Production URL issue #344
Comments
|
@DarkNeedle Thanks for the issue! Totally valid points, in fact we're working on improving auth experience in the self-hosted version right now. Stay tuned. Will release ASAP! |
|
Thanks. Is there an ETA or where this sits with regard to priority. I can go in and address it myself in the code but if this is something already in the works and roadmapped I'd prefer to hold off, unless it's months out. -DB |
|
Should be couple of days, although still thinking of a ways to properly structure auth when people deploy their own instances of Laminar. Do you have any thoughts on a better approach regarding user registration? Because I can imagine when someone deploys their own instance, people only want known users to use the platform. I'm now thinking whether we should pre-populate the database with existing emails or something like this? Interested in your thoughts since I assume you want to deploy your own version.
also regarding this. Can you elaborate on that? |
|
I would account for a number of options that can be tailored using an .env. You could allow blanket signup via email if EMAIL_DOMAIN is not set. If EMAIL_DOMAIN is set to a domain then restrict signups to just that domain. NextAuth supports a wide variety of options. The easiest would be just blanket signup of users via just email/password. regarding: The middleware is making an API call to ${process.env.NEXTAUTH_URL}/api/auth to verify authorization, but this URL needs to be properly configured for production. I think this the issue regarding the login issue where when a URL is specified other than localhost, may go away once full auth is implemented. -DB |
|
I think I misread the original issue. That's strange, URL change shouldn't cause any problems. Maybe something wrong with format of your url? It should be just base url without /. Can you please confirm the format of NEXTAUTH_URL you are using? |
|
This is in the docker compose Changing the URL to a domain under https should not have an impact but it seems to. First I have run in to this. -DB |
So just to clarify once again. When you try with localhost it all works, when you switch to https://yourdomain it doesn't work? My first guess is that you might have added / at the end of your https://? |
|
Yes correct but I did not add any "/" at the end. It may be related to nginx proxying this to terminate TLS. I will dig in to this further. NextAuth with nginx can have some issues in the callback. I will take a closer look. I would leave this issue open until the full authentication mechanism is implemented. thanks |
|
Hey @DarkNeedle we have implemented the full auth mechanism. Here are the docs https://docs.lmnr.ai/self-hosting/access-control-setup Let us know if the issue still persists |
Just a recommendation, the documentation needs to be updated to allow this to be run against a valid URL vs localhost. The .env variable should be called up specifically. In the docker-compose-full.yml when adjusting the URL for a domain https://.. you will get a Page not found immediately after using any email address to login.
Merely setting NEXTAUTH_URL and NEXT_PUBLIC_URL should be sufficient
In setting a proper URL other than localhost which would be standard for hosting the error pops up in the URL
https:///not-found?callbackUrl=%2Fproject%2F665df17d-a7d5-4318-8131-c16928fc6c77%2Ftraces
In middleware.ts, there's a configuration conflict:
Line 46: pages.signIn: '/not-found' - This is redirecting all unauthorized requests to /not-found
This conflicts with auth.ts which has pages.signIn: '/sign-in'
The middleware is making an API call to ${process.env.NEXTAUTH_URL}/api/auth to verify authorization, but this URL needs to be properly configured for production.
The auth flow appears to be:
User tries to access a protected route (/project/...)
Middleware checks authorization by calling /api/auth
If unauthorized, it redirects to /not-found instead of /sign-in
After login, it tries to redirect back but fails due to the middleware configuration
I have not performed a full code analysis yet but this is a fundamental issue that should have been caught. Likewise, why not enable the full Auth flow instead of processing just an email address.
-DB
The text was updated successfully, but these errors were encountered: