fix(auth): resolve hardcoded localhost in user-settings across all web apps

The createUserSettingsStore was receiving a static auth URL evaluated at
module load time, before window.__PUBLIC_MANA_CORE_AUTH_URL__ was
injected by hooks.server.ts. In production this caused CSP violations
as settings API calls went to localhost:3001 instead of auth.mana.how.

Changes:
- Accept string | (() => string) for authUrl in shared-theme config
- Resolve authUrl lazily at fetch time instead of module load
- Fix fallback to empty string in non-dev environments (was localhost)
- Pass getAuthUrl as getter function in all 17 web apps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Till JS 2026-03-25 12:40:30 +01:00
parent 1fe8f8902d
commit 3376b044bc
19 changed files with 92 additions and 50 deletions


@ -431,8 +431,8 @@ export interface UserSettingsStore {
export interface UserSettingsStoreConfig {
/** App identifier (e.g., 'calendar', 'chat') */
appId: string;
/** Auth service base URL */
authUrl: string;
/** Auth service base URL (string or getter function for lazy resolution) */
authUrl: string | (() => string);
/** Function to get current access token */
getAccessToken: () => Promise<string | null>;
/** Optional device name (auto-detected if not provided) */
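Review bot: The new doc comment on `authUrl` in UserSettingsStoreConfig does not state what the getter may return or when it is called, and that contract now matters. Per the commit message the non-dev fallback is an empty string, and the store builds its request as `${resolveAuthUrl()}/api/v1/settings${path}`, so an empty result yields a same-origin relative request to the web app rather than to the auth service. If that request carries the token from `getAccessToken` (the headers are cut off in the visible page), the token would go to whichever origin serves the app. I would document this as `/** Auth service base URL, or a getter called on every request; must resolve to an absolute origin. An empty string makes the settings call same-origin relative. */`. It is also worth considering having createUserSettingsStore skip the request when the resolved value is empty.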


@ -103,7 +103,9 @@ function detectDeviceName(): string {
* ```
*/
export function createUserSettingsStore(config: UserSettingsStoreConfig): UserSettingsStore {
const { appId, authUrl, getAccessToken, deviceName, deviceType } = config;
const { appId, authUrl: authUrlConfig, getAccessToken, deviceName, deviceType } = config;
const resolveAuthUrl = () =>
typeof authUrlConfig === 'function' ? authUrlConfig() : authUrlConfig;
const storageKey = `${STORAGE_KEY_PREFIX}-${appId}`;
// Device info (initialized once)
@ -202,7 +204,7 @@ export function createUserSettingsStore(config: UserSettingsStoreConfig): UserSe
}
try {
const response = await fetch(`${authUrl}/api/v1/settings${path}`, {
const response = await fetch(`${resolveAuthUrl()}/api/v1/settings${path}`, {
method,
headers: {
'Content-Type': 'application/json',