Mark Henderson
acb63a2a5a
Adds logical multi-tenancy on top of Coolify + Gitea so every Vibn
account gets its own isolated tenant boundary, and exposes that
boundary to AI agents (Cursor, Claude Code, scripts) through
per-workspace bearer tokens.
Schema (additive, idempotent — run /api/admin/migrate once after deploy)
- vibn_workspaces: slug, name, owner, coolify_project_uuid,
coolify_team_id (reserved for when Coolify ships POST /teams),
gitea_org, provision_status
- vibn_workspace_members: room for multi-user workspaces later
- vibn_workspace_api_keys: sha256-hashed bearer tokens
- fs_projects.vibn_workspace_id: nullable FK linking projects
to their workspace
Provisioning
- On first sign-in, ensureWorkspaceForUser() inserts the row
(no network calls — keeps signin fast).
- On first project create, ensureWorkspaceProvisioned() lazily
creates a Coolify Project (vibn-ws-{slug}) and a Gitea org
(vibn-{slug}). Failures are recorded on the row, not thrown,
and POST /api/workspaces/{slug}/provision retries.
Auth surface
- lib/auth/workspace-auth.ts: requireWorkspacePrincipal() accepts
either a NextAuth session or "Authorization: Bearer vibn_sk_...".
The bearer key is hard-pinned to one workspace — it cannot
reach any other tenant.
- mintWorkspaceApiKey / listWorkspaceApiKeys / revokeWorkspaceApiKey
Routes
- GET /api/workspaces list
- GET /api/workspaces/[slug] details
- POST /api/workspaces/[slug]/provision retry provisioning
- GET /api/workspaces/[slug]/keys list keys
- POST /api/workspaces/[slug]/keys mint key (token shown once)
- DELETE /api/workspaces/[slug]/keys/[keyId] revoke
UI
- components/workspace/WorkspaceKeysPanel.tsx: identity card,
keys CRUD with one-time secret reveal, and a "Connect Cursor"
block with copy/download for:
.cursor/rules/vibn-workspace.mdc — rule telling the agent
about the API + workspace IDs + house rules
~/.cursor/mcp.json — MCP server registration with key
embedded (server URL is /api/mcp; HTTP MCP route lands next)
.env.local — VIBN_API_KEY + smoke-test curl
- Slotted into existing /[workspace]/settings between Workspace
and Notifications cards (no other layout changes).
projects/create
- Resolves the user's workspace (creating + provisioning lazily).
- Repos go under workspace.gitea_org (falls back to GITEA_ADMIN_USER
for backwards compat).
- Coolify services are created inside workspace.coolify_project_uuid
(renamed {slug}-{appName} to stay unique within the namespace) —
no more per-Vibn-project Coolify Project sprawl.
- Stamps vibn_workspace_id on fs_projects.
lib/gitea
- createOrg, getOrg, addOrgOwner, getUser
- createRepo now routes /orgs/{owner}/repos when owner != admin
Also includes prior-turn auth hardening that was already in
authOptions.ts (CredentialsProvider for dev-local, isLocalNextAuth
cookie config) bundled in to keep the auth layer in one consistent
state.
.env.example
- Documents GITEA_API_URL / GITEA_API_TOKEN / GITEA_ADMIN_USER /
GITEA_WEBHOOK_SECRET and COOLIFY_URL / COOLIFY_API_TOKEN /
COOLIFY_SERVER_UUID, with the canonical hostnames
(git.vibnai.com, coolify.vibnai.com).
Post-deploy
- Run once: curl -X POST https://vibnai.com/api/admin/migrate \\
-H "x-admin-secret: \$ADMIN_MIGRATE_SECRET"
- Existing users get a workspace row on next sign-in.
- Existing fs_projects keep working (legacy gitea owner + their
own per-project Coolify Projects); new projects use the
workspace-scoped path.
Not in this commit (follow-ups)
- Wiring requireWorkspacePrincipal into the rest of /api/projects/*
so API keys can drive existing routes
- HTTP MCP server at /api/mcp (the mcp.json snippet already
points at the right URL — no client re-setup when it lands)
- Backfill script to assign legacy fs_projects to a workspace
Made-with: Cursor
170 lines
5.4 KiB
TypeScript
170 lines
5.4 KiB
TypeScript
import { NextAuthOptions } from "next-auth";
|
|
import CredentialsProvider from "next-auth/providers/credentials";
|
|
import GoogleProvider from "next-auth/providers/google";
|
|
import { PrismaAdapter } from "@next-auth/prisma-adapter";
|
|
import { PrismaClient } from "@prisma/client";
|
|
import { query } from "@/lib/db-postgres";
|
|
import { ensureWorkspaceForUser } from "@/lib/workspaces";
|
|
|
|
const prisma = new PrismaClient();
|
|
|
|
const nextAuthUrl = (process.env.NEXTAUTH_URL ?? "").trim();
|
|
const isLocalNextAuth =
|
|
nextAuthUrl.startsWith("http://localhost") ||
