feat: support reverse proxy path prefix deployments (#257)

* feat: support reverse proxy path prefixes

* fix: respect BASE_URL in SAML callback fallback

* fix: make BASE_URL runtime configurable
ARUNAVO RAY
2026-04-09 12:32:59 +05:30
committed by GitHub
parent c87513b648
commit 01a3b08dac
58 changed files with 552 additions and 114 deletions


@@ -1,5 +1,6 @@
import { auth } from "@/lib/auth";
import type { APIRoute } from "astro";
import { stripBasePath, withBase } from "@/lib/base-path";
export const ALL: APIRoute = async (ctx) => {
// If you want to use rate limiting, make sure to set the 'x-forwarded-for' header
@@ -9,7 +10,11 @@ export const ALL: APIRoute = async (ctx) => {
}
try {
return await auth.handler(ctx.request);
const requestUrl = new URL(ctx.request.url);
requestUrl.pathname = withBase(stripBasePath(requestUrl.pathname));
const authRequest = new Request(requestUrl, ctx.request);
return await auth.handler(authRequest);
} catch (error) {
console.error("Auth handler error:", error);
@@ -18,7 +23,7 @@ export const ALL: APIRoute = async (ctx) => {
if (url.pathname.includes('/sso/callback')) {
// Redirect to error page for SSO errors
return Response.redirect(
`${ctx.url.origin}/auth-error?error=sso_callback_failed&error_description=${encodeURIComponent(
`${ctx.url.origin}${withBase('/auth-error')}?error=sso_callback_failed&error_description=${encodeURIComponent(
error instanceof Error ? error.message : "SSO authentication failed"
)}`,
302
@@ -34,4 +39,4 @@ export const ALL: APIRoute = async (ctx) => {
headers: { "Content-Type": "application/json" }
});
}
};
};
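Review bot: The SSO error redirect (`${ctx.url.origin}${withBase('/auth-error')}?error=…`) makes only the path proxy-aware; the origin is still taken from the incoming request. Behind a reverse proxy that value may be the internal host or scheme, and if forwarded host headers are honoured without an allow-list it is client-influenced, so the redirect target is better built from the deployment's configured public origin, e.g. `const origin = configuredOrigin ?? ctx.url.origin;` (`configuredOrigin` is a placeholder for whatever this project derives from its base-URL setting). The same applies to the SAML registration hunk, where the `callbackUrl` fallback and `audience` are built from `context.url.origin` and, it appears, stored with the provider configuration, so a wrong origin there would outlive the request. The catch block and the `url` it tests start outside the visible hunks, so this is based on the shown lines only.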


@@ -6,6 +6,7 @@ import { db, ssoProviders } from "@/lib/db";
import { eq } from "drizzle-orm";
import { nanoid } from "nanoid";
import { normalizeOidcProviderConfig, OidcConfigError } from "@/lib/sso/oidc-config";
import { withBase } from "@/lib/base-path";
// POST /api/auth/sso/register - Register a new SSO provider using Better Auth
export async function POST(context: APIContext) {
@@ -87,7 +88,9 @@ export async function POST(context: APIContext) {
registrationBody.samlConfig = {
entryPoint,
cert,
callbackUrl: callbackUrl || `${context.url.origin}/api/auth/sso/saml2/callback/${providerId}`,
callbackUrl:
callbackUrl ||
`${context.url.origin}${withBase(`/api/auth/sso/saml2/callback/${providerId}`)}`,
audience: audience || context.url.origin,
wantAssertionsSigned,
signatureAlgorithm,