From 7fb43b9ee1f0f0c91f110cafb3bb00dd0c4b5135 Mon Sep 17 00:00:00 2001
From: TerrifiedBug
Date: Mon, 27 Apr 2026 13:09:11 +0100
Subject: [PATCH 1/2] fix(auth): add AUTH_TRUST_HOST to production compose for demo.vectorflow.sh

Single-instance docker-compose.yml was missing AUTH_TRUST_HOST=true, which caused NextAuth UntrustedHost errors on demo.vectorflow.sh. Dev and HA composes already had it.

Also clarifies NEXTAUTH_URL guidance in .env.example with an explicit demo example.
---
 docker/server/.env.example | 10 +++++++---
 docker/server/docker-compose.yml | 1 +
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/docker/server/.env.example b/docker/server/.env.example
index 9e98ef1a..8777b34c 100644
--- a/docker/server/.env.example
+++ b/docker/server/.env.example
@@ -20,9 +20,13 @@ NEXTAUTH_SECRET=change-me-to-a-random-32-char-string
 
 # ── Optional ──────────────────────────────────────────────────
 
-# Set to your canonical URL in production (e.g., https://vectorflow.example.com)
-# When unset, AUTH_TRUST_HOST=true infers the URL from the Host header.
-#NEXTAUTH_URL=http://localhost:3000
+# Canonical public URL of this deployment (e.g., https://vectorflow.example.com).
+# Required for OAuth/OIDC callback URLs and "reset password" email links to resolve
+# correctly. AUTH_TRUST_HOST=true (set in docker-compose.yml) allows the server to
+# infer the URL from the X-Forwarded-Host header when this is unset, but setting it
+# explicitly is strongly recommended for any public deployment.
+# Example for the hosted demo: NEXTAUTH_URL=https://demo.vectorflow.sh
+#NEXTAUTH_URL=https://vectorflow.example.com
 
 # Server port (default: 3000)
 #PORT=3000
diff --git a/docker/server/docker-compose.yml b/docker/server/docker-compose.yml
index e8dbe5af..fb1a1404 100644
--- a/docker/server/docker-compose.yml
+++ b/docker/server/docker-compose.yml
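Review bot: The rewritten NEXTAUTH_URL comment says an explicit value is "strongly recommended" but never says what goes wrong without one: per the comment's own description, with AUTH_TRUST_HOST=true and NEXTAUTH_URL unset the origin written into "reset password" e-mail links and OAuth callback URLs is taken from a request header, so a client that can reach the app with a forged Host/X-Forwarded-Host header (directly, or through a proxy that forwards rather than overwrites it) can point those links at a host it controls. I would make the risk explicit in the block, e.g. `# Leaving this unset lets a forged Host/X-Forwarded-Host header choose the origin embedded in reset-password links and OAuth callbacks (host-header poisoning) — always set it for a public deployment.` Which header is actually consulted (X-Forwarded-Host vs Host) depends on the NextAuth/Auth.js version installed and is not visible here, so I would verify that claim against the installed version rather than naming only X-Forwarded-Host. Note that the shipped default stays commented out (`#NEXTAUTH_URL=...`), so a copied .env runs in the header-derived mode unless the operator edits it.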
@@ -29,6 +29,7 @@ services:
       DATABASE_URL: postgresql://vectorflow:${POSTGRES_PASSWORD}@postgres:5432/vectorflow
       NEXTAUTH_SECRET: ${NEXTAUTH_SECRET}
       NEXTAUTH_URL: ${NEXTAUTH_URL}
+      AUTH_TRUST_HOST: "true"
     volumes:
       - vfdata:/app/.vectorflow
       - backups:/backups

From c8c5faa3fb65bbed8d8ca678acd9cb79b36537bf Mon Sep 17 00:00:00 2001
From: TerrifiedBug
Date: Mon, 27 Apr 2026 13:13:36 +0100
Subject: [PATCH 2/2] feat(demo): add docker/demo compose with NEXTAUTH_URL=https://demo.vectorflow.sh

Adds a dedicated docker/demo/docker-compose.yml for the hosted demo deployment at demo.vectorflow.sh. AUTH_TRUST_HOST is already true from PR #184; this compose pins NEXTAUTH_URL so auth callback URLs resolve to the correct origin and adds VF_DEMO_MODE=true so demo guards are active.

Also adds docker/demo/.env.example for required secrets and clarifies the comment in docker/server/.env.example to point to the new compose.
---
 docker/demo/.env.example | 9 ++++++
 docker/demo/docker-compose.yml | 54 ++++++++++++++++++++++++++++++++++
 docker/server/.env.example | 3 +-
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 docker/demo/.env.example
 create mode 100644 docker/demo/docker-compose.yml

diff --git a/docker/demo/.env.example b/docker/demo/.env.example
new file mode 100644
index 00000000..09ac7bc6
--- /dev/null
+++ b/docker/demo/.env.example
@@ -0,0 +1,9 @@
+# Database password for PostgreSQL. Use a random 32+ character string.
+POSTGRES_PASSWORD=change-me-to-a-random-32-char-string
+
+# Secret used to sign NextAuth sessions and to derive the initial encryption key.
+# Use a random 32+ character string. Generate with: openssl rand -base64 32
+NEXTAUTH_SECRET=change-me-to-a-random-32-char-string
+
+# VF_VERSION pins the server image tag (default: latest).
+#VF_VERSION=1.2.3
diff --git a/docker/demo/docker-compose.yml b/docker/demo/docker-compose.yml
new file mode 100644
index 00000000..190f36bb
--- /dev/null
+++ b/docker/demo/docker-compose.yml
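Review bot: `NEXTAUTH_URL: ${NEXTAUTH_URL}` on the line directly above the added `AUTH_TRUST_HOST: "true"` still interpolates to an empty string when the variable is missing from .env (the shipped .env.example leaves it commented out), so this compose now runs with trust-host enabled and no pinned origin — exactly the configuration in which the auth origin is derived from request headers. Use Compose's required-variable syntax so the stack refuses to start instead: `NEXTAUTH_URL: ${NEXTAUTH_URL:?NEXTAUTH_URL must be set to the public https URL}`. If an empty value is deliberately allowed for local use, the file should at least carry a comment that AUTH_TRUST_HOST then relies on a reverse proxy that overwrites X-Forwarded-Host rather than forwarding a client-supplied one. The `environment:` block begins before this hunk, so I cannot see whether this service also publishes a host port.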
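Review bot: POSTGRES_PASSWORD is interpolated unescaped into the compose's `DATABASE_URL: postgresql://vectorflow:${POSTGRES_PASSWORD}@postgres:5432/vectorflow`, but the comment above it only says "Use a random 32+ character string" — a value containing `/`, `@`, `:`, `#`, `?` or `%` (and `openssl rand -base64`, the command recommended two lines below for NEXTAUTH_SECRET, does emit `/`) can break or truncate the connection URL, surfacing as a confusing database error rather than a config error. I would make the generation command URL-safe and say why: `# Database password for PostgreSQL. Must be URL-safe because it is embedded in DATABASE_URL.` / `# Generate with: openssl rand -hex 32`. Both secrets also share the same `change-me-to-a-random-32-char-string` placeholder and nothing in the new compose rejects it at startup, so an unedited copy runs the public demo with a known password and session signing key; a `${VAR:?}` guard in the compose would only catch the unset case, so the comment should say the placeholder must be replaced, not just "change-me".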
@@ -0,0 +1,54 @@
+services:
+  postgres:
+    container_name: vectorflow-demo-postgres
+    image: timescale/timescaledb:latest-pg16
+    environment:
+      POSTGRES_DB: vectorflow
+      POSTGRES_USER: vectorflow
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U vectorflow"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    restart: unless-stopped
+
+  vectorflow:
+    container_name: vectorflow-demo-server
+    image: ghcr.io/terrifiedbug/vectorflow-server:${VF_VERSION:-latest}
+    depends_on:
+      postgres:
+        condition: service_healthy
+    ports:
+      - "3000:3000"
+    environment:
+      DATABASE_URL: postgresql://vectorflow:${POSTGRES_PASSWORD}@postgres:5432/vectorflow
+      NEXTAUTH_SECRET: ${NEXTAUTH_SECRET}
+      NEXTAUTH_URL: https://demo.vectorflow.sh
+      AUTH_TRUST_HOST: "true"
+      VF_DEMO_MODE: "true"
+    volumes:
+      - vfdata:/app/.vectorflow
+      - backups:/backups
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3000/api/health/ready"]
+      interval: 30s
+      timeout: 5s
+      start_period: 30s
+      retries: 3
+    deploy:
+      resources:
+        limits:
+          memory: 1g
+          cpus: "2.0"
+    restart: unless-stopped
+
+volumes:
+  pgdata:
+    name: vectorflow-demo-pgdata
+  vfdata:
+    name: vectorflow-demo-data
+  backups:
+    name: vectorflow-demo-backups
diff --git a/docker/server/.env.example b/docker/server/.env.example
index 8777b34c..9a27b553 100644
--- a/docker/server/.env.example
+++ b/docker/server/.env.example
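Review bot: `- "3000:3000"` publishes the app on every host interface, while `NEXTAUTH_URL: https://demo.vectorflow.sh` implies TLS is terminated by a reverse proxy in front of this container, so the plaintext port is presumably reachable from the internet directly, bypassing whatever the proxy does (TLS, rate limiting, header normalisation); Docker-published ports also bypass host firewalls such as ufw. Bind it to loopback so only the proxy can reach it: `- "127.0.0.1:3000:3000"`. Separately, the database image `timescale/timescaledb:latest-pg16` is a floating tag while the app image is pinnable through VF_VERSION — pin it to a specific tag or `@sha256:` digest so a public deployment is reproducible and is not silently upgraded by `docker compose pull`. For a public demo I would also consider `security_opt: ["no-new-privileges:true"]` on both services, though whether the images tolerate it depends on their entrypoints, which are not visible here.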
@@ -25,7 +25,8 @@ NEXTAUTH_SECRET=change-me-to-a-random-32-char-string
 # correctly. AUTH_TRUST_HOST=true (set in docker-compose.yml) allows the server to
 # infer the URL from the X-Forwarded-Host header when this is unset, but setting it
 # explicitly is strongly recommended for any public deployment.
-# Example for the hosted demo: NEXTAUTH_URL=https://demo.vectorflow.sh
+# The hosted demo uses docker/demo/docker-compose.yml which hardcodes
+# NEXTAUTH_URL=https://demo.vectorflow.sh. For all other deployments set this:
 #NEXTAUTH_URL=https://vectorflow.example.com
 
 # Server port (default: 3000)