fix(auth): avoid cabinet redirect loop and use teams access token

app/middleware/auth-oidc.ts

@@ -12,8 +12,10 @@ export default defineNuxtRouteMiddleware(async (to) => {
   }
 
   const { loggedIn } = useAuth()
+  const localePath = useLocalePath()
+  const logtoUser = useState<Record<string, unknown> | null>('logto-user', () => null)
 
-  if (!loggedIn.value) {
+  if (!loggedIn.value && !logtoUser.value) {
-    return navigateTo('/sign-in')
+    return navigateTo(localePath('/sign-in'))
   }
 })

server/middleware/me.ts

@@ -32,14 +32,21 @@ export default defineEventHandler(async (event) => {
   const client = event.context.logtoClient as LogtoClient | undefined
   if (!client) return
 
-  let idToken: string | null = null
+  const logtoUser = event.context.logtoUser as { organizations?: string[] } | undefined
+  const organizationId = event.context.logtoOrgId || logtoUser?.organizations?.[0]
+
+  let token: string | null = null
   try {
-    idToken = await client.getIdToken()
+    token = await client.getAccessToken('https://teams.optovia.ru', organizationId)
+  } catch {
+    try {
+      token = await client.getIdToken()
     } catch {
       return
     }
+  }
 
-  if (!idToken) return
+  if (!token) return
 
   try {
     const { GetMeDocument, GetMeProfileDocument } = await import('~/composables/graphql/user/teams-generated')
@@ -48,12 +55,12 @@ export default defineEventHandler(async (event) => {
     const [meResponse, profileResponse] = await Promise.all([
       $fetch<{ data?: { me?: MePayload } }>(endpoint, {
         method: 'POST',
-        headers: { Authorization: `Bearer ${idToken}` },
+        headers: { Authorization: `Bearer ${token}` },
         body: { query: print(GetMeDocument) }
       }),
       $fetch<{ data?: { me?: MePayload } }>(endpoint, {
         method: 'POST',
-        headers: { Authorization: `Bearer ${idToken}` },
+        headers: { Authorization: `Bearer ${token}` },
         body: { query: print(GetMeProfileDocument) }
       })
     ])