feat(dev): expose full auth stack on LAN IP for on-device preview
The dev stack previously mixed two hostnames (`localhost` in some places,
`keycloak` in others). That only worked because the laptop's /etc/hosts
maps `keycloak` to 127.0.0.1. Phones, tablets, or a second laptop had no
such mapping, so the OAuth flow broke the moment you tried to log in from
any non-laptop device.
Switched the SPA, Kong, GoTrue, and Keycloak client to all agree on a
single external host — the laptop's LAN IP (192.168.1.167) — so the full
Keycloak → GoTrue → Supabase → SvelteKit round-trip works from any device
on the same Wi-Fi.
Changes
.env (root, ungitignored): PUBLIC_SUPABASE_URL / PUBLIC_KEYCLOAK_URL /
PUBLIC_APP_URL now use the LAN IP (updated locally; tracked via
apps/web/.env.development below).
apps/web/.env.development: mirror the LAN IP so `$env/static/public`
resolves the same on laptop and phone.
apps/web/vite.config.ts: `server.host: true` — bind Vite to 0.0.0.0.
apps/web/playwright.config.ts: `baseURL: PUBLIC_APP_URL ?? localhost`
so E2E uses the same origin the stack is configured with.
apps/web/tests/fixtures/login.ts:
- wait for the collective button in the sidebar to render before
returning (LAN-IP latency surfaced a pre-existing race in
`handleCreate` where Enter fired before `$currentCollective`
hydrated, silently no-op'ing).
- derive expected app origin from PUBLIC_APP_URL.
apps/web/tests/e2e/items.test.ts: scope D-04 delete assertion to the
`[role="listitem"]` locator — with undoQueue enabled the toast text
"Deleted <name>" also matches `getByText(itemName)` and shadowed the
original check.
infra/docker-compose.dev.yml:
- GOTRUE_EXTERNAL_KEYCLOAK_URL and REDIRECT_URI now read from
PUBLIC_KEYCLOAK_URL / PUBLIC_SUPABASE_URL so they follow the same
host as the rest of the stack.
- NEW: GOTRUE_URI_ALLOW_LIST with `/auth/callback` on both the LAN
IP and localhost. Without an explicit allow-list GoTrue rejected
`redirect_to=.../auth/callback` and fell back to SITE_URL root,
stranding `?code=` at `/` and re-triggering signIn → infinite loop.
keycloak/realm-export.json: `colectivo-web` client gains LAN-IP
redirectUris and webOrigins (alongside the existing localhost
entries). Persisted + live-applied via admin API.
.gitignore: add .claude/ (per-project scheduler runtime state).
Verification
just test-all → 224 passed, 4 skipped:
34 pgTAP
140 Vitest integration + 2 skipped (Realtime presence, upstream bug)
11 Vitest unit
39 Playwright + 2 skipped (mobile-swipe touch, WebKit-only)
Phone sanity check: open http://192.168.1.167:5173 on a LAN device,
log in as a seed user, full RLS-respecting session.
Caveats
LAN IP (192.168.1.167) is DHCP-assigned — if it rotates, rerun the
Keycloak admin API update (realm-export.json needs a new entry) and
update the three PUBLIC_* URLs. Consider a Tailscale magic-DNS name
as a stable replacement for the prod-deploy sprint.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -45,6 +45,13 @@ services:
|
||||
GOTRUE_DB_DRIVER: postgres
|
||||
GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD:-postgres}@db:5432/postgres
|
||||
GOTRUE_SITE_URL: ${PUBLIC_APP_URL:-http://localhost:5173}
|
||||
# Allow the SPA's /auth/callback subpath (where the /auth/callback +page
|
||||
# calls exchangeCodeForSession). Without this GoTrue rejects the
|
||||
# redirect_to query param and falls back to SITE_URL, stranding `?code=`
|
||||
# at `/` instead of `/auth/callback` — which then re-triggers signIn
|
||||
# and creates an infinite login loop. We also allow localhost so that
|
||||
# `just test-all` runs can still hit the app through the loopback.
|
||||
GOTRUE_URI_ALLOW_LIST: "http://192.168.1.167:5173/auth/callback,http://localhost:5173/auth/callback,http://localhost:3000/auth/callback"
|
||||
GOTRUE_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
GOTRUE_JWT_EXP: 3600
|
||||
# Allow OIDC-based user creation (Keycloak is the gatekeeper).
|
||||
@@ -58,11 +65,15 @@ services:
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_SECRET: ${KEYCLOAK_CLIENT_SECRET:-gotrue-dev-secret}
|
||||
# openid is required so the access token is an OIDC token and the userinfo endpoint accepts it.
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_SCOPES: "openid profile email"
|
||||
# GoTrue fetches Keycloak's OIDC discovery doc at this URL (Docker-internal hostname).
|
||||
# The browser also uses this hostname — add "127.0.0.1 keycloak" to /etc/hosts.
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_URL: http://keycloak:8080/realms/colectivo
|
||||
# Keycloak redirects the browser here after login; GoTrue exchanges the code.
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_REDIRECT_URI: http://localhost:8001/auth/v1/callback
|
||||
# Must be reachable from the browser (for the 302 to Keycloak's /auth
|
||||
# endpoint) AND from inside this container (for the server-side code→token
|
||||
# exchange). The LAN IP in PUBLIC_KEYCLOAK_URL satisfies both: Docker
|
||||
# bridge routes container→host via the default gateway, then Docker's
|
||||
# port-forward loops 8080 back to the Keycloak container.
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_URL: ${PUBLIC_KEYCLOAK_URL:-http://keycloak:8080}/realms/colectivo
|
||||
# Browser-reachable URL that Keycloak 302s back to after login. Must be
|
||||
# listed in the colectivo-web client's redirectUris in the realm.
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_REDIRECT_URI: ${PUBLIC_SUPABASE_URL:-http://localhost:8001}/auth/v1/callback
|
||||
GOTRUE_MAILER_AUTOCONFIRM: "true"
|
||||
|
||||
# ── PostgREST ───────────────────────────────────────────────────────────────
|
||||
|
||||
Reference in New Issue
Block a user