From 7b4eaeeb920ed41e132d0720026716371905c876 Mon Sep 17 00:00:00 2001
From: Ruslan Bakiev <572431+veikab@users.noreply.github.com>
Date: Tue, 21 Apr 2026 12:55:19 +0700
Subject: [PATCH] fix(auth): avoid cabinet redirect loop and use teams access token
---
 app/middleware/auth-oidc.ts | 6 ++++--
 server/middleware/me.ts | 19 +++++++++++++------
 2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/app/middleware/auth-oidc.ts b/app/middleware/auth-oidc.ts
index d7e2d23..82829b4 100644
--- a/app/middleware/auth-oidc.ts
+++ b/app/middleware/auth-oidc.ts
@@ -12,8 +12,10 @@ export default defineNuxtRouteMiddleware(async (to) => {
 }
 const { loggedIn } = useAuth()
+ const localePath = useLocalePath()
+ const logtoUser = useState | null>('logto-user', () => null)
- if (!loggedIn.value) {
- return navigateTo('/sign-in')
+ if (!loggedIn.value && !logtoUser.value) {
+ return navigateTo(localePath('/sign-in'))
 }
 })
diff --git a/server/middleware/me.ts b/server/middleware/me.ts
index 3debcc4..f53da30 100644
--- a/server/middleware/me.ts
+++ b/server/middleware/me.ts
@@ -32,14 +32,21 @@ export default defineEventHandler(async (event) => {
 const client = event.context.logtoClient as LogtoClient | undefined
 if (!client) return
- let idToken: string | null = null
+ const logtoUser = event.context.logtoUser as { organizations?: string[] } | undefined
+ const organizationId = event.context.logtoOrgId || logtoUser?.organizations?.[0]
+
+ let token: string | null = null
 try {
- idToken = await client.getIdToken()
+ token = await client.getAccessToken('https://teams.optovia.ru', organizationId)
 } catch {
- return
+ try {
+ token = await client.getIdToken()
+ } catch {
+ return
+ }
 }
- if (!idToken) return
+ if (!token) return
 try {
 const { GetMeDocument, GetMeProfileDocument } = await import('~/composables/graphql/user/teams-generated')
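Review bot: In app/middleware/auth-oidc.ts the guard now lets navigation through when either `loggedIn` or the `logto-user` state is set, so a non-null `logto-user` value alone is enough to skip the sign-in redirect. Nothing in the hunk shows where that state is written or cleared; it should be populated only from a server-verified session and reset to `null` on sign-out, and the APIs behind these routes should authorize each request themselves rather than rely on this middleware. If the intent is to cover the window before `useAuth()` settles, a comment above the condition would record it, e.g. `// logto-user comes from the server session; accept it so a valid session is not bounced to /sign-in`. The middleware body starts outside the hunk.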
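Review bot: In server/middleware/me.ts the new outer `catch` silently falls back to `client.getIdToken()` whenever `getAccessToken('https://teams.optovia.ru', organizationId)` fails, so the teams endpoint can still be called with an ID token as the Bearer credential. An ID token is issued for the client application rather than for the API resource, so an API that accepts it is not enforcing the token audience, and the swallowed error hides a misconfigured resource or organization. I would drop the fallback and surface the failure, `} catch (error) { console.warn('[me] teams access token unavailable', error); return }`. `organizationId` also defaults to the first entry of `logtoUser.organizations`, and `event.context.logtoOrgId` is set outside this hunk, so it is worth confirming that value is derived from the verified session and not from request input. The handler starts and ends outside the hunk.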
@@ -48,12 +55,12 @@ export default defineEventHandler(async (event) => {
 const [meResponse, profileResponse] = await Promise.all([
 $fetch<{ data?: { me?: MePayload } }>(endpoint, {
 method: 'POST',
- headers: { Authorization: `Bearer ${idToken}` },
+ headers: { Authorization: `Bearer ${token}` },
 body: { query: print(GetMeDocument) }
 }),
 $fetch<{ data?: { me?: MePayload } }>(endpoint, {
 method: 'POST',
- headers: { Authorization: `Bearer ${idToken}` },
+ headers: { Authorization: `Bearer ${token}` },
 body: { query: print(GetMeProfileDocument) }
 })
 ])