feat: add Google OAuth, remote worker system, and file browser

- Google OAuth login with JWT session cookies, per-user project isolation - Remote worker registration via WebSocket, execute_on_worker/list_workers agent tools - File browser UI in workflow view, file upload/download API - Deploy script switched to local build, added tori.euphon.cloud ingress
2026-03-17 01:57:57 +00:00
parent 186d882f35
commit 63f0582f54
26 changed files with 2338 additions and 106 deletions
--- a/src/main.rs
+++ b/src/main.rs
@@ -8,7 +8,9 @@ pub mod state;
 mod template;
 mod timer;
 mod tools;
+mod worker;
 mod ws;
+mod ws_worker;

 use std::sync::Arc;
 use axum::Router;
@@ -22,6 +24,7 @@ pub struct AppState {
    pub agent_mgr: Arc<agent::AgentManager>,
    pub kb: Option<Arc<kb::KbManager>>,
    pub obj_root: String,
+    pub auth: Option<api::auth::AuthConfig>,
 }

 #[derive(Debug, Clone, serde::Deserialize)]
@@ -102,12 +105,15 @@ async fn main() -> anyhow::Result<()> {
        template::ensure_repo_ready(repo_cfg).await;
    }

+    let worker_mgr = worker::WorkerManager::new();
+
    let agent_mgr = agent::AgentManager::new(
        database.pool.clone(),
        config.llm.clone(),
        config.template_repo.clone(),
        kb_arc.clone(),
        config.jwt_private_key.clone(),
+        worker_mgr.clone(),
    );

    timer::start_timer_runner(database.pool.clone(), agent_mgr.clone());
@@ -117,21 +123,51 @@ async fn main() -> anyhow::Result<()> {

    let obj_root = std::env::var("OBJ_ROOT").unwrap_or_else(|_| "/data/obj".to_string());

+    let auth_config = match (
+        std::env::var("GOOGLE_CLIENT_ID"),
+        std::env::var("GOOGLE_CLIENT_SECRET"),
+    ) {
+        (Ok(client_id), Ok(client_secret)) => {
+            let jwt_secret = std::env::var("JWT_SECRET")
+                .unwrap_or_else(|_| uuid::Uuid::new_v4().to_string());
+            let public_url = std::env::var("PUBLIC_URL")
+                .unwrap_or_else(|_| "https://tori.euphon.cloud".to_string());
+            tracing::info!("Google OAuth enabled (public_url={})", public_url);
+            Some(api::auth::AuthConfig {
+                google_client_id: client_id,
+                google_client_secret: client_secret,
+                jwt_secret,
+                public_url,
+            })
+        }
+        _ => {
+            tracing::warn!("GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET not set, auth disabled");
+            None
+        }
+    };
+
    let state = Arc::new(AppState {
        db: database,
        config: config.clone(),
        agent_mgr: agent_mgr.clone(),
        kb: kb_arc,
        obj_root: obj_root.clone(),
+        auth: auth_config,
    });

    let app = Router::new()
-        .nest("/tori/api", api::router(state))
+        // Auth routes are public
+        .nest("/tori/api/auth", api::auth::router(state.clone()))
+        // Protected API routes
+        .nest("/tori/api", api::router(state.clone())
+            .layer(axum::middleware::from_fn_with_state(state.clone(), api::auth::require_auth))
+        )
        .nest("/api/obj", api::obj::router(obj_root.clone()))
        .route("/api/obj/", axum::routing::get({
            let r = obj_root;
            move || api::obj::root_listing(r)
        }))
+        .nest("/ws/tori/workers", ws_worker::router(worker_mgr))
        .nest("/ws/tori", ws::router(agent_mgr))
        .nest_service("/tori", ServeDir::new("web/dist").fallback(ServeFile::new("web/dist/index.html")))
        .route("/", axum::routing::get(|| async {