feat: add authenticateIdentity to handle agents

rob-at-cortex · rob-at-cortex · commit a9911368e4fc · 2026-02-22T18:30:38.000Z
diff --git a/packages/auth/src/payload-jwt/authenticateRequest.ts b/packages/auth/src/payload-jwt/authenticateRequest.ts
@@ -22,13 +22,13 @@ function createAuthError(message: string, statusCode: number): AuthError {
 export type { AuthError };
 
 function getValidRole(permissions?: string[]): ValidRole {
-  if (!permissions || permissions.length === 0) return 'user';
-  for (const permission of permissions) {
-    if (VALID_ROLES[permission]) {
-      return VALID_ROLES[permission];
+    if (!permissions || permissions.length === 0) return 'user';
+    for (const permission of permissions) {
+        if (VALID_ROLES[permission]) {
+            return VALID_ROLES[permission];
+        }
     }
-  }
-  return 'user';
+    return 'user';
 }
 
 interface User {
@@ -91,43 +91,43 @@ export async function authenticateRequest({ req, payload }: AuthenticateRequestO
 
     if (!payload) throw createAuthError("Payload instance is required for Keycloak user normalisation", 500);
 
-    const payloadUser = (await payload.find({ 
-      collection: 'users', 
-      depth: 1, 
-      limit: 1, 
-      draft: false, 
-      overrideAccess: true, 
-      where: { email: { equals: session.extra.email } } 
+    const payloadUser = (await payload.find({
+        collection: 'users',
+        depth: 1,
+        limit: 1,
+        draft: false,
+        overrideAccess: true,
+        where: { email: { equals: session.extra.email } }
     })).docs[0];
 
     const role = getValidRole(permissions);
 
     if (!payloadUser) {
-      const newUser = await payload.create({
-        collection: 'users',
-        data: {
-          email: session.extra.email,
-          name: session.extra.name,
-          role,
-          enabled: true,
-          accounts: [{ provider: 'keycloak', providerAccountId: session.sub, type: 'oidc' }],
-        },
-        draft: false,
-        overrideAccess: true,
-      });
-      console.log("Created new Payload user for Keycloak user:", newUser.id, newUser.email);
-      return { method: 'bearer', ...newUser };
+        const newUser = await payload.create({
+            collection: 'users',
+            data: {
+                email: session.extra.email,
+                name: session.extra.name,
+                role,
+                enabled: true,
+                accounts: [{ provider: 'keycloak', providerAccountId: session.sub, type: 'oidc' }],
+            },
+            draft: false,
+            overrideAccess: true,
+        });
+        console.log("Created new Payload user for Keycloak user:", newUser.id, newUser.email);
+        return { method: 'bearer', ...newUser };
     }
 
     if (payloadUser.role !== role) {
-      await payload.update({
-        collection: 'users',
-        id: payloadUser.id,
-        data: { role },
-        draft: false,
-        overrideAccess: true,
-      });
-      console.log(`Updated Payload user role for ${payloadUser.email} to ${role}`);
+        await payload.update({
+            collection: 'users',
+            id: payloadUser.id,
+            data: { role },
+            draft: false,
+            overrideAccess: true,
+        });
+        console.log(`Updated Payload user role for ${payloadUser.email} to ${role}`);
     }
 
     return { method: 'bearer', ...payloadUser };
@@ -138,52 +138,144 @@ export async function authenticateRequestHeaders({ headers, payload }: { headers
     if (!authHeader) return null;
 
     const session = await verifyToken(authHeader.replace('Bearer ', ''));
-    if (!session?.sub || !session.extra) throw createAuthError("No valid session found", 401);
+    if (!session?.sub || !session.extra || !session.agent_id) throw createAuthError("No valid session found", 401);
 
     const OAUTH_CLIENT_ID = process.env.OAUTH_CLIENT_ID!;
     const permissions = ((session.resource_access as Record<string, { roles?: string[] }>)?.[OAUTH_CLIENT_ID]?.roles as string[] | undefined);
-    if (!permissions) throw createAuthError("User does not have permission to access this application.", 403);
+    if (!permissions) throw createAuthError("User or Agent does not have permission to access this application.", 403);
 
     if (!payload) throw createAuthError("Payload instance is required for Keycloak user normalisation", 500);
 
-    const payloadUser = (await payload.find({ 
-      collection: 'users', 
-      depth: 1, 
-      limit: 1, 
-      draft: false, 
-      overrideAccess: true, 
-      where: { email: { equals: session.extra.email } } 
+    const payloadUser = (await payload.find({
+        collection: 'users',
+        depth: 1,
+        limit: 1,
+        draft: false,
+        overrideAccess: true,
+        where: { email: { equals: session.extra.email } }
     })).docs[0];
 
     const role = getValidRole(permissions);
 
