pplate/cannamanage
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(deploy): public hosting at cannamanage.plate-software.de + fix systemic auth-token bug
CI — Build, Lint & Security Scan / backend (push) Failing after 1m4s
Details
CI — Build, Lint & Security Scan / frontend (push) Failing after 1m24s
Details
CI — Build, Lint & Security Scan / image-scan (push) Has been skipped
Details
CI — Build, Lint & Security Scan / secrets-scan (push) Failing after 21s
Details
Deploy to TrueNAS / deploy (push) Failing after 4m0s
Details

Browse Source 
Auth fix (the real unblocker):
- Add server-side proxy Route Handler app/api/backend/[...path]/route.ts that
  reads the NextAuth session via auth() and injects Authorization: Bearer on
  every API call. Method-agnostic; streams raw request body (multipart uploads)
  and upstream response body (binary PDF/CSV downloads). Replaces the static
  next.config.mjs rewrite, which could not inject a header — the root cause of
  every authenticated browser fetch hitting the backend unauthenticated.
- Expose session.accessToken in the auth.ts session() callback (+ type aug).
  Uses auth() not getToken() so cookie handling is correct across the public
  HTTPS (Apache) -> internal HTTP (container) proxy boundary.
- No service files changed; all 24 services already call /api/backend/*.
  Verified live: NextAuth login -> GET /api/backend/members -> HTTP 200.

Public hosting (same proven chain as Gitea/InspectFlow):
- docker-compose.truenas.yml: NEXTAUTH_URL/AUTH_URL -> https public origin,
  rotate AUTH_SECRET + JWT_SECRET + DB_PASSWORD off the committed dev defaults.
- deploy.yml: inject AUTH_SECRET/JWT_SECRET/DB_PASSWORD from Gitea secrets;
  reconcile the live Postgres role password (volume keeps old pw on re-deploy).
- frpc on TrueNAS tunnels frontend :3000 -> VPS frps :30010; IONOS Apache
  terminates TLS for cannamanage.plate-software.de and proxies through frp.
This commit is contained in:
Patrick Plate
2026-06-22 10:46:15 +02:00
parent 53931d9d2b
commit a686957b09
6 changed files with 208 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cannamanage-frontend/next.config.mjs
+4 -9
View File
@@ -10,15 +10,10 @@ const nextConfig = {
// Required for Docker standalone output
output: "standalone",
// Proxy API calls to the Spring Boot backend
async rewrites() {
return [
{
source: "/api/backend/:path*",
destination: `${process.env.BACKEND_URL || "http://localhost:8080"}/api/v1/:path*`,
},
]
},
// NOTE: API calls to /api/backend/* are proxied by the server-side Route
// Handler at src/app/api/backend/[...path]/route.ts, NOT by a static
// rewrite. A static rewrite cannot inject the NextAuth Bearer token; the
// route handler reads the session via auth() and forwards it. See that file.
}
export default withNextIntl(nextConfig)