feat: docker-compose for production frontend (#664)

* docker-compose for production frontend * fix: Remove external Redis port mapping for Coolify compatibility Redis should only be accessible within the internal Docker network in Coolify deployments to avoid port conflicts with other applications. * fix: Remove external port mapping for web service in Coolify Coolify handles port exposure through its proxy (Traefik), so services should not expose ports directly in the docker-compose file. * server side client envs * missing vars * nextjs experimental * fix claude 'fix' * remove build env vars compose * docker * remove ports for coolify * review * cleanup --------- Co-authored-by: Igor Loskutov <igor.loskutoff@gmail.com>
2025-12-21 04:39:06 +00:00 · 2025-09-24 11:15:27 -04:00
parent 0aaa42528a
commit 5bf64b5a41
23 changed files with 448 additions and 92 deletions
--- a/www/app/lib/authBackend.ts
+++ b/www/app/lib/authBackend.ts
@@ -18,26 +18,25 @@ import {
  deleteTokenCache,
 } from "./redisTokenCache";
 import { tokenCacheRedis, redlock } from "./redisClient";
-import { isBuildPhase } from "./next";
 import { sequenceThrows } from "./errorUtils";
 import { featureEnabled } from "./features";
+import { getNextEnvVar } from "./nextBuild";

 const TOKEN_CACHE_TTL = REFRESH_ACCESS_TOKEN_BEFORE;
-const getAuthentikClientId = () =>
-  assertExistsAndNonEmptyString(
-    process.env.AUTHENTIK_CLIENT_ID,
-    "AUTHENTIK_CLIENT_ID required",
-  );
-const getAuthentikClientSecret = () =>
-  assertExistsAndNonEmptyString(
-    process.env.AUTHENTIK_CLIENT_SECRET,
-    "AUTHENTIK_CLIENT_SECRET required",
-  );
+const getAuthentikClientId = () => getNextEnvVar("AUTHENTIK_CLIENT_ID");
+const getAuthentikClientSecret = () => getNextEnvVar("AUTHENTIK_CLIENT_SECRET");
 const getAuthentikRefreshTokenUrl = () =>
-  assertExistsAndNonEmptyString(
-    process.env.AUTHENTIK_REFRESH_TOKEN_URL,
-    "AUTHENTIK_REFRESH_TOKEN_URL required",
-  );
+  getNextEnvVar("AUTHENTIK_REFRESH_TOKEN_URL");
+
+const getAuthentikIssuer = () => {
+  const stringUrl = getNextEnvVar("AUTHENTIK_ISSUER");
+  try {
+    new URL(stringUrl);
+  } catch (e) {
+    throw new Error("AUTHENTIK_ISSUER is not a valid URL: " + stringUrl);
+  }
+  return stringUrl;
+};

 export const authOptions = (): AuthOptions =>
  featureEnabled("requireLogin")
@@ -45,16 +44,17 @@ export const authOptions = (): AuthOptions =>
        providers: [
          AuthentikProvider({
            ...(() => {
-              const [clientId, clientSecret] = sequenceThrows(
+              const [clientId, clientSecret, issuer] = sequenceThrows(
                getAuthentikClientId,
                getAuthentikClientSecret,
+                getAuthentikIssuer,
              );
              return {
                clientId,
                clientSecret,
+                issuer,
              };
            })(),
-            issuer: process.env.AUTHENTIK_ISSUER,
            authorization: {
              params: {
                scope: "openid email profile offline_access",