Skip to content

fix(auth): make auth redirects basePath-aware — stop bouncing confirmed users to the domain root#10

Merged
TortoiseWolfe merged 1 commit into
mainfrom
fix/8-basepath-auth-redirects
Jul 3, 2026
Merged

fix(auth): make auth redirects basePath-aware — stop bouncing confirmed users to the domain root#10
TortoiseWolfe merged 1 commit into
mainfrom
fix/8-basepath-auth-redirects

Conversation

@TortoiseWolfe

Copy link
Copy Markdown
Owner

Closes #8

Cherry-pick of the upstream template fix TortoiseWolfe/ScriptHammer#156 (upstream commit e6861e6, applied clean — the auth core here is byte-identical to the template's).

What it fixes in production: after clicking the confirmation email, new users were bounced to https://tortoisewolfe.github.io/ (the domain root, no app) instead of staying under /RescueDogs. Root cause was a template defect: every hand-built auth URL used window.location.origin or a literal '/', ignoring the basePath, and the resolved basePath never reached client code in production because the deploy workflow intentionally omits the env var. Full analysis in the upstream PR.

Verified here in the fork:

  • 42/42 unit tests green in the container (including the four new #154 regression tests)
  • type-check clean
  • production-exact build check: built with the CI detection path (GITHUB_ACTIONS + GITHUB_REPOSITORY, no env var) and confirmed the emitted client chunk carries the inlined /RescueDogs basePath — the deployed bundle will compose confirmation URLs as https://tortoisewolfe.github.io/RescueDogs/auth/callback/

Still needed after merge (dashboard, not code — details in the issue comment on #8): Site URL and redirect allow-list on the production Supabase project (cmdhajshektesctrappl) so the prefixed callback URL is allow-listed rather than falling back to Site URL.

🤖 Generated with Claude Code

…nced to domain root) (#156)

Auth flow built URLs from window.location.origin and hardcoded '/',
ignoring the GitHub Pages basePath. On a project-site deploy the
confirmation flow therefore stranded new users at the domain root.

- add getInternalUrl/getRedirectUrl to project.config (trailing-slash
  canonical, degrade to old strings when basePath is empty)
- inject the resolved basePath into the client bundle via next.config
  env (deploy workflows omit NEXT_PUBLIC_BASE_PATH on purpose, so the
  detected value never reached client code in production)
- route emailRedirectTo, OAuth redirectTo, password-reset redirectTo and
  all hard navigations through the helpers
- guard the cross-tab SIGNED_OUT redirect so it can never hijack
  /auth/callback (transient SIGNED_OUT during confirmation passes the
  token-validity check because no token exists yet)
- pin the seam with unit tests: prefixed emailRedirectTo, prefixed
  signOut/cross-tab redirects, and no redirect on the callback page

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
(cherry picked from commit e6861e6b37b18da9752cba8fddde73c44c8e24ad)
@TortoiseWolfe TortoiseWolfe merged commit d84761a into main Jul 3, 2026
18 checks passed
@TortoiseWolfe TortoiseWolfe deleted the fix/8-basepath-auth-redirects branch July 3, 2026 15:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Email confirmation redirect bounces to GitHub Pages domain root instead of /RescueDogs app

1 participant