feat(api): add /api/userinfo handler in server.tsx

mridang · mridang · commit e2abe17a8cde · 2026-05-27T16:42:18.000+03:00
Adds a /api/userinfo GET handler to the server entry's path-match
chain. Mirrors the other 7 examples; sits next to the existing
/api/auth/* and /api/(un)?protected blocks. TanStack Start doesn't
have a file-based API route convention so this lives inline.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,9 +1,7 @@
 {
   "name": "Zitadel Example TanStack Start Auth",
   "image": "mcr.microsoft.com/devcontainers/javascript-node:22-bookworm",
-  "forwardPorts": [
-    3000
-  ],
+  "forwardPorts": [3000],
   "portsAttributes": {
     "3000": {
       "label": "Application",
@@ -18,10 +16,7 @@
   "postCreateCommand": "npx playwright install --with-deps chromium",
   "customizations": {
     "vscode": {
-      "extensions": [
-        "dbaeumer.vscode-eslint",
-        "esbenp.prettier-vscode"
-      ]
+      "extensions": ["dbaeumer.vscode-eslint", "esbenp.prettier-vscode"]
     }
   }
 }
diff --git a/app/server.tsx b/app/server.tsx
@@ -147,6 +147,40 @@ async function handleRequest(request: Request): Promise<Response> {
       return withCookiesFixed(request, await handlers.POST({ request }));
   }
 
+  // GET /api/userinfo → proxy to Zitadel's OIDC userinfo endpoint using the
+  // user's access token. Demonstrates how to call Zitadel APIs from the app
+  // server. The session's JWT carries a login-time snapshot; this hits the
+  // live endpoint so callers see current roles, metadata, etc.
+  if (pathname === '/api/userinfo') {
+    if (request.method !== 'GET') {
+      return new Response(null, { status: 405, headers: { Allow: 'GET' } });
+    }
+    const session = await getSession(request);
+    if (!session?.accessToken) {
+      return Response.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+    try {
+      const upstream = await fetch(
+        `${process.env.ZITADEL_DOMAIN}/oidc/v1/userinfo`,
+        {
+          headers: { Authorization: `Bearer ${session.accessToken}` },
+        },
+      );
+      if (!upstream.ok) {
+        // noinspection ExceptionCaughtLocallyJS
+        throw new Error(`UserInfo API error: ${upstream.status}`);
+      }
+      const userInfo = await upstream.json();
+      return Response.json(userInfo);
+    } catch (error) {
+      console.error('UserInfo fetch failed:', error);
+      return Response.json(
+        { error: 'Failed to fetch user info' },
+        { status: 500 },
+      );
+    }
+  }
+
   // Public API endpoint — no authentication required.
   if (pathname === '/api/unprotected') {
     return Response.json({ ok: true });

Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "Zitadel Example TanStack Start Auth",`
`3`	`3`	`"image": "mcr.microsoft.com/devcontainers/javascript-node:22-bookworm",`
`4`		`- "forwardPorts": [`
`5`		`- 3000`
`6`		`- ],`
	`4`	`+ "forwardPorts": [3000],`
`7`	`5`	`"portsAttributes": {`
`8`	`6`	`"3000": {`
`9`	`7`	`"label": "Application",`
`@@ -18,10 +16,7 @@`
`18`	`16`	`"postCreateCommand": "npx playwright install --with-deps chromium",`
`19`	`17`	`"customizations": {`
`20`	`18`	`"vscode": {`
`21`		`- "extensions": [`
`22`		`- "dbaeumer.vscode-eslint",`
`23`		`- "esbenp.prettier-vscode"`
`24`		`- ]`
	`19`	`+ "extensions": ["dbaeumer.vscode-eslint", "esbenp.prettier-vscode"]`
`25`	`20`	`}`
`26`	`21`	`}`
`27`	`22`	`}`