vibn-frontend/app/api/theia-auth/route.ts

/**
 * GET /api/theia-auth
 *
 * Traefik ForwardAuth endpoint for theia.vibnai.com.
 *
 * Traefik calls this URL for every request to the Theia IDE, forwarding
 * the user's Cookie header via authRequestHeaders. We validate the
 * NextAuth database session (strategy: "database") by looking up the
 * session token directly in Postgres — avoiding Prisma / authOptions
 * imports that cause build-time issues under --network host.
 *
 * Returns:
 *   200  — valid session, Traefik lets the request through
 *   302  — no/expired session, redirect browser to Vibn login
 */

import { NextRequest, NextResponse } from 'next/server';
import { query } from '@/lib/db-postgres';

export const dynamic = 'force-dynamic';

const APP_URL = process.env.NEXTAUTH_URL ?? 'https://vibnai.com';
const THEIA_URL = 'https://theia.vibnai.com';

// NextAuth v4 uses these cookie names for database sessions
const SESSION_COOKIE_NAMES = [
  '__Secure-next-auth.session-token', // HTTPS (production)
  'next-auth.session-token',          // HTTP fallback
];

export async function GET(request: NextRequest) {
  // Extract session token from cookies
  let sessionToken: string | null = null;
  for (const name of SESSION_COOKIE_NAMES) {
    const val = request.cookies.get(name)?.value;
    if (val) { sessionToken = val; break; }
  }

  if (!sessionToken) {
    return redirectToLogin(request);
  }

  // Look up session in Postgres (NextAuth stores sessions in the "sessions" table)
  let userEmail: string | null = null;
  let userName: string | null = null;

  try {
    const result = await query<{ email: string; name: string }>(
      `SELECT u.email, u.name
         FROM sessions s
         JOIN users u ON u.id = s."userId"
        WHERE s."sessionToken" = $1
          AND s.expires > NOW()
        LIMIT 1`,
      [sessionToken],
    );
    if (result.rows.length > 0) {
      userEmail = result.rows[0].email;
      userName = result.rows[0].name;
    }
  } catch {
    // DB error → treat as unauthenticated
    return redirectToLogin(request);
  }

  if (!userEmail) {
    return redirectToLogin(request);
  }

  // Session valid — pass user identity to Theia via response headers
  return new NextResponse(null, {
    status: 200,
    headers: {
      'X-Auth-Email': userEmail,
      'X-Auth-Name': userName ?? '',
    },
  });
}

function redirectToLogin(request: NextRequest): NextResponse {
  const forwardedHost = request.headers.get('x-forwarded-host');
  const forwardedProto = request.headers.get('x-forwarded-proto') ?? 'https';
  const forwardedUri = request.headers.get('x-forwarded-uri') ?? '/';

  const destination = forwardedHost
    ? `${forwardedProto}://${forwardedHost}${forwardedUri}`
    : THEIA_URL;

  const loginUrl = `${APP_URL}/auth?callbackUrl=${encodeURIComponent(destination)}`;
  return NextResponse.redirect(loginUrl, { status: 302 });
}