Fix CLI login URL origin

Author: jahooma

freebuff/web/src/app/api/auth/cli/code/__tests__/origin.test.ts

@@ -0,0 +1,19 @@
+import { describe, expect, test } from 'bun:test'
+
+import { getLoginUrlOrigin } from '../_origin'
+
+describe('api/auth/cli/code/_origin', () => {
+  test('uses the configured public app URL over the request origin', () => {
+    const req = new Request('https://localhost:10000/api/auth/cli/code')
+
+    expect(getLoginUrlOrigin(req, 'https://freebuff.com')).toBe(
+      'https://freebuff.com',
+    )
+  })
+
+  test('falls back to the request origin when configured URL is invalid', () => {
+    const req = new Request('http://localhost:3002/api/auth/cli/code')
+
+    expect(getLoginUrlOrigin(req, 'not a url')).toBe('http://localhost:3002')
+  })
+})

freebuff/web/src/app/api/auth/cli/code/_origin.ts

@@ -0,0 +1,10 @@
+export function getLoginUrlOrigin(
+  req: Request,
+  configuredAppUrl: string,
+): string {
+  try {
+    return new URL(configuredAppUrl).origin
+  } catch {
+    return new URL(req.url).origin
+  }
+}

freebuff/web/src/app/api/auth/cli/code/route.ts

@@ -8,6 +8,8 @@ import { z } from 'zod/v4'
 
 import { logger } from '@/util/logger'
 
+import { getLoginUrlOrigin } from './_origin'
+
 export async function POST(req: Request) {
   const reqSchema = z.object({
     fingerprintId: z.string(),
@@ -53,9 +55,10 @@ export async function POST(req: Request) {
       )
     }
 
-    // Generate login URL on the same origin that issued the auth code. This
-    // avoids bouncing between apex/www hosts during the browser OAuth flow.
-    const loginUrl = new URL('/login', new URL(req.url).origin)
+    const loginUrl = new URL(
+      '/login',
+      getLoginUrlOrigin(req, env.NEXT_PUBLIC_CODEBUFF_APP_URL),
+    )
     loginUrl.searchParams.set(
       'auth_code',
       `${fingerprintId}.${expiresAt}.${fingerprintHash}`,

web/src/app/api/auth/cli/code/__tests__/origin.test.ts

@@ -0,0 +1,19 @@
+import { describe, expect, test } from 'bun:test'
+
+import { getLoginUrlOrigin } from '../_origin'
+
+describe('api/auth/cli/code/_origin', () => {
+  test('uses the configured public app URL over the request origin', () => {
+    const req = new Request('https://localhost:10000/api/auth/cli/code')
+
+    expect(getLoginUrlOrigin(req, 'https://www.codebuff.com')).toBe(
+      'https://www.codebuff.com',
+    )
+  })
+
+  test('falls back to the request origin when configured URL is invalid', () => {
+    const req = new Request('http://localhost:3000/api/auth/cli/code')
+
+    expect(getLoginUrlOrigin(req, 'not a url')).toBe('http://localhost:3000')
+  })
+})

web/src/app/api/auth/cli/code/_origin.ts

@@ -0,0 +1,10 @@
+export function getLoginUrlOrigin(
+  req: Request,
+  configuredAppUrl: string,
+): string {
+  try {
+    return new URL(configuredAppUrl).origin
+  } catch {
+    return new URL(req.url).origin
+  }
+}

web/src/app/api/auth/cli/code/route.ts

@@ -8,6 +8,8 @@ import { z } from 'zod/v4'
 
 import { logger } from '@/util/logger'
 
+import { getLoginUrlOrigin } from './_origin'
+
 export async function POST(req: Request) {
   const reqSchema = z.object({
     fingerprintId: z.string(),
@@ -55,9 +57,10 @@ export async function POST(req: Request) {
       )
     }
 
-    // Generate login URL on the same origin that issued the auth code. This
-    // avoids bouncing between apex/www hosts during the browser OAuth flow.
-    const loginUrl = new URL('/login', new URL(req.url).origin)
+    const loginUrl = new URL(
+      '/login',
+      getLoginUrlOrigin(req, env.NEXT_PUBLIC_CODEBUFF_APP_URL),
+    )
     loginUrl.searchParams.set(
       'auth_code',
       `${fingerprintId}.${expiresAt}.${fingerprintHash}`,