Working version 6.2

2026-04-10 14:44:03 +02:00
parent d526c1ff4a
commit f20d5f09ae
28 changed files with 1231 additions and 1554 deletions
--- a/src/app/api/tenants/[name]/route.ts
+++ b/src/app/api/tenants/[name]/route.ts
@@ -1,35 +1,25 @@
 import { NextRequest, NextResponse } from "next/server";
-import { auth } from "@/lib/auth";
+import { getSessionUser } from "@/lib/session";
 import { getTenant, patchTenantSpec } from "@/lib/k8s";

-function isPlatformRole(roles: string[]): boolean {
-  return roles.some((r) =>
-    ["platform_admin", "platform_operator"].includes(r)
-  );
-}
-
 export async function GET(
  _req: NextRequest,
  { params }: { params: Promise<{ name: string }> }
 ) {
-  const session = await auth();
-  if (!session?.user) {
+  const user = await getSessionUser();
+  if (!user)
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  }

  const { name } = await params;
-  const { orgId, roles } = session.user as any;

  try {
    const tenant = await getTenant(name);
-    if (!tenant) {
+    if (!tenant)
      return NextResponse.json({ error: "Not found" }, { status: 404 });
-    }

-    // Scope check: non-platform users can only see their own org's tenants
    if (
-      !isPlatformRole(roles || []) &&
-      tenant.metadata?.labels?.["zitadel-org-id"] !== orgId
+      !user.isPlatform &&
+      tenant.metadata.labels?.["pieced.ch/zitadel-org-id"] !== user.orgId
    ) {
      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
    }
@@ -37,7 +27,7 @@ export async function GET(
    return NextResponse.json(tenant);
  } catch (e: any) {
    return NextResponse.json(
-      { error: "K8s API error", detail: e.message },
+      { error: e.message },
      { status: e.statusCode || 500 }
    );
  }
@@ -47,35 +37,29 @@ export async function PATCH(
  req: NextRequest,
  { params }: { params: Promise<{ name: string }> }
 ) {
-  const session = await auth();
-  if (!session?.user) {
+  const user = await getSessionUser();
+  if (!user)
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  }

-  const { name } = await params;
-  const { orgId, roles } = session.user as any;
-  const body = await req.json();
-  const userRoles = roles || [];
-
-  // Only owner or platform roles can patch
-  if (!isPlatformRole(userRoles) && !userRoles.includes("owner")) {
+  if (!user.isPlatform && !user.roles.includes("owner")) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }

+  const { name } = await params;
+  const body = await req.json();
+
  try {
-    // Ownership check
    const existing = await getTenant(name);
-    if (!existing) {
+    if (!existing)
      return NextResponse.json({ error: "Not found" }, { status: 404 });
-    }
+
    if (
-      !isPlatformRole(userRoles) &&
-      existing.metadata?.labels?.["zitadel-org-id"] !== orgId
+      !user.isPlatform &&
+      existing.metadata.labels?.["pieced.ch/zitadel-org-id"] !== user.orgId
    ) {
      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
    }

-    // Build partial spec — only allow specific fields
    const specPatch: Record<string, any> = {};
    if (body.packages !== undefined) specPatch.packages = body.packages;
    if (body.workspaceFiles !== undefined)
@@ -88,7 +72,7 @@ export async function PATCH(
    return NextResponse.json(updated);
  } catch (e: any) {
    return NextResponse.json(
-      { error: "Patch failed", detail: e.message },
+      { error: e.message },
      { status: e.statusCode || 500 }
    );
  }