- Token exchange now happens entirely in the browser via @azure/msal-browser (PKCE, no client_secret — correct for Azure SPA registrations)
- Browser stays on /hp-prod-tracker/login throughout; the /api/auth/callback URL never appears in the address bar
- New /api/auth/sso route validates the id_token (jose + Azure JWKS), creates User/Account/Session in Prisma, and sets the authjs session cookie
- Auth.js retained only for session reading (auth()) and signOut()
- Fix dev bypass safety gate: use NODE_ENV !== production instead of absence of AUTH_MICROSOFT_ENTRA_ID_SECRET
- Rename env vars: AUTH_MICROSOFT_ENTRA_ID_ID → AZURE_CLIENT_ID, AUTH_MICROSOFT_ENTRA_ID_TENANT_ID → AZURE_TENANT_ID, remove AUTH_URL
- Remove /api/auth Apache proxy rule (no longer needed)
- Delete OAuthRelay.tsx, add MsalLogin.tsx

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
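# ── HP Prod Tracker — Next.js standalone at :3001 ─────────────────────────
# Managed by deploy.sh — edit this file and redeploy instead of editing
# /etc/apache2/sites-available/optical-dev.oliver.solutions.conf directly.
#
# This fragment is included into the vhost above and relies on it for
# mod_proxy / mod_proxy_http / mod_proxy_wstunnel (for the ws:// target),
# mod_rewrite with RewriteEngine On, and TLS termination — none of that is
# configured here. ProxyPreserveHost is left at its default (Off), so the
# app sees Host: 127.0.0.1:3001 and must take its public origin from the
# X-Forwarded-* headers.

# Forwarding-header hygiene. mod_proxy *merges* (appends to) an
# X-Forwarded-Host the client already sent rather than replacing it, and it
# never sets X-Forwarded-Proto at all — so without this block both values
# are partly or wholly client-controlled. The app now has no AUTH_URL and
# presumably derives its origin (redirects, cookies, SSO) from these
# headers, so they must come only from this proxy — confirm against the
# app's request handling. Wrapped in IfModule so a vhost without
# mod_headers keeps the previous behaviour instead of failing to reload.
# Assumes TLS terminates in this Apache; if a hop upstream terminates TLS,
# take X-Forwarded-Proto from that hop instead of REQUEST_SCHEME.
<IfModule mod_headers.c>
    RequestHeader unset X-Forwarded-Host early
    RequestHeader set   X-Forwarded-Proto "expr=%{REQUEST_SCHEME}"
</IfModule>

# Large uploads: video files up to 500 MB (overrides the global 100 MB limit).
# NOTE: <Location> covers the whole app prefix, so every route under it —
# including the unauthenticated login/SSO endpoints — accepts a 500 MB body
# that Apache streams through to :3001. Narrow this to the upload route(s)
# once their paths are settled; they are not visible from this file.
<Location /hp-prod-tracker>
    LimitRequestBody 524288000
</Location>

# WebSocket passthrough (Next.js real-time features).
# Fires only for requests carrying "Upgrade: websocket" and a Connection
# header containing "upgrade" (both are unanchored, case-insensitive regex
# matches, so "Connection: keep-alive, Upgrade" qualifies). [P] hands the
# request to mod_proxy (ws:// needs mod_proxy_wstunnel); the query string
# is carried over unchanged. Non-upgrade traffic falls through to the
# ProxyPass rules below.
RewriteCond %{HTTP:Upgrade}    websocket [NC]
RewriteCond %{HTTP:Connection} upgrade   [NC]
RewriteRule ^/hp-prod-tracker/(.*) ws://127.0.0.1:3001/hp-prod-tracker/$1 [P,L]

# Chat + AI endpoints: long timeout for streaming responses. Only this path
# gets timeout=300; the catch-all below keeps the server's default proxy
# timeout.
ProxyPass        /hp-prod-tracker/api/chat http://127.0.0.1:3001/hp-prod-tracker/api/chat timeout=300
ProxyPassReverse /hp-prod-tracker/api/chat http://127.0.0.1:3001/hp-prod-tracker/api/chat

# All other routes, including /api/auth/* (the dedicated /api/auth rule was
# removed; the SSO and session endpoints are now served through this
# catch-all). ProxyPass is first-match in configuration order, so this pair
# must stay after the more specific paths above.
ProxyPass        /hp-prod-tracker http://127.0.0.1:3001/hp-prod-tracker
ProxyPassReverse /hp-prod-tracker http://127.0.0.1:3001/hp-prod-tracker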