fix(env): fix environment variables for coder and local devcontainer (#460)

* fix(env): fix environment variables for coder and local devcontainer

This commit fixes critical environment variable issues that prevented proper
database and Redis connectivity in Coder workspaces, and adds missing
configuration for CORS and file uploads.

Root Cause:
- Coder template sets correct hostnames (db, redis) but .envrc was loading
  .devcontainer/.env which overwrote them with localhost
- Frontend couldn't reach backend in Coder (localhost in browser != workspace)
- Missing environment variables in validation and .env.example

Changes:

1. Database & Redis Hostname Handling (.devcontainer/post-create.sh):
   - Enhanced .envrc generation to save Coder env vars BEFORE loading .env
   - Restore Coder values AFTER loading .env (preserves db/redis hostnames)
   - Added POSTGRES_HOST to saved/restored variables
   - Local devcontainer continues to use localhost (network_mode: service:db)

2. Frontend-Backend Communication (apps/frontend/vite.config.js):
   - Added Vite proxy configuration to forward API calls to backend
   - Uses relative URLs so proxy works in both Coder and local
   - Eliminates need for absolute URLs (http://localhost:8080)
   - Bypass logic for frontend routes and static assets

3. Environment Variable Completeness (.devcontainer/.env.example):
   - Added missing POSTGRES_HOST and POSTGRES_PORT
   - Added CORS_ALLOWED_ORIGINS with environment-aware defaults
   - Added FILE_UPLOAD_DIR for future file upload features
   - Comprehensive documentation for each variable

4. Validation (.devcontainer/setup-env.sh):
   - Added POSTGRES_HOST and POSTGRES_PORT to REQUIRED_VARS
   - Added SPRING_DATA_REDIS_HOST and SPRING_DATA_REDIS_PORT
   - Ensures all critical variables are validated on workspace creation

5. Coder Template (.coder/template.tf):
   - Added CORS_ALLOWED_ORIGINS=https://* for Coder workspaces
   - Added FILE_UPLOAD_DIR for consistent configuration
   - Maintains all existing Coder-specific variables

6. .envrc Validation (.devcontainer/post-create.sh):
   - Added validation check after .envrc generation
   - Provides early warning if .envrc creation fails

Testing:
After workspace recreation, verify environment variables are correct in both
Coder (db, redis, https://*) and local (localhost, localhost, *) environments.

Impact:
- Database connectivity works in both Coder and local
- Redis connectivity works in both environments
- Frontend can reach backend in both environments
- Environment-aware CORS configuration
- Future-proof file upload directory configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* chore: fix formatting for auto-generated config files

* fix(vite,cors): fix spa routing and cors configuration

Address PR review feedback:

1. Fix Vite proxy bypass to handle all SPA routes
   - Added explicit list of frontend routes (login, register, etc.)
   - Previously only handled / and /admin/* routes
   - Now direct navigation/refresh works on all SPA routes

2. Fix CORS configuration to use literal wildcard
   - Changed CORS_ALLOWED_ORIGINS from "https://*" to "*"
   - SimpleCorsFilter only treats literal "*" as wildcard
   - Pattern matching like "https://*" doesn't work (uses exact string match)
   - Updated Coder template, .env.example, and .envrc generation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Mohsin Hashmi <mhashmi@wiser.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: 3 people

