Phase 4: AI-driven app/database/auth lifecycle
Workspace-owned deploy infra so AI agents can create and destroy
Coolify resources without ever touching the root admin token.
vibn_workspaces
+ coolify_server_uuid, coolify_destination_uuid
+ coolify_environment_name (default "production")
+ coolify_private_key_uuid, gitea_bot_ssh_key_id
ensureWorkspaceProvisioned
+ generates an ed25519 keypair per workspace
+ pushes pubkey to the Gitea bot user (read/write scoped by team)
+ registers privkey in Coolify as a reusable deploy key
New endpoints under /api/workspaces/[slug]/
apps/ POST (private-deploy-key from Gitea repo)
apps/[uuid] PATCH, DELETE?confirm=<name>
apps/[uuid]/domains GET, PATCH (policy: *.{ws}.vibnai.com only)
databases/ GET, POST (8 types incl. postgres, clickhouse, dragonfly)
databases/[uuid] GET, PATCH, DELETE?confirm=<name>
auth/ GET, POST (Pocketbase, Authentik, Keycloak, Pocket-ID, Logto, Supertokens)
auth/[uuid] DELETE?confirm=<name>
MCP (/api/mcp) gains 15 new tools that mirror the REST surface and
enforce the same workspace tenancy + delete-confirm guard.
Safety: destructive ops require ?confirm=<exact-resource-name>; volumes
are kept by default (pass delete_volumes=true to drop).
Made-with: Cursor
This commit is contained in:
174
app/api/workspaces/[slug]/auth/route.ts
Normal file
174
app/api/workspaces/[slug]/auth/route.ts
Normal file
@@ -0,0 +1,174 @@
|
||||
/**
|
||||
* Workspace authentication providers.
|
||||
*
|
||||
* GET /api/workspaces/[slug]/auth — list auth-provider services
|
||||
* POST /api/workspaces/[slug]/auth — provision one of the vetted providers
|
||||
*
|
||||
* AI-callers can only create providers from an allowlist — we deliberately
|
||||
* skip the rest of Coolify's ~300 one-click templates so this endpoint
|
||||
* stays focused on "auth for my app". The allowlist:
|
||||
*
|
||||
* pocketbase — lightweight (SQLite-backed) auth + data
|
||||
* authentik — feature-rich self-hosted IDP
|
||||
* keycloak — industry-standard OIDC/SAML
|
||||
* keycloak-with-postgres
|
||||
* pocket-id — passkey-first OIDC
|
||||
* pocket-id-with-postgresql
|
||||
* logto — dev-first IDP
|
||||
* supertokens-with-postgresql — session/auth backend
|
||||
*
|
||||
* (Zitadel is not on Coolify's service catalog — callers that ask for
|
||||
* it get a descriptive 400 so the AI knows to pick a supported one.)
|
||||
*
|
||||
* POST body:
|
||||
* { provider: "pocketbase", name?: "auth" }
|
||||
*/
|
||||
|
||||
import { NextResponse } from 'next/server';
|
||||
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
|
||||
import {
|
||||
listServicesInProject,
|
||||
createService,
|
||||
getService,
|
||||
projectUuidOf,
|
||||
} from '@/lib/coolify';
|
||||
import { slugify } from '@/lib/naming';
|
||||
|
||||
/**
|
||||
* Vetted auth-provider service ids. Keys are what callers pass as
|
||||
* `provider`; values are the Coolify service-template slugs.
|
||||
*/
|
||||
const AUTH_PROVIDERS: Record<string, string> = {
|
||||
pocketbase: 'pocketbase',
|
||||
authentik: 'authentik',
|
||||
keycloak: 'keycloak',
|
||||
'keycloak-with-postgres': 'keycloak-with-postgres',
|
||||
'pocket-id': 'pocket-id',
|
||||
'pocket-id-with-postgresql': 'pocket-id-with-postgresql',
|
||||
logto: 'logto',
|
||||
'supertokens-with-postgresql': 'supertokens-with-postgresql',
|
||||
};
|
||||
|
||||
/** Anything in this set is Coolify-supported but not an auth provider (used for filtering the list view). */
|
||||
const AUTH_PROVIDER_SLUGS = new Set(Object.values(AUTH_PROVIDERS));
|
||||
|
||||
export async function GET(
|
||||
request: Request,
|
||||
{ params }: { params: Promise<{ slug: string }> }
|
||||
) {
|
||||
const { slug } = await params;
|
||||
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
|
||||
if (principal instanceof NextResponse) return principal;
|
||||
|
||||
const ws = principal.workspace;
|
||||
if (!ws.coolify_project_uuid) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Workspace has no Coolify project yet', providers: [] },
|
||||
{ status: 503 }
|
||||
);
|
||||
}
|
||||
|
||||
try {
|
||||
const all = await listServicesInProject(ws.coolify_project_uuid);
|
||||
// Coolify returns all services — we narrow to ones whose name
|
||||
// contains an auth-provider slug. We also return the full list so
|
||||
// callers can see non-auth services without a separate endpoint.
