Mark Henderson
0797717bc1
Workspace-owned deploy infra so AI agents can create and destroy
Coolify resources without ever touching the root admin token.
vibn_workspaces
+ coolify_server_uuid, coolify_destination_uuid
+ coolify_environment_name (default "production")
+ coolify_private_key_uuid, gitea_bot_ssh_key_id
ensureWorkspaceProvisioned
+ generates an ed25519 keypair per workspace
+ pushes pubkey to the Gitea bot user (read/write scoped by team)
+ registers privkey in Coolify as a reusable deploy key
New endpoints under /api/workspaces/[slug]/
apps/ POST (private-deploy-key from Gitea repo)
apps/[uuid] PATCH, DELETE?confirm=<name>
apps/[uuid]/domains GET, PATCH (policy: *.{ws}.vibnai.com only)
databases/ GET, POST (8 types incl. postgres, clickhouse, dragonfly)
databases/[uuid] GET, PATCH, DELETE?confirm=<name>
auth/ GET, POST (Pocketbase, Authentik, Keycloak, Pocket-ID, Logto, Supertokens)
auth/[uuid] DELETE?confirm=<name>
MCP (/api/mcp) gains 15 new tools that mirror the REST surface and
enforce the same workspace tenancy + delete-confirm guard.
Safety: destructive ops require ?confirm=<exact-resource-name>; volumes
are kept by default (pass delete_volumes=true to drop).
Made-with: Cursor
175 lines
5.9 KiB
TypeScript
175 lines
5.9 KiB
TypeScript
/**
|
|
* Workspace authentication providers.
|
|
*
|
|
* GET /api/workspaces/[slug]/auth — list auth-provider services
|
|
* POST /api/workspaces/[slug]/auth — provision one of the vetted providers
|
|
*
|
|
* AI-callers can only create providers from an allowlist — we deliberately
|
|
* skip the rest of Coolify's ~300 one-click templates so this endpoint
|
|
* stays focused on "auth for my app". The allowlist:
|
|
*
|
|
* pocketbase — lightweight (SQLite-backed) auth + data
|
|
* authentik — feature-rich self-hosted IDP
|
|
* keycloak — industry-standard OIDC/SAML
|
|
* keycloak-with-postgres
|
|
* pocket-id — passkey-first OIDC
|
|
* pocket-id-with-postgresql
|
|
* logto — dev-first IDP
|
|
* supertokens-with-postgresql — session/auth backend
|
|
*
|
|
* (Zitadel is not on Coolify's service catalog — callers that ask for
|
|
* it get a descriptive 400 so the AI knows to pick a supported one.)
|
|
*
|
|
* POST body:
|
|
* { provider: "pocketbase", name?: "auth" }
|
|
*/
|
|
|
|
import { NextResponse } from 'next/server';
|
|
import { requireWorkspacePrincipal } from '@/lib/auth/workspace-auth';
|
|
import {
|
|
listServicesInProject,
|
|
createService,
|
|
getService,
|
|
projectUuidOf,
|
|
} from '@/lib/coolify';
|
|
import { slugify } from '@/lib/naming';
|
|
|
|
/**
|
|
* Vetted auth-provider service ids. Keys are what callers pass as
|
|
* `provider`; values are the Coolify service-template slugs.
|
|
*/
|
|
const AUTH_PROVIDERS: Record<string, string> = {
|
|
pocketbase: 'pocketbase',
|
|
authentik: 'authentik',
|
|
keycloak: 'keycloak',
|
|
'keycloak-with-postgres': 'keycloak-with-postgres',
|
|
'pocket-id': 'pocket-id',
|
|
'pocket-id-with-postgresql': 'pocket-id-with-postgresql',
|
|
logto: 'logto',
|
|
'supertokens-with-postgresql': 'supertokens-with-postgresql',
|
|
};
|
|
|
|
/** Anything in this set is Coolify-supported but not an auth provider (used for filtering the list view). */
|
|
const AUTH_PROVIDER_SLUGS = new Set(Object.values(AUTH_PROVIDERS));
|
|
|
|
export async function GET(
|
|
request: Request,
|
|
{ params }: { params: Promise<{ slug: string }> }
|
|
) {
|
|
const { slug } = await params;
|
|
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
|
|
if (principal instanceof NextResponse) return principal;
|
|
|
|
const ws = principal.workspace;
|
|
if (!ws.coolify_project_uuid) {
|
|
return NextResponse.json(
|
|
{ error: 'Workspace has no Coolify project yet', providers: [] },
|
|
{ status: 503 }
|
|
);
|
|
}
|
|
|
|
try {
|
|
const all = await listServicesInProject(ws.coolify_project_uuid);
|
|
// Coolify returns all services — we narrow to ones whose name
|
|
// contains an auth-provider slug. We also return the full list so
|
|
// callers can see non-auth services without a separate endpoint.
