fix(auth): resolve hardcoded localhost in user-settings across all web apps

The createUserSettingsStore was receiving a static auth URL evaluated at module load time, before window.__PUBLIC_MANA_CORE_AUTH_URL__ was injected by hooks.server.ts. In production this caused CSP violations as settings API calls went to localhost:3001 instead of auth.mana.how. Changes: - Accept string | (() => string) for authUrl in shared-theme config - Resolve authUrl lazily at fetch time instead of module load - Fix fallback to empty string in non-dev environments (was localhost) - Pass getAuthUrl as getter function in all 17 web apps Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-23 21:36:41 +02:00 · 2026-03-25 12:40:30 +01:00 · 2026-03-25 12:40:30 +01:00 · 3376b044bc
commit 3376b044bc
parent 1fe8f8902d
19 changed files with 92 additions and 50 deletions
--- a/apps/calendar/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/calendar/apps/web/src/lib/stores/user-settings.svelte.ts
@ -16,13 +16,13 @@ function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		if (injectedUrl) return injectedUrl;
 	}
-	return 'http://localhost:3001';
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'calendar',
-	authUrl: getAuthUrl(),
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/apps/chat/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/chat/apps/web/src/lib/stores/user-settings.svelte.ts
@ -7,13 +7,21 @@
 * - localStorage caching for offline support
 */
 import { browser } from '$app/environment';
 import { createUserSettingsStore } from '@manacore/shared-theme';
 import { authStore } from './auth.svelte';
-const MANA_AUTH_URL = 'http://localhost:3001';
+function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
 		if (injectedUrl) return injectedUrl;
 	}
 	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'chat',
-	authUrl: MANA_AUTH_URL,
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/apps/clock/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/clock/apps/web/src/lib/stores/user-settings.svelte.ts
@ -16,13 +16,13 @@ function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		if (injectedUrl) return injectedUrl;
 	}
-	return 'http://localhost:3001';
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'clock',
-	authUrl: getAuthUrl(),
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/apps/contacts/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/contacts/apps/web/src/lib/stores/user-settings.svelte.ts
@ -16,13 +16,13 @@ function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		if (injectedUrl) return injectedUrl;
 	}
-	return 'http://localhost:3001';
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'contacts',
-	authUrl: getAuthUrl(),
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/apps/context/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/context/apps/web/src/lib/stores/user-settings.svelte.ts
@ -6,13 +6,13 @@ function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		if (injectedUrl) return injectedUrl;
 	}
-	return 'http://localhost:3001';
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'context',
-	authUrl: getAuthUrl(),
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/apps/manacore/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/manacore/apps/web/src/lib/stores/user-settings.svelte.ts
@ -16,13 +16,13 @@ function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		if (injectedUrl) return injectedUrl;
 	}
-	return 'http://localhost:3001';
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'manacore',
-	authUrl: getAuthUrl(),
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/apps/manadeck/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/manadeck/apps/web/src/lib/stores/user-settings.svelte.ts
@ -7,13 +7,21 @@
 * - localStorage caching for offline support
 */
 import { browser } from '$app/environment';
 import { createUserSettingsStore } from '@manacore/shared-theme';
 import { authStore } from './auth.svelte';
-const MANA_AUTH_URL = 'http://localhost:3001';
+function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
 		if (injectedUrl) return injectedUrl;
 	}
 	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'manadeck',
-	authUrl: MANA_AUTH_URL,
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/apps/mukke/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/mukke/apps/web/src/lib/stores/user-settings.svelte.ts
@ -6,13 +6,13 @@ function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		if (injectedUrl) return injectedUrl;
 	}
-	return 'http://localhost:3001';
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'mukke',
-	authUrl: getAuthUrl(),
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getValidToken(),
 });
--- a/apps/photos/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/photos/apps/web/src/lib/stores/user-settings.svelte.ts
@ -6,13 +6,13 @@ function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		if (injectedUrl) return injectedUrl;
 	}
-	return 'http://localhost:3001';
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'photos',
-	authUrl: getAuthUrl(),
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/apps/picture/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/picture/apps/web/src/lib/stores/user-settings.svelte.ts
@ -7,13 +7,21 @@
 * - localStorage caching for offline support
 */
 import { browser } from '$app/environment';
 import { createUserSettingsStore } from '@manacore/shared-theme';
