mark/vibn-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
651ddf1e11ad83a805b1fe44ca44319f85139a16
vibn-frontend/lib/auth/workspace-auth.ts
Mark Henderson 651ddf1e11 Rip out Theia, ship P5.1 attach E2E + Justine UI work-in-progress 
Theia rip-out:
- Delete app/api/theia-auth/route.ts (Traefik ForwardAuth shim)
- Delete app/api/projects/[projectId]/workspace/route.ts and
  app/api/projects/prewarm/route.ts (Cloud Run Theia provisioning)
- Delete lib/cloud-run-workspace.ts and lib/coolify-workspace.ts
- Strip provisionTheiaWorkspace + theiaWorkspaceUrl/theiaAppUuid/
  theiaError from app/api/projects/create/route.ts response
- Remove Theia callbackUrl branch in app/auth/page.tsx
- Drop "Open in Theia" button + xterm/Theia PTY copy in build/page.tsx
- Drop theiaWorkspaceUrl from deployment/page.tsx Project type
- Strip Theia IDE line + theia-code-os from advisor + agent-chat
  context strings
- Scrub Theia mention from lib/auth/workspace-auth.ts comment

P5.1 (custom apex domains + DNS):
- lib/coolify.ts + lib/opensrs.ts: nameserver normalization, OpenSRS
  XML auth, Cloud DNS plumbing
- scripts/smoke-attach-e2e.ts: full prod GCP + sandbox OpenSRS +
  prod Coolify smoke covering register/zone/A/NS/PATCH/cleanup

In-progress (Justine onboarding/build, MVP setup, agent telemetry):
- New (justine)/stories, project (home) layouts, mvp-setup, run, tasks
  routes + supporting components
- Project shell + sidebar + nav refactor for the Stackless palette
- Agent session API hardening (sessions, events, stream, approve,
  retry, stop) + atlas-chat, advisor, design-surfaces refresh
- New scripts/sync-db-url-from-coolify.mjs +
  scripts/prisma-db-push.mjs + docker-compose.local-db.yml for
  local Prisma workflows
- lib/dev-bypass.ts, lib/chat-context-refs.ts, lib/prd-sections.ts
- Misc: stories CSS, debug/prisma route, modal-theme, BuildLivePlanPanel

