250796dd0c
- Token exchange now happens entirely in the browser via @azure/msal-browser (PKCE, no client_secret — correct for Azure SPA registrations) - Browser stays on /hp-prod-tracker/login throughout; the /api/auth/callback URL never appears in the address bar - New /api/auth/sso route validates the id_token (jose + Azure JWKS), creates User/Account/Session in Prisma, and sets the authjs session cookie - Auth.js retained only for session reading (auth()) and signOut() - Fix dev bypass safety gate: use NODE_ENV !== production instead of absence of AUTH_MICROSOFT_ENTRA_ID_SECRET - Rename env vars: AUTH_MICROSOFT_ENTRA_ID_ID → AZURE_CLIENT_ID, AUTH_MICROSOFT_ENTRA_ID_TENANT_ID → AZURE_TENANT_ID, remove AUTH_URL - Remove /api/auth Apache proxy rule (no longer needed) - Delete OAuthRelay.tsx, add MsalLogin.tsx Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
63 lines
2.2 KiB
YAML
63 lines
2.2 KiB
YAML
services:
|
|
# ─── PostgreSQL with pgvector ───────────────────────────
|
|
db:
|
|
image: pgvector/pgvector:pg17
|
|
restart: unless-stopped
|
|
environment:
|
|
POSTGRES_USER: postgres
|
|
POSTGRES_PASSWORD: ${DB_PASSWORD:-postgres}
|
|
POSTGRES_DB: hp_prod_tracker
|
|
ports:
|
|
- "5491:5432"
|
|
volumes:
|
|
- pgdata:/var/lib/postgresql/data
|
|
- ./docker/db-init.sql:/docker-entrypoint-initdb.d/01-pgvector.sql:ro
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U postgres"]
|
|
interval: 5s
|
|
timeout: 5s
|
|
retries: 5
|
|
|
|
# ─── Next.js app ───────────────────────────────────────
|
|
app:
|
|
build:
|
|
context: .
|
|
dockerfile: Dockerfile
|
|
restart: unless-stopped
|
|
ports:
|
|
- "3001:3000"
|
|
environment:
|
|
DATABASE_URL: postgresql://postgres:${DB_PASSWORD:-postgres}@db:5432/hp_prod_tracker?schema=public
|
|
# Ollama — points to internal GPU server for embeddings + chat fallback
|
|
OLLAMA_HOST: ${OLLAMA_HOST:-http://10.24.42.219:11434}
|
|
OLLAMA_CHAT_HOST: ${OLLAMA_CHAT_HOST:-http://10.24.42.219:11434}
|
|
OLLAMA_CHAT_MODEL: ${OLLAMA_CHAT_MODEL:-gemma4:latest}
|
|
OLLAMA_EMBED_MODEL: ${OLLAMA_EMBED_MODEL:-nomic-embed-text}
|
|
NODE_ENV: production
|
|
AUTH_SECRET: ${AUTH_SECRET}
|
|
AUTH_TRUST_HOST: "true"
|
|
# Azure SPA registration — PKCE in browser, no client secret
|
|
AZURE_CLIENT_ID: ${AZURE_CLIENT_ID}
|
|
AZURE_TENANT_ID: ${AZURE_TENANT_ID}
|
|
AZURE_REDIRECT_URI: ${AZURE_REDIRECT_URI:-}
|
|
CRON_SECRET: ${CRON_SECRET:-change-me}
|
|
API_KEY: ${API_KEY:-}
|
|
ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY:-}
|
|
ANTHROPIC_MODEL: ${ANTHROPIC_MODEL:-}
|
|
DEV_BYPASS_AUTH: ${DEV_BYPASS_AUTH:-false}
|
|
DEV_USER_ID: ${DEV_USER_ID:-}
|
|
volumes:
|
|
- uploads_data:/data/uploads
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "wget -q --spider http://localhost:3000/api/health || exit 1"]
|
|
interval: 15s
|
|
timeout: 5s
|
|
retries: 3
|
|
start_period: 30s
|
|
|
|
volumes:
|
|
pgdata:
|
|
uploads_data:
|