Two issues:
1. ForwardAuth redirect used x-forwarded-host which Traefik sets to
vibnai.com (the auth service host), not theia.vibnai.com. Now
hardcodes THEIA_URL as the callbackUrl destination.
2. /auth page ignored callbackUrl and always sent users to
/marks-account/projects. Now follows callbackUrl when it points
to theia.vibnai.com, so users land in the IDE after login.
Co-authored-by: Cursor <cursoragent@cursor.com>
Firebase is not configured - auth was undefined causing the error
'Cannot read properties of undefined (reading signOut)'.
Use next-auth/react signOut with callbackUrl to redirect to /auth.
Co-authored-by: Cursor <cursoragent@cursor.com>
Without domain: .vibnai.com the cookie is scoped to vibnai.com only.
Browsers don't send it to theia.vibnai.com, so ForwardAuth sees no
token and redirects to login even when the user is already logged in.
Co-authored-by: Cursor <cursoragent@cursor.com>
db-postgres.ts query() returns T[] directly, not a QueryResult object.
result.rows was undefined, causing the session lookup to always
return null and redirect to login even with a valid session token.
Co-authored-by: Cursor <cursoragent@cursor.com>
Prisma maps sessionToken → session_token and userId → user_id
in the PostgreSQL sessions table. The forwardAuth query was using
the wrong camelCase column names.
Co-authored-by: Cursor <cursoragent@cursor.com>
Coolify writes a .env file into the build context directory which
gets COPY'd into the builder container. Next.js then loads these
env vars (including DATABASE_URL, GITEA_API_TOKEN etc.) during
the build, causing some routes that reference those vars to fail
static analysis and be silently dropped from the build output.
Exclude all .env* files from the Docker build context so the
Next.js build runs with only the vars explicitly passed as build
args or set in the Dockerfile.
Co-authored-by: Cursor <cursoragent@cursor.com>
Avoid importing authOptions/PrismaClient in the forwardAuth endpoint.
Under --network host (Coolify's build flag), routes that import Prisma
at module evaluation time are silently dropped from the build output.
Instead, read the NextAuth session-token cookie directly and verify
it with a raw SQL query against the sessions table - the same pattern
used by other working API routes via @/lib/db-postgres.
Co-authored-by: Cursor <cursoragent@cursor.com>
next-auth/jwt subpath import causes Next.js to silently drop the
route from the standalone build output. Switch to getServerSession
which is used by all other working API routes.
Co-authored-by: Cursor <cursoragent@cursor.com>
NextAuth catches all /api/auth/* routes via [...nextauth] catch-all.
Move the Traefik forwardAuth endpoint to /api/theia-auth to avoid
the conflict. Traefik dynamic config updated to match.
Co-authored-by: Cursor <cursoragent@cursor.com>
POST /api/auth/theia-check validates the NextAuth session cookie
forwarded by Traefik. Returns 200 for authenticated users with
X-Auth-User/Email/Name headers, or 302 redirect to /auth for
unauthenticated requests — preserving the original Theia URL as
callbackUrl so users land back in the IDE after login.
Co-authored-by: Cursor <cursoragent@cursor.com>
- project layout.tsx: replace Firebase Admin SDK with direct Postgres
query to resolve project name; removes firebase/admin dependency
- overview page: full rewrite — fetches from /api/projects/:id, shows
Gitea repo + last commit, branch, clone URLs; deployment status badge;
open PRs and issues from contextSnapshot; recent commits list;
resources section; Open IDE button; context freshness timestamp
- projects list page: cards now show Gitea repo + last commit inline,
deploy status dot, IDE quick-link; updated empty state copy to reflect
auto-provisioning; removed Firebase imports
Co-authored-by: Cursor <cursoragent@cursor.com>
Add Prisma support to Docker build:
- Run 'prisma generate' during Docker build
- Copy Prisma client and schema to production image
- Remove 'prisma db push' from build script (runs at startup)
- Enable Next.js standalone output mode
- Add db-setup.sh script for runtime migrations
This fixes the deployment failure where Prisma wasn't available.
Co-authored-by: Cursor <cursoragent@cursor.com>
BREAKING CHANGE: Replace SuperTokens with NextAuth.js
Why:
- SuperTokens had persistent Traefik routing issues
- SSL certificate not issuing correctly
- Complex infrastructure (separate container)
- NextAuth runs in Next.js app (simpler, no separate service)
Changes:
- Install next-auth, @auth/prisma-adapter, prisma
- Create NextAuth API route: app/api/auth/[...nextauth]/route.ts
- Add Prisma schema for NextAuth tables (users, sessions, accounts)
- Update auth page to use NextAuth signIn()
- Remove all SuperTokens code and dependencies
- Keep same Google OAuth (just simpler integration)
Benefits:
- No separate auth service needed
- No Traefik routing issues
- Sessions stored in Montreal PostgreSQL
- Simpler configuration
- Battle-tested, widely used
All authentication data stays in Montreal!
Co-authored-by: Cursor <cursoragent@cursor.com>
- SuperTokens requires redirectURIOnProviderDashboard param
- Construct it from NEXT_PUBLIC_APP_URL or window.location.origin
- Properly encode the redirect URI in the query string
- Fixes 400 error: 'Please provide the redirectURIOnProviderDashboard'
Co-authored-by: Cursor <cursoragent@cursor.com>
- Delete app/page.tsx to let app/(marketing)/page.tsx be the root
- Full marketing page has Hero, Features, Pricing, etc.
- Much better for vibnai.com root domain
Co-authored-by: Cursor <cursoragent@cursor.com>
- Remove session check from home page (landing page doesn't need it)
- Add delayed session check in auth page to redirect logged-in users
- Handle SuperTokens not being initialized yet with proper error handling
Co-authored-by: Cursor <cursoragent@cursor.com>