.auto-claude-security.json

@@ -0,0 +1,230 @@
+{
+  "base_commands": [
+    ".",
+    "[",
+    "[[",
+    "ag",
+    "awk",
+    "basename",
+    "bash",
+    "bc",
+    "break",
+    "cat",
+    "cd",
+    "chmod",
+    "clear",
+    "cmp",
+    "column",
+    "comm",
+    "command",
+    "continue",
+    "cp",
+    "curl",
+    "cut",
+    "date",
+    "df",
+    "diff",
+    "dig",
+    "dirname",
+    "du",
+    "echo",
+    "egrep",
+    "env",
+    "eval",
+    "exec",
+    "exit",
+    "expand",
+    "export",
+    "expr",
+    "false",
+    "fd",
+    "fgrep",
+    "file",
+    "find",
+    "fmt",
+    "fold",
+    "gawk",
+    "gh",
+    "git",
+    "grep",
+    "gunzip",
+    "gzip",
+    "head",
+    "help",
+    "host",
+    "iconv",
+    "id",
+    "jobs",
+    "join",
+    "jq",
+    "kill",
+    "killall",
+    "less",
+    "let",
+    "ln",
+    "ls",
+    "lsof",
+    "man",
+    "mkdir",
+    "mktemp",
+    "more",
+    "mv",
+    "nl",
+    "paste",
+    "pgrep",
+    "ping",
+    "pkill",
+    "popd",
+    "printenv",
+    "printf",
+    "ps",
+    "pushd",
+    "pwd",
+    "read",
+    "readlink",
+    "realpath",
+    "reset",
+    "return",
+    "rev",
+    "rg",
+    "rm",
+    "rmdir",
+    "sed",
+    "seq",
+    "set",
+    "sh",
+    "shuf",
+    "sleep",
+    "sort",
+    "source",
+    "split",
+    "stat",
+    "tail",
+    "tar",
+    "tee",
+    "test",
+    "time",
+    "timeout",
+    "touch",
+    "tr",
+    "tree",
+    "true",
+    "type",
+    "uname",
+    "unexpand",
+    "uniq",
+    "unset",
+    "unzip",
+    "watch",
+    "wc",
+    "wget",
+    "whereis",
+    "which",
+    "whoami",
+    "xargs",
+    "yes",
+    "yq",
+    "zip",
+    "zsh"
+  ],
+  "stack_commands": [
+    "ant",
+    "ar",
+    "clang",
+    "clang++",
+    "cmake",
+    "composer",
+    "eslint",
+    "g++",
+    "gcc",
+    "gradle",
+    "gradlew",
+    "ipython",
+    "jar",
+    "java",
+    "javac",
+    "jupyter",
+    "k9s",
+    "kubeadm",
+    "kubectl",
+    "kubectx",
+    "kubens",
+    "kubeseal",
+    "kustomize",
+    "ld",
+    "make",
+    "maven",
+    "meson",
+    "mvn",
+    "ninja",
+    "nm",
+    "node",
+    "notebook",
+    "npm",
+    "npx",
+    "objdump",
+    "pdb",
+    "php",
+    "pip",
+    "pip3",
+    "pipx",
+    "prettier",
+    "pudb",
+    "python",
+    "python3",
+    "sbt",
+    "scala",
+    "scalac",
+    "strip",
+    "terraform",
+    "terragrunt",
+    "tflint",
+    "tfsec",
+    "ts-node",
+    "tsc",
+    "tsx"
+  ],
+  "script_commands": ["bun", "npm", "pnpm", "yarn"],
+  "custom_commands": [],
+  "detected_stack": {
+    "languages": ["python", "javascript", "typescript", "php", "java", "scala", "c"],
+    "package_managers": ["npm"],
+    "frameworks": ["eslint", "prettier"],
+    "databases": [],
+    "infrastructure": ["kubernetes", "terraform"],
+    "cloud_providers": [],
+    "code_quality_tools": [],
+    "version_managers": []
+  },
+  "custom_scripts": {
+    "npm_scripts": [
+      "frontend",
+      "frontend:build",
+      "backend:build",
+      "backend:run",
+      "test",
+      "test:frontend",
+      "test:frontend:e2e",
+      "test:frontend:e2e:auth",
+      "test:frontend:e2e:registration",
+      "test:frontend:e2e:reset-password",
+      "test:backend",
+      "lint",
+      "format",
+      "format:check",
+      "pre-pr-check",
+      "validate",
+      "validate:frontend",
+      "validate:backend",
+      "fix",
+      "prepare"
+    ],
+    "make_targets": [],
+    "poetry_scripts": [],
+    "cargo_aliases": [],
+    "shell_scripts": []
+  },
+  "project_dir": "/Users/moshinhashmi/github/SimpleAccounts-UAE",
+  "created_at": "2026-01-03T20:15:47.759444",
+  "project_hash": "f2d9508fb3b2791ecb12bb3571c63899"
+}

