Added PUBLIC_URL alongside NEXTAUTH_URL

[breadddevv]

Summary by CodeRabbit

• Bug Fixes
  • Improved URL configuration flexibility and deployment compatibility across multiple services. Authentication handlers (Discord, Google, Roblox OAuth), policy link generation, board template downloads, CSRF validation, and webhook integration now support environment variable fallback resolution. This enhances support for diverse hosting environments and reduces configuration friction during deployments.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cb9c3a9e-40a7-4373-8860-c64d3894dd09

📥 Commits

Reviewing files that changed from the base of the PR and between 927a47d and d6f362a.

📒 Files selected for processing (10)

• pages/api/auth/discord/callback.ts
• pages/api/auth/discord/start.ts
• pages/api/auth/google/start.ts
• pages/api/auth/roblox/start.ts
• pages/api/workspace/[id]/policies/[docId]/link-info.ts
• pages/api/workspace/[id]/policies/[docId]/links.ts
• pages/api/workspace/[id]/settings/integrations/board/download.ts
• proxy.ts
• utils/csrf.ts
• utils/logs.ts

---

📝 Walkthrough

Walkthrough

Across 9 files, every reference to process.env.NEXTAUTH_URL used as a base URL is replaced with process.env.NEXTAUTH_URL || process.env.PUBLIC_URL. This affects OAuth redirect URIs (Discord, Google, Roblox), CSRF allowed-origins initialization, internal URL construction in the proxy, policy shareable link generation, board template download host resolution, and audit log avatar URL construction.

Changes

PUBLIC_URL Fallback for NEXTAUTH_URL

Layer / File(s)	Summary
Core URL and CSRF utilities proxy.ts, utils/csrf.ts	internalUrl() branches on NEXTAUTH_URL || PUBLIC_URL and strips trailing slashes from the resolved value. getAllowedOrigins() pushes NEXTAUTH_URL if set, otherwise PUBLIC_URL, widening the accepted CSRF origin set.
OAuth redirect_uri handlers pages/api/auth/discord/callback.ts, pages/api/auth/discord/start.ts, pages/api/auth/google/start.ts, pages/api/auth/roblox/start.ts	Discord token exchange body, Discord authorize URL, Google OAuth2 client constructor and generateAuthUrl, and Roblox authorize URL all replace NEXTAUTH_URL-only with NEXTAUTH_URL || PUBLIC_URL for their redirect_uri values.
Policy links, board download, and audit logs pages/api/workspace/[id]/policies/[docId]/link-info.ts, pages/api/workspace/[id]/policies/[docId]/links.ts, pages/api/workspace/[id]/settings/integrations/board/download.ts, utils/logs.ts	baseUrl derivation in link-info and all three verb handlers in links.ts switches to NEXTAUTH_URL || PUBLIC_URL. Board download inserts PUBLIC_URL before VERCEL_URL in the host fallback chain. Audit log avatar URL base uses the same fallback.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hoppy news from the warren today,
One URL wasn't enough, hip-hooray!
NEXTAUTH_URL leads, PUBLIC_URL follows,
No broken OAuth down empty hollows.
The rabbit checked each redirect with care —
Now every environment gets its fair share! 🌿

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch change/vars

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}