fix(sign_up): fix incorrect tenant url on devise emails

[adi-herwana-nus]

• refactored keycloak admin API functions from Instance to separate class
• add Devise::Mailer subclass to override email
• override Instance.host with domain substitution logic in non-prod environments
• updated documentation

Before this, Devise was unaware of our multitenancy model, so Devise emails were sent with URLs pointing back to the default tenant. This can lead to non-default-tenant users signing up to the wrong tenant, causing unnecessary confusion.

There is likely a separate issue on FE redirection, which specifies the default tenant as a fallback redirect uri, leading to occasional unexpected redirects.
A reproducible method to trigger this fallback mechanism is still under investigation.

[Copilot]

Pull request overview

This PR fixes multi-tenant URL generation in Devise emails so links (e.g., confirmation/reset password) point to the current tenant instead of the default instance, and refactors Keycloak admin update logic into a dedicated service with updated rake task, specs, and documentation.

Changes:

• Add a custom DeviseMailer and pass tenant host through Devise async notifications to generate tenant-correct URLs in Devise emails.
• Refactor Keycloak redirect URI / base URL updates from Instance model logic into KeycloakAdminService, and update the keycloak:push_redirect_uris rake task accordingly.
• Update and add specs + documentation reflecting the new behavior.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
spec/services/keycloak_admin_service_spec.rb	New spec coverage for Keycloak admin update service behavior.
spec/models/user_spec.rb	Adds regression test ensuring reset-password email includes current tenant host.
spec/models/instance_spec.rb	Removes old Keycloak push specs from Instance model tests (logic moved to service).
spec/mailers/devise_mailer_spec.rb	Adds mailer spec coverage for tenant host override vs fallback behavior.
README.md	Updates local HTTPS / lvh.me guidance for multitenant + Keycloak.
lib/tasks/keycloak/push_redirect_uris.rake	Updates rake task to use KeycloakAdminService and config-based host override.
lib/extensions/devise_async_email/devise/models/authenticatable.rb	Passes tenant host into Devise notifications sent asynchronously.
config/initializers/devise.rb	Configures Devise to use the new DeviseMailer.
authentication/README.md	Updates Keycloak credential setup documentation.
app/services/keycloak_admin_service.rb	Introduces service for pushing Keycloak redirect URIs and base URL.
app/models/instance.rb	Uses KeycloakAdminService after commit; updates host substitution logic.
app/mailers/devise_mailer.rb	New mailer subclass to apply tenant-specific host for Devise-generated URLs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.