till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-14 19:41:09 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

fix(auth): resolve hardcoded localhost in user-settings across all web apps

Browse source 
The createUserSettingsStore was receiving a static auth URL evaluated at
module load time, before window.__PUBLIC_MANA_CORE_AUTH_URL__ was
injected by hooks.server.ts. In production this caused CSP violations
as settings API calls went to localhost:3001 instead of auth.mana.how.

Changes:
- Accept string | (() => string) for authUrl in shared-theme config
- Resolve authUrl lazily at fetch time instead of module load
- Fix fallback to empty string in non-dev environments (was localhost)
- Pass getAuthUrl as getter function in all 17 web apps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Till JS 2026-03-25 12:40:30 +01:00
parent 1fe8f8902d
commit 3376b044bc
19 changed files with 92 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

6
apps/skilltree/apps/web/src/lib/stores/user-settings.svelte.ts
View file

@ -6,13 +6,13 @@ function getAuthUrl(): string {
if (browser && typeof window !== 'undefined') {
const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
.__PUBLIC_MANA_CORE_AUTH_URL__;
return injectedUrl || 'http://localhost:3001';
if (injectedUrl) return injectedUrl;
}
return 'http://localhost:3001';
return import.meta.env.DEV ? 'http://localhost:3001' : '';
}
export const userSettings = createUserSettingsStore({
appId: 'skilltree',
authUrl: getAuthUrl(),
authUrl: getAuthUrl,
getAccessToken: () => authStore.getAccessToken(),
});