | image, |
| 454 | } |
| 455 | }); |
| 456 | |
| 457 | const authJsUser: AuthJsUser = { |
| 458 | id: newUser.id, |
| 459 | email: newUser.email, |
| 460 | name: newUser.name, |
| 461 | image: newUser.image, |
| 462 | }; |
| 463 |
no test coverage detected