0.1.112 — Casdoor signin URL uses CASDOOR_APP_NAME (not org name)
User directive verbatim:
"chech how the current version for env is configured, I checked all the casdoor backend var is correctly configured."
The user audited their Northflank env vars and confirmed the
six required CASDOOR_* vars + the new claim mapping vars are all
populated. Their sample.northflank.env shows:
CASDOOR_ORG_NAME=trance-0
CASDOOR_APP_NAME=notechondria
CASDOOR_REQUIRED_GROUPS=trance-0/app-notechondria
Two rounds ago (0.1.109) the user said:
"the final endpoint should be on https://auth.trance-0.com/login/notechondria"
At that time their CASDOOR_ORG_NAME was also notechondria,
so my 0.1.109 fix used CASDOOR_ORG_NAME and produced the
right URL by accident. Now that the user has renamed their
Casdoor organization to trance-0 (with notechondria only
as the per-app identifier), the org-themed path resolves to
/login/trance-0 — not the /login/notechondria they asked
for.
/login/<appName> is the right Casdoor convention here because
the app name is the stable identifier for the per-app login
surface. The org name only ever served as the surface URL when
a single-org Casdoor instance happened to share its name with
the app it housed.
Audit table — what each env var actually drives
| Env var | Value (per sample.northflank.env) | Where it's read |
|---|---|---|
CASDOOR_ENDPOINT | https://auth.trance-0.com/ (rstripped to no trailing slash) | _build_sdk (SDK constructor); CasdoorConfigApiView.get (response endpoint + base for signin_url) |
CASDOOR_CLIENT_ID | d24d31a88e52e81733aa | _build_sdk client_id; CasdoorConfigApiView response; OAuth audience claim during JWT verify |
CASDOOR_CLIENT_SECRET | (set) | _build_sdk client_secret only — never returned to the SPA |
CASDOOR_ORG_NAME | trance-0 | _build_sdk org_name; CasdoorConfigApiView response organization. Was wrongly used for signin_url until 0.1.112. |
CASDOOR_APP_NAME | notechondria | _build_sdk application_name; CasdoorConfigApiView response application; now used for signin_url |
CASDOOR_CERTIFICATE | PEM single-line | _build_sdk certificate (after _normalize_pem); JWT signature verification |
CASDOOR_TOKEN_CACHE_TTL | 300 | (currently unused as of 0.1.110; reserved for verifier-side cache when wired) |
CASDOOR_CLAIM_* (7 vars) | defaults preserve 0.1.96 behavior | _claim_str / _claim_groups in casdoor_auth.py |
CASDOOR_REQUIRED_GROUPS | trance-0/app-notechondria | _check_group_access — gate at authenticate() |
The configuration on Northflank is consistent with the code's expectations except for the one URL-construction fix landing in this round.
Files changed
backend/creators/api.py
CasdoorConfigApiView.get now builds signin_url from
CASDOOR_APP_NAME:
"signin_url": f"{endpoint}/login/{settings.CASDOOR_APP_NAME}",
With the user's current env, the response is now:
{
"configured": true,
"endpoint": "https://auth.trance-0.com",
"client_id": "d24d31a88e52e81733aa",
"organization": "trance-0",
"application": "notechondria",
"signin_url": "https://auth.trance-0.com/login/notechondria"
}
frontend/editor_app/lib/core/initial_data.dart + portal + planner
The Casdoor probe in all three apps used to synthesize
orgLoginUrl locally from ${endpoint}/login/${organization}
— same off-by-one as the backend: with the user's renamed org
it would have built https://auth.trance-0.com/login/trance-0
for the "Login via third party" CTA. Two changes per app:
- Switched the local synthesis to
${endpoint}/login/${application}so the fallback path matches the backend. - Prefer the backend's
signin_urlwhen present —config['signin_url']from the new response. This makes the backend the single source of truth for the URL; the frontend only synthesizes when the backend response is missing the field (older backend image, shadow mode, etc.).
Verification
python3 -m py_compileclean onbackend/creators/api.py.flutter analyzewhole-package clean foreditor_app,portal_app,planner_app— no errors, only pre-existing info-level lints.- The change is purely additive on the SPA side: when
signin_urlis present in the backend response (true after 0.1.109+ deploy), it wins; when absent (very old backend), the local fallback now usesapplicationinstead oforganization. Either way the URL resolves to/login/notechondriafor the user's current env.
Deploy reminder (still valid)
The production backend at notechondria.trance-0.com is still
404'ing on /api/v1/auth/casdoor/config/ per the user's most
recent log. That route was added in 0.1.96; this round's URL
fix is in 0.1.112. Both arrive in the same redeploy. Until the
backend image is rebuilt, neither change is live — curl https://notechondria.trance-0.com/api/v1/auth/casdoor/config/
will keep returning 404 and client.login() (from 0.1.111)
will too.
After redeploy:
curl -sS https://notechondria.trance-0.com/api/v1/auth/casdoor/config/
# Expect:
# {"configured":true,"endpoint":"https://auth.trance-0.com",
# "client_id":"...","organization":"trance-0",
# "application":"notechondria",
# "signin_url":"https://auth.trance-0.com/login/notechondria"}
The editor's Casdoor SSO button will then redirect to
https://auth.trance-0.com/login/notechondria with OAuth
params attached — matching the user's directive from 0.1.109.