fix(federation): enrollment URL derives from BETTER_AUTH_URL instead of the gateway base URL #684
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
POST /api/admin/federation/grants/:id/tokensconstructs the federation enrollment URL fromBETTER_AUTH_URL, but that env var is the Better Auth origin (typically the web app), not the gateway's own listening address. In any deployment where the web origin differs from the gateway base URL (the normal case), the returnedenrollmentUrlpoints at the wrong host/port, so a peer cannot redeem the token without manual URL surgery.Location
apps/gateway/src/federation/federation.controller.ts:145Why it is wrong
BETTER_AUTH_URLis the Better Auth issuer/origin (web app URL). The enrollment endpoint lives on the gateway (/api/federation/enrollment/:token). Reusing the auth origin conflates two unrelated hosts. The fallbackhttp://localhost:14242is also a web-tier port, not the gateway.Impact
enrollmentUrlpointing at the web origin instead of the gateway, breaking the out-of-band enrollment hand-off in real deployments.tools/federation-harness/) already has to work around this: the compose file setsBETTER_AUTH_URL: http://gateway-b:3000to coax an in-cluster-reachable URL, andseed.tsthen rewrites the host portion of the returned URL to the host-accessible base before redeeming. Seetools/federation-harness/README.md-> "Known Limitations -> BETTER_AUTH_URL enrollment URL bug" for the documented workaround.Suggested fix
Derive the enrollment base URL from the gateway's own listening address rather than
BETTER_AUTH_URL— e.g. a dedicatedFEDERATION_ENROLLMENT_BASE_URL(preferred, explicit) or aGATEWAY_BASE_URLenv var, falling back to the gateway's configured host/port. Once fixed, the harness workaround (composeBETTER_AUTH_URLoverride + seed URL rewrite) can be removed.Notes
86e106fc).