Canonical host via APP_URL: stop login dumping users on /error from a host mismatch
The from-scratch dev login was broken: open the banner's http://localhost:3000, sign in as the seeded admin, and you landed on http://127.0.0.1:3000/error "Page not found". Root cause: the banner/APP_URL said localhost but kratos.yml hard-coded 127.0.0.1, and a host-scoped Kratos CSRF cookie can't cross localhost<->127.0.0.1, so the cross-host login POST lost it; Kratos redirected to its error sink, which the app had no route for (404). Make APP_URL the single source of truth for the public host: - Canonical-host redirect (app.ts): when APP_URL is set, an off-host GET/HEAD visitor is 308'd to it (path+query kept) before a flow starts, so the browser, the themed forms and the cross-origin Kratos POST share one cookie host. After /public/ so static/health checks stay host-agnostic; GET/HEAD only so a 308 never replays a cross-host POST. - Opt-in (no NODE_ENV / no magic default): unset => no redirect, so a prod deploy that forgets APP_URL can't bounce real users to a stale default. The dev stack sets it. - kratos.yml browser URLs default to localhost (match APP_URL's dev value) and derive from ${APP_URL} via compose.override.yml; SERVE_PUBLIC_BASE_URL keeps the dev Ory port. - Real /error page (views/error.ejs) replaces the catch-all 404 for genuine flow errors. Tests-first: config (opt-in/validated), app (308 on mismatch, no-redirect on match, static host-agnostic, POST untouched, /error page), updated kratos.test host pins. New devstack regression (e2e/devstack-login.spec + compose.e2e-devstack.yml) drives the plain docker-compose-up topology on the host network: login from localhost works and 127.0.0.1 is canonicalised; wired into scripts/ci.sh. typecheck + 360 units + full ci.sh (visual 10 · auth 1 · oauth 2 · full 7 · devstack 2) green.
This commit is contained in:
+25
-2
@@ -5,6 +5,11 @@ services:
|
||||
command: node --watch src/server.ts
|
||||
# Dev overrides the base toggles: live template edits, dev-throwaway secrets allowed.
|
||||
environment:
|
||||
# Canonical public URL — the ONE knob. The web app redirects off-host visitors here, so
|
||||
# localhost / 127.0.0.1 / any alias all funnel to one cookie host (Kratos' browser URLs below
|
||||
# derive from it too). Override for a non-default host and the stack follows; see the note on
|
||||
# kratos.SERVE_PUBLIC_BASE_URL for the single dev caveat (the published Ory port).
|
||||
APP_URL: ${APP_URL:-http://localhost:3000}
|
||||
CACHE_TEMPLATES: "false"
|
||||
LOG_FORMAT: "text" # human-readable logs in dev (base sets json for prod log pipelines)
|
||||
REQUIRE_SECURE_SECRETS: "false"
|
||||
@@ -33,11 +38,29 @@ services:
|
||||
restart: unless-stopped
|
||||
|
||||
# Ory Kratos dev: expose the public API so the browser can POST self-service flows to
|
||||
# flow.ui.action (kratos.yml base_url = 127.0.0.1:4433). Prod fronts Ory same-origin,
|
||||
# so the base file publishes no Ory ports.
|
||||
# flow.ui.action. Prod fronts Ory same-origin, so the base file publishes no Ory ports.
|
||||
kratos:
|
||||
ports:
|
||||
- "4433:4433"
|
||||
# Every browser-facing Kratos URL derives from APP_URL — one knob, no second place to edit (the
|
||||
# localhost-vs-127.0.0.1 disagreement that broke login was exactly this drift). Env overrides the
|
||||
# kratos.yml defaults (Ory: env wins over config files).
|
||||
environment:
|
||||
# The public API the login form POSTs to. Its HOST must match APP_URL's (cookies are host-scoped,
|
||||
# port-agnostic) but its PORT is the published Ory one (4433), so it can't be APP_URL verbatim.
|
||||
# This is the ONE dev value to also change for a non-localhost APP_URL host (e.g. a LAN IP).
|
||||
SERVE_PUBLIC_BASE_URL: ${KRATOS_PUBLIC_BROWSER_URL:-http://localhost:4433/}
|
||||
SELFSERVICE_DEFAULT_BROWSER_RETURN_URL: ${APP_URL:-http://localhost:3000}/
|
||||
SELFSERVICE_ALLOWED_RETURN_URLS: ${APP_URL:-http://localhost:3000}
|
||||
SELFSERVICE_FLOWS_ERROR_UI_URL: ${APP_URL:-http://localhost:3000}/error
|
||||
SELFSERVICE_FLOWS_LOGIN_UI_URL: ${APP_URL:-http://localhost:3000}/login
|
||||
SELFSERVICE_FLOWS_LOGIN_AFTER_DEFAULT_BROWSER_RETURN_URL: ${APP_URL:-http://localhost:3000}/auth/complete
|
||||
SELFSERVICE_FLOWS_REGISTRATION_UI_URL: ${APP_URL:-http://localhost:3000}/registration
|
||||
SELFSERVICE_FLOWS_SETTINGS_UI_URL: ${APP_URL:-http://localhost:3000}/settings
|
||||
SELFSERVICE_FLOWS_RECOVERY_UI_URL: ${APP_URL:-http://localhost:3000}/recovery
|
||||
SELFSERVICE_FLOWS_VERIFICATION_UI_URL: ${APP_URL:-http://localhost:3000}/verification
|
||||
SELFSERVICE_FLOWS_VERIFICATION_AFTER_DEFAULT_BROWSER_RETURN_URL: ${APP_URL:-http://localhost:3000}/
|
||||
SELFSERVICE_FLOWS_LOGOUT_AFTER_DEFAULT_BROWSER_RETURN_URL: ${APP_URL:-http://localhost:3000}/login
|
||||
|
||||
# Ory Hydra dev: --dev permits the http issuer/redirect URLs; expose the public port
|
||||
# so OAuth2 flows reach the host. Prod (base file) drops --dev for an https issuer.
|
||||
|
||||
Reference in New Issue
Block a user