 import { authStore } from './auth.svelte';
-const MANA_AUTH_URL = 'http://localhost:3001';
+function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
 		if (injectedUrl) return injectedUrl;
 	}
 	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'picture',
-	authUrl: MANA_AUTH_URL,
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/apps/planta/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/planta/apps/web/src/lib/stores/user-settings.svelte.ts
@ -6,13 +6,13 @@ function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		if (injectedUrl) return injectedUrl;
 	}
-	return 'http://localhost:3001';
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'planta',
-	authUrl: getAuthUrl(),
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getValidToken(),
 });
--- a/apps/presi/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/presi/apps/web/src/lib/stores/user-settings.svelte.ts
@ -7,13 +7,21 @@
 * - localStorage caching for offline support
 */
 import { browser } from '$app/environment';
 import { createUserSettingsStore } from '@manacore/shared-theme';
 import { auth } from './auth.svelte';
-const MANA_AUTH_URL = 'http://localhost:3001';
+function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
 		if (injectedUrl) return injectedUrl;
 	}
 	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'presi',
-	authUrl: MANA_AUTH_URL,
+	authUrl: getAuthUrl,
 	getAccessToken: () => auth.getAccessToken(),
 });
--- a/apps/questions/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/questions/apps/web/src/lib/stores/user-settings.svelte.ts
@ -6,13 +6,13 @@ function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		if (injectedUrl) return injectedUrl;
 	}
-	return 'http://localhost:3001';
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'questions',
-	authUrl: getAuthUrl(),
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getValidToken(),
 });
--- a/apps/skilltree/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/skilltree/apps/web/src/lib/stores/user-settings.svelte.ts
@ -6,13 +6,13 @@ function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		if (injectedUrl) return injectedUrl;
 	}
-	return 'http://localhost:3001';
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'skilltree',
-	authUrl: getAuthUrl(),
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/apps/storage/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/storage/apps/web/src/lib/stores/user-settings.svelte.ts
@ -7,13 +7,21 @@
 * - localStorage caching for offline support
 */
 import { browser } from '$app/environment';
 import { createUserSettingsStore } from '@manacore/shared-theme';
 import { authStore } from './auth.svelte';
-const MANA_AUTH_URL = 'http://localhost:3001';
+function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
 		if (injectedUrl) return injectedUrl;
 	}
 	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'storage',
-	authUrl: MANA_AUTH_URL,
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/apps/todo/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/todo/apps/web/src/lib/stores/user-settings.svelte.ts
@ -7,13 +7,13 @@ function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		if (injectedUrl) return injectedUrl;
 	}
-	return 'http://localhost:3001';
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'todo',
-	authUrl: getAuthUrl(),
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/apps/zitare/apps/web/src/lib/stores/user-settings.svelte.ts
+++ b/apps/zitare/apps/web/src/lib/stores/user-settings.svelte.ts
@ -6,13 +6,13 @@ function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		if (injectedUrl) return injectedUrl;
 	}
-	return 'http://localhost:3001';
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
 }
 export const userSettings = createUserSettingsStore({
 	appId: 'zitare',
-	authUrl: getAuthUrl(),
+	authUrl: getAuthUrl,
 	getAccessToken: () => authStore.getAccessToken(),
 });
--- a/packages/shared-theme/src/types.ts
+++ b/packages/shared-theme/src/types.ts
@ -431,8 +431,8 @@ export interface UserSettingsStore {
 export interface UserSettingsStoreConfig {
 	/** App identifier (e.g., 'calendar', 'chat') */
 	appId: string;
-	/** Auth service base URL */
+	/** Auth service base URL (string or getter function for lazy resolution) */
-	authUrl: string;
+	authUrl: string | (() => string);
 	/** Function to get current access token */
 	getAccessToken: () => Promise<string | null>;
 	/** Optional device name (auto-detected if not provided) */
--- a/packages/shared-theme/src/user-settings-store.svelte.ts
+++ b/packages/shared-theme/src/user-settings-store.svelte.ts
@ -103,7 +103,9 @@ function detectDeviceName(): string {
 * ```
 */
 export function createUserSettingsStore(config: UserSettingsStoreConfig): UserSettingsStore {
-	const { appId, authUrl, getAccessToken, deviceName, deviceType } = config;
+	const { appId, authUrl: authUrlConfig, getAccessToken, deviceName, deviceType } = config;
 	const resolveAuthUrl = () =>
 		typeof authUrlConfig === 'function' ? authUrlConfig() : authUrlConfig;
 	const storageKey = `${STORAGE_KEY_PREFIX}-${appId}`;
 	// Device info (initialized once)
@ -202,7 +204,7 @@ export function createUserSettingsStore(config: UserSettingsStoreConfig): UserSe
 		}
 		try {
-			const response = await fetch(`${authUrl}/api/v1/settings${path}`, {
+			const response = await fetch(`${resolveAuthUrl()}/api/v1/settings${path}`, {
 				method,
 				headers: {
 					'Content-Type': 'application/json',