mark/vibn-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: move forwardAuth endpoint to /api/theia-auth

Browse Source 
NextAuth catches all /api/auth/* routes via [...nextauth] catch-all.
Move the Traefik forwardAuth endpoint to /api/theia-auth to avoid
the conflict. Traefik dynamic config updated to match.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Mark Henderson
2026-02-18 15:13:29 -08:00
parent 22bf34c4e0
commit 4e6fcbc566
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
app/api/auth/theia-check/route.ts
View File

@@ -1,56 +0,0 @@
/**
* GET /api/auth/theia-check
*
* Traefik ForwardAuth endpoint for theia.vibnai.com.
*
* Traefik calls this URL for every request to the Theia IDE, forwarding
* the user's Cookie header via authRequestHeaders. We validate the
* NextAuth session token and return:
* 200 — session valid, Traefik lets the request through
* 302 — no session, redirect browser to Vibn login
*/
import { NextRequest, NextResponse } from 'next/server';
import { getToken } from 'next-auth/jwt';
const APP_URL = process.env.NEXTAUTH_URL ?? 'https://vibnai.com';
const THEIA_URL = 'https://theia.vibnai.com';
export async function GET(request: NextRequest) {
let token: Awaited<ReturnType<typeof getToken>> = null;
try {
token = await getToken({
req: request,
secret: process.env.NEXTAUTH_SECRET,
});
} catch {
// If token validation throws, treat as unauthenticated
}
if (!token) {
// Build a callbackUrl so after login the user lands back in Theia
const forwardedHost = request.headers.get('x-forwarded-host');
const forwardedProto = request.headers.get('x-forwarded-proto') ?? 'https';
const forwardedUri = request.headers.get('x-forwarded-uri') ?? '/';
const destination = forwardedHost
? `${forwardedProto}://${forwardedHost}${forwardedUri}`
: THEIA_URL;
const loginUrl = `${APP_URL}/auth?callbackUrl=${encodeURIComponent(destination)}`;
return NextResponse.redirect(loginUrl, { status: 302 });
}
// Session is valid — pass user identity to Theia via response headers
// (Traefik forwards these to the upstream if authResponseHeaders is set)
return new NextResponse(null, {
status: 200,
headers: {
'X-Auth-User': token.sub ?? '',
'X-Auth-Email': (token.email as string) ?? '',
'X-Auth-Name': (token.name as string) ?? '',
},
});
}