
feat: allow requests from more than one web client URL to work properly #1709

@garobrik

Description


Currently the backend makes an assumption that it will be visited by clients from only one address (i.e., app.terraso.org for prod and app.staging.terraso.net for staging). This is problematic for two reasons:

  • it makes it impossible to use branch preview deployments for web client PRs (since they would each need to live at a unique URL)
  • it could pose a problem in the future if, as part of making storymaps "standalone", we want to host it at a different URL than app.terraso.org

The branch preview deployment case is more pressing for now, so we could initially solve it in a way that is acceptable for that use case before figuring out how to make it work properly on prod.

Additional context

Current ways that the backend encodes this assumption:

  • CORS headers: we use the CORS_HEADERS_WHITELIST setting for the django-cors-headers package to allow a specific list of URLs. We would need to also use CORS_ALLOWED_ORIGIN_REGEXES to allow preview branches.
  • WEB_CLIENT_URL: the backend has an environment variable WEB_CLIENT_URL which it uses to determine how to construct valid client URLs in the following scenarios:
    • when redirecting after a login
    • when redirecting because a page requires login?
    • when sending events to plausible
    • when generating share links
    • when sending email notifications
  • LOGIN_URL: I'm not sure if this needs to change. It's related to where the backend redirects you for login, but it seems to correctly redirect you as is without changing anything.
  • AUTH_COOKIE_DOMAIN: also hardcoded to a particular domain, and would need to be changed

Needs some forethought around whether there are any security risks in doing this, but I think as long as the CORS headers still restrict to only domains we control we should be good!

Relevant files/folders

  • terraso_backend/apps/auth/services.py
  • terraso_backend/apps/auth/views.py
  • terraso_backend/config/settings.py
  • terraso_backend/apps/notifications/email.py
  • terraso_backend/apps/core/models/shared_resources.py
  • terraso_backend/apps/story_map/notifications.py

Progress

  • CORS part is done
  • the login redirect part is a bit tricksy. we're already using the state parameter of the oauth process to pass along a string related to redirecting to a specific page after login. since we need to pass more than one parameter
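An added example (not the project's code) of the security check the issue raises: the post-login redirect must only ever land on a client origin the backend allows, even when the origin and the "next" page are both carried in the OAuth state parameter. The settings, the preview-branch regex and the state encoding below are constructed placeholders, not Terraso's real configuration.

```python
import base64
import json
import re
import secrets
from urllib.parse import urlparse

# Constructed placeholder settings; they are not the project's real configuration.
ALLOWED_CLIENT_ORIGINS = {"https://app.terraso.org", "https://app.staging.terraso.net"}
ALLOWED_CLIENT_ORIGIN_REGEXES = [re.compile(r"https://[a-z0-9-]+\.preview\.example\.test")]
DEFAULT_CLIENT_ORIGIN = "https://app.terraso.org"


def is_allowed_client_origin(origin: str) -> bool:
    """Exact allowlist first, then the preview-branch regexes (full match only)."""
    if origin in ALLOWED_CLIENT_ORIGINS:
        return True
    return any(rx.fullmatch(origin) for rx in ALLOWED_CLIENT_ORIGIN_REGEXES)


def is_safe_relative_path(path: str) -> bool:
    """Accept only a path on the chosen origin: one leading '/', no scheme, no host."""
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return False  # '//host' and '/\host' would be read as a new host by browsers
    parsed = urlparse(path)
    return parsed.scheme == "" and parsed.netloc == ""


def encode_state(client_origin: str, next_path: str) -> str:
    """Pack both parameters into the OAuth state; the nonce keeps it unguessable."""
    payload = {"nonce": secrets.token_urlsafe(16), "origin": client_origin, "next": next_path}
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_state(state: str) -> dict:
    padded = state + "=" * (-len(state) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(payload, dict):
        raise ValueError("state payload is not an object")
    return payload


def post_login_redirect(state: str) -> str:
    """Build the redirect URL, falling back to the default client on anything unacceptable."""
    try:
        payload = decode_state(state)
    except ValueError:  # bad base64, bad JSON, or wrong shape
        return DEFAULT_CLIENT_ORIGIN + "/"
    origin = str(payload.get("origin", ""))
    next_path = str(payload.get("next", "/"))
    if not is_allowed_client_origin(origin):
        origin = DEFAULT_CLIENT_ORIGIN
    if not is_safe_relative_path(next_path):
        next_path = "/"
    return origin + next_path
```

The same allowlist plus regex pair can back CORS_ALLOWED_ORIGINS / CORS_ALLOWED_ORIGIN_REGEXES, so the CORS policy and the redirect policy never drift apart.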

Status

In Review