mark/vibn-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(api): accept workspace API key on agent session /stop route

Browse Source 
The /stop route used browser-only authSession(), so the desktop's vibn_sk_
key got a 401. The desktop treats any 401 as session-expired and signs the
user out (kicking them to the login page on Stop). Use requireWorkspacePrincipal
like the sibling create/get routes.
This commit is contained in:
mawkone
2026-05-30 19:24:42 -07:00
parent 3d07cf38b6
commit 6a688c8dd1
1 changed files with 19 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
vibn-frontend/app/api/projects/[projectId]/agent/sessions/[sessionId]/stop/route.ts
View File

@@ -1,18 +1,30 @@
import { NextResponse } from "next/server";
import { authSession } from "@/lib/auth/session-server";
import { query } from "@/lib/db-postgres";
import { requireWorkspacePrincipal } from "@/lib/auth/workspace-auth";
import { query, queryOne } from "@/lib/db-postgres";
const AGENT_RUNNER_URL = process.env.AGENT_RUNNER_URL ?? "http://localhost:3333";
export async function POST(
_req: Request,
req: Request,
{ params }: { params: Promise<{ projectId: string; sessionId: string }> }
) {
try {
const { projectId, sessionId } = await params;
const session = await authSession();
if (!session?.user?.email) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
// Authenticate via Workspace API key (desktop) OR browser session.
// NOTE: this must match the create/get session routes — using browser-only
// auth here caused the desktop's vibn_sk_ key to get a 401, which the
// desktop treated as "session expired" and signed the user out (→ login page).
const principal = await requireWorkspacePrincipal(req);
if (principal instanceof NextResponse) return principal;
const userRow = await queryOne<{ id: string; data: any }>(
`SELECT id, data FROM fs_users WHERE id = $1 LIMIT 1`,
[principal.userId]
);
const email = userRow?.data?.email;
if (!email) {
return NextResponse.json({ error: "User email not found" }, { status: 404 });
}
// Verify ownership
@@ -21,7 +33,7 @@ export async function POST(
JOIN fs_projects p ON p.id::text = s.project_id::text
JOIN fs_users u ON u.id = p.user_id
WHERE s.id = $1::uuid AND s.project_id::text = $2 AND u.data->>'email' = $3 LIMIT 1`,
[sessionId, projectId, session.user.email]
[sessionId, projectId, email]
);
if (rows.length === 0) {