Canonical host via APP_URL: stop login dumping users on /error from a host mismatch

The from-scratch dev login was broken: open the banner's http://localhost:3000, sign
in as the seeded admin, and you landed on http://127.0.0.1:3000/error "Page not found".
Root cause: the banner/APP_URL said localhost but kratos.yml hard-coded 127.0.0.1, and a
host-scoped Kratos CSRF cookie can't cross localhost<->127.0.0.1, so the cross-host login
POST lost it; Kratos redirected to its error sink, which the app had no route for (404).

Make APP_URL the single source of truth for the public host:
- Canonical-host redirect (app.ts): when APP_URL is set, an off-host GET/HEAD visitor is
  308'd to it (path+query kept) before a flow starts, so the browser, the themed forms and
  the cross-origin Kratos POST share one cookie host. After /public/ so static/health
  checks stay host-agnostic; GET/HEAD only so a 308 never replays a cross-host POST.
- Opt-in (no NODE_ENV / no magic default): unset => no redirect, so a prod deploy that
  forgets APP_URL can't bounce real users to a stale default. The dev stack sets it.
- kratos.yml browser URLs default to localhost (match APP_URL's dev value) and derive from
  ${APP_URL} via compose.override.yml; SERVE_PUBLIC_BASE_URL keeps the dev Ory port.
- Real /error page (views/error.ejs) replaces the catch-all 404 for genuine flow errors.

Tests-first: config (opt-in/validated), app (308 on mismatch, no-redirect on match, static
host-agnostic, POST untouched, /error page), updated kratos.test host pins. New devstack
regression (e2e/devstack-login.spec + compose.e2e-devstack.yml) drives the plain
docker-compose-up topology on the host network: login from localhost works and 127.0.0.1 is
canonicalised; wired into scripts/ci.sh. typecheck + 360 units + full ci.sh (visual 10 ·
auth 1 · oauth 2 · full 7 · devstack 2) green.
This commit is contained in:
2026-06-21 21:52:20 +02:00
parent 58398481ca
commit 1d198acc97
19 changed files with 346 additions and 23 deletions
+15 -12
View File
@@ -5,16 +5,19 @@
# key in tokenizer/jwks.json).
serve:
public:
base_url: http://127.0.0.1:4433/
base_url: http://localhost:4433/
cors:
enabled: false
admin:
base_url: http://kratos:4434/
selfservice:
default_browser_return_url: http://127.0.0.1:3000/
# Browser-facing URLs default to localhost (clean clone = APP_URL's default, so the host the web app
# canonicalises to matches the host the login form POSTs to — cookies share one host). Driven by
# APP_URL: compose overrides these from ${APP_URL} (compose.override.yml), so there's one knob.
default_browser_return_url: http://localhost:3000/
allowed_return_urls:
- http://127.0.0.1:3000
- http://localhost:3000
methods:
password:
enabled: true
@@ -33,37 +36,37 @@ selfservice:
providers: []
flows:
error:
ui_url: http://127.0.0.1:3000/error
ui_url: http://localhost:3000/error
login:
ui_url: http://127.0.0.1:3000/login
ui_url: http://localhost:3000/login
after:
# After authenticating, land on our completion route — it mints the session JWT
# (roles from Keto → metadata_public projection → tokenize) and sets our cookie (§4).
default_browser_return_url: http://127.0.0.1:3000/auth/complete
default_browser_return_url: http://localhost:3000/auth/complete
registration:
ui_url: http://127.0.0.1:3000/registration
ui_url: http://localhost:3000/registration
after:
password:
hooks:
- hook: session # log in immediately after sign-up
- hook: show_verification_ui
settings:
ui_url: http://127.0.0.1:3000/settings
ui_url: http://localhost:3000/settings
privileged_session_max_age: 15m
required_aal: highest_available
recovery:
enabled: true
use: code
ui_url: http://127.0.0.1:3000/recovery
ui_url: http://localhost:3000/recovery
verification:
enabled: true
use: code
ui_url: http://127.0.0.1:3000/verification
ui_url: http://localhost:3000/verification
after:
default_browser_return_url: http://127.0.0.1:3000/
default_browser_return_url: http://localhost:3000/
logout:
after:
default_browser_return_url: http://127.0.0.1:3000/login
default_browser_return_url: http://localhost:3000/login
# Dev mail catcher (compose.override.yml). Prod overrides via COURIER_SMTP_CONNECTION_URI.
courier: