Working version 6.2

2026-04-10 14:44:03 +02:00
parent d526c1ff4a
commit f20d5f09ae
28 changed files with 1231 additions and 1554 deletions
--- a/src/app/api/tenants/[name]/route.ts
+++ b/src/app/api/tenants/[name]/route.ts
@@ -1,35 +1,25 @@
 import { NextRequest, NextResponse } from "next/server";
-import { auth } from "@/lib/auth";
+import { getSessionUser } from "@/lib/session";
 import { getTenant, patchTenantSpec } from "@/lib/k8s";

-function isPlatformRole(roles: string[]): boolean {
-  return roles.some((r) =>
-    ["platform_admin", "platform_operator"].includes(r)
-  );
-}
-
 export async function GET(
  _req: NextRequest,
  { params }: { params: Promise<{ name: string }> }
 ) {
-  const session = await auth();
-  if (!session?.user) {
+  const user = await getSessionUser();
+  if (!user)
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  }

  const { name } = await params;
-  const { orgId, roles } = session.user as any;

  try {
    const tenant = await getTenant(name);
-    if (!tenant) {
+    if (!tenant)
      return NextResponse.json({ error: "Not found" }, { status: 404 });
-    }

-    // Scope check: non-platform users can only see their own org's tenants
    if (
-      !isPlatformRole(roles || []) &&
-      tenant.metadata?.labels?.["zitadel-org-id"] !== orgId
+      !user.isPlatform &&
+      tenant.metadata.labels?.["pieced.ch/zitadel-org-id"] !== user.orgId
    ) {
      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
    }
@@ -37,7 +27,7 @@ export async function GET(
    return NextResponse.json(tenant);
  } catch (e: any) {
    return NextResponse.json(
-      { error: "K8s API error", detail: e.message },
+      { error: e.message },
      { status: e.statusCode || 500 }
    );
  }
@@ -47,35 +37,29 @@ export async function PATCH(
  req: NextRequest,
  { params }: { params: Promise<{ name: string }> }
 ) {
-  const session = await auth();
-  if (!session?.user) {
+  const user = await getSessionUser();
+  if (!user)
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  }

-  const { name } = await params;
-  const { orgId, roles } = session.user as any;
-  const body = await req.json();
-  const userRoles = roles || [];
-
-  // Only owner or platform roles can patch
-  if (!isPlatformRole(userRoles) && !userRoles.includes("owner")) {
+  if (!user.isPlatform && !user.roles.includes("owner")) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }

+  const { name } = await params;
+  const body = await req.json();
+
  try {
-    // Ownership check
    const existing = await getTenant(name);
-    if (!existing) {
+    if (!existing)
      return NextResponse.json({ error: "Not found" }, { status: 404 });
-    }
+
    if (
-      !isPlatformRole(userRoles) &&
-      existing.metadata?.labels?.["zitadel-org-id"] !== orgId
+      !user.isPlatform &&
+      existing.metadata.labels?.["pieced.ch/zitadel-org-id"] !== user.orgId
    ) {
      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
    }

-    // Build partial spec — only allow specific fields
    const specPatch: Record<string, any> = {};
    if (body.packages !== undefined) specPatch.packages = body.packages;
    if (body.workspaceFiles !== undefined)
@@ -88,7 +72,7 @@ export async function PATCH(
    return NextResponse.json(updated);
  } catch (e: any) {
    return NextResponse.json(
-      { error: "Patch failed", detail: e.message },
+      { error: e.message },
      { status: e.statusCode || 500 }
    );
  }
--- a/src/app/api/tenants/[name]/secrets/route.ts
+++ b/src/app/api/tenants/[name]/secrets/route.ts
@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
-import { auth } from "@/lib/auth";
+import { getSessionUser } from "@/lib/session";
 import { getTenant } from "@/lib/k8s";
 import { writePackageSecrets } from "@/lib/openbao";
 import { getPackageDef } from "@/lib/packages";
@@ -8,23 +8,15 @@ export async function POST(
  req: NextRequest,
  { params }: { params: Promise<{ name: string }> }
 ) {
-  const session = await auth();
-  if (!session?.user) {
+  const user = await getSessionUser();
+  if (!user)
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  }

-  const { name } = await params;
-  const { orgId, roles } = session.user as any;
-  const userRoles = roles || [];
-
-  const isPlatform = userRoles.some((r: string) =>
-    ["platform_admin", "platform_operator"].includes(r)
-  );
-
-  if (!isPlatform && !userRoles.includes("owner")) {
+  if (!user.isPlatform && !user.roles.includes("owner")) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }

+  const { name } = await params;
  const body = await req.json();
  const { packageId, secrets } = body as {
    packageId: string;
@@ -38,63 +30,43 @@ export async function POST(
    );
  }

-  // Validate package exists and requires secrets
  const pkgDef = getPackageDef(packageId);
-  if (!pkgDef) {
-    return NextResponse.json(
-      { error: "Unknown package" },
-      { status: 400 }
-    );
-  }
-  if (!pkgDef.requiresSecrets) {
+  if (!pkgDef)
+    return NextResponse.json({ error: "Unknown package" }, { status: 400 });
+  if (!pkgDef.requiresSecrets)
    return NextResponse.json(
      { error: "Package does not require secrets" },
      { status: 400 }
    );
-  }

-  // Verify all required secret keys are present
  const requiredKeys = (pkgDef.secrets || []).map((s) => s.key);
-  const missingKeys = requiredKeys.filter((k) => !secrets[k]?.trim());
-  if (missingKeys.length > 0) {
+  const missing = requiredKeys.filter((k) => !secrets[k]?.trim());
+  if (missing.length > 0) {
    return NextResponse.json(
-      { error: `Missing required secrets: ${missingKeys.join(", ")}` },
+      { error: `Missing: ${missing.join(", ")}` },
      { status: 400 }
    );
  }

-  // Verify tenant ownership
  try {
    const tenant = await getTenant(name);
-    if (!tenant) {
-      return NextResponse.json(
-        { error: "Tenant not found" },
-        { status: 404 }
-      );
-    }
+    if (!tenant)
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+
    if (
-      !isPlatform &&
-      tenant.metadata?.labels?.["zitadel-org-id"] !== orgId
+      !user.isPlatform &&
+      tenant.metadata.labels?.["pieced.ch/zitadel-org-id"] !== user.orgId
    ) {
      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
    }
-  } catch (e: any) {
-    return NextResponse.json(
-      { error: "Tenant lookup failed" },
-      { status: e.statusCode || 500 }
-    );
-  }

-  // Write to OpenBao
-  try {
    await writePackageSecrets(name, packageId, secrets);
-  } catch (err: any) {
-    console.error("OpenBao write error:", err.message);
+    return NextResponse.json({ ok: true });
+  } catch (e: any) {
+    console.error("Secret write error:", e.message);
    return NextResponse.json(
      { error: "Failed to store secrets" },
      { status: 500 }
    );
  }
-
-  return NextResponse.json({ ok: true });
 }