feat: add configurable JWT issuer for local auth development (#4388)

* feat: add configurable JWT issuer for local auth development

* fix: set jwt_issuer default during config loading

* chore: build verify url from jwt issuer

* chore: build redirect uri from issuer url

---------

Co-authored-by: Qiao Han <[email protected]>

Author: cemalkilic

internal/start/start.go

@@ -482,7 +482,7 @@ EOF
 			"GOTRUE_JWT_DEFAULT_GROUP_NAME=authenticated",
 			fmt.Sprintf("GOTRUE_JWT_EXP=%v", utils.Config.Auth.JwtExpiry),
 			"GOTRUE_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
-			"GOTRUE_JWT_ISSUER=" + utils.GetApiUrl("/auth/v1"),
+			"GOTRUE_JWT_ISSUER=" + utils.Config.Auth.JwtIssuer,
 
 			fmt.Sprintf("GOTRUE_EXTERNAL_EMAIL_ENABLED=%v", utils.Config.Auth.Email.EnableSignup),
 			fmt.Sprintf("GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED=%v", utils.Config.Auth.Email.DoubleConfirmChanges),
@@ -494,10 +494,10 @@ EOF
 
 			fmt.Sprintf("GOTRUE_SMTP_MAX_FREQUENCY=%v", utils.Config.Auth.Email.MaxFrequency),
 
-			"GOTRUE_MAILER_URLPATHS_INVITE=" + utils.GetApiUrl("/auth/v1/verify"),
-			"GOTRUE_MAILER_URLPATHS_CONFIRMATION=" + utils.GetApiUrl("/auth/v1/verify"),
-			"GOTRUE_MAILER_URLPATHS_RECOVERY=" + utils.GetApiUrl("/auth/v1/verify"),
-			"GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE=" + utils.GetApiUrl("/auth/v1/verify"),
+			fmt.Sprintf("GOTRUE_MAILER_URLPATHS_INVITE=%s/verify", utils.Config.Auth.JwtIssuer),
+			fmt.Sprintf("GOTRUE_MAILER_URLPATHS_CONFIRMATION=%s/verify", utils.Config.Auth.JwtIssuer),
+			fmt.Sprintf("GOTRUE_MAILER_URLPATHS_RECOVERY=%s/verify", utils.Config.Auth.JwtIssuer),
+			fmt.Sprintf("GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE=%s/verify", utils.Config.Auth.JwtIssuer),
 			"GOTRUE_RATE_LIMIT_EMAIL_SENT=360000",
 
 			fmt.Sprintf("GOTRUE_EXTERNAL_PHONE_ENABLED=%v", utils.Config.Auth.Sms.EnableSignup),
@@ -699,7 +699,7 @@ EOF
 
 			redirectUri := config.RedirectUri
 			if redirectUri == "" {
-				redirectUri = utils.GetApiUrl("/auth/v1/callback")
+				redirectUri = utils.Config.Auth.JwtIssuer + "/callback"
 			}
 			env = append(env, fmt.Sprintf("GOTRUE_EXTERNAL_%s_REDIRECT_URI=%s", strings.ToUpper(name), redirectUri))
 

pkg/config/auth.go

@@ -152,6 +152,7 @@ type (
 		SiteUrl                    string               `toml:"site_url"`
 		AdditionalRedirectUrls     []string             `toml:"additional_redirect_urls"`
 		JwtExpiry                  uint                 `toml:"jwt_expiry"`
+		JwtIssuer                  string               `toml:"jwt_issuer"`
 		EnableRefreshTokenRotation bool                 `toml:"enable_refresh_token_rotation"`
 		RefreshTokenReuseInterval  uint                 `toml:"refresh_token_reuse_interval"`
 		EnableManualLinking        bool                 `toml:"enable_manual_linking"`

pkg/config/config.go

@@ -583,6 +583,10 @@ func (c *config) Load(path string, fsys fs.FS, overrides ...ConfigEditor) error
 		}
 		c.Api.ExternalUrl = apiUrl.String()
 	}
+	// Set default JWT issuer if not configured
+	if len(c.Auth.JwtIssuer) == 0 {
+		c.Auth.JwtIssuer = c.Api.ExternalUrl + "/auth/v1"
+	}
 	// Update image versions
 	switch c.Db.MajorVersion {
 	case 13:

pkg/config/templates/config.toml

@@ -125,6 +125,8 @@ site_url = "http://127.0.0.1:3000"
 additional_redirect_urls = ["https://127.0.0.1:3000"]
 # How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 (1 week).
 jwt_expiry = 3600
+# JWT issuer URL. If not set, defaults to the local API URL (http://127.0.0.1:<port>/auth/v1).
+# jwt_issuer = ""
 # Path to JWT signing key. DO NOT commit your signing keys file to git.
 # signing_keys_path = "./signing_keys.json"
 # If disabled, the refresh token will never expire.