feat: add Traefik forwardAuth endpoint for Theia IDE
POST /api/auth/theia-check validates the NextAuth session cookie forwarded by Traefik. Returns 200 for authenticated users with X-Auth-User/Email/Name headers, or 302 redirect to /auth for unauthenticated requests — preserving the original Theia URL as callbackUrl so users land back in the IDE after login. Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
56
app/api/auth/theia-check/route.ts
Normal file
56
app/api/auth/theia-check/route.ts
Normal file
@@ -0,0 +1,56 @@
|
|||||||
|
/**
|
||||||
|
* GET /api/auth/theia-check
|
||||||
|
*
|
||||||
|
* Traefik ForwardAuth endpoint for theia.vibnai.com.
|
||||||
|
*
|
||||||
|
* Traefik calls this URL for every request to the Theia IDE, forwarding
|
||||||
|
* the user's Cookie header via authRequestHeaders. We validate the
|
||||||
|
* NextAuth session token and return:
|
||||||
|
* 200 — session valid, Traefik lets the request through
|
||||||
|
* 302 — no session, redirect browser to Vibn login
|
||||||
|
*/
|
||||||
|
|
||||||
|
import { NextRequest, NextResponse } from 'next/server';
|
||||||
|
import { getToken } from 'next-auth/jwt';
|
||||||
|
|
||||||
|
const APP_URL = process.env.NEXTAUTH_URL ?? 'https://vibnai.com';
|
||||||
|
const THEIA_URL = 'https://theia.vibnai.com';
|
||||||
|
|
||||||
|
export async function GET(request: NextRequest) {
|
||||||
|
let token: Awaited<ReturnType<typeof getToken>> = null;
|
||||||
|
|
||||||
|
try {
|
||||||
|
token = await getToken({
|
||||||
|
req: request,
|
||||||
|
secret: process.env.NEXTAUTH_SECRET,
|
||||||
|
});
|
||||||
|
} catch {
|
||||||
|
// If token validation throws, treat as unauthenticated
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!token) {
|
||||||
|
// Build a callbackUrl so after login the user lands back in Theia
|
||||||
|
const forwardedHost = request.headers.get('x-forwarded-host');
|
||||||
|
const forwardedProto = request.headers.get('x-forwarded-proto') ?? 'https';
|
||||||
|
const forwardedUri = request.headers.get('x-forwarded-uri') ?? '/';
|
||||||
|
|
||||||
|
const destination = forwardedHost
|
||||||
|
? `${forwardedProto}://${forwardedHost}${forwardedUri}`
|
||||||
|
: THEIA_URL;
|
||||||
|
|
||||||
|
const loginUrl = `${APP_URL}/auth?callbackUrl=${encodeURIComponent(destination)}`;
|
||||||
|
|
||||||
|
return NextResponse.redirect(loginUrl, { status: 302 });
|
||||||
|
}
|
||||||
|
|
||||||
|
// Session is valid — pass user identity to Theia via response headers
|
||||||
|
// (Traefik forwards these to the upstream if authResponseHeaders is set)
|
||||||
|
return new NextResponse(null, {
|
||||||
|
status: 200,
|
||||||
|
headers: {
|
||||||
|
'X-Auth-User': token.sub ?? '',
|
||||||
|
'X-Auth-Email': (token.email as string) ?? '',
|
||||||
|
'X-Auth-Name': (token.name as string) ?? '',
|
||||||
|
},
|
||||||
|
});
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user