Auth fix (the real unblocker):
- Add server-side proxy Route Handler app/api/backend/[...path]/route.ts that
reads the NextAuth session via auth() and injects Authorization: Bearer on
every API call. Method-agnostic; streams raw request body (multipart uploads)
and upstream response body (binary PDF/CSV downloads). Replaces the static
next.config.mjs rewrite, which could not inject a header — the root cause of
every authenticated browser fetch hitting the backend unauthenticated.
- Expose session.accessToken in the auth.ts session() callback (+ type aug).
Uses auth() not getToken() so cookie handling is correct across the public
HTTPS (Apache) -> internal HTTP (container) proxy boundary.
- No service files changed; all 24 services already call /api/backend/*.
Verified live: NextAuth login -> GET /api/backend/members -> HTTP 200.
Public hosting (same proven chain as Gitea/InspectFlow):
- docker-compose.truenas.yml: NEXTAUTH_URL/AUTH_URL -> https public origin,
rotate AUTH_SECRET + JWT_SECRET + DB_PASSWORD off the committed dev defaults.
- deploy.yml: inject AUTH_SECRET/JWT_SECRET/DB_PASSWORD from Gitea secrets;
reconcile the live Postgres role password (volume keeps old pw on re-deploy).
- frpc on TrueNAS tunnels frontend :3000 -> VPS frps :30010; IONOS Apache
terminates TLS for cannamanage.plate-software.de and proxies through frp.
- Replace VPS SSH deploy workflow with a self-contained job that runs on the
TrueNAS act_runner (host docker socket mounted). Checks out the pushed commit,
builds, and rolls out the cannamanage compose stack in-place (project=cannamanage),
then health-checks backend :8081 + frontend :3000.
- Commit docker-compose.truenas.yml (port remap 8081 + AUTH_SECRET) into the repo;
it was previously host-only, so a fresh checkout could not reproduce the deploy.
Use the !override tag for the backend ports list.
Patrick Plate