.claude_settings.json

@@ -0,0 +1,34 @@
+{
+  "sandbox": {
+    "enabled": true,
+    "autoAllowBashIfSandboxed": true
+  },
+  "permissions": {
+    "defaultMode": "acceptEdits",
+    "allow": [
+      "Read(./**)",
+      "Write(./**)",
+      "Edit(./**)",
+      "Glob(./**)",
+      "Grep(./**)",
+      "Read(/Users/moshinhashmi/github/SimpleAccounts-UAE/**)",
+      "Write(/Users/moshinhashmi/github/SimpleAccounts-UAE/**)",
+      "Edit(/Users/moshinhashmi/github/SimpleAccounts-UAE/**)",
+      "Glob(/Users/moshinhashmi/github/SimpleAccounts-UAE/**)",
+      "Grep(/Users/moshinhashmi/github/SimpleAccounts-UAE/**)",
+      "Read(/Users/moshinhashmi/github/SimpleAccounts-UAE/.auto-claude/ideation/**)",
+      "Write(/Users/moshinhashmi/github/SimpleAccounts-UAE/.auto-claude/ideation/**)",
+      "Edit(/Users/moshinhashmi/github/SimpleAccounts-UAE/.auto-claude/ideation/**)",
+      "Bash(*)",
+      "WebFetch(*)",
+      "WebSearch(*)",
+      "mcp__context7__resolve-library-id(*)",
+      "mcp__context7__get-library-docs(*)",
+      "mcp__graphiti-memory__search_nodes(*)",
+      "mcp__graphiti-memory__search_facts(*)",
+      "mcp__graphiti-memory__add_episode(*)",
+      "mcp__graphiti-memory__get_episodes(*)",
+      "mcp__graphiti-memory__get_entity_edge(*)"
+    ]
+  }
+}

.coder/template.tf

@@ -418,6 +418,12 @@ resource "docker_container" "workspace" {
     "SPRING_DATA_REDIS_PORT=6379",
     # Application host
     "SIMPLEACCOUNTS_HOST=http://localhost:8080",
+    # CORS configuration (allow all origins in dev environment)
+    # Note: SimpleCorsFilter only treats literal "*" as wildcard (not pattern matching)
+    # For production, this should be set to specific domain(s)
+    "CORS_ALLOWED_ORIGINS=*",
+    # File upload directory (for user uploads)
+    "FILE_UPLOAD_DIR=/tmp/simpleaccounts-uploads",
     # Application settings
     "PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1",
     "PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium",

.devcontainer/.env.example

@@ -9,11 +9,25 @@
 POSTGRES_USER=simpleaccounts
 POSTGRES_PASSWORD=simpleaccounts_dev
 POSTGRES_DB=simpleaccounts
+POSTGRES_HOST=localhost
+POSTGRES_PORT=5432
 
 # =============================================================================
 # Backend Spring Boot Configuration
 # These variables are used by application.properties
-# Note: Use localhost because all services share network via network_mode: service:db
+# =============================================================================
+# IMPORTANT: Hostname resolution differs by environment:
+#
+# LOCAL DEVCONTAINER:
+#   - Use 'localhost' because all services share network via network_mode: service:db
+#   - The .envrc file will use these localhost values directly
+#
+# CODER WORKSPACES:
+#   - Coder template sets SIMPLEACCOUNTS_DB_HOST=db and SPRING_DATA_REDIS_HOST=redis
+#   - The .envrc file automatically preserves Coder's values and ignores localhost
+#   - This happens via CODER_AGENT_TOKEN detection in .envrc
+#
+# TL;DR: Keep these as localhost - Coder environments override automatically
 # =============================================================================
 SIMPLEACCOUNTS_DB_HOST=localhost
 SIMPLEACCOUNTS_DB_PORT=5432
@@ -31,6 +45,25 @@ SPRING_DATA_REDIS_PORT=6379
 # Application Host
 SIMPLEACCOUNTS_HOST=http://localhost:8080
 
+# =============================================================================
+# CORS Configuration
+# =============================================================================
+# SimpleCorsFilter only treats literal "*" as wildcard (not pattern matching)
+# For development (local and Coder), use "*" to allow all origins
+# For production, this should be set to specific domain(s) (comma-separated)
+# Examples:
+#   Development: CORS_ALLOWED_ORIGINS=*
+#   Production:  CORS_ALLOWED_ORIGINS=https://app.example.com,https://www.example.com
+CORS_ALLOWED_ORIGINS=*
+
+# =============================================================================
+# File Upload Configuration
+# =============================================================================
+# Directory for user file uploads (if feature is implemented)
+# Defaults to /tmp/simpleaccounts-uploads if not set
+# Note: Currently the app only reads sample files from classpath
+FILE_UPLOAD_DIR=/tmp/simpleaccounts-uploads
+
 # =============================================================================
 # SonarQube (for MCP)
 # =============================================================================