Made-with: Cursor
2026-04-22 18:05:01 -07:00

248 lines
7.3 KiB
TypeScript
Raw Blame History

/**
* Workspace-scoped auth.
*
* Two principal types are accepted on `/api/...` routes:
* 1. NextAuth session (browser users) — `authSession()`
* 2. Per-workspace bearer API key (`Authorization: Bearer vibn_sk_...`)
*
* Either way we resolve a `WorkspacePrincipal` that is scoped to one
* workspace. Routes that touch Coolify/Gitea must call
* `requireWorkspacePrincipal()` and use `principal.workspace` to fetch
* the right Coolify Project / Gitea org.
*/
import { createHash, randomBytes } from 'crypto';
import { NextResponse } from 'next/server';
import { authSession } from '@/lib/auth/session-server';
import { query, queryOne } from '@/lib/db-postgres';
import {
type VibnWorkspace,
getWorkspaceById,
getWorkspaceBySlug,
getWorkspaceByOwner,
userHasWorkspaceAccess,
} from '@/lib/workspaces';
const KEY_PREFIX = 'vibn_sk_';
const KEY_RANDOM_BYTES = 32; // 256-bit secret
export interface WorkspacePrincipal {
/** "session" = browser user; "api_key" = automated/AI client */
source: 'session' | 'api_key';
workspace: VibnWorkspace;
/** fs_users.id of the human ultimately responsible for this request */
userId: string;
/** When source = "api_key", which key id was used */
apiKeyId?: string;
}
/**
* Resolve the workspace principal from either a NextAuth session or a
* `Bearer vibn_sk_...` token. Optional `targetSlug` enforces that the
* principal is for the requested workspace.
*
* Returns:
* - principal on success
* - NextResponse on failure (401 / 403) — return it directly from the route
*/
export async function requireWorkspacePrincipal(
request: Request,
opts: { targetSlug?: string; targetId?: string } = {},
): Promise<WorkspacePrincipal | NextResponse> {
const apiKey = extractApiKey(request);
if (apiKey) {
const principal = await resolveApiKey(apiKey);
if (!principal) {
return NextResponse.json({ error: 'Invalid or revoked API key' }, { status: 401 });
}
if (!matchesTarget(principal.workspace, opts)) {
return NextResponse.json({ error: 'API key not authorized for this workspace' }, { status: 403 });
}
return principal;
}
// Fall through to NextAuth session
const session = await authSession();
if (!session?.user?.email) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
const userRow = await queryOne<{ id: string }>(
`SELECT id FROM fs_users WHERE data->>'email' = $1 LIMIT 1`,
[session.user.email]
);
if (!userRow) {
return NextResponse.json({ error: 'No fs_users row for session' }, { status: 401 });
}
let workspace: VibnWorkspace | null = null;
if (opts.targetSlug) workspace = await getWorkspaceBySlug(opts.targetSlug);
else if (opts.targetId) workspace = await getWorkspaceById(opts.targetId);
else workspace = await getWorkspaceByOwner(userRow.id);
if (!workspace) {
return NextResponse.json({ error: 'Workspace not found' }, { status: 404 });
}
const ok = await userHasWorkspaceAccess(userRow.id, workspace.id);
if (!ok) {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
}
return { source: 'session', workspace, userId: userRow.id };
}
function matchesTarget(
workspace: VibnWorkspace,
opts: { targetSlug?: string; targetId?: string }
): boolean {
if (opts.targetSlug && workspace.slug !== opts.targetSlug) return false;
if (opts.targetId && workspace.id !== opts.targetId) return false;
return true;
}
function extractApiKey(request: Request): string | null {
const auth = request.headers.get('authorization');
if (!auth) return null;
const m = /^Bearer\s+(.+)$/i.exec(auth.trim());
if (!m) return null;
const token = m[1].trim();
if (!token.startsWith(KEY_PREFIX)) return null;
return token;
}
async function resolveApiKey(token: string): Promise<WorkspacePrincipal | null> {
const hash = hashKey(token);
const row = await queryOne<{
id: string;
workspace_id: string;
created_by: string;
revoked_at: Date | null;
}>(
`SELECT id, workspace_id, created_by, revoked_at
FROM vibn_workspace_api_keys
WHERE key_hash = $1
LIMIT 1`,
[hash]
);
if (!row || row.revoked_at) return null;
const workspace = await getWorkspaceById(row.workspace_id);
if (!workspace) return null;
// Touch last_used_at without blocking
void query(
`UPDATE vibn_workspace_api_keys SET last_used_at = now() WHERE id = $1`,
[row.id]
).catch(() => undefined);
return {
source: 'api_key',
workspace,
userId: row.created_by,
apiKeyId: row.id,
};
}
// ──────────────────────────────────────────────────
// Key minting + hashing
// ──────────────────────────────────────────────────
export interface MintedApiKey {
id: string;
/** Full plaintext key — shown once at creation, never stored. */
token: string;
prefix: string;
workspace_id: string;
name: string;
created_at: Date;
}
export async function mintWorkspaceApiKey(opts: {
workspaceId: string;
name: string;
createdBy: string;
scopes?: string[];
}): Promise<MintedApiKey> {
const random = randomBytes(KEY_RANDOM_BYTES).toString('base64url');
const token = `${KEY_PREFIX}${random}`;
const hash = hashKey(token);
const prefix = token.slice(0, 12); // e.g. "vibn_sk_AbCd"
const inserted = await query<{ id: string; created_at: Date }>(
`INSERT INTO vibn_workspace_api_keys
(workspace_id, name, key_prefix, key_hash, scopes, created_by)
VALUES ($1, $2, $3, $4, $5::jsonb, $6)
RETURNING id, created_at`,
[
opts.workspaceId,
opts.name,
prefix,
hash,
JSON.stringify(opts.scopes ?? ['workspace:*']),
opts.createdBy,
]
);
return {
id: inserted[0].id,
token,
prefix,
workspace_id: opts.workspaceId,
name: opts.name,
created_at: inserted[0].created_at,
};
}
export async function listWorkspaceApiKeys(workspaceId: string): Promise<Array<{
id: string;
name: string;
prefix: string;
scopes: string[];
created_by: string;
last_used_at: Date | null;
revoked_at: Date | null;
created_at: Date;
}>> {
const rows = await query<{
id: string;
name: string;
key_prefix: string;
scopes: string[];
created_by: string;
last_used_at: Date | null;
revoked_at: Date | null;
created_at: Date;
}>(
`SELECT id, name, key_prefix, scopes, created_by, last_used_at, revoked_at, created_at
FROM vibn_workspace_api_keys
WHERE workspace_id = $1
ORDER BY created_at DESC`,
[workspaceId]
);
return rows.map(r => ({
id: r.id,
name: r.name,
prefix: r.key_prefix,
scopes: r.scopes,
created_by: r.created_by,
last_used_at: r.last_used_at,
revoked_at: r.revoked_at,
created_at: r.created_at,
}));
}
export async function revokeWorkspaceApiKey(workspaceId: string, keyId: string): Promise<boolean> {
const updated = await query<{ id: string }>(
`UPDATE vibn_workspace_api_keys
SET revoked_at = now()
WHERE id = $1 AND workspace_id = $2 AND revoked_at IS NULL
RETURNING id`,
[keyId, workspaceId]
);
return updated.length > 0;
}
function hashKey(token: string): string {
return createHash('sha256').update(token).digest('hex');
}
Reference in New Issue View Git Blame Copy Permalink