Centralizes resolution of the public app origin in `getAppOrigin()` and
defensively strips a trailing `/auth/callback` (and trailing slashes) from
NEXT_PUBLIC_APP_URL / APP_URL.
A misconfigured env var on Render had the path `/auth/callback` baked in,
so `${appUrl}/auth/callback` in send-magic-link produced an
`emailRedirectTo` of `https://www.diamondos.app/auth/callback/auth/callback`.
Supabase passed that through as `redirect_to`, the verify endpoint 302'd
the user there with the session tokens in the hash, and the doubled path
404'd in Next.js. Users blamed the magic link; the bug was config feeding
into a string concat.
The new helper makes the bug unreachable: any reasonable env-var shape
(`https://host`, `https://host/`, `https://host/auth/callback`,
`https://host/auth/callback/`) collapses to the bare origin before the
callsite appends `/auth/callback` again.
Applied at all four auth callsites that touch the env var:
- send-magic-link (was the doubling bug)
- player-signup (same shape, would have hit the same bug)
- callback (used as redirect base)
- set-session (used as expected-origin for CSRF check)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
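An added example, not the PR's own helper: a `getAppOrigin()` written to the behaviour the description above gives (strip a trailing `/auth/callback` and trailing slashes from `NEXT_PUBLIC_APP_URL` / `APP_URL`), with the callback-URL construction and the expected-origin comparison the callsites are said to use. Everything except the env var names and `getAppOrigin` is assumed: the `normalizeAppOrigin`, `callbackUrl` and `isExpectedOrigin` names, the `Env` type, and the rejection of non-http(s) schemes, queries and fragments.

```typescript
// Added example (not the PR's helper): normalize the env var the way the PR
// describes, so the callsite can append /auth/callback exactly once.
const CALLBACK_PATH = "/auth/callback";

type Env = Record<string, string | undefined>;

export function normalizeAppOrigin(raw: string | undefined): string {
  const value = (raw ?? "").trim();
  if (value === "") {
    throw new Error("NEXT_PUBLIC_APP_URL / APP_URL is not set");
  }
  let url: URL;
  try {
    url = new URL(value);
  } catch {
    throw new Error(`app URL is not absolute: ${value}`);
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`app URL must be http(s): ${value}`);
  }
  // A query or fragment on the base URL is never intentional; refuse it
  // rather than silently concatenating a path after it.
  if (url.search !== "" || url.hash !== "") {
    throw new Error(`app URL must not carry a query or fragment: ${value}`);
  }
  // Collapse "/", "/auth/callback" and "/auth/callback/" to an empty path.
  // Any other base path (e.g. a subpath deployment) is kept on purpose.
  let path = url.pathname.replace(/\/+$/, "");
  if (path.endsWith(CALLBACK_PATH)) {
    path = path.slice(0, -CALLBACK_PATH.length).replace(/\/+$/, "");
  }
  return `${url.origin}${path}`;
}

// Lookup order as the PR names it: NEXT_PUBLIC_APP_URL, then APP_URL.
export function getAppOrigin(env: Env): string {
  return normalizeAppOrigin(env.NEXT_PUBLIC_APP_URL ?? env.APP_URL);
}

// What send-magic-link / player-signup compute for emailRedirectTo.
export function callbackUrl(env: Env): string {
  return `${getAppOrigin(env)}${CALLBACK_PATH}`;
}

// Expected-origin comparison of the kind the set-session callsite is described
// as doing: the request's Origin header must equal the configured origin.
export function isExpectedOrigin(requestOrigin: string | null, env: Env): boolean {
  return requestOrigin !== null && requestOrigin === new URL(getAppOrigin(env)).origin;
}
```

Because only the known `/auth/callback` suffix is stripped, a deliberate base path survives, while a stray query string or fragment on the env var fails fast at startup instead of producing a broken redirect.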
Summary
- `getAppOrigin()` helper that defensively strips any trailing `/auth/callback` (and trailing slashes) from `NEXT_PUBLIC_APP_URL` / `APP_URL`.
- `/auth/callback` path. `${appUrl}/auth/callback` in send-magic-link produced an `emailRedirectTo` of `https://www.diamondos.app/auth/callback/auth/callback`. After Supabase's verify endpoint 302'd the user to that URL with the session tokens in the hash, Next.js 404'd because no route matches the doubled path.
- `send-magic-link`, `player-signup`, `auth/callback`, `set-session`.
Why this matters
The previous PR (#174) added diagnostic logging to investigate a session-cookie bounce — and the diagnostics surfaced this earlier-stage 404 first. The 404 means the auth callback never even runs, so all the cookie-boundary instrumentation downstream is irrelevant until this is fixed. After this lands, redeploy and the magic-link flow should reach `/auth/callback` cleanly; the diagnostic logs from #174 will then tell us whether there's still a session-cookie problem to solve, or whether this fix resolves the user-facing bug entirely.
Test plan
- `https://www.diamondos.app/login`
- `https://www.diamondos.app/auth/callback?token_hash=…` (single `/auth/callback`)
- `/dashboard`, no 404
- `[auth/callback] setAll`, `[auth/callback] returning redirect`, and `[middleware] /dashboard … user: <uuid> error: null`
- `NEXT_PUBLIC_APP_URL=https://www.diamondos.app` on Render and confirm Supabase Site URL = `https://www.diamondos.app` (so other parts of the system that don't go through `getAppOrigin` are also correct)
Follow-up
Once the bounce is fully resolved end-to-end, open a small revert PR to remove the `// TEMP DIAG` log statements added in #174.
🤖 Generated with Claude Code