The dev stack previously mixed two hostnames (`localhost` in some places,
`keycloak` in others). That only worked because the laptop's /etc/hosts
maps `keycloak` to 127.0.0.1. Phones, tablets, or a second laptop had no
such mapping, so the OAuth flow broke the moment you tried to log in from
any non-laptop device.
Switched the SPA, Kong, GoTrue, and Keycloak client to all agree on a
single external host — the laptop's LAN IP (192.168.1.167) — so the full
Keycloak → GoTrue → Supabase → SvelteKit round-trip works from any device
on the same Wi-Fi.
Changes
.env (root, ungitignored): PUBLIC_SUPABASE_URL / PUBLIC_KEYCLOAK_URL /
PUBLIC_APP_URL now use the LAN IP (updated locally; tracked via
apps/web/.env.development below).
apps/web/.env.development: mirror the LAN IP so `$env/static/public`
resolves the same on laptop and phone.
apps/web/vite.config.ts: `server.host: true` — bind Vite to 0.0.0.0.
apps/web/playwright.config.ts: `baseURL: PUBLIC_APP_URL ?? localhost`
so E2E uses the same origin the stack is configured with.
apps/web/tests/fixtures/login.ts:
- wait for the collective button in the sidebar to render before
returning (LAN-IP latency surfaced a pre-existing race in
`handleCreate` where Enter fired before `$currentCollective`
hydrated, silently no-op'ing).
- derive expected app origin from PUBLIC_APP_URL.
apps/web/tests/e2e/items.test.ts: scope D-04 delete assertion to the
`[role="listitem"]` locator — with undoQueue enabled the toast text
"Deleted <name>" also matches `getByText(itemName)` and shadowed the
original check.
infra/docker-compose.dev.yml:
- GOTRUE_EXTERNAL_KEYCLOAK_URL and REDIRECT_URI now read from
PUBLIC_KEYCLOAK_URL / PUBLIC_SUPABASE_URL so they follow the same
host as the rest of the stack.
- NEW: GOTRUE_URI_ALLOW_LIST with `/auth/callback` on both the LAN
IP and localhost. Without an explicit allow-list GoTrue rejected
`redirect_to=.../auth/callback` and fell back to SITE_URL root,
stranding `?code=` at `/` and re-triggering signIn → infinite loop.
keycloak/realm-export.json: `colectivo-web` client gains LAN-IP
redirectUris and webOrigins (alongside the existing localhost
entries). Persisted + live-applied via admin API.
.gitignore: add .claude/ (per-project scheduler runtime state).
Verification
just test-all → 224 passed, 4 skipped:
34 pgTAP
140 Vitest integration + 2 skipped (Realtime presence, upstream bug)
11 Vitest unit
39 Playwright + 2 skipped (mobile-swipe touch, WebKit-only)
Phone sanity check: open http://192.168.1.167:5173 on a LAN device,
log in as a seed user, full RLS-respecting session.
Caveats
LAN IP (192.168.1.167) is DHCP-assigned — if it rotates, rerun the
Keycloak admin API update (realm-export.json needs a new entry) and
update the three PUBLIC_* URLs. Consider a Tailscale magic-DNS name
as a stable replacement for the prod-deploy sprint.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
58 lines
1.9 KiB
TypeScript
58 lines
1.9 KiB
TypeScript
import { defineConfig } from 'vite';
|
|
import { sveltekit } from '@sveltejs/kit/vite';
|
|
import { SvelteKitPWA } from '@vite-pwa/sveltekit';
|
|
import { paraglide } from '@inlang/paraglide-sveltekit/vite';
|
|
|
|
export default defineConfig({
|
|
plugins: [
|
|
paraglide({
|
|
project: './project.inlang',
|
|
outdir: './src/lib/paraglide'
|
|
}),
|
|
sveltekit(),
|
|
SvelteKitPWA({
|
|
// strategies defaults to 'generateSW' — the plugin auto-generates the service
|
|
// worker. We do NOT use 'injectManifest' here because SvelteKit's own Vite
|
|
// plugin intercepts src/service-worker.ts and blocks external imports (Workbox).
|
|
// In Fase 2b we will introduce a custom SW as src/sw.ts (a filename SvelteKit
|
|
// does not recognise as a service worker) and switch to injectManifest then.
|
|
scope: '/',
|
|
base: '/',
|
|
manifest: {
|
|
name: 'Colectivo',
|
|
short_name: 'Colectivo',
|
|
description: 'Gestión colaborativa del hogar',
|
|
theme_color: '#0f172a',
|
|
background_color: '#f7f9fb',
|
|
display: 'standalone',
|
|
orientation: 'portrait',
|
|
scope: '/',
|
|
start_url: '/',
|
|
icons: [
|
|
{ src: '/icons/icon-192.png', sizes: '192x192', type: 'image/png' },
|
|
{ src: '/icons/icon-512.png', sizes: '512x512', type: 'image/png' },
|
|
{ src: '/icons/icon-512.png', sizes: '512x512', type: 'image/png', purpose: 'maskable' }
|
|
]
|
|
},
|
|
workbox: {
|
|
globPatterns: ['client/**/*.{js,css,ico,png,svg,webp,woff,woff2}']
|
|
},
|
|
devOptions: {
|
|
enabled: true,
|
|
suppressWarnings: true,
|
|
type: 'module',
|
|
navigateFallback: '/'
|
|
}
|
|
})
|
|
],
|
|
server: {
|
|
port: 5173,
|
|
// Bind to all interfaces so the LAN (phone, tablet, other laptops on
|
|
// the same Wi-Fi) can reach the dev server at http://<LAN-IP>:5173.
|
|
// Auth flows will fail from non-laptop clients because Keycloak's
|
|
// issuer URL resolves to `keycloak:8080` only on the laptop's /etc/hosts
|
|
// — use this for layout/CSS visual checks, not for full login tests.
|
|
host: true
|
|
}
|
|
});
|