Files
2026-07-13 13:32:57 +08:00

57 lines
1.8 KiB
TypeScript

import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
import { json } from "@remix-run/server-runtime";
import { authenticateApiRequest } from "~/services/apiAuth.server";
import { logger } from "~/services/logger.server";
import { z } from "zod";
import { generateJWT as internal_generateJWT } from "@trigger.dev/core/v3";
const RequestBodySchema = z.object({
claims: z
.object({
scopes: z.array(z.string()).default([]),
})
.optional(),
expirationTime: z.union([z.number(), z.string()]).optional(),
});
export async function action({ request }: LoaderFunctionArgs) {
try {
// Next authenticate the request
const authenticationResult = await authenticateApiRequest(request);
if (!authenticationResult) {
return json({ error: "Invalid or Missing API key" }, { status: 401 });
}
const parsedBody = RequestBodySchema.safeParse(await request.json());
if (!parsedBody.success) {
return json(
{ error: "Invalid request body", issues: parsedBody.error.issues },
{ status: 400 }
);
}
const claims = {
sub: authenticationResult.environment.id,
pub: true,
...parsedBody.data.claims,
};
// Sign with the environment's current canonical key, not the raw header key,
// so JWTs minted with a revoked (grace-window) key still validate — validation
// in jwtAuth.server.ts uses environment.apiKey.
const jwt = await internal_generateJWT({
secretKey: authenticationResult.environment.apiKey,
payload: claims,
expirationTime: parsedBody.data.expirationTime ?? "1h",
});
return json({ token: jwt });
} catch (error) {
if (error instanceof Response) throw error;
logger.error("Failed to mint auth jwt", { error });
return json({ error: "Internal Server Error" }, { status: 500 });
}
}