docs(self-hosting): document docker webapp URL mismatch troubleshooting #28740
jeevan6996 wants to merge 4 commits into calcom:main from
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="docs/self-hosting/docker.mdx">
<violation number="1" location="docs/self-hosting/docker.mdx:153">
P2: New troubleshooting guidance conflicts with existing `NEXTAUTH_URL` guidance in the same doc, creating ambiguous OAuth/auth-loop configuration.</violation>
</file>
|
Thanks! This docs PR is ready for full CI. Could a maintainer please add the |
|
Addressed the guidance conflict around auth URLs in Docker docs and pushed an update: is documented as the public app URL, and is clarified per callback strategy (including the internal callback scenario described earlier in the doc). |
|
Correction: addressed the guidance conflict around auth URLs in Docker docs and pushed an update. NEXT_PUBLIC_WEBAPP_URL is documented as the public app URL, and NEXTAUTH_URL is clarified per callback strategy, including the internal localhost callback scenario described earlier in the doc. |
|
CI root cause identified: the failing check is gating external contributors until a maintainer adds the label. I don’t have permissions to add labels on this repo. Could a maintainer please add to trigger the full CI matrix? |
|
Correction: CI root cause identified. The failing required check is gating external contributors until a maintainer adds the run-ci label. I do not have permissions to add labels on this repo. Could a maintainer please add run-ci to trigger the full CI matrix? |
15427ec to c31f46e
📝 Walkthrough
Documentation for the Docker guide was updated with expanded self-hosting troubleshooting for OAuth hostname mismatches. It instructs inspecting the build-time
🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 1
🧹 Nitpick comments (1)
apps/docs/content/docker.mdx (1)
111-111: Clarify when the `NEXTAUTH_URL=http://localhost:3000/api/auth` workaround applies.
As written, this reads as a general fix, but pointing `NEXTAUTH_URL` at `localhost` will break OAuth provider callbacks for users on a real public domain (providers redirect back to the URL derived from `NEXTAUTH_URL`). Consider scoping this guidance to the specific scenario in the accompanying log snippet — a container that cannot resolve its own public hostname from inside (e.g., split‑horizon DNS / `testing.localhost`) — and explicitly note that production deployments with a real OAuth provider should keep `NEXTAUTH_URL` set to the public domain.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@apps/docs/content/docker.mdx` at line 111, Clarify that the NEXTAUTH_URL=http://localhost:3000/api/auth suggestion only applies to the specific scenario shown in the log snippet where the server/container cannot resolve its own public hostname (e.g., split‑horizon DNS, testing.localhost, or container loopback), and not to production OAuth setups; update the text to state: when the container's internal DNS cannot reach the public domain, you can set NEXTAUTH_URL to the internal callback URL (e.g., http://localhost:3000/api/auth) while keeping NEXT_PUBLIC_WEBAPP_URL on the public domain, but emphasize that for real public deployments and OAuth providers the NEXTAUTH_URL must remain the public domain so provider redirects work correctly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@apps/docs/content/docker.mdx`:
- Line 122: The docs example for ALLOWED_HOSTNAMES is inconsistent with the
actual parsing (JSON.parse(`[${process.env.ALLOWED_HOSTNAMES || ""}]`) in
packages/lib/constants.ts); update the example in the documentation to show
ALLOWED_HOSTNAMES as a comma-separated list of quoted strings so it parses
correctly (for example:
ALLOWED_HOSTNAMES='"cal.example.com","www.cal.example.com"'), ensuring the doc
uses the same quoted-string format as .env.example.
|
This PR has been marked as stale due to inactivity. If you're still working on it or need any help, please let us know or update the PR to keep it active. |
|
Thanks for the nudge — this PR is still active and ready for review. The docs updates are complete from my side; the remaining blocker is maintainer-side CI gating for external contributors. If a maintainer can apply , I’ll address any follow-up quickly. |
|
Correction: this PR is still active and ready for review. The docs updates are complete from my side; the remaining blocker is maintainer-side CI gating for external contributors. If a maintainer can apply the run-ci label, I’ll address any follow-up quickly. |
|
Addressed one concrete bot finding in a follow-up commit (): updated the troubleshooting example for to the quoted-string format expected by parsing logic (matching ). |
|
Correction: addressed one concrete bot finding in follow-up commit 5caa8ea. Updated the troubleshooting example for ALLOWED_HOSTNAMES to the quoted-string format expected by parsing logic, matching .env.example. |
Actionable comments posted: 1
| If OAuth loops and logs show messages like `Match of WEBAPP_URL with ALLOWED_HOSTNAMES failed`, verify all of the following: | ||
|
|
||
| 1. `ALLOWED_HOSTNAMES` is set as a comma-separated list of quoted hostnames (for example, `ALLOWED_HOSTNAMES='"cal.example.com","www.cal.example.com"'`). | ||
| 2. `NEXT_PUBLIC_WEBAPP_URL` is set to your public domain. |
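Review bot: Items 1 and 2 are listed as separate checks, but the text never says how the two values relate, even though the log line quoted above them is a failed match between WEBAPP_URL and ALLOWED_HOSTNAMES. Add a sentence stating which part of the `NEXT_PUBLIC_WEBAPP_URL` value is compared against the quoted entries in item 1 (hostname only, or hostname plus port), so a reader whose two values each look valid can still tell why the match failed.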
Clarify NEXT_PUBLIC_WEBAPP_URL as a full URL (with scheme).
Line 123 says “public domain,” which can be read as hostname-only. Please make it explicit that this must be a full URL (for example, https://cal.example.com) to avoid malformed derived auth URLs.
✏️ Suggested doc tweak
-2. `NEXT_PUBLIC_WEBAPP_URL` is set to your public domain.
+2. `NEXT_PUBLIC_WEBAPP_URL` is set to your public URL (for example, `https://cal.example.com`).🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@apps/docs/content/docker.mdx` at line 123, Update the documentation for
NEXT_PUBLIC_WEBAPP_URL to state it must be a full URL including the scheme
(e.g., https://cal.example.com) rather than just a hostname; change the phrase
"public domain" to something like "full public URL (including http:// or
https://)" so derived auth URLs are not malformed and readers know to include
the scheme.
|
Quick status update: docs changes are complete and I addressed the actionable bot feedback in the latest commit. The current blocker is the required external-contributor CI gate; if a maintainer can apply the run-ci label, I can address any follow-up quickly. |
Summary
- NEXT_PUBLIC_WEBAPP_URL
- WEBAPP_URL/ALLOWED_HOSTNAMES mismatch and OAuth redirect loops
- ALLOWED_HOSTNAMES format and a quick BUILT_NEXT_PUBLIC_WEBAPP_URL verification command
Why
Issue #28712 reports OAuth loops caused by hostname mismatch even when runtime env vars look correct. The missing piece is usually image build-time values, not runtime-only config.
Fixes #28712
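An added example (not part of the PR or of cal.com's code): a preflight check for the two settings discussed in this thread. It parses `ALLOWED_HOSTNAMES` with the expression quoted in the review comment and checks that `NEXT_PUBLIC_WEBAPP_URL` is a full http(s) URL; the function names and sample values are assumptions, and the project's own matching of the two values is not reproduced.

```javascript
// Added example, not cal.com code. Parsing mirrors the expression quoted in the review:
//   JSON.parse(`[${process.env.ALLOWED_HOSTNAMES || ""}]`)
function parseAllowedHostnames(raw) {
  let list;
  try {
    list = JSON.parse(`[${raw || ""}]`);
  } catch (err) {
    return { ok: false, hostnames: [], problem: `not a list of quoted strings (${err.message})` };
  }
  // The docs describe the entries as hostnames: reject non-strings, schemes, paths, spaces.
  const bad = list.filter((h) => typeof h !== "string" || h === "" || /[\/\s]/.test(h));
  if (bad.length > 0) {
    return { ok: false, hostnames: list, problem: `not bare hostnames: ${JSON.stringify(bad)}` };
  }
  return { ok: true, hostnames: list, problem: null };
}

function checkWebappUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return { ok: false, host: null, problem: "not a full URL, scheme missing" };
  }
  // "localhost:3000" does parse, but with "localhost:" as the scheme, so check it explicitly.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, host: null, problem: `scheme is "${url.protocol}", expected http: or https:` };
  }
  return { ok: true, host: url.host, problem: null };
}

// Hypothetical helper: collects every problem found in an env-like object.
function preflight(env) {
  const problems = [];
  const hosts = parseAllowedHostnames(env.ALLOWED_HOSTNAMES);
  if (!hosts.ok) problems.push(`ALLOWED_HOSTNAMES: ${hosts.problem}`);
  const url = checkWebappUrl(env.NEXT_PUBLIC_WEBAPP_URL);
  if (!url.ok) problems.push(`NEXT_PUBLIC_WEBAPP_URL: ${url.problem}`);
  return problems;
}

// Constructed sample values: the unquoted/hostname-only form, then the corrected form.
const broken = { ALLOWED_HOSTNAMES: "cal.example.com,www.cal.example.com", NEXT_PUBLIC_WEBAPP_URL: "cal.example.com" };
const fixed = { ALLOWED_HOSTNAMES: '"cal.example.com","www.cal.example.com"', NEXT_PUBLIC_WEBAPP_URL: "https://cal.example.com" };
console.log(preflight(broken));
console.log(preflight(fixed));
```

Run it against the values baked into the image as well as the runtime environment, since the PR description attributes the mismatch to build-time values.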