docs(auth): document APP_URL requirement for reverse-proxied deployments #99
Problem

When Carol runs behind a reverse proxy (the common self-hoster shape: Caddy / Traefik / nginx / Cloudflare in front of the container on `0.0.0.0:3000`), OAuth and OIDC sign-in flows produce a `redirect_uri` of `http://0.0.0.0:3000/...` instead of the public URL. The IdP then either refuses the request (`redirect_uri` doesn't match what's registered) or completes consent and tries to redirect the browser to an unreachable internal URL.

The mechanism is `appOrigin()` in `/api/auth/oauth/start` and `/api/auth/oauth/callback/[provider]`: `req.nextUrl.origin` reflects the bind address inside the container. `APP_URL` is the escape hatch. This is documented as a one-liner in ADR-0015 §2 (Redirect-URI) but isn't called out in any self-hoster-facing doc, so the first thing a self-hoster encounters is "OIDC didn't work" with a confusing `0.0.0.0:3000` callback URL.

Hit while deploying #85 (OIDC) to carol.int.wynning.tech.

Scope

Pure docs. No code change.

- `docs/oidc-self-hoster-guide.md`: add an `APP_URL` prerequisite paragraph at the top before the recipes. Spell out the exact format (`https://<your-host>`, no trailing slash) and that it must match what's registered as the callback URL prefix in the IdP.
- `docs/oidc-self-hoster-guide.md` "Troubleshooting": add an entry for "Sign-in redirects to `http://0.0.0.0:3000`" → set `APP_URL`.
- `README.md` deployment section (if one exists) or `CLAUDE.md` "Working in this repo": short note that `APP_URL` is required for any deployment behind a reverse proxy. Cross-reference the self-hoster guide.
- `appOrigin()` helper) and mention it in the prerequisite paragraph so the self-hoster knows it applies to both GitHub and OIDC.

Out of scope

Auto-deriving the public URL from `X-Forwarded-Proto` + `X-Forwarded-Host` / `Forwarded` headers. That's a defensible code change (it would remove the env-var-required failure mode for the standard reverse-proxy case) but it widens the trust surface: the proxy must be configured to strip incoming `X-Forwarded-*` from external requests, otherwise an attacker can forge a `redirect_uri`. If we revisit this it deserves its own ticket + ADR amendment to ADR-0015 §2.
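The following is an added example, not Carol's code and not part of the issue above. It models the two behaviours the issue describes: the Problem section (a request origin that reflects the container bind address, and `APP_URL` as the override, validated against the documented `https://<your-host>` no-trailing-slash shape) and the Out of scope section (an origin derived from `X-Forwarded-*` headers, which an attacker can steer when the proxy does not overwrite those headers). All function names (`appOrigin`, `buildRedirectUri`, `originFromForwardedHeaders`, `validateAppUrl`), the `RequestLike` shape standing in for `req.nextUrl`, and the host `carol.example` are assumptions for illustration; the project's real `appOrigin()` may differ.

```typescript
// Added example, not Carol's code. Models how redirect_uri ends up as
// http://0.0.0.0:3000/... behind a reverse proxy, how an APP_URL override
// fixes it, and why deriving the origin from X-Forwarded-* headers is risky.
// Function names and the RequestLike shape are hypothetical stand-ins.

interface RequestLike {
  /** What req.nextUrl.origin reflects inside the container: the bind address. */
  origin: string;
  /** Header names lower-cased, as Node/Next expose them. */
  headers: Record<string, string>;
}

interface Env {
  APP_URL?: string;
}

/** Parse an absolute URL, returning null instead of throwing on garbage. */
function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

/**
 * Check APP_URL against the documented shape: absolute https URL, scheme and
 * host only, no path, query, fragment, credentials or trailing slash.
 * Returns an error message, or null when the value is acceptable.
 */
function validateAppUrl(raw: string): string | null {
  const u = parseUrl(raw);
  if (!u) return `APP_URL must be an absolute URL, got "${raw}"`;
  if (u.protocol !== "https:") return "APP_URL must use https://";
  if (u.username || u.password) return "APP_URL must not contain credentials";
  if (raw.endsWith("/")) return "APP_URL must not end with a trailing slash";
  if (u.pathname !== "/" || u.search || u.hash) return "APP_URL must be scheme + host only, no path";
  return null;
}

/**
 * Public origin used to build redirect_uri. APP_URL wins when set; otherwise
 * fall back to the request origin, which behind a proxy is the container bind
 * address and is exactly what produces the broken callback URL.
 */
function appOrigin(req: RequestLike, env: Env): string {
  const raw = env.APP_URL?.trim();
  if (!raw) return req.origin;
  const problem = validateAppUrl(raw);
  if (problem) throw new Error(problem);
  return raw;
}

function buildRedirectUri(req: RequestLike, env: Env, provider: string): string {
  return `${appOrigin(req, env)}/api/auth/oauth/callback/${encodeURIComponent(provider)}`;
}

/**
 * The "out of scope" alternative: derive the origin from proxy headers. Safe
 * only if the proxy overwrites X-Forwarded-* on every request; a proxy that
 * passes client-supplied values through lets the client choose redirect_uri.
 */
function originFromForwardedHeaders(req: RequestLike): string {
  const bind = new URL(req.origin);
  const proto = req.headers["x-forwarded-proto"] ?? bind.protocol.replace(/:$/, "");
  const host = req.headers["x-forwarded-host"] ?? req.headers["host"] ?? bind.host;
  return `${proto}://${host}`;
}

// Constructed sample requests (not captured traffic).
const viaProxyNoEnv: RequestLike = {
  origin: "http://0.0.0.0:3000",
  headers: { host: "0.0.0.0:3000" },
};
const forgedHeaders: RequestLike = {
  origin: "http://0.0.0.0:3000",
  headers: {
    host: "0.0.0.0:3000",
    "x-forwarded-proto": "https",
    "x-forwarded-host": "attacker.example", // client-supplied, not stripped by the proxy
  },
};

function demo() {
  return {
    // The symptom from the issue: no APP_URL, redirect_uri points at the bind address.
    broken: buildRedirectUri(viaProxyNoEnv, {}, "oidc"),
    // The fix: APP_URL set to the public origin (carol.example is a placeholder host).
    fixed: buildRedirectUri(viaProxyNoEnv, { APP_URL: "https://carol.example" }, "oidc"),
    // The trap with header-derived origins: the attacker picks the host.
    forged: originFromForwardedHeaders(forgedHeaders),
    // The documented format rule, enforced rather than just described.
    trailingSlashError: validateAppUrl("https://carol.example/"),
  };
}

console.log(demo());
```

`validateAppUrl` is the check a self-hoster guide can point at: the value must be exactly the scheme-plus-host prefix registered with the IdP, so a trailing slash or a path is rejected up front rather than surfacing later as an IdP redirect_uri mismatch. `originFromForwardedHeaders` is deliberately shown without any trust check to make the forgery path visible; it is not a recommendation.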