|
|
return NextResponse.json({
|
|
workspace: { slug: ws.slug, coolifyProjectUuid: ws.coolify_project_uuid },
|
|
providers: all
|
|
.filter(s => AUTH_PROVIDER_SLUGS.has(deriveTypeFromName(s.name)))
|
|
.map(s => ({
|
|
uuid: s.uuid,
|
|
name: s.name,
|
|
status: s.status ?? null,
|
|
provider: deriveTypeFromName(s.name),
|
|
projectUuid: projectUuidOf(s),
|
|
})),
|
|
allowedProviders: Object.keys(AUTH_PROVIDERS),
|
|
});
|
|
} catch (err) {
|
|
return NextResponse.json(
|
|
{ error: 'Coolify request failed', details: err instanceof Error ? err.message : String(err) },
|
|
{ status: 502 }
|
|
);
|
|
}
|
|
}
|
|
|
|
export async function POST(
|
|
request: Request,
|
|
{ params }: { params: Promise<{ slug: string }> }
|
|
) {
|
|
const { slug } = await params;
|
|
const principal = await requireWorkspacePrincipal(request, { targetSlug: slug });
|
|
if (principal instanceof NextResponse) return principal;
|
|
|
|
const ws = principal.workspace;
|
|
if (!ws.coolify_project_uuid) {
|
|
return NextResponse.json({ error: 'Workspace has no Coolify project yet' }, { status: 503 });
|
|
}
|
|
|
|
let body: { provider?: string; name?: string; description?: string; instantDeploy?: boolean } = {};
|
|
try {
|
|
body = await request.json();
|
|
} catch {
|
|
return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
|
|
}
|
|
|
|
const providerKey = (body.provider ?? '').toLowerCase().trim();
|
|
const coolifyType = AUTH_PROVIDERS[providerKey];
|
|
if (!coolifyType) {
|
|
return NextResponse.json(
|
|
{
|
|
error: `Unsupported provider "${providerKey}". Allowed: ${Object.keys(AUTH_PROVIDERS).join(', ')}`,
|
|
hint: 'Zitadel is not on Coolify v4 service catalog — use keycloak or authentik instead.',
|
|
},
|
|
{ status: 400 }
|
|
);
|
|
}
|
|
|
|
const name = slugify(body.name ?? providerKey);
|
|
|
|
try {
|
|
const created = await createService({
|
|
projectUuid: ws.coolify_project_uuid,
|
|
type: coolifyType,
|
|
name,
|
|
description: body.description ?? `AI-provisioned ${providerKey} for ${ws.slug}`,
|
|
serverUuid: ws.coolify_server_uuid ?? undefined,
|
|
environmentName: ws.coolify_environment_name,
|
|
destinationUuid: ws.coolify_destination_uuid ?? undefined,
|
|
instantDeploy: body.instantDeploy ?? true,
|
|
});
|
|
|
|
const svc = await getService(created.uuid);
|
|
return NextResponse.json(
|
|
{
|
|
uuid: svc.uuid,
|
|
name: svc.name,
|
|
provider: providerKey,
|
|
status: svc.status ?? null,
|
|
},
|
|
{ status: 201 }
|
|
);
|
|
} catch (err) {
|
|
return NextResponse.json(
|
|
{ error: 'Coolify create failed', details: err instanceof Error ? err.message : String(err) },
|
|
{ status: 502 }
|
|
);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Coolify names services "{type}-{random-suffix}" when auto-named. We
|
|
* recover the provider slug by stripping the trailing `-\w+` if any
|
|
* and matching against our allowlist. Falls back to empty string.
|
|
*/
|
|
function deriveTypeFromName(name: string): string {
|
|
const candidates = Object.values(AUTH_PROVIDERS).sort((a, b) => b.length - a.length);
|
|
for (const slug of candidates) {
|
|
if (name === slug || name.startsWith(`${slug}-`) || name.startsWith(`${slug}_`)) {
|
|
return slug;
|
|
}
|
|
}
|
|
return '';
|
|
}
|