Files
plainpages/compose.e2e-devstack.yml
T
lilleman 1d198acc97 Canonical host via APP_URL: stop login dumping users on /error from a host mismatch
The from-scratch dev login was broken: open the banner's http://localhost:3000, sign
in as the seeded admin, and you landed on http://127.0.0.1:3000/error "Page not found".
Root cause: the banner/APP_URL said localhost but kratos.yml hard-coded 127.0.0.1, and a
host-scoped Kratos CSRF cookie can't cross localhost<->127.0.0.1, so the cross-host login
POST lost it; Kratos redirected to its error sink, which the app had no route for (404).

Make APP_URL the single source of truth for the public host:
- Canonical-host redirect (app.ts): when APP_URL is set, an off-host GET/HEAD visitor is
  308'd to it (path+query kept) before a flow starts, so the browser, the themed forms and
  the cross-origin Kratos POST share one cookie host. After /public/ so static/health
  checks stay host-agnostic; GET/HEAD only so a 308 never replays a cross-host POST.
- Opt-in (no NODE_ENV / no magic default): unset => no redirect, so a prod deploy that
  forgets APP_URL can't bounce real users to a stale default. The dev stack sets it.
- kratos.yml browser URLs default to localhost (match APP_URL's dev value) and derive from
  ${APP_URL} via compose.override.yml; SERVE_PUBLIC_BASE_URL keeps the dev Ory port.
- Real /error page (views/error.ejs) replaces the catch-all 404 for genuine flow errors.

Tests-first: config (opt-in/validated), app (308 on mismatch, no-redirect on match, static
host-agnostic, POST untouched, /error page), updated kratos.test host pins. New devstack
regression (e2e/devstack-login.spec + compose.e2e-devstack.yml) drives the plain
docker-compose-up topology on the host network: login from localhost works and 127.0.0.1 is
canonicalised; wired into scripts/ci.sh. typecheck + 360 units + full ci.sh (visual 10 ·
auth 1 · oauth 2 · full 7 · devstack 2) green.
2026-06-21 21:52:20 +02:00

49 lines
2.5 KiB
YAML

# Dev-stack login regression — guards the from-scratch experience the banner advertises (login from
# http://localhost:3000 works, and entering on 127.0.0.1 is canonicalised). Unlike the proxied
# full-flow suite (which fronts web + Kratos on ONE origin and so can't see this class of bug), this
# runs against the *plain* `docker compose up` topology and drives the browser on the HOST network, so
# it sees http://localhost:3000 (web) and http://127.0.0.1:4433 (Kratos public) exactly as a host
# browser does. Merge the dev override so the live stack is byte-for-byte `docker compose up`:
# docker compose -f compose.yml -f compose.override.yml -f compose.e2e-devstack.yml run --build --rm e2e
# docker compose -f compose.yml -f compose.override.yml -f compose.e2e-devstack.yml down -v # tear down
services:
web:
# Pin APP_URL so the regression is deterministic regardless of any APP_URL exported in the shell
# running ci.sh (overrides the dev override's ${APP_URL:-…}); the runner's BASE_URL matches it.
environment:
APP_URL: http://localhost:3000
# Base web has no healthcheck; add one so the runner waits for a ready app (deps come via base).
healthcheck:
test: ["CMD", "wget", "-q", "-O", "-", "http://localhost:3000/public/css/styles.css"]
interval: 2s
timeout: 4s
retries: 30
# Pin Kratos' browser URLs to localhost too (literal, not ${APP_URL}) so the whole suite is
# hermetic — the 127.0.0.1 sub-test asserts canonicalisation onto localhost, which only holds if
# web AND Kratos agree on localhost regardless of the ambient shell env.
kratos:
environment:
SERVE_PUBLIC_BASE_URL: http://localhost:4433/
SELFSERVICE_DEFAULT_BROWSER_RETURN_URL: http://localhost:3000/
SELFSERVICE_ALLOWED_RETURN_URLS: http://localhost:3000
SELFSERVICE_FLOWS_ERROR_UI_URL: http://localhost:3000/error
SELFSERVICE_FLOWS_LOGIN_UI_URL: http://localhost:3000/login
SELFSERVICE_FLOWS_LOGIN_AFTER_DEFAULT_BROWSER_RETURN_URL: http://localhost:3000/auth/complete
e2e:
build:
context: .
dockerfile: Dockerfile.e2e
command: ["npx", "playwright", "test", "devstack-login.spec.ts"]
# Host network: reach the host-published ports (web 3000, Kratos public 4433) at the very
# hostnames a user types — localhost / 127.0.0.1 — so the cross-host CSRF-cookie split reproduces.
network_mode: "host"
depends_on:
web:
condition: service_healthy
environment:
BASE_URL: http://localhost:3000
volumes:
- ./e2e/artifacts:/e2e/artifacts