From 220938b0734500c966511b96edd7e768e21ead91 Mon Sep 17 00:00:00 2001 From: awais786 Date: Fri, 1 May 2026 19:59:22 +0500 Subject: [PATCH 1/4] fix(logout): drive portal-host prefix from required SMB_NAME env MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The logout redirect hardcoded "foss." as the portal-host prefix in auth.cljs. That broke silently when the deployment moved from foss.* to moneta.* in the askii.ai cutover. Make the prefix env-driven via a required SMB_NAME var (no default under SSO — nginx-entrypoint.sh exits non-zero at startup if AUTH_TYPE=SSO and SMB_NAME is unset, instead of silently rendering the wrong portal host at logout). Same Pattern B2 plumbing as MPASS_SIGNOUT_URL: - config.js: //var penpotSmbName = "" placeholder - nginx-entrypoint.sh: update_smb_name substitutes from $SMB_NAME - app.config: (def smb-name (obj/get global "penpotSmbName")) - app.main.data.auth: read cf/smb-name and interpolate into the regex Container env name (SMB_NAME) is uniform across every devstack app behind ForwardAuth. See sso-rules RULES.md section 1 Logout. Co-Authored-By: Claude Opus 4.7 (1M context) --- docker/images/files/config.js | 1 + docker/images/files/nginx-entrypoint.sh | 17 +++++++++++++++++ frontend/src/app/config.cljs | 6 ++++++ frontend/src/app/main/data/auth.cljs | 10 ++++++++-- 4 files changed, 32 insertions(+), 2 deletions(-) diff --git a/docker/images/files/config.js b/docker/images/files/config.js index a9f444caa64..bfb17d140e0 100644 --- a/docker/images/files/config.js +++ b/docker/images/files/config.js @@ -1,3 +1,4 @@ // Frontend configuration //var penpotFlags = ""; //var penpotMpassSignoutUrl = ""; +//var penpotSmbName = ""; diff --git a/docker/images/files/nginx-entrypoint.sh b/docker/images/files/nginx-entrypoint.sh index 034a001fed6..228ef0cb206 100644 --- a/docker/images/files/nginx-entrypoint.sh +++ b/docker/images/files/nginx-entrypoint.sh 
@@ -34,8 +34,25 @@ update_mpass_signout_url() { fi } +update_smb_name() { + # Required when AUTH_TYPE=SSO. Portal hostname prefix for the SPA + # logout redirect (-..). + # Same env name across every devstack app — see sso-rules RULES.md + # §1 Logout. No default — startup fails loudly if unset under SSO. + if [ -n "$SMB_NAME" ]; then + echo "$(sed \ + -e "s|^//var penpotSmbName = .*;|var penpotSmbName = \"$SMB_NAME\";|g" \ + "$1")" > "$1" + elif [ "$AUTH_TYPE" = "SSO" ]; then + echo "ERROR: SMB_NAME env is required when AUTH_TYPE=SSO." >&2 + echo " Set it to the portal hostname prefix (e.g. 'moneta')." >&2 + exit 1 + fi +} + update_flags /var/www/app/js/config.js update_mpass_signout_url /var/www/app/js/config.js +update_smb_name /var/www/app/js/config.js ######################################### ## Nginx Config diff --git a/frontend/src/app/config.cljs b/frontend/src/app/config.cljs index 8c0991358df..c29a9115038 100644 --- a/frontend/src/app/config.cljs +++ b/frontend/src/app/config.cljs @@ -158,6 +158,12 @@ ;; penpot /auth/login screen so the oauth2-proxy cookie and Cognito ;; session are also cleared. Nil on non-SSO deployments. (def mpass-signout-url (obj/get global "penpotMpassSignoutUrl")) + +;; Portal hostname prefix used by the SPA logout redirect. Required under +;; SSO — read at runtime from config.js (injected via nginx-entrypoint.sh +;; from the SMB_NAME env var). Same env name across every devstack app; +;; see sso-rules RULES.md §1 Logout. +(def smb-name (obj/get global "penpotSmbName")) (def flex-help-uri (obj/get global "penpotGridHelpURI" "https://help.penpot.app/user-guide/flexible-layouts/")) (def grid-help-uri (obj/get global "penpotGridHelpURI" "https://help.penpot.app/user-guide/flexible-layouts/")) (def plugins-list-uri (obj/get global "penpotPluginsListUri" "https://penpot.app/penpothub/plugins")) diff --git a/frontend/src/app/main/data/auth.cljs b/frontend/src/app/main/data/auth.cljs index 53d9f6ff061..033875d6d2e 100644 
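Review bot: `update_smb_name` interpolates `$SMB_NAME` unvalidated into both the sed expression (where `|` is the delimiter and `&`/`\` are special) and a JavaScript string literal that the browser executes, and because the write is `echo "$(sed …)" > "$1"`, a sed failure yields an empty substitution and truncates config.js rather than aborting. Since the value is a hostname label, rejecting anything else before the substitution closes both paths: `case "$SMB_NAME" in *[!A-Za-z0-9-]*|"") echo "ERROR: SMB_NAME must be a hostname label." >&2; exit 1;; esac`. The sibling `update_mpass_signout_url` appears to use the same write idiom, but its body is outside this hunk so I cannot confirm it. This function is dropped again in PATCH 4/4, so the point matters for the intermediate commits and for the shared idiom rather than for the final tree.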
--- a/frontend/src/app/main/data/auth.cljs +++ b/frontend/src/app/main/data/auth.cljs @@ -259,11 +259,17 @@ ptk/WatchEvent (watch [_ state _] (let [profile-id (:profile-id state) - ;; Rewrite "foss-." → "foss." so we land on the portal - ;; (outside ForwardAuth) instead of Penpot's own root, which would silently re-auth. + ;; Rewrite "-." → "." so we land on + ;; the portal (outside ForwardAuth) instead of Penpot's own root, which would + ;; silently re-auth. SMB_NAME is required under SSO — see sso-rules RULES.md. host (.-host js/location) protocol (.-protocol js/location) +<<<<<<< HEAD portal-host (.replace host #"^[^.]*\." "moneta.") +======= + smb-name (.trim ^js cf/smb-name) + portal-host (.replace host #"^[^.]*\." (str smb-name ".")) +>>>>>>> 770377bc5 (fix(logout): drive portal-host prefix from required SMB_NAME env) portal-uri (str protocol "//" portal-host) logged-out-ev (logged-out {:redirect-uri portal-uri})] (->> (rx/interval 500) From a874c54a99118e1add559a43d9c1406d09362e10 Mon Sep 17 00:00:00 2001 From: jawad-khan Date: Sat, 2 May 2026 14:08:41 +0500 Subject: [PATCH 2/4] fix: fixed conflicts --- frontend/src/app/main/data/auth.cljs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/frontend/src/app/main/data/auth.cljs b/frontend/src/app/main/data/auth.cljs index 033875d6d2e..334f4b3f237 100644 --- a/frontend/src/app/main/data/auth.cljs +++ b/frontend/src/app/main/data/auth.cljs @@ -264,12 +264,8 @@ ;; silently re-auth. SMB_NAME is required under SSO — see sso-rules RULES.md. host (.-host js/location) protocol (.-protocol js/location) -<<<<<<< HEAD - portal-host (.replace host #"^[^.]*\." "moneta.") -======= smb-name (.trim ^js cf/smb-name) portal-host (.replace host #"^[^.]*\." (str smb-name ".")) ->>>>>>> 770377bc5 (fix(logout): drive portal-host prefix from required SMB_NAME env) portal-uri (str protocol "//" portal-host) logged-out-ev (logged-out {:redirect-uri portal-uri})] (->> (rx/interval 500) 
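Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 770377bc5`) inside the `let` binding, so the tree at this commit does not compile; PATCH 2/4 removes them, and the two should be squashed so every commit in the series builds. On the new side, `smb-name (.trim ^js cf/smb-name)` throws when `penpotSmbName` was never injected: `update_smb_name` leaves the placeholder commented out whenever `SMB_NAME` is unset and `AUTH_TYPE` is not `SSO`, and the `smb-name` def added in config.cljs has no default, so `cf/smb-name` is nil and logout crashes on non-SSO deployments. A nil-safe binding plus a fallthrough keeps the old behaviour there: `smb-name (some-> cf/smb-name .trim)` and `portal-host (if (seq smb-name) (.replace host #"^[^.]*\." (str smb-name ".")) host)`. The config.cljs comment should also state that the value is nil when not injected, as the neighbouring `mpass-signout-url` comment does. The enclosing `watch` body starts and ends outside the hunk.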
From 99f36f6d12aaba87e005b89c3092325adfb6969c Mon Sep 17 00:00:00 2001 From: awais786 Date: Sat, 2 May 2026 20:36:16 +0500 Subject: [PATCH 3/4] fix(logout): derive portal prefix from hostname instead of SMB_NAME env MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Drops the cf/smb-name read on the SPA logout path. The previous approach required threading SMB_NAME through devstack docker-compose env → nginx-entrypoint.sh substitution into config.js → cljs cf alias; any broken link silently routed logout to the wrong host or crashed. Switching to a regex on js/location host removes the env dependency and works for any `-.` shape: - foss-design.local.moneta.dev → foss.local.moneta.dev - moneta-design.askii.ai → moneta.askii.ai The cf/smb-name declaration and nginx-entrypoint.sh plumbing are now dead; will be removed in a separate cleanup pass. --- frontend/src/app/main/data/auth.cljs | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/frontend/src/app/main/data/auth.cljs b/frontend/src/app/main/data/auth.cljs index 334f4b3f237..1a8fe6b843a 100644 --- a/frontend/src/app/main/data/auth.cljs +++ b/frontend/src/app/main/data/auth.cljs @@ -259,13 +259,12 @@ ptk/WatchEvent (watch [_ state _] (let [profile-id (:profile-id state) - ;; Rewrite "-." → "." so we land on + ;; Rewrite "-." → "." so we land on ;; the portal (outside ForwardAuth) instead of Penpot's own root, which would - ;; silently re-auth. SMB_NAME is required under SSO — see sso-rules RULES.md. + ;; silently re-auth. host (.-host js/location) protocol (.-protocol js/location) - smb-name (.trim ^js cf/smb-name) - portal-host (.replace host #"^[^.]*\." (str smb-name ".")) + portal-host (.replace host #"^([^-]+)-[^.]+\.(.+)" "$1.$2") portal-uri (str protocol "//" portal-host) logged-out-ev (logged-out {:redirect-uri portal-uri})] (->> (rx/interval 500) From 9cec93abffe63b3544d7b90f088a5bcac9aca269 Mon Sep 17 00:00:00 2001 
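Review bot: The `$1` group in the new `portal-host` regex, `[^-]+`, is not confined to the first hostname label, so a host whose first label has no hyphen but a later label does is rewritten wrongly — with a constructed host `design.moneta-dev.example`, `$1` captures `design.moneta` and the result is `design.moneta.example`, sending the logout redirect to a host that was never the portal. Excluding dots from the capture keeps the rewrite on the first label only: `portal-host (.replace host #"^([^.-]+)-[^.]+\.(.+)" "$1.$2")`. Note also that, unlike the previous `^[^.]*\.` form, this pattern silently leaves `host` unchanged when the first label contains no hyphen, which the comment just above says lands on Penpot's own root and re-auths; a one-line comment such as `;; No "<prefix>-" label: keep host as-is (non-SSO / local dev).` would make that fallthrough explicit. The enclosing `watch` body starts and ends outside the hunk.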
From: awais786 Date: Sat, 2 May 2026 20:48:48 +0500 Subject: [PATCH 4/4] fix(logout): drop now-unused SMB_NAME plumbing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cleanup follow-up to 99f36f6d1 — the regex-based portal-host derivation no longer reads cf/smb-name, so the runtime config plumbing is dead: - docker/images/files/config.js: remove placeholder declaration - docker/images/files/nginx-entrypoint.sh: remove envsubst block - frontend/src/app/config.cljs: remove smb-name def --- docker/images/files/config.js | 1 - docker/images/files/nginx-entrypoint.sh | 17 ----------------- frontend/src/app/config.cljs | 6 ------ 3 files changed, 24 deletions(-) diff --git a/docker/images/files/config.js b/docker/images/files/config.js index bfb17d140e0..a9f444caa64 100644 --- a/docker/images/files/config.js +++ b/docker/images/files/config.js @@ -1,4 +1,3 @@ // Frontend configuration //var penpotFlags = ""; //var penpotMpassSignoutUrl = ""; -//var penpotSmbName = ""; diff --git a/docker/images/files/nginx-entrypoint.sh b/docker/images/files/nginx-entrypoint.sh index 228ef0cb206..034a001fed6 100644 --- a/docker/images/files/nginx-entrypoint.sh +++ b/docker/images/files/nginx-entrypoint.sh 
@@ -34,25 +34,8 @@ update_mpass_signout_url() { fi } -update_smb_name() { - # Required when AUTH_TYPE=SSO. Portal hostname prefix for the SPA - # logout redirect (-..). - # Same env name across every devstack app — see sso-rules RULES.md - # §1 Logout. No default — startup fails loudly if unset under SSO. - if [ -n "$SMB_NAME" ]; then - echo "$(sed \ - -e "s|^//var penpotSmbName = .*;|var penpotSmbName = \"$SMB_NAME\";|g" \ - "$1")" > "$1" - elif [ "$AUTH_TYPE" = "SSO" ]; then - echo "ERROR: SMB_NAME env is required when AUTH_TYPE=SSO." >&2 - echo " Set it to the portal hostname prefix (e.g. 'moneta')." >&2 - exit 1 - fi -} - update_flags /var/www/app/js/config.js update_mpass_signout_url /var/www/app/js/config.js -update_smb_name /var/www/app/js/config.js ######################################### ## Nginx Config diff --git a/frontend/src/app/config.cljs b/frontend/src/app/config.cljs index c29a9115038..8c0991358df 100644 --- a/frontend/src/app/config.cljs +++ b/frontend/src/app/config.cljs @@ -158,12 +158,6 @@ ;; penpot /auth/login screen so the oauth2-proxy cookie and Cognito ;; session are also cleared. Nil on non-SSO deployments. (def mpass-signout-url (obj/get global "penpotMpassSignoutUrl")) - -;; Portal hostname prefix used by the SPA logout redirect. Required under -;; SSO — read at runtime from config.js (injected via nginx-entrypoint.sh -;; from the SMB_NAME env var). Same env name across every devstack app; -;; see sso-rules RULES.md §1 Logout. -(def smb-name (obj/get global "penpotSmbName")) (def flex-help-uri (obj/get global "penpotGridHelpURI" "https://help.penpot.app/user-guide/flexible-layouts/")) (def grid-help-uri (obj/get global "penpotGridHelpURI" "https://help.penpot.app/user-guide/flexible-layouts/")) (def plugins-list-uri (obj/get global "penpotPluginsListUri" "https://penpot.app/penpothub/plugins"))