- Replace 8 placeholder price IDs (price_starter_monthly, etc.) with real
Stripe test-mode price IDs created via API
- Add STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, NEXT_PUBLIC_BILLING_PROVIDER,
and NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY to docker-compose.yml (build args + runtime)
- Add NEXT_PUBLIC_BILLING_PROVIDER ARG/ENV to Dockerfile
- Enable team and personal account billing (was 'false')
- Created Stripe webhook endpoint for production URL
- Created 4 Stripe products (Starter/Pro/Verband/Enterprise) with monthly+yearly prices
Checkout was crashing because:
1. STRIPE_SECRET_KEY was missing → Zod validation failed at createStripeClient()
2. STRIPE_WEBHOOK_SECRET was missing → same Zod schema rejection
3. NEXT_PUBLIC_BILLING_PROVIDER was unset → BillingProviderSchema.parse() failed
4. Price IDs were placeholders, not real Stripe price_xxx IDs
ROOT CAUSE FIX: All server-side Supabase clients (server-client, middleware-client,
server-admin-client) now use SUPABASE_INTERNAL_URL (http://supabase-kong:8000)
when available, with cookieOptions.name set to match the external URL's cookie key
(e.g. sb-myeasycms-auth-token). This gives us:
- Reliable Docker-internal networking (no hairpin NAT through Traefik)
- Correct session cookie matching between browser and server
- No more 500 errors on SSR pages that query Supabase
Reverted per-page try/catch workarounds since root cause is now fixed.
- Enable all 3 modules via NEXT_PUBLIC_ENABLE_* build args + runtime env
- Fix empty-string-to-null for date/optional columns in all module APIs:
fischerei (24 fixes), verbandsverwaltung (15 fixes), sitzungsprotokolle (2 fixes)
- CACHE_BUST=12 for full rebuild with new feature flags
Browser creates cookies keyed by the external hostname (sb-myeasycms-*),
but server was using SUPABASE_INTERNAL_URL (sb-supabase-kong-*) — different
keys = server can't find the session = infinite 'please wait' after login.
Both client and server now use the same NEXT_PUBLIC_SUPABASE_URL (external
domain). The SSR reaches Supabase via Traefik → Kong which works fine.
Server-side code (proxy.ts, SSR, API routes) now uses SUPABASE_INTERNAL_URL
(http://supabase-kong:8000) instead of the external domain. This avoids
hairpin NAT / DNS resolution issues where Docker containers can't reach
their own external domain through the reverse proxy.
Browser-side JS still uses the external URL (baked at build time).
- Restore NEXT_PUBLIC_SUPABASE_URL + NEXT_PUBLIC_SUPABASE_PUBLIC_KEY at runtime
(server code reads from process.env — needs these for SSR)
- Use external URL (API_EXTERNAL_URL) for both build and runtime
- Add NEXT_PUBLIC_DEFAULT_LOCALE=de as Dockerfile build arg so next-intl
compiles with the correct default locale (was falling back to 'en')
- CACHE_BUST=3 to force full rebuild
NEXT_PUBLIC_ vars are baked into the Next.js bundle at build time.
Setting them at runtime with Docker-internal URLs (http://supabase-kong:8000)
causes SSR to fail with 500 because RSC uses the runtime value which
is unreachable from the browser. Let the build-time value
(https://myeasycms.frontieralgorithmics.de) be used everywhere.
Dokploy injects 'networks' into all compose services for Traefik routing,
which is mutually exclusive with 'network_mode: service:supabase-kong'.
Changes:
- Remove network_mode from app service
- App server-side Supabase URL: http://supabase-kong:8000 (Docker DNS)
- App browser-side Supabase URL: ${API_EXTERNAL_URL} (external domain)
- Kong catch-all route: app:3000 instead of localhost:3000
- PostgREST: replace wget healthcheck with TCP socket check — PostgREST
v12 is a minimal image without wget/curl
- All services: add start_period to healthchecks to avoid premature
unhealthy marking during initial startup
PostgREST, Auth, Realtime, Storage, and Meta were starting before db-migrate
set role passwords. On existing volumes (where initdb didn't re-run),
these services would fail to authenticate to Postgres. Now all services
wait for db-migrate to complete successfully before starting.
Dokploy deployment fixes:
- Remove all host port bindings (Kong 8000/8443/3000, Studio 54323, Inbucket 54324,
DB 5432) — Traefik handles external routing in Dokploy, host ports conflict
with other services on the shared server
- Add idempotent ALTER ROLE password commands to db-migrate service — ensures
role passwords are set even when DB volume persists across deployments
(docker-entrypoint-initdb.d only runs on empty data dirs)
- Add catch-all app route to Kong config — proxies / to localhost:3000
(Next.js app via network_mode: service:supabase-kong)
- Dockerfile: replace hardcoded NEXT_PUBLIC env vars with ARG+ENV pattern
so the same Dockerfile works for any environment (local dev, Dokploy prod)
- docker-compose.yml: pass SUPABASE_ANON_KEY as build arg to Dockerfile
- docker-compose.yml: remove DB port 5432 exposure (not needed on server,
services communicate via Docker network)
