From 955357a91a944efd294453853fa6daf77153ec60 Mon Sep 17 00:00:00 2001
From: Ronni Baslund <rhb@vdoc.dk>
Date: Mon, 8 Jun 2026 22:18:51 +0200
Subject: [PATCH] feat(apps): make environment URLs prod-ready (env-driven, not
 hardcoded .local)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The apps were wired for the dev (.local) environment. Drive the base URLs from
env so one build serves dev and prod (.eu):

- portal nuxt.config: OIDC authorization/token/userinfo/discovery URLs +
  redirectUri now derive from NUXT_PUBLIC_AUTH_URL / NUXT_PUBLIC_PORTAL_URL
  (+ PORTAL_OIDC_APP_SLUG); .local defaults keep dev working with no env.
- portal sign-out handler: end-session + post-logout URLs env-driven.
- portal scheduling page: booking base/host from runtimeConfig.public.bookingUrl
  (NUXT_PUBLIC_BOOKING_URL).
- platform-api: tenant mail domain suffix from PLATFORM_TENANT_DOMAIN (dezky.eu
  in prod), defaulting to dezky.local.

(booking needs no change — its only .local ref is the dev-server allowedHosts.)
---
 apps/portal/nuxt.config.ts                    | 19 ++++++++++++++-----
 apps/portal/pages/admin/scheduling.vue        |  5 +++--
 apps/portal/server/api/auth/sign-out.get.ts   | 10 ++++++++--
 .../src/tenants/provisioning.service.ts       |  8 +++++---
 4 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/apps/portal/nuxt.config.ts b/apps/portal/nuxt.config.ts
index 386f54c..b2d1e48 100644
--- a/apps/portal/nuxt.config.ts
+++ b/apps/portal/nuxt.config.ts
@@ -1,6 +1,14 @@
 // Nuxt 3 configuration for Dezky portal
 // https://nuxt.com/docs/api/configuration/nuxt-config
 
+// Base URLs are environment-driven so one build runs in dev (.local) and
+// production (.eu). NUXT_PUBLIC_AUTH_URL / NUXT_PUBLIC_PORTAL_URL are set at
+// BUILD (CI) and RUNTIME (fleet/apps/portal.yaml + portal-secrets); the .local
+// defaults keep local dev working with no env.
+const AUTH_URL = (process.env.NUXT_PUBLIC_AUTH_URL || 'https://auth.dezky.local').replace(/\/$/, '')
+const PORTAL_URL = (process.env.NUXT_PUBLIC_PORTAL_URL || 'https://app.dezky.local').replace(/\/$/, '')
+const PORTAL_OIDC_APP_SLUG = process.env.PORTAL_OIDC_APP_SLUG || 'dezky-portal'
+
 export default defineNuxtConfig({
   compatibilityDate: '2026-01-01',
   devtools: { enabled: true },
@@ -40,6 +48,7 @@ export default defineNuxtConfig({
     public: {
       authUrl: process.env.NUXT_PUBLIC_AUTH_URL,
       portalUrl: process.env.NUXT_PUBLIC_PORTAL_URL,
+      bookingUrl: process.env.NUXT_PUBLIC_BOOKING_URL || 'https://booking.dezky.local',
     },
   },
 
@@ -69,10 +78,10 @@ export default defineNuxtConfig({
         // NUXT_OIDC_* per-container; locally we just read them directly.
         clientId: process.env.PORTAL_OIDC_CLIENT_ID || process.env.NUXT_OIDC_CLIENT_ID || '',
         clientSecret: process.env.PORTAL_OIDC_CLIENT_SECRET || process.env.NUXT_OIDC_CLIENT_SECRET || '',
-        redirectUri: process.env.NUXT_OIDC_REDIRECT_URI || 'https://app.dezky.local/auth/oidc/callback',
-        authorizationUrl: 'https://auth.dezky.local/application/o/authorize/',
-        tokenUrl: 'https://auth.dezky.local/application/o/token/',
-        userInfoUrl: 'https://auth.dezky.local/application/o/userinfo/',
+        redirectUri: process.env.NUXT_OIDC_REDIRECT_URI || `${PORTAL_URL}/auth/oidc/callback`,
+        authorizationUrl: `${AUTH_URL}/application/o/authorize/`,
+        tokenUrl: `${AUTH_URL}/application/o/token/`,
+        userInfoUrl: `${AUTH_URL}/application/o/userinfo/`,
         // Logout is handled by our custom /api/auth/sign-out endpoint, not the
         // module's RP-initiated chain. Authentik 2025.10 doesn't reliably
         // honor `post_logout_redirect_uri` from the provider invalidation
@@ -82,7 +91,7 @@ export default defineNuxtConfig({
         logoutUrl: '',
         // Discovery URL — used by id_token validation to fetch JWKS + issuer
         openIdConfiguration:
-          'https://auth.dezky.local/application/o/dezky-portal/.well-known/openid-configuration',
+          `${AUTH_URL}/application/o/${PORTAL_OIDC_APP_SLUG}/.well-known/openid-configuration`,
         // offline_access asks Authentik for a refresh token. Without it there's
         // nothing to refresh with, so session.automaticRefresh can't run and the
         // module's refresh() falls back to a full login() redirect on token
diff --git a/apps/portal/pages/admin/scheduling.vue b/apps/portal/pages/admin/scheduling.vue
index d7e7639..75377a1 100644
--- a/apps/portal/pages/admin/scheduling.vue
+++ b/apps/portal/pages/admin/scheduling.vue
@@ -49,7 +49,8 @@ const toast = useToast()
 const { tenant } = useTenant()
 const slug = computed(() => tenant.value?.slug ?? '')
 const { request } = useApiFetch()
-const bookingBase = 'https://booking.dezky.local'
+const bookingBase = (useRuntimeConfig().public.bookingUrl as string) || 'https://booking.dezky.local'
+const bookingHost = bookingBase.replace(/^https?:\/\//, '')
 
