add clientSecret as an optional

julien1619 · julien1619 · commit d51958d9109b · 2025-07-31T15:37:56.000+02:00
diff --git a/src/runtime/server/lib/oauth/zitadel.ts b/src/runtime/server/lib/oauth/zitadel.ts
@@ -2,7 +2,8 @@ import type { H3Event } from 'h3'
 import { eventHandler, getQuery, sendRedirect } from 'h3'
 import { withQuery } from 'ufo'
 import { defu } from 'defu'
-import { handleMissingConfiguration, handleAccessTokenErrorResponse, getOAuthRedirectURL, requestAccessToken, handleState, handlePkceVerifier } from '../utils'
+import type { RequestAccessTokenOptions } from '../utils'
+import { handleMissingConfiguration, handleAccessTokenErrorResponse, getOAuthRedirectURL, requestAccessToken, handleState, handlePkceVerifier, handleInvalidState } from '../utils'
 import { useRuntimeConfig, createError } from '#imports'
 import type { OAuthConfig } from '#auth-utils'
 
@@ -12,6 +13,11 @@ export interface OAuthZitadelConfig {
    * @default process.env.NUXT_OAUTH_ZITADEL_CLIENT_ID
    */
   clientId?: string
+  /**
+   * ZITADEL OAuth Client Secret
+   * @default process.env.NUXT_OAUTH_ZITADEL_CLIENT_SECRET
+   */
+  clientSecret?: string
   /**
    * ZITADEL OAuth Domain
    * @example <your-zitadel-instance>.zitadel.cloud
@@ -90,15 +96,25 @@ export function defineOAuthZitadelEventHandler({ config, onSuccess, onError }: O
       handleInvalidState(event, 'zitadel', onError)
     }
 
-    const tokens = await requestAccessToken(tokenURL, {
+    const request: RequestAccessTokenOptions = {
       body: {
         grant_type: 'authorization_code',
         client_id: config.clientId,
         redirect_uri: redirectURL,
         code: query.code,
         code_verifier: verifier.code_verifier,
       },
-    })
+    }
+
+    if (config.clientSecret) {
+      const basicAuthorization = Buffer.from(`${config.clientId}:${config.clientSecret}`).toString('base64')
+      request.headers = {
+        'Authorization': `Basic ${basicAuthorization}`,
+        'Content-Type': 'application/x-www-form-urlencoded',
+      }
+    }
+
+    const tokens = await requestAccessToken(tokenURL, request)
 
     if (tokens.error) {
       return handleAccessTokenErrorResponse(event, 'zitadel', tokens, onError)
diff --git a/src/runtime/server/lib/utils.ts b/src/runtime/server/lib/utils.ts
@@ -27,7 +27,7 @@ export interface RequestAccessTokenBody {
   [key: string]: string | undefined
 }
 
-interface RequestAccessTokenOptions {
+export interface RequestAccessTokenOptions {
   body?: RequestAccessTokenBody
   params?: Record<string, string | undefined>
   headers?: Record<string, string>

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ export interface RequestAccessTokenBody {`
`27`	`27`	`[key: string]: string \| undefined`
`28`	`28`	`}`
`29`	`29`
`30`		`-interface RequestAccessTokenOptions {`
	`30`	`+export interface RequestAccessTokenOptions {`
`31`	`31`	`body?: RequestAccessTokenBody`
`32`	`32`	`params?: Record<string, string \| undefined>`
`33`	`33`	`headers?: Record<string, string>`