diff --git a/internal/start/start.go b/internal/start/start.go
index 22b8fa694..2fadf7e0a 100644
--- a/internal/start/start.go
+++ b/internal/start/start.go
@@ -482,7 +482,7 @@ EOF
 "GOTRUE_JWT_DEFAULT_GROUP_NAME=authenticated",
 fmt.Sprintf("GOTRUE_JWT_EXP=%v", utils.Config.Auth.JwtExpiry),
 "GOTRUE_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
- "GOTRUE_JWT_ISSUER=" + utils.GetApiUrl("/auth/v1"),
+ "GOTRUE_JWT_ISSUER=" + utils.Config.Auth.JwtIssuer,
 fmt.Sprintf("GOTRUE_EXTERNAL_EMAIL_ENABLED=%v", utils.Config.Auth.Email.EnableSignup),
 fmt.Sprintf("GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED=%v", utils.Config.Auth.Email.DoubleConfirmChanges),
@@ -494,10 +494,10 @@ EOF
 fmt.Sprintf("GOTRUE_SMTP_MAX_FREQUENCY=%v", utils.Config.Auth.Email.MaxFrequency),
- "GOTRUE_MAILER_URLPATHS_INVITE=" + utils.GetApiUrl("/auth/v1/verify"),
- "GOTRUE_MAILER_URLPATHS_CONFIRMATION=" + utils.GetApiUrl("/auth/v1/verify"),
- "GOTRUE_MAILER_URLPATHS_RECOVERY=" + utils.GetApiUrl("/auth/v1/verify"),
- "GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE=" + utils.GetApiUrl("/auth/v1/verify"),
+ fmt.Sprintf("GOTRUE_MAILER_URLPATHS_INVITE=%s/verify", utils.Config.Auth.JwtIssuer),
+ fmt.Sprintf("GOTRUE_MAILER_URLPATHS_CONFIRMATION=%s/verify", utils.Config.Auth.JwtIssuer),
+ fmt.Sprintf("GOTRUE_MAILER_URLPATHS_RECOVERY=%s/verify", utils.Config.Auth.JwtIssuer),
+ fmt.Sprintf("GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE=%s/verify", utils.Config.Auth.JwtIssuer),
 "GOTRUE_RATE_LIMIT_EMAIL_SENT=360000",
 fmt.Sprintf("GOTRUE_EXTERNAL_PHONE_ENABLED=%v", utils.Config.Auth.Sms.EnableSignup),
@@ -699,7 +699,7 @@ EOF
 redirectUri := config.RedirectUri
 if redirectUri == "" {
- redirectUri = utils.GetApiUrl("/auth/v1/callback")
+ redirectUri = utils.Config.Auth.JwtIssuer + "/callback"
 }
 env = append(env, fmt.Sprintf("GOTRUE_EXTERNAL_%s_REDIRECT_URI=%s", strings.ToUpper(name), redirectUri))
diff --git a/pkg/config/auth.go b/pkg/config/auth.go
index 82fc0eef7..44edb4f50 100644
--- a/pkg/config/auth.go
+++ b/pkg/config/auth.go
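Review bot: With `"GOTRUE_JWT_ISSUER=" + utils.Config.Auth.JwtIssuer` the same config value also becomes the base for the mailer URL paths (hunk at 494) and for the default OAuth redirect URI (hunk at 699), so the `iss` claim and the externally reachable auth endpoint can no longer be set independently. An operator who sets `auth.jwt_issuer` to the identifier a downstream verifier expects, rather than a routable URL, would get `GOTRUE_MAILER_URLPATHS_*` and the default `GOTRUE_EXTERNAL_*_REDIRECT_URI` pointing at an unreachable host, and that only surfaces when an email link or OAuth callback fails. If the coupling is intended, a comment on this line such as `// JwtIssuer doubles as the public base URL of the auth service; the mailer and redirect URIs below are derived from it` and the same caveat in the config template would spare the next reader the guess. The enclosing env slice literal starts and ends outside the hunk.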
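Review bot: `fmt.Sprintf("GOTRUE_MAILER_URLPATHS_INVITE=%s/verify", utils.Config.Auth.JwtIssuer)` and the three lines after it, like `utils.Config.Auth.JwtIssuer + "/callback"` in the hunk at 699, glue a path onto the raw config value, so a constructed example such as `jwt_issuer = "https://auth.example.test/"` yields `https://auth.example.test//verify`. The replaced `utils.GetApiUrl` calls presumably took care of joining; plain concatenation does not. The cleanest fix is to normalize once where the default is applied in `config.Load` (trim the trailing `/`), so every consumer sees the same string; failing that, each use could read `strings.TrimSuffix(utils.Config.Auth.JwtIssuer, "/") + "/verify"`. The env slice literal continues outside the hunk.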
@@ -152,6 +152,7 @@ type (
 SiteUrl string `toml:"site_url"`
 AdditionalRedirectUrls []string `toml:"additional_redirect_urls"`
 JwtExpiry uint `toml:"jwt_expiry"`
+ JwtIssuer string `toml:"jwt_issuer"`
 EnableRefreshTokenRotation bool `toml:"enable_refresh_token_rotation"`
 RefreshTokenReuseInterval uint `toml:"refresh_token_reuse_interval"`
 EnableManualLinking bool `toml:"enable_manual_linking"`
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 531bc3dea..e3ca3fc29 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -583,6 +583,10 @@ func (c *config) Load(path string, fsys fs.FS, overrides ...ConfigEditor) error
 }
 c.Api.ExternalUrl = apiUrl.String()
 }
+ // Set default JWT issuer if not configured
+ if len(c.Auth.JwtIssuer) == 0 {
+ c.Auth.JwtIssuer = c.Api.ExternalUrl + "/auth/v1"
+ }
 // Update image versions
 switch c.Db.MajorVersion {
 case 13:
diff --git a/pkg/config/templates/config.toml b/pkg/config/templates/config.toml
index ebdb83103..47d44d3c7 100644
--- a/pkg/config/templates/config.toml
+++ b/pkg/config/templates/config.toml
@@ -125,6 +125,8 @@ site_url = "http://127.0.0.1:3000"
 additional_redirect_urls = ["https://127.0.0.1:3000"]
 # How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 (1 week).
 jwt_expiry = 3600
+# JWT issuer URL. If not set, defaults to the local API URL (http://127.0.0.1:/auth/v1).
+# jwt_issuer = ""
 # Path to JWT signing key. DO NOT commit your signing keys file to git.
 # signing_keys_path = "./signing_keys.json"
 # If disabled, the refresh token will never expire.
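Review bot: The new `if len(c.Auth.JwtIssuer) == 0` branch only fills in the default; a configured value is accepted verbatim, although this same diff appends `/verify` and `/callback` to it in `internal/start/start.go` and hands it to GoTrue both as the `iss` claim and as mailer and redirect URLs. A relative path, a trailing slash or a missing scheme therefore fails much later, in an email link or an OAuth callback, instead of at config load where the operator can see it. Since the preceding context already parses the API URL into `apiUrl`, the issuer can be validated the same way and normalized once so every consumer sees the same string; the error constructor below should follow whatever `Load` uses elsewhere, and `strings` may need importing. `Load` begins and ends outside the hunk.
```go
	// Set default JWT issuer if not configured
	if len(c.Auth.JwtIssuer) == 0 {
		c.Auth.JwtIssuer = c.Api.ExternalUrl + "/auth/v1"
	} else if u, err := url.Parse(c.Auth.JwtIssuer); err != nil || !u.IsAbs() || u.Host == "" {
		return fmt.Errorf("invalid auth.jwt_issuer %q: must be an absolute URL", c.Auth.JwtIssuer)
	}
	// Consumers append "/verify" and "/callback"; drop a trailing slash so they never emit "//".
	c.Auth.JwtIssuer = strings.TrimSuffix(c.Auth.JwtIssuer, "/")
	// … unchanged: image version switch …
```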