From 72227b5aab731b5d65816f73bcf51b24d399effa Mon Sep 17 00:00:00 2001
From: Zaid Marzguioui <zaid.marzguioui@outlook.de>
Date: Wed, 1 Apr 2026 11:42:00 +0200
Subject: [PATCH] =?UTF-8?q?fix(auth):=20revert=20SUPABASE=5FINTERNAL=5FURL?=
 =?UTF-8?q?=20=E2=80=94=20cookie=20name=20mismatch?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Browser creates cookies keyed by the external hostname (sb-myeasycms-*),
but server was using SUPABASE_INTERNAL_URL (sb-supabase-kong-*) — different
keys = server can't find the session = infinite 'please wait' after login.

Both client and server now use the same NEXT_PUBLIC_SUPABASE_URL (external
domain). The SSR reaches Supabase via Traefik → Kong which works fine.
---
 Dockerfile                                        |  2 +-
 docker-compose.yml                                |  4 +---
 packages/supabase/src/get-supabase-client-keys.ts | 12 +-----------
 3 files changed, 3 insertions(+), 15 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index cb93a5727..7a6923212 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,7 +5,7 @@ WORKDIR /app
 # --- Install + Build in one stage ---
 FROM base AS builder
 # CACHE_BUST: change this value to force a full rebuild (busts Docker layer cache)
-ARG CACHE_BUST=9
+ARG CACHE_BUST=10
 RUN echo "Cache bust: ${CACHE_BUST}"
 COPY . .
 RUN pnpm install --no-frozen-lockfile
diff --git a/docker-compose.yml b/docker-compose.yml
index d22bbcf07..9a5306e68 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -321,12 +321,10 @@ services:
     environment:
       NODE_ENV: production
       NEXT_PUBLIC_SITE_URL: ${SITE_URL:-http://localhost:3000}
-      # Browser-side: external domain (baked at build time, re-stated here for SSR)
+      # Same URL for browser AND server — keeps Supabase cookie names consistent
       NEXT_PUBLIC_SUPABASE_URL: ${API_EXTERNAL_URL:-http://localhost:8000}
       NEXT_PUBLIC_SUPABASE_PUBLIC_KEY: ${SUPABASE_ANON_KEY}
       NEXT_PUBLIC_DEFAULT_LOCALE: de
-      # Server-side: Docker-internal URL (avoids hairpin NAT / DNS issues)
-      SUPABASE_INTERNAL_URL: http://supabase-kong:8000
       SUPABASE_SECRET_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
       SUPABASE_DB_WEBHOOK_SECRET: ${DB_WEBHOOK_SECRET:-webhooksecret}
       EMAIL_SENDER: ${EMAIL_SENDER:-noreply@myeasycms.de}
diff --git a/packages/supabase/src/get-supabase-client-keys.ts b/packages/supabase/src/get-supabase-client-keys.ts
index 3afab122e..1f3a3eee9 100644
--- a/packages/supabase/src/get-supabase-client-keys.ts
+++ b/packages/supabase/src/get-supabase-client-keys.ts
@@ -2,18 +2,8 @@ import * as z from 'zod';
 
 /**
  * Returns and validates the Supabase client keys from the environment.
- *
- * On the server, prefers SUPABASE_INTERNAL_URL (Docker-internal)
- * over NEXT_PUBLIC_SUPABASE_URL (external domain) to avoid
- * hairpin NAT / DNS issues in containerized deployments.
  */
 export function getSupabaseClientKeys() {
-  const isServer = typeof window === 'undefined';
-
-  const url = isServer
-    ? (process.env.SUPABASE_INTERNAL_URL || process.env.NEXT_PUBLIC_SUPABASE_URL)
-    : process.env.NEXT_PUBLIC_SUPABASE_URL;
-
   return z
     .object({
       url: z.string({
@@ -24,7 +14,7 @@ export function getSupabaseClientKeys() {
       }),
     })
     .parse({
-      url,
+      url: process.env.NEXT_PUBLIC_SUPABASE_URL,
       publicKey: process.env.NEXT_PUBLIC_SUPABASE_PUBLIC_KEY,
     });
 }