|
|
nextAuthUrl.startsWith("http://127.0.0.1") ||
|
|
(process.env.NODE_ENV === "development" && !nextAuthUrl);
|
|
|
|
/** Set in .env.local (server + client): one email for local dev bypass. */
|
|
const devLocalEmail = (process.env.NEXT_PUBLIC_DEV_LOCAL_AUTH_EMAIL ?? "").trim();
|
|
const devLocalSecret = (process.env.DEV_LOCAL_AUTH_SECRET ?? "").trim();
|
|
const devLocalAuthEnabled =
|
|
process.env.NODE_ENV === "development" && devLocalEmail.length > 0;
|
|
|
|
function isLocalhostHost(host: string): boolean {
|
|
const h = host.split(":")[0]?.toLowerCase() ?? "";
|
|
return (
|
|
h === "localhost" ||
|
|
h === "127.0.0.1" ||
|
|
h === "[::1]" ||
|
|
h === "::1"
|
|
);
|
|
}
|
|
|
|
export const authOptions: NextAuthOptions = {
|
|
debug: process.env.NODE_ENV === "development",
|
|
adapter: PrismaAdapter(prisma),
|
|
providers: [
|
|
...(devLocalAuthEnabled
|
|
? [
|
|
CredentialsProvider({
|
|
id: "dev-local",
|
|
name: "Local dev",
|
|
credentials: {
|
|
password: { label: "Dev secret", type: "password" },
|
|
},
|
|
async authorize(credentials, req) {
|
|
const headers = (req as { headers?: Headers } | undefined)?.headers;
|
|
const host =
|
|
headers && typeof headers.get === "function"
|
|
? (headers.get("host") ?? "")
|
|
: "";
|
|
|
|
if (devLocalSecret) {
|
|
if ((credentials?.password ?? "") !== devLocalSecret) {
|
|
return null;
|
|
}
|
|
} else if (!isLocalhostHost(host)) {
|
|
return null;
|
|
}
|
|
|
|
const name =
|
|
(process.env.DEV_LOCAL_AUTH_NAME ?? "").trim() || "Local dev";
|
|
|
|
const user = await prisma.user.upsert({
|
|
where: { email: devLocalEmail },
|
|
create: {
|
|
email: devLocalEmail,
|
|
name,
|
|
emailVerified: new Date(),
|
|
},
|
|
update: { name },
|
|
});
|
|
|
|
return {
|
|
id: user.id,
|
|
email: user.email,
|
|
name: user.name,
|
|
image: user.image,
|
|
};
|
|
},
|
|
}),
|
|
]
|
|
: []),
|
|
GoogleProvider({
|
|
clientId: process.env.GOOGLE_CLIENT_ID || "",
|
|
clientSecret: process.env.GOOGLE_CLIENT_SECRET || "",
|
|
}),
|
|
],
|
|
pages: {
|
|
signIn: "/auth",
|
|
error: "/auth",
|
|
},
|
|
callbacks: {
|
|
async session({ session, user }) {
|
|
if (session.user && "id" in user && user.id) {
|
|
(session.user as { id: string }).id = user.id;
|
|
}
|
|
return session;
|
|
},
|
|
async signIn({ user }) {
|
|
if (!user?.email) return true;
|
|
try {
|
|
const workspace =
|
|
user.email.split("@")[0].toLowerCase().replace(/[^a-z0-9]+/g, "-") + "-account";
|
|
const data = JSON.stringify({
|
|
email: user.email,
|
|
name: user.name,
|
|
image: user.image,
|
|
workspace,
|
|
});
|
|
|
|
// Two-step upsert avoids relying on ON CONFLICT expression matching
|
|
const existing = await query<{ id: string }>(
|
|
`SELECT id FROM fs_users WHERE data->>'email' = $1 LIMIT 1`,
|
|
[user.email]
|
|
);
|
|
let fsUserId: string;
|
|
if (existing.length === 0) {
|
|
const inserted = await query<{ id: string }>(
|
|
`INSERT INTO fs_users (id, user_id, data)
|
|
VALUES (gen_random_uuid()::text, $1, $2::jsonb)
|
|
RETURNING id`,
|
|
[user.id, data]
|
|
);
|
|
fsUserId = inserted[0].id;
|
|
} else {
|
|
await query(
|
|
`UPDATE fs_users SET user_id = $1, data = data || $2::jsonb, updated_at = NOW() WHERE id = $3`,
|
|
[user.id, data, existing[0].id]
|
|
);
|
|
fsUserId = existing[0].id;
|
|
}
|
|
|
|
// Ensure a Vibn workspace exists for this user. We DO NOT
|
|
// provision Coolify/Gitea here — that happens lazily on first
|
|
// project create so signin stays fast and resilient to outages.
|
|
try {
|
|
await ensureWorkspaceForUser({
|
|
userId: fsUserId,
|
|
email: user.email,
|
|
displayName: user.name ?? null,
|
|
});
|
|
} catch (wsErr) {
|
|
console.error("[signIn] Failed to ensure workspace:", wsErr);
|
|
}
|
|
} catch (e) {
|
|
console.error("[signIn] Failed to upsert fs_user:", e);
|
|
}
|
|
return true;
|
|
},
|
|
},
|
|
session: {
|
|
strategy: "database",
|
|
maxAge: 30 * 24 * 60 * 60, // 30 days
|
|
},
|
|
secret: process.env.NEXTAUTH_SECRET,
|
|
cookies: {
|
|
sessionToken: {
|
|
// __Secure- prefix requires Secure; localhost HTTP needs plain name + secure: false
|
|
name: isLocalNextAuth ? "next-auth.session-token" : "__Secure-next-auth.session-token",
|
|
options: {
|
|
httpOnly: true,
|
|
sameSite: "lax",
|
|
path: "/",
|
|
secure: !isLocalNextAuth,
|
|
...(isLocalNextAuth ? {} : { domain: ".vibnai.com" }),
|
|
},
|
|
},
|
|
},
|
|
};
|