1d198acc97
The from-scratch dev login was broken: open the banner's http://localhost:3000, sign in as the seeded admin, and you landed on http://127.0.0.1:3000/error "Page not found". Root cause: the banner/APP_URL said localhost but kratos.yml hard-coded 127.0.0.1, and a host-scoped Kratos CSRF cookie can't cross localhost<->127.0.0.1, so the cross-host login POST lost it; Kratos redirected to its error sink, which the app had no route for (404). Make APP_URL the single source of truth for the public host: - Canonical-host redirect (app.ts): when APP_URL is set, an off-host GET/HEAD visitor is 308'd to it (path+query kept) before a flow starts, so the browser, the themed forms and the cross-origin Kratos POST share one cookie host. After /public/ so static/health checks stay host-agnostic; GET/HEAD only so a 308 never replays a cross-host POST. - Opt-in (no NODE_ENV / no magic default): unset => no redirect, so a prod deploy that forgets APP_URL can't bounce real users to a stale default. The dev stack sets it. - kratos.yml browser URLs default to localhost (match APP_URL's dev value) and derive from ${APP_URL} via compose.override.yml; SERVE_PUBLIC_BASE_URL keeps the dev Ory port. - Real /error page (views/error.ejs) replaces the catch-all 404 for genuine flow errors. Tests-first: config (opt-in/validated), app (308 on mismatch, no-redirect on match, static host-agnostic, POST untouched, /error page), updated kratos.test host pins. New devstack regression (e2e/devstack-login.spec + compose.e2e-devstack.yml) drives the plain docker-compose-up topology on the host network: login from localhost works and 127.0.0.1 is canonicalised; wired into scripts/ci.sh. typecheck + 360 units + full ci.sh (visual 10 · auth 1 · oauth 2 · full 7 · devstack 2) green.
118 lines
4.4 KiB
YAML
118 lines
4.4 KiB
YAML
# Ory Kratos — identity & self-service auth. Identity schema (email, name) +
|
|
# password login; recovery & verification run on email codes. Every self-service
|
|
# flow returns to our own themed routes (§4 renders the fields). DSN + prod
|
|
# courier/secrets come from the env. Session→JWT tokenizer wired below (signing
|
|
# key in tokenizer/jwks.json).
|
|
serve:
|
|
public:
|
|
base_url: http://localhost:4433/
|
|
cors:
|
|
enabled: false
|
|
admin:
|
|
base_url: http://kratos:4434/
|
|
|
|
selfservice:
|
|
# Browser-facing URLs default to localhost (clean clone = APP_URL's default, so the host the web app
|
|
# canonicalises to matches the host the login form POSTs to — cookies share one host). Driven by
|
|
# APP_URL: compose overrides these from ${APP_URL} (compose.override.yml), so there's one knob.
|
|
default_browser_return_url: http://localhost:3000/
|
|
allowed_return_urls:
|
|
- http://localhost:3000
|
|
methods:
|
|
password:
|
|
enabled: true
|
|
code: # email one-time code — powers recovery + verification (not login)
|
|
enabled: true
|
|
# Social sign-in, OFF by default → clean clone is password-only. Activate via env only
|
|
# (no code; the whole-array form is the only env-settable one Kratos offers); §4 derives
|
|
# the buttons from this list. SAML isn't in OSS Kratos — bridge it as OIDC (README).
|
|
# SELFSERVICE_METHODS_OIDC_ENABLED=true
|
|
# SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS=[{"id":"google","provider":"google",
|
|
# "client_id":"…","client_secret":"…","scope":["openid","email","profile"],
|
|
# "mapper_url":"file:///etc/config/kratos/oidc/claims.jsonnet"}]
|
|
oidc:
|
|
enabled: false
|
|
config:
|
|
providers: []
|
|
flows:
|
|
error:
|
|
ui_url: http://localhost:3000/error
|
|
login:
|
|
ui_url: http://localhost:3000/login
|
|
after:
|
|
# After authenticating, land on our completion route — it mints the session JWT
|
|
# (roles from Keto → metadata_public projection → tokenize) and sets our cookie (§4).
|
|
default_browser_return_url: http://localhost:3000/auth/complete
|
|
registration:
|
|
ui_url: http://localhost:3000/registration
|
|
after:
|
|
password:
|
|
hooks:
|
|
- hook: session # log in immediately after sign-up
|
|
- hook: show_verification_ui
|
|
settings:
|
|
ui_url: http://localhost:3000/settings
|
|
privileged_session_max_age: 15m
|
|
required_aal: highest_available
|
|
recovery:
|
|
enabled: true
|
|
use: code
|
|
ui_url: http://localhost:3000/recovery
|
|
verification:
|
|
enabled: true
|
|
use: code
|
|
ui_url: http://localhost:3000/verification
|
|
after:
|
|
default_browser_return_url: http://localhost:3000/
|
|
logout:
|
|
after:
|
|
default_browser_return_url: http://localhost:3000/login
|
|
|
|
# Dev mail catcher (compose.override.yml). Prod overrides via COURIER_SMTP_CONNECTION_URI.
|
|
courier:
|
|
smtp:
|
|
connection_uri: smtp://mailpit:1025/?disable_starttls=true
|
|
from_address: no-reply@plainpages.local
|
|
from_name: Plainpages
|
|
|
|
identity:
|
|
default_schema_id: default
|
|
schemas:
|
|
- id: default
|
|
url: file:///etc/config/kratos/identity.schema.json
|
|
|
|
# "Stay signed in" backbone: a long-lived Kratos session that the app re-mints the
|
|
# short-lived (~10m) JWT off (§4). Sliding refresh — an active session is extended
|
|
# back to full lifespan only once it's within earliest_possible_extend of expiry,
|
|
# so frequent users never lapse without a DB write per request.
|
|
session:
|
|
lifespan: 720h # 30 days
|
|
earliest_possible_extend: 24h
|
|
cookie:
|
|
name: plainpages_session
|
|
persistent: true # survive browser restarts
|
|
same_site: Lax
|
|
# Session→JWT tokenizer (§4): whoami(tokenize_as: plainpages) mints a short-lived,
|
|
# locally-verifiable JWT so the hot path never calls Ory. Claims come from the
|
|
# committed Jsonnet mapper (sub = identity id, email from traits, roles from the
|
|
# metadata_public projection); signed with tokenizer/jwks.json.
|
|
whoami:
|
|
tokenizer:
|
|
templates:
|
|
plainpages:
|
|
ttl: 10m
|
|
subject_source: id
|
|
claims_mapper_url: file:///etc/config/kratos/tokenizer/plainpages.jsonnet
|
|
jwks_url: file:///etc/config/kratos/tokenizer/jwks.json
|
|
|
|
# Dev throwaways — production supplies real secrets via env (§3). cipher = 32 chars.
|
|
secrets:
|
|
cookie:
|
|
- PLEASE-CHANGE-ME-dev-kratos-cookie-secret
|
|
cipher:
|
|
- 0123456789abcdef0123456789abcdef
|
|
|
|
log:
|
|
level: info
|
|
format: text
|