From 28dc956f403eb87ffe7402349c1c911ea018e39d Mon Sep 17 00:00:00 2001
From: Max Peintner
Date: Mon, 20 Jan 2025 15:22:14 +0100
Subject: [PATCH] token util
---
 .changeset/twenty-clouds-prove.md | 5 +++++
 apps/login/src/lib/api.ts | 15 ++++++---------
 packages/zitadel-client/src/node.ts | 22 ++++++++++++++++------
 turbo.json | 3 ++-
 4 files changed, 29 insertions(+), 16 deletions(-)
 create mode 100644 .changeset/twenty-clouds-prove.md
diff --git a/.changeset/twenty-clouds-prove.md b/.changeset/twenty-clouds-prove.md
new file mode 100644
index 0000000000..58877517c6
--- /dev/null
+++ b/.changeset/twenty-clouds-prove.md
@@ -0,0 +1,5 @@
+---
+"@zitadel/client": patch
+---
+
+dynamic properties for system token utility
diff --git a/apps/login/src/lib/api.ts b/apps/login/src/lib/api.ts
index 0f10c4addd..6bde583f82 100644
--- a/apps/login/src/lib/api.ts
+++ b/apps/login/src/lib/api.ts
@@ -1,4 +1,4 @@
-import { importPKCS8, SignJWT } from "jose";
+import { newSystemToken } from "@zitadel/client/node";
 import { getInstanceDomainByHost } from "./zitadel";
 export async function getInstanceUrl(host: string): Promise {
@@ -30,14 +30,11 @@ export async function systemAPIToken() {
 const decodedToken = Buffer.from(key, "base64").toString("utf-8");
- const token = new SignJWT({})
- .setProtectedHeader({ alg: "RS256" })
- .setIssuedAt()
- .setExpirationTime("1h")
- .setIssuer(userID)
- .setSubject(userID)
- .setAudience(audience)
- .sign(await importPKCS8(decodedToken, "RS256"));
+ const token = newSystemToken({
+ audience: audience,
+ subject: userID,
+ key: decodedToken,
+ });
 return token;
 }
diff --git a/packages/zitadel-client/src/node.ts b/packages/zitadel-client/src/node.ts
index 8f70a4edf1..db7838ebc3 100644
--- a/packages/zitadel-client/src/node.ts
+++ b/packages/zitadel-client/src/node.ts
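Review bot: `const token = newSystemToken({...})` in `systemAPIToken` holds a promise, not the signed JWT, because `newSystemToken` is declared `async` in `packages/zitadel-client/src/node.ts`. Callers still receive the token since the enclosing function is `async`, but the variable name misleads, and a `try`/`catch` added around the call later would not catch a signing failure such as a malformed key. Writing `return await newSystemToken({ audience, subject: userID, key: decodedToken });` and declaring the return type as `Promise<string>` makes the contract explicit. The lines that read `key`, `userID` and `audience` are above the hunk, so whether empty values are rejected before signing cannot be confirmed from here.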
@@ -27,13 +27,23 @@ export function createClientTransport(token: string, opts: GrpcTransportOptions)
 });
 }
-export async function newSystemToken() {
+export async function newSystemToken({
+ audience,
+ subject,
+ key,
+ expirationTime,
+}: {
+ audience: string;
+ subject: string;
+ key: string;
+ expirationTime?: number | string | Date;
+}) {
 return await new SignJWT({})
 .setProtectedHeader({ alg: "RS256" })
 .setIssuedAt()
- .setExpirationTime("1h")
- .setIssuer(process.env.ZITADEL_SYSTEM_API_USERID ?? "")
- .setSubject(process.env.ZITADEL_SYSTEM_API_USERID ?? "")
- .setAudience(process.env.ZITADEL_ISSUER ?? "")
- .sign(await importPKCS8(process.env.ZITADEL_SYSTEM_API_KEY ?? "", "RS256"));
+ .setExpirationTime(expirationTime ?? "1h")
+ .setIssuer(subject)
+ .setSubject(subject)
+ .setAudience(audience)
+ .sign(await importPKCS8(key, "RS256"));
 }
diff --git a/turbo.json b/turbo.json
index ca14a23035..65e4603081 100644
--- a/turbo.json
+++ b/turbo.json
@@ -11,7 +11,8 @@
 "SYSTEM_USER_PRIVATE_KEY",
 "ZITADEL_API_URL",
 "ZITADEL_USER_ID",
- "ZITADEL_USER_TOKEN"
+ "ZITADEL_USER_TOKEN",
+ "ZITADEL_SYSTEM_API_USERID"
 ],
 "tasks": {
 "generate": {
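Review bot: `expirationTime` is handed straight to `setExpirationTime` in `newSystemToken`, so any caller can now mint a system-API token with an arbitrary lifetime, where the old code fixed it at one hour. jose treats a `number` as an absolute NumericDate rather than a duration, so `expirationTime: 3600` produces an already-expired token while the string `"1h"` is relative to now; a TSDoc comment on the parameter should say this. If long-lived system tokens are not intended, narrow the type to a duration string or reject values beyond a documented maximum. An empty `subject`, `audience` or `key` is also accepted by the types, so a guard such as `if (!subject || !audience || !key) throw new Error("newSystemToken: missing subject, audience or key");` would fail earlier and more clearly. Separately, the exported signature changes from no arguments to a required options object, which breaks existing `newSystemToken()` callers even though the changeset labels the release a patch.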