From 35d31a984ddff0fee2bd9af91eceeade6aff3669 Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Sat, 23 May 2026 13:57:47 +0000 Subject: [PATCH 1/2] fix(GRO-1592): fallback auth baseURL to window.location.origin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When VITE_API_URL is not set (e.g. in Docker/container deployments where the env var was never injected), fallback to window.location.origin so the auth client uses relative URLs and cookies are sent to the correct origin. Previously the fallback was empty string "", which caused the auth client to default to http://localhost:3000 — the nginx sub_filter workaround only handles strings baked into the JS bundle at build time, not runtime-constructed URLs. Fixes: SSO session cookie not set in browser after Authentik callback Co-Authored-By: Paperclip
---
 src/lib/auth-client.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/auth-client.ts b/src/lib/auth-client.ts
index 6a9939a..02b7608 100644
--- a/src/lib/auth-client.ts
+++ b/src/lib/auth-client.ts
@@ -1,7 +1,7 @@
 import { createAuthClient } from "better-auth/react";
 export const authClient = createAuthClient({
- baseURL: import.meta.env.VITE_API_URL ?? "",
+ baseURL: import.meta.env.VITE_API_URL || (typeof window !== "undefined" ? window.location.origin : ""),
 });
 export const { signIn, signOut, useSession, changePassword } = authClient;
\ No newline at end of file
From 8ee58471b25b1d31a1579ee8a5f78e7a37092752 Mon Sep 17 00:00:00 2001
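Review bot: The new fallback on the `+` line fixes the container case but silently hides a missing or empty `VITE_API_URL` when the API is intentionally served from another origin (auth calls would then go to the page's own origin and fail later with a less obvious symptom), and the `typeof window` branch still yields `""` off-browser, which is the localhost:3000 default this commit is removing, if this module is ever evaluated outside a browser. A one-line why-comment above the option, such as `// No VITE_API_URL baked in: use the page origin so better-auth does not default to http://localhost:3000 and the session cookie is set for the origin the browser is on; "||" is deliberate so an empty string also falls through`, plus a dev-only warning like `if (!import.meta.env.VITE_API_URL && import.meta.env.DEV) console.warn("VITE_API_URL unset; auth client is using window.location.origin");`, would make the intent visible and surface misconfiguration early. Note also that a `__Secure-`-prefixed session cookie (the one named in the follow-up test case) is only accepted by browsers on an https origin, so this same-origin fallback resolves the missing-cookie symptom for TLS deployments but not for a plain-http localhost origin.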
From: Flea Flicker Date: Sat, 23 May 2026 14:02:16 +0000 Subject: [PATCH 2/2] =?UTF-8?q?docs(UAT=5FPLAYBOOK):=20add=20TC-AUTH-5.3.4?= =?UTF-8?q?=20=E2=80=94=20SSO=20cookie=20after=20Authentik=20callback?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Documents the acceptance criteria for GRO-1592: after completing Authentik SSO login without VITE_API_URL set, the __Secure-better-auth.session_token cookie must be present in the browser and sent with subsequent /api/* calls. Updated: UAT_PLAYBOOK.md §5.3 Co-Authored-By: Paperclip
---
 UAT_PLAYBOOK.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/UAT_PLAYBOOK.md b/UAT_PLAYBOOK.md
index 655c505..d70c9a2 100644
--- a/UAT_PLAYBOOK.md
+++ b/UAT_PLAYBOOK.md
@@ -69,6 +69,7 @@ export const { signIn, signOut, useSession, changePassword } = authClient;
 | TC-AUTH-5.3.1 | Auth client falls back to window.location.origin | Do not set `VITE_API_URL`, load app | Auth client uses `window.location.origin` as base URL |
 | TC-AUTH-5.3.2 | Sign-in on localhost | Load app without `VITE_API_URL` on localhost:3000 | Auth client uses `http://localhost:3000` as base URL |
 | TC-AUTH-5.3.3 | Sign-in on dev environment | Load app without `VITE_API_URL` on `https://dev.groombook.dev` | Auth client uses `https://dev.groombook.dev` as base URL |
+| TC-AUTH-5.3.4 | SSO cookie set after Authentik callback (GRO-1592) | Complete Authentik SSO login on UAT without `VITE_API_URL` set | `__Secure-better-auth.session_token` cookie is present in browser; subsequent `/api/*` calls include the cookie and return 200 |
 ### 5.4 Session Persistence