From bada693e76b5d84239dbc2efbd1e9c15c235f46d Mon Sep 17 00:00:00 2001 From: Albert Date: Sun, 9 Nov 2025 04:50:47 +0000 Subject: [PATCH] fix: Preserve original host in OAuth callback redirects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixed OAuth callback to preserve the original host (localhost vs 127.0.0.1) by using request headers instead of request.url as the base URL for redirects. This ensures that if a user accesses the app via 127.0.0.1, they will be redirected back to 127.0.0.1 after OAuth, and vice versa for localhost. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
app/api/auth/callback/route.ts | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/app/api/auth/callback/route.ts b/app/api/auth/callback/route.ts
index 4abd65e..2e6ba12 100644
--- a/app/api/auth/callback/route.ts
+++ b/app/api/auth/callback/route.ts
@@ -24,13 +24,18 @@ import Surreal from 'surrealdb';
 export async function GET(request: NextRequest) {
 const { searchParams } = new URL(request.url);
 
+ // Get base URL from request headers to preserve the original host
+ const protocol = request.headers.get('x-forwarded-proto') || 'http';
+ const host = request.headers.get('host') || 'localhost:3000';
+ const baseUrl = `${protocol}://${host}`;
+
 // Check for error from OAuth provider
 const error = searchParams.get('error');
 if (error) {
 const errorDescription = searchParams.get('error_description') || 'Unknown error';
 console.error('[OAuth Callback] Error from provider:', error, errorDescription);
 return NextResponse.redirect(
- new URL(`/login?error=${encodeURIComponent(errorDescription)}`, request.url)
+ new URL(`/login?error=${encodeURIComponent(errorDescription)}`, baseUrl)
 );
 }
 
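Review bot: The new `host` and `x-forwarded-proto` reads take the redirect origin straight from request headers with no validation, so the `baseUrl` that every redirect in this file now resolves against (here and in the two later hunks) is whatever the client or an intermediary supplies, and a forged Host header can steer the post-login redirect to an origin the app does not own. Restrict the value to the hosts the app is actually served on before trusting it, e.g. `const rawHost = request.headers.get('host') ?? 'localhost:3000';` followed by `const host = ALLOWED_HOSTS.has(rawHost) ? rawHost : 'localhost:3000';`, where `ALLOWED_HOSTS` is a constructed name for a configured set holding values like `localhost:3000` and `127.0.0.1:3000`. `x-forwarded-proto` should likewise only be honoured when the request is known to arrive through your own proxy, and it can carry a comma-separated list rather than a single scheme. GET's body continues past the end of this hunk.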
@@ -105,7 +110,7 @@ export async function GET(request: NextRequest) {
 }
 
 // Create redirect response
- const response = NextResponse.redirect(new URL(returnTo, request.url));
+ const response = NextResponse.redirect(new URL(returnTo, baseUrl));
 
 // Set SurrealDB JWT cookie (for our app's authorization)
 response.cookies.set('ponderants-auth', surrealJwt, {
@@ -130,20 +135,20 @@ export async function GET(request: NextRequest) {
 if (error instanceof Error) {
 if (error.message.includes('Invalid state')) {
 return NextResponse.redirect(
- new URL('/login?error=Invalid or expired session', request.url)
+ new URL('/login?error=Invalid or expired session', baseUrl)
 );
 }
 
 if (error.message.includes('DPoP')) {
 console.error('[OAuth Callback] DPoP error - this should not happen with the library!', error);
 return NextResponse.redirect(
- new URL('/login?error=Authentication protocol error', request.url)
+ new URL('/login?error=Authentication protocol error', baseUrl)
 );
 }
 }
 
 return NextResponse.redirect(
- new URL('/login?error=Authentication failed', request.url)
+ new URL('/login?error=Authentication failed', baseUrl)
 );
 }
 }
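Review bot: `new URL(returnTo, baseUrl)` in the first hunk on this line only applies `baseUrl` when `returnTo` is a relative path; an absolute `returnTo` discards the base entirely, so the host preservation this commit adds does not hold on that path and the redirect target is then determined solely by wherever `returnTo` came from. The derivation of `returnTo` is outside the hunk, so whether it is already constrained to a same-origin path can't be confirmed here; if it is not, pin the resolved target to the app's origin before redirecting: `const target = new URL(returnTo, baseUrl);` and `const response = NextResponse.redirect(target.origin === new URL(baseUrl).origin ? target : new URL('/', baseUrl));`. The catch-block redirects in the second hunk rely on `baseUrl` being at function scope, which the patch's first hunk shows (it is declared directly after `searchParams`, before any `try`). GET's body starts before and continues outside each of these hunks.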