     if (!payloadUser) {
-      const newUser = await payload.create({
-        collection: 'users',
-        data: {
-          email: session.extra.email,
-          name: session.extra.name,
-          role,
-          enabled: true,
-          accounts: [{ provider: 'keycloak', providerAccountId: session.sub, type: 'oidc' }],
-        },
-        draft: false,
-        overrideAccess: true,
-      });
-      console.log("Created new Payload user for Keycloak user:", newUser.id, newUser.email);
-      return { user: { ...newUser, collection: 'users' as const } };
+        const newUser = await payload.create({
+            collection: 'users',
+            data: {
+                email: session.extra.email,
+                name: session.extra.name,
+                role,
+                enabled: true,
+                accounts: [{ provider: 'keycloak', providerAccountId: session.sub, type: 'oidc' }],
+            },
+            draft: false,
+            overrideAccess: true,
+        });
+        console.log("Created new Payload user for Keycloak user:", newUser.id, newUser.email);
+        return { user: { ...newUser, collection: 'users' as const } };
     }
 
     if (payloadUser.role !== role) {
-      await payload.update({
-        collection: 'users',
-        id: payloadUser.id,
-        data: { role },
-        draft: false,
-        overrideAccess: true,
-      });
-      console.log(`Updated Payload user role for ${payloadUser.email} to ${role}`);
+        await payload.update({
+            collection: 'users',
+            id: payloadUser.id,
+            data: { role },
+            draft: false,
+            overrideAccess: true,
+        });
+        console.log(`Updated Payload user role for ${payloadUser.email} to ${role}`);
     }
 
     return { user: { ...payloadUser, collection: 'users' as const } };
-}
+}
+
+export async function authenticateIdentity({
+    headers,
+    payload,
+}: {
+    headers: Headers
+    payload: Payload
+}) {
+    const authHeader = headers.get('authorization')
+    if (!authHeader) return null
+
+    const session = await verifyToken(authHeader.replace('Bearer ', ''))
+
+    if ((!session?.sub || !session.extra) && !session?.agent_id)
+        throw createAuthError('No valid session found', 401)
+
+    const OAUTH_CLIENT_ID = process.env.OAUTH_CLIENT_ID!
+    const permissions = (session.resource_access as Record<string, { roles?: string[] }>)?.[
+        OAUTH_CLIENT_ID
+    ]?.roles as string[] | undefined
+    if (!permissions)
+        throw createAuthError('User does not have permission to access this application.', 403)
+
+    if (!payload)
+        throw createAuthError('Payload instance is required for Keycloak user normalisation', 500)
+
+    let identity = null
+    let collection = 'users'
+      if (session.agent_id && 'identities' in payload.collections) { // this case is for agent authentication where we expect a preferred_username in the token in the format of service-account-{agentId} to link to an identity record with a keycloakUserId field matching the sub claim in the token
+        const identities = await payload.find({
+            collection: 'identities',
+            limit: 1,
+            where: {
+                keycloakUserId: {
+                    equals: session.sub,
+                },
+            },
+            overrideAccess: true,
+        })
+
+        identity = identities.docs[0]
+        collection = 'identities'
+        if (!identity) {
+            throw createAuthError('No identity found for authenticated user', 403)
+        }
+    } else if (session?.extra?.email) { // this case is for user authentication where we expect an email in the token to link to a Payload user record
+        const payloadUser = (
+            await payload.find({
+                collection: 'users',
+                depth: 1,
+                limit: 1,
+                draft: false,
+                overrideAccess: true,
+                where: { email: { equals: session.extra.email } },
+            })
+        ).docs[0]
+        const role = getValidRole(permissions);
+
+        if (!payloadUser) {
+            const newUser = await payload.create({
+                collection: 'users',
+                data: {
+                    email: session.extra.email,
+                    name: session.extra.name,
+                    role,
+                    enabled: true,
+                    accounts: [{ provider: 'keycloak', providerAccountId: session.sub, type: 'oidc' }],
+                },
+                draft: false,
+                overrideAccess: true,
+            });
+            console.log("Created new Payload user for Keycloak user:", newUser.id, newUser.email);
+            identity = newUser;
+            // return { user: { ...newUser, collection: 'users' as const } };
+        }
+
+        if (payloadUser && payloadUser.role !== role) {
+            await payload.update({
+                collection: 'users',
+                id: payloadUser.id,
+                data: { role },
+                draft: false,
+                overrideAccess: true,
+            });
+            console.log(`Updated Payload user role for ${payloadUser.email} to ${role}`);
+            identity = { ...payloadUser, role: role as ValidRole }
+        }
+    } else {
+        throw createAuthError('Authenticated session does not contain an agent ID', 403)
+    }
+    return { user: { ...identity, collection } }
+}
diff --git a/packages/auth/src/payload-jwt/configuration.ts b/packages/auth/src/payload-jwt/configuration.ts
@@ -140,10 +140,18 @@ const userCollectionDatabaseFields = [{
   },
 },
 { name: 'enabled', type: 'checkbox', label: 'Enabled', defaultValue: true },
+{
+  name: 'sessions', type: 'array', access: {
+    read: payloadAcl.ownOnly
+  },
+},
 {
   name: "accounts",
   type: "array",
   admin: { disabled: false }, // optional
+  access: {
+    read: payloadAcl.ownOnly
+  },
   fields: [
     { name: "provider", type: "text", required: true },
     { name: "providerAccountId", type: "text", required: true },