|
||||
return NextResponse.json({
|
||||
workspace: { slug: ws.slug, coolifyProjectUuid: ws.coolify_project_uuid },
|
||||
providers: all
|
||||
.filter(s => AUTH_PROVIDER_SLUGS.has(deriveTypeFromName(s.name)))
|
||||
.map(s => ({
|
||||
uuid: s.uuid,
|
||||
name: s.name,
|
||||
status: s.status ?? null,
|
||||
provider: deriveTypeFromName(s.name),
|
||||
projectUuid: projectUuidOf(s),
|
||||
})),
|
||||
allowedProviders: Object.keys(AUTH_PROVIDERS),
|
||||
});
|
||||
} catch (err) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Coolify request failed', details: err instanceof Error ? err.message : String(err) },
|
||||
{ status: 502 }
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export async function POST(
|
||||
request: Request,
|
||||
{ params }: { params: Promise<{ slug: string }> }
|
||||
) {
|
||||
const { slug } = await params;
|
||||
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
|
||||
if (principal instanceof NextResponse) return principal;
|
||||
|
||||
const ws = principal.workspace;
|
||||
if (!ws.coolify_project_uuid) {
|
||||
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
|
||||
}
|
||||
|
||||
let body: { provider?: string; name?: string; description?: string; instantDeploy?: boolean } = {};
|
||||
try {
|
||||
body = await request.json();
|
||||
} catch {
|
||||
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
|
||||
}
|
||||
|
||||
const providerKey = (body.provider ?? '').toLowerCase().trim();
|
||||
const coolifyType = AUTH_PROVIDERS[providerKey];
|
||||
if (!coolifyType) {
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: `Unsupported provider "${providerKey}". Allowed: ${Object.keys(AUTH_PROVIDERS).join(', ')}`,
|
||||
hint: 'Zitadel is not on Coolify v4 service catalog — use keycloak or authentik instead.',
|
||||
},
|
||||
{ status: 400 }
|
||||
);
|
||||
}
|
||||
|
||||
const name = slugify(body.name ?? providerKey);
|
||||
|
||||
try {
|
||||
const created = await createService({
|
||||
projectUuid: ws.coolify_project_uuid,
|
||||
type: coolifyType,
|
||||
name,
|
||||
description: body.description ?? `AI-provisioned ${providerKey} for ${ws.slug}`,
|
||||
serverUuid: ws.coolify_server_uuid ?? undefined,
|
||||
environmentName: ws.coolify_environment_name,
|
||||
destinationUuid: ws.coolify_destination_uuid ?? undefined,
|
||||
instantDeploy: body.instantDeploy ?? true,
|
||||
});
|
||||
|
||||
const svc = await getService(created.uuid);
|
||||
return NextResponse.json(
|
||||
{
|
||||
uuid: svc.uuid,
|
||||
name: svc.name,
|
||||
provider: providerKey,
|
||||
status: svc.status ?? null,
|
||||
},
|
||||
{ status: 201 }
|
||||
);
|
||||
} catch (err) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Coolify create failed', details: err instanceof Error ? err.message : String(err) },
|
||||
{ status: 502 }
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Coolify names services "{type}-{random-suffix}" when auto-named. We
|
||||
* recover the provider slug by stripping the trailing `-\w+` if any
|
||||
* and matching against our allowlist. Falls back to empty string.
|
||||
*/
|
||||
function deriveTypeFromName(name: string): string {
|
||||
const candidates = Object.values(AUTH_PROVIDERS).sort((a, b) => b.length - a.length);
|
||||
for (const slug of candidates) {
|
||||
if (name === slug || name.startsWith(`${slug}-`) || name.startsWith(`${slug}_`)) {
|
||||
return slug;
|
||||
}
|
||||
}
|
||||
return '';
|
||||
}
|
||||
Reference in New Issue
Block a user