 const base = computed(() => `/api/tenants/${slug.value}/scheduling`)
 
@@ -894,7 +895,7 @@ const maskSecret = (s: string) => (s.length > 12 ? `${s.slice(0, 9)}…${s.slice
               <template v-if="!hostForm.slug">Used in the public booking link.</template>
               <template v-else-if="!slugValid">Lowercase letters, numbers and hyphens (2–40 chars).</template>
               <template v-else-if="slugTaken">“{{ hostForm.slug }}” is already taken.</template>
-              <template v-else>booking.dezky.local/{{ slug }}/{{ hostForm.slug }} · available ✓</template>
+              <template v-else>{{ bookingHost }}/{{ slug }}/{{ hostForm.slug }} · available ✓</template>
             </span>
           </label>
           <label class="field"><Eyebrow>Timezone</Eyebrow>
diff --git a/apps/portal/server/api/auth/sign-out.get.ts b/apps/portal/server/api/auth/sign-out.get.ts
index 0f57324..8f78481 100644
--- a/apps/portal/server/api/auth/sign-out.get.ts
+++ b/apps/portal/server/api/auth/sign-out.get.ts
@@ -24,8 +24,14 @@
 
 import { getUserSession, clearUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
 
-const END_SESSION = 'https://auth.dezky.local/application/o/dezky-portal/end-session/'
-const POST_LOGOUT_REDIRECT = 'https://app.dezky.local/signed-out'
+// Environment-driven so one build serves dev (.local) and prod (.eu). The
+// public runtime config carries authUrl/portalUrl (NUXT_PUBLIC_AUTH_URL /
+// NUXT_PUBLIC_PORTAL_URL); fall back to the dev hosts.
+const AUTH_URL = (process.env.NUXT_PUBLIC_AUTH_URL || 'https://auth.dezky.local').replace(/\/$/, '')
+const PORTAL_URL = (process.env.NUXT_PUBLIC_PORTAL_URL || 'https://app.dezky.local').replace(/\/$/, '')
+const OIDC_APP_SLUG = process.env.PORTAL_OIDC_APP_SLUG || 'dezky-portal'
+const END_SESSION = `${AUTH_URL}/application/o/${OIDC_APP_SLUG}/end-session/`
+const POST_LOGOUT_REDIRECT = `${PORTAL_URL}/signed-out`
 
 export default defineEventHandler(async (event) => {
   const session = await getUserSession(event).catch(() => ({} as any))
diff --git a/services/platform-api/src/tenants/provisioning.service.ts b/services/platform-api/src/tenants/provisioning.service.ts
index 42b4a0e..df45d43 100644
--- a/services/platform-api/src/tenants/provisioning.service.ts
+++ b/services/platform-api/src/tenants/provisioning.service.ts
@@ -94,10 +94,12 @@ export class ProvisioningService {
     }
   }
 
-  // Maps tenant slug → mail domain. Production should use a real registered
-  // domain (e.g. acme.dezky.com); locally we use the .local hierarchy.
+  // Maps tenant slug → mail domain. The base is environment-driven
+  // (PLATFORM_TENANT_DOMAIN, e.g. dezky.eu in prod); defaults to the .local
+  // hierarchy for local dev.
   private domainFor(slug: string): string {
-    return `${slug}.dezky.local`
+    const base = process.env.PLATFORM_TENANT_DOMAIN || 'dezky.local'
+    return `${slug}.${base}`
   }
 
   // Best-effort cleanup. Called when a tenant is hard-deleted (not soft-deleted).