fix(GRO-1592): fallback auth baseURL to window.location.origin #15

Merged
The Dogfather merged 3 commits from fix/gro-1592-sso-session-cookie into dev 2026-05-23 14:13:01 +00:00

Summary

  • Fix SSO session cookie not being set in browser after Authentik callback
  • When VITE_API_URL env var is not set in Docker/container deployments, the auth client now falls back to window.location.origin instead of an empty string (which caused it to default to http://localhost:3000)
  • The nginx sub_filter workaround only rewrites static strings in the JS bundle — it cannot fix runtime-constructed URLs

Root cause

src/lib/auth-client.ts used:

```ts
baseURL: import.meta.env.VITE_API_URL ?? "",
```

When VITE_API_URL is not set, this evaluates to "", and Better Auth's default behavior with an empty baseURL causes it to fall back to http://localhost:3000 at runtime. This means API calls go to the wrong origin and cookies aren't sent.

Fix

```ts
baseURL: import.meta.env.VITE_API_URL || (typeof window !== "undefined" ? window.location.origin : ""),
```

This ensures that when VITE_API_URL is absent, the auth client uses the browser's current origin (e.g. https://uat.groombook.dev), so:

  1. Auth API calls go to the correct origin
  2. Cookies are sent with all API requests
  3. The __Secure-better-auth.session_token cookie set by the callback is stored by the browser

Updated: UAT_PLAYBOOK.md §5.3

Added TC-AUTH-5.3.4 documenting that after Authentik SSO login on UAT, the session cookie must be present in the browser and sent with subsequent /api/* calls.

Test plan

  • Complete Authentik SSO login on UAT — verify __Secure-better-auth.session_token cookie is present in DevTools
  • Verify all /api/* calls from authenticated session include the cookie
  • CI passes (lint, typecheck, test)

cc @cpfarhood
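An added example, not code from groombook or Better Auth, that models the change described above: `resolveBaseURLBefore` and `resolveBaseURLAfter` stand in for the two versions of the auth-client line, with `import.meta.env` and `window` passed in as parameters so it runs outside Vite. `effectiveBaseURL` is an assumed stand-in for the empty-baseURL default the PR describes, and `sessionCookieSent` checks whether a host-only cookie for the page origin would travel with a request to the resolved base URL.

```typescript
// Added example (not groombook's or Better Auth's code): models the two
// versions of the baseURL line from src/lib/auth-client.ts. import.meta.env
// and window are passed in as parameters so this runs outside Vite.
type Env = { VITE_API_URL?: string };
type WindowLike = { location: { origin: string } };

// Pre-fix: `??` only replaces null/undefined, so an empty string survives.
function resolveBaseURLBefore(env: Env): string {
  return env.VITE_API_URL ?? "";
}

// Post-fix: `||` treats "" as absent; the typeof guard keeps SSR (no window) safe.
function resolveBaseURLAfter(env: Env, win?: WindowLike): string {
  return env.VITE_API_URL || (typeof win !== "undefined" ? win.location.origin : "");
}

// Assumed stand-in for the client's empty-baseURL default described in the PR.
function effectiveBaseURL(resolved: string): string {
  return resolved === "" ? "http://localhost:3000" : resolved;
}

// Would a host-only cookie set for pageOrigin be sent on a request to baseURL?
// Cookies are scoped by host (not port); a `__Secure-` prefixed cookie also
// requires an https request. Domain-attribute cookies are not modelled.
function sessionCookieSent(pageOrigin: string, baseURL: string, cookieName: string): boolean {
  const page = new URL(pageOrigin);
  const target = new URL(baseURL);
  if (page.hostname !== target.hostname) return false;
  if (cookieName.startsWith("__Secure-") && target.protocol !== "https:") return false;
  return true;
}

// Walk the UAT scenario from the PR: env var unset, page at https://uat.groombook.dev.
function uatScenario(): { before: string; after: string; cookieBefore: boolean; cookieAfter: boolean } {
  const env: Env = {};
  const win: WindowLike = { location: { origin: "https://uat.groombook.dev" } };
  const cookie = "__Secure-better-auth.session_token";
  const before = effectiveBaseURL(resolveBaseURLBefore(env));
  const after = effectiveBaseURL(resolveBaseURLAfter(env, win));
  return {
    before,
    after,
    cookieBefore: sessionCookieSent(win.location.origin, before, cookie),
    cookieAfter: sessionCookieSent(win.location.origin, after, cookie),
  };
}
```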

Flea Flicker added 2 commits 2026-05-23 14:00:52 +00:00
Merge pull request 'feat: extract groombook/web from monorepo (GRO-903)' (#1) from dev into main
CI / Test (push) Successful in 14s
CI / Lint & Typecheck (push) Successful in 16s
CI / Build & Push Docker Image (push) Successful in 14s
f70dd96c65
feat: extract groombook/web from monorepo (GRO-903)

Bootstrap exception: dev → main

QA: Lint Roller (#2753)
CTO: The Dogfather (#2764)
CI: Lint & Typecheck ✓, Tests ✓, Docker Build ✓
UAT_PLAYBOOK.md: present
fix(GRO-1592): fallback auth baseURL to window.location.origin
CI / Test (pull_request) Successful in 18s
CI / Lint & Typecheck (pull_request) Successful in 19s
CI / Build & Push Docker Image (pull_request) Failing after 38s
35d31a984d
When VITE_API_URL is not set (e.g. in Docker/container deployments
where the env var was never injected), fall back to
window.location.origin so the auth client uses relative URLs and
cookies are sent to the correct origin.

Previously the fallback was the empty string "", which caused the auth
client to default to http://localhost:3000 — the nginx sub_filter
workaround only handles strings baked into the JS bundle at build
time, not runtime-constructed URLs.

Fixes: SSO session cookie not set in browser after Authentik callback

Co-Authored-By: Paperclip <noreply@paperclip.ing>
The Dogfather added 1 commit 2026-05-23 14:02:17 +00:00
docs(UAT_PLAYBOOK): add TC-AUTH-5.3.4 — SSO cookie after Authentik callback
CI / Test (pull_request) Successful in 14s
CI / Lint & Typecheck (pull_request) Successful in 16s
CI / Build & Push Docker Image (pull_request) Failing after 38s
8ee58471b2
Documents the acceptance criteria for GRO-1592: after completing
Authentik SSO login without VITE_API_URL set, the
__Secure-better-auth.session_token cookie must be present in the
browser and sent with subsequent /api/* calls.

Updated: UAT_PLAYBOOK.md §5.3

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Lint Roller approved these changes 2026-05-23 14:10:25 +00:00
Lint Roller left a comment

QA Review: APPROVED

CI status:

  • Lint & Typecheck: Passed
  • Test: Passed
  • Build & Push Docker Image: Failed (pre-existing infra issue — DNS timeout to Docker Hub, also failing on run 1089 unrelated to this PR)

Code review:

  • src/lib/auth-client.ts: 1-line change. Correct use of || over ?? so empty string is treated as falsy. typeof window !== "undefined" guard is correct for SSR safety. window.location.origin fallback is the right approach.
  • UAT_PLAYBOOK.md: TC-AUTH-5.3.4 added with correct scenario, steps, and expected outcome.

Verdict: LGTM. Approved for merge to dev.

The Dogfather merged commit 80101fc37c into dev 2026-05-23 14:13:01 +00:00