fix(web): allow /.well-known/ paths through proxy for workflow engine on self-hosted Docker#1833
Open
oaris-dev wants to merge 1 commit into
The proxy.ts allow-list and matcher both block /.well-known/* paths,
which causes the @workflow/world-local queue's self-dispatch HTTP
POSTs to /.well-known/workflow/v1/{flow,step} to be 307-redirected
to /login. This silently breaks the workflow engine on self-hosted
Docker deployments, preventing video processing (transcoding,
transcription, AI generation).
Adding /.well-known/ to both the path allow-list and the matcher
exclusion lets the workflow route handlers receive requests directly.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Problem
On self-hosted Docker deployments (where NEXT_PUBLIC_IS_CAP is not set), proxy.ts redirects all unrecognized paths to /login. This silently breaks the workflow engine.
The @workflow/world-local queue dispatches steps by HTTP-POSTing to itself at /.well-known/workflow/v1/{flow,step}. Those POSTs hit the proxy's catch-all redirect to /login, get back HTML, and the queue cannot proceed.
Visible symptom: video uploads complete and persist to S3, but no transcoding, transcription, or AI summary runs. The workflow run sits in status: "running" indefinitely.
Fix
Add /.well-known/ to two allow-lists in apps/web/proxy.ts:
- if (buildEnv.NEXT_PUBLIC_IS_CAP !== "true")
- config.matcher exclusion pattern
Both are needed: the first prevents the redirect; the second prevents the proxy from running at all for these paths (matching how /api is already excluded).
3 lines changed, no logic changes — purely an allow-list extension.
Relationship to #1832
I opened this after end-to-end validating #1832 against current upstream main on a clean self-hosted deployment. Both fixes are required for self-hosted transcription to work:
With #1832 alone, transcription still hangs because the workflow can't run. With this alone, the workflow runs but hits the race. Together: self-hosted transcription works end-to-end.
Happy to fold this into #1832 as one PR if you prefer — they're independent code paths but functionally one user-visible fix. Let me know.
Validation
upstream/main, recorded a browser video, confirmed result.mp4 produced + transcription persisted to transcription.vtt + share page renders the transcript.
Risk
Very low. The change only adds two allow-list entries. Behavior change is limited to:
/.well-known/* paths now reach their route handlers instead of being redirected to /login. This is the intended behavior for hosted Cap as well (the redirect for these paths is incidental, not protective).
Greptile Summary
This PR fixes self-hosted Docker deployments where the /.well-known/ paths required by the @workflow/world-local queue were being silently redirected to /login, preventing any transcoding, transcription, or AI-summary jobs from running after a video upload.
- path.startsWith("/.well-known/") to the self-hosted allow-list so the catch-all /login redirect is skipped for those paths.
- \.well-known to the config.matcher exclusion so the middleware doesn't execute at all for those paths, consistent with how /api is already handled.
Confidence Score: 5/5
Safe to merge — the change is a minimal allow-list extension with no logic alterations and is directly analogous to the existing /api exclusion.
Both changes are additive and narrowly scoped: a path-prefix allow-list entry and a corresponding matcher exclusion. The two-pronged approach mirrors how /api is already treated, the dot in the regex is correctly escaped (\\.well-known → \.well-known), and the trailing-slash guard on the allow-list (/.well-known/) prevents accidental prefix collisions. Route handlers at these paths retain responsibility for their own authentication, which is the standard pattern in this codebase. No existing behaviour is removed or altered.
No files require special attention.
Important Files Changed
/.well-known/ to the self-hosted path allow-list and the middleware matcher exclusion, mirroring the existing /api treatment to let workflow-engine internal POSTs reach their route handlers.
Reviews (1): Last reviewed commit: "fix(web): allow /.well-known/ paths thro..."
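A regression check for the two exemptions discussed in this PR, written here as an added example and not taken from the PR or the Cap repository. The matcher pattern and every allow-list entry other than /.well-known/ are assumptions; the script classifies constructed paths and lists those the matcher exempts although the trailing-slash allow-list would not.

```typescript
// Added example, not the project's proxy.ts. Only the "/.well-known/" prefix
// and the \.well-known matcher exclusion come from the PR text; every other
// entry below is an assumption made for illustration.
const ALLOWED_PREFIXES: string[] = ["/login", "/api", "/.well-known/"];

// Hypothetical Next.js-style matcher: the proxy runs only on matching paths.
const MATCHER = new RegExp(
  "^/((?!api|_next/static|_next/image|favicon\\.ico|\\.well-known).*)$"
);

type Verdict = "proxy-skipped" | "allowed" | "redirect-to-login";

// Assumes the proxy sees the URL-normalised pathname (dot segments resolved).
function normalise(rawPath: string): string {
  return new URL(rawPath, "http://localhost").pathname;
}

const skipsProxy = (path: string): boolean => !MATCHER.test(path);
const inAllowList = (path: string): boolean =>
  ALLOWED_PREFIXES.some((prefix) => path.startsWith(prefix));

function classify(rawPath: string): Verdict {
  const path = normalise(rawPath);
  if (skipsProxy(path)) return "proxy-skipped";
  return inAllowList(path) ? "allowed" : "redirect-to-login";
}

// Paths the matcher exempts although the prefix allow-list would not.
function matcherOnlyExemptions(rawPaths: string[]): string[] {
  return rawPaths.filter((raw) => {
    const path = normalise(raw);
    return skipsProxy(path) && !inAllowList(path);
  });
}

// Constructed sample paths: the two workflow endpoints plus near-misses.
const SAMPLE_PATHS: string[] = [
  "/.well-known/workflow/v1/flow",
  "/.well-known/workflow/v1/step",
  "/.well-knownx/admin",
  "/.well-known/../dashboard",
  "/x/.well-known/y",
  "/dashboard",
];

for (const p of SAMPLE_PATHS) console.log(p.padEnd(32), classify(p));
console.log("matcher-only:", matcherOnlyExemptions(SAMPLE_PATHS));
```

Under the assumed pattern, /.well-knownx/admin skips the proxy because the lookahead alternative has no trailing slash, so such a path is protected only by whatever authentication its route handler performs.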