From e1e6319297c948144c094a77e3cace32a92c2f9e Mon Sep 17 00:00:00 2001 From: Azan Ali Date: Mon, 4 May 2026 19:23:11 +0500 Subject: [PATCH 1/2] use SMB_DASHBOARD_URL for logout redirect --- surfsense_web/.env.example | 1 + surfsense_web/Dockerfile | 2 ++ surfsense_web/lib/auth-utils.ts | 5 +---- surfsense_web/next.config.ts | 8 ++++++++ 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/surfsense_web/.env.example b/surfsense_web/.env.example index 2313f3e56f..e07f7d8385 100644 --- a/surfsense_web/.env.example +++ b/surfsense_web/.env.example @@ -1,4 +1,5 @@ NEXT_PUBLIC_FASTAPI_BACKEND_URL=http://localhost:8000 +NEXT_PUBLIC_SMB_DASHBOARD_URL=https:// NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=LOCAL or GOOGLE # mPass proxy auth — set when deployed behind oauth2-proxy + Traefik ForwardAuth diff --git a/surfsense_web/Dockerfile b/surfsense_web/Dockerfile index b16b3f066c..06ab0465f9 100644 --- a/surfsense_web/Dockerfile +++ b/surfsense_web/Dockerfile @@ -44,6 +44,7 @@ ARG NEXT_PUBLIC_OAUTH2_PROXY_URL=__NEXT_PUBLIC_OAUTH2_PROXY_URL__ ARG NEXT_PUBLIC_LOGOUT_REDIRECT_URL= ARG NEXT_PUBLIC_OIDC_LOGOUT_URL= ARG NEXT_PUBLIC_OIDC_CLIENT_ID= +ARG NEXT_PUBLIC_SMB_DASHBOARD_URL= ENV NEXT_PUBLIC_FASTAPI_BACKEND_URL=$NEXT_PUBLIC_FASTAPI_BACKEND_URL ENV NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=$NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE @@ -54,6 +55,7 @@ ENV NEXT_PUBLIC_OAUTH2_PROXY_URL=$NEXT_PUBLIC_OAUTH2_PROXY_URL ENV NEXT_PUBLIC_LOGOUT_REDIRECT_URL=$NEXT_PUBLIC_LOGOUT_REDIRECT_URL ENV NEXT_PUBLIC_OIDC_LOGOUT_URL=$NEXT_PUBLIC_OIDC_LOGOUT_URL ENV NEXT_PUBLIC_OIDC_CLIENT_ID=$NEXT_PUBLIC_OIDC_CLIENT_ID +ENV NEXT_PUBLIC_SMB_DASHBOARD_URL=$NEXT_PUBLIC_SMB_DASHBOARD_URL COPY --from=deps /app/node_modules ./node_modules COPY . . diff --git a/surfsense_web/lib/auth-utils.ts b/surfsense_web/lib/auth-utils.ts index aadc550d09..97efca5874 100644 --- a/surfsense_web/lib/auth-utils.ts +++ b/surfsense_web/lib/auth-utils.ts 
@@ -239,10 +239,7 @@ export async function logout(): Promise { clearAllTokens(); if (typeof window !== "undefined") { - // Rewrite "foss-." → "foss." so we land on the portal - // (outside ForwardAuth) instead of SurfSense's own root, which would silently re-auth. - const portalHost = window.location.hostname.replace(/^[^.]*\./, "moneta."); - window.location.href = `${window.location.protocol}//${portalHost}`; + window.location.href = process.env.NEXT_PUBLIC_SMB_DASHBOARD_URL!; return true; } diff --git a/surfsense_web/next.config.ts b/surfsense_web/next.config.ts index 5414d548d7..c87ccedef4 100644 --- a/surfsense_web/next.config.ts +++ b/surfsense_web/next.config.ts @@ -6,6 +6,14 @@ import createNextIntlPlugin from "next-intl/plugin"; // Create the next-intl plugin const withNextIntl = createNextIntlPlugin("./i18n/request.ts"); +// Compulsory build-time env vars +const REQUIRED_ENV_VARS = ["NEXT_PUBLIC_SMB_DASHBOARD_URL"] as const; +for (const key of REQUIRED_ENV_VARS) { + if (!process.env[key]) { + throw new Error(`Missing required environment variable: ${key}`); + } +} + // TODO: Separate app routes (/login, /dashboard) from marketing routes // (landing page, /contact, /pricing, /docs) so the desktop build only // ships what desktop users actually need. From 3afd44ff2f780d2743c627382b392cc08d5d544e Mon Sep 17 00:00:00 2001 From: Azan Ali Date: Tue, 5 May 2026 13:01:03 +0500 Subject: [PATCH 2/2] drop unused logout urls --- surfsense_web/.env.example | 3 +-- surfsense_web/Dockerfile | 8 ++------ surfsense_web/lib/auth-utils.ts | 2 +- surfsense_web/next.config.ts | 2 +- 4 files changed, 5 insertions(+), 10 deletions(-) diff --git a/surfsense_web/.env.example b/surfsense_web/.env.example index e07f7d8385..3025202a20 100644 --- a/surfsense_web/.env.example +++ b/surfsense_web/.env.example 
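Review bot: The non-null assertion in `window.location.href = process.env.NEXT_PUBLIC_SMB_DASHBOARD_URL!;` is erased at compile time, so a bundle built without the value assigns the string "undefined" and navigates to a relative path on the current host. Per the comment this hunk removes, that host sits behind ForwardAuth and silently re-authenticates, so logout would appear to do nothing after `clearAllTokens()` has already run. A runtime guard makes the failure explicit: `const signoutUrl = process.env.NEXT_PUBLIC_SMB_DASHBOARD_URL;` then `if (!signoutUrl) throw new Error("logout redirect URL is not configured");` before the assignment. The removed rationale is also worth keeping as a comment, e.g. `// Must point outside ForwardAuth; the app's own root silently re-authenticates.` The same line is renamed to NEXT_PUBLIC_SIGNOUT_URL in patch 2/2 and the point applies there unchanged; logout() starts and ends outside the hunk.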
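Review bot: The `!process.env[key]` test in the new loop checks only truthiness, so any non-empty string passes the build and is later assigned to `window.location.href` by logout(), including the bare `https://` shown in .env.example or a value with a non-HTTP scheme. Parsing the value catches both at build time: `const url = new URL(process.env[key]!);` followed by `if (url.protocol !== "https:" && url.protocol !== "http:") throw new Error("Invalid URL in " + key);` (`new URL` itself throws on a malformed or host-less value). Because next.config.ts may also be loaded outside `next build`, it is worth confirming the variable is present wherever the config is evaluated; the Dockerfile hunks appear to set it only in the build stage. The comment `// Compulsory build-time env vars` could say why, e.g. `// Logout redirects here; must be an absolute URL outside ForwardAuth.` The same check is renamed to NEXT_PUBLIC_SIGNOUT_URL in patch 2/2.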
@@ -1,9 +1,8 @@ NEXT_PUBLIC_FASTAPI_BACKEND_URL=http://localhost:8000 -NEXT_PUBLIC_SMB_DASHBOARD_URL=https:// +NEXT_PUBLIC_SIGNOUT_URL=https:// NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=LOCAL or GOOGLE # mPass proxy auth — set when deployed behind oauth2-proxy + Traefik ForwardAuth -NEXT_PUBLIC_OIDC_LOGOUT_URL=https:///logout NEXT_PUBLIC_OIDC_CLIENT_ID= NEXT_PUBLIC_OAUTH2_PROXY_URL=https://auth. NEXT_PUBLIC_ETL_SERVICE=UNSTRUCTURED or LLAMACLOUD or DOCLING diff --git a/surfsense_web/Dockerfile b/surfsense_web/Dockerfile index 06ab0465f9..3156b2a4fc 100644 --- a/surfsense_web/Dockerfile +++ b/surfsense_web/Dockerfile @@ -41,10 +41,8 @@ ARG NEXT_PUBLIC_OAUTH2_PROXY_URL=__NEXT_PUBLIC_OAUTH2_PROXY_URL__ # These are baked at build time (not placeholder-substituted). Next.js inlines # them as literal strings and terser dead-code-eliminates branches based on # truthiness; placeholder tokens look truthy and defeat that optimization. -ARG NEXT_PUBLIC_LOGOUT_REDIRECT_URL= -ARG NEXT_PUBLIC_OIDC_LOGOUT_URL= ARG NEXT_PUBLIC_OIDC_CLIENT_ID= -ARG NEXT_PUBLIC_SMB_DASHBOARD_URL= +ARG NEXT_PUBLIC_SIGNOUT_URL= ENV NEXT_PUBLIC_FASTAPI_BACKEND_URL=$NEXT_PUBLIC_FASTAPI_BACKEND_URL ENV NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=$NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE @@ -52,10 +50,8 @@ ENV NEXT_PUBLIC_ETL_SERVICE=$NEXT_PUBLIC_ETL_SERVICE ENV NEXT_PUBLIC_ZERO_CACHE_URL=$NEXT_PUBLIC_ZERO_CACHE_URL ENV NEXT_PUBLIC_DEPLOYMENT_MODE=$NEXT_PUBLIC_DEPLOYMENT_MODE ENV NEXT_PUBLIC_OAUTH2_PROXY_URL=$NEXT_PUBLIC_OAUTH2_PROXY_URL -ENV NEXT_PUBLIC_LOGOUT_REDIRECT_URL=$NEXT_PUBLIC_LOGOUT_REDIRECT_URL -ENV NEXT_PUBLIC_OIDC_LOGOUT_URL=$NEXT_PUBLIC_OIDC_LOGOUT_URL ENV NEXT_PUBLIC_OIDC_CLIENT_ID=$NEXT_PUBLIC_OIDC_CLIENT_ID -ENV NEXT_PUBLIC_SMB_DASHBOARD_URL=$NEXT_PUBLIC_SMB_DASHBOARD_URL +ENV NEXT_PUBLIC_SIGNOUT_URL=$NEXT_PUBLIC_SIGNOUT_URL COPY --from=deps /app/node_modules ./node_modules COPY . . diff --git a/surfsense_web/lib/auth-utils.ts b/surfsense_web/lib/auth-utils.ts index 97efca5874..b4521c3bb9 100644 
--- a/surfsense_web/lib/auth-utils.ts +++ b/surfsense_web/lib/auth-utils.ts @@ -239,7 +239,7 @@ export async function logout(): Promise { clearAllTokens(); if (typeof window !== "undefined") { - window.location.href = process.env.NEXT_PUBLIC_SMB_DASHBOARD_URL!; + window.location.href = process.env.NEXT_PUBLIC_SIGNOUT_URL!; return true; } diff --git a/surfsense_web/next.config.ts b/surfsense_web/next.config.ts index c87ccedef4..4503a6e0a6 100644 --- a/surfsense_web/next.config.ts +++ b/surfsense_web/next.config.ts @@ -7,7 +7,7 @@ import createNextIntlPlugin from "next-intl/plugin"; const withNextIntl = createNextIntlPlugin("./i18n/request.ts"); // Compulsory build-time env vars -const REQUIRED_ENV_VARS = ["NEXT_PUBLIC_SMB_DASHBOARD_URL"] as const; +const REQUIRED_ENV_VARS = ["NEXT_PUBLIC_SIGNOUT_URL"] as const; for (const key of REQUIRED_ENV_VARS) { if (!process.env[key]) { throw new Error(`Missing required environment variable: ${key}`);