diff --git a/.cursor/rules/protect-authelia-bypass-routes.mdc b/.cursor/rules/protect-authelia-bypass-routes.mdc
new file mode 100644
index 0000000..84aac86
--- /dev/null
+++ b/.cursor/rules/protect-authelia-bypass-routes.mdc
@@ -0,0 +1,19 @@
+---
+description: Never remove /success or other Stripe/auth bypass routes from Authelia
+alwaysApply: true
+---
+
+# Authelia bypass routes must not be reverted
+
+**Recurring issue:** After Stripe checkout, users are sent to `https://bc.a250.ca/success?session_id=...`. If `/success` is **not** in Authelia's **bypass** list, they get sent to login instead of the success page and provisioning breaks.
+
+**Do not:**
+
+- Remove `/success` from the bypass `resources` in `stack.yml` (the Authelia command that writes `configuration.acl.yml`).
+- Remove or merge the bypass block that contains: `^/$$`, `^/subscribe/?$$`, `^/success(/|\\?.*)?$$`, `^/webhook/stripe/?$$`, `^/resend-reset/?$$`, `^/health/?$$`, `^/version/?$$`, `^/admin/delete-user/?$$`.
+- Change the regex for success to something that no longer matches `/success?session_id=...`.
+
+**Required bypass resources for bc.a250.ca (second bypass block):**
+`/`, `/subscribe`, `/success` (with optional query), `/webhook/stripe`, `/resend-reset`, `/health`, `/version`, `/admin/delete-user`.
+
+**If editing `stack.yml` Authelia section:** keep the entire bypass block and all of these resources; only add new paths when the user explicitly asks.
diff --git a/.cursor/rules/protect-subscribe-settings.mdc b/.cursor/rules/protect-subscribe-settings.mdc
index e41f0e2..7a1f79f 100644
--- a/.cursor/rules/protect-subscribe-settings.mdc
+++ b/.cursor/rules/protect-subscribe-settings.mdc
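Review bot: The rule makes `/admin/delete-user` and `/webhook/stripe` permanent Authelia bypass routes and forbids narrowing the list, but it never states what authenticates those two routes once SSO is out of the picture; the `stack.yml` hunks in this same commit set `ADMIN_SECRET=` to empty and `STRIPE_WEBHOOK_SECRET=whsec_placeholder`, so an editor following this rule to the letter could ship an unauthenticated user-deletion endpoint. Suggest adding one line after the required-resources list: `**Bypass is not authentication:** /webhook/stripe must verify the Stripe-Signature header with STRIPE_WEBHOOK_SECRET, and /admin/delete-user must require a non-empty ADMIN_SECRET — confirm both before deploying or adding any path here.` Whether those two variables actually gate those routes is not visible from the rule file, so verify against the application before adopting the wording.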
@@ -5,14 +5,15 @@ alwaysApply: true # Subscribe / Stripe configuration is off-limits +**Do not use .env.** All config is in `stack.yml`; do not add or rely on `.env` for deploy. + **Do not under any circumstance:** - Remove, comment out, reorder, or rename the `STRIPE_*` or subscribe-related environment variables in `stack.yml` (the `ss-atlas` service `environment:` block). -- Remove or alter the same variables in `.env`. -- Stash, replace, or overwrite `stack.yml` or `.env` in a way that drops or changes the Stripe/subscribe env vars. -- Add logic that clears or overwrites these values at deploy or runtime. +- Stash, replace, or overwrite `stack.yml` in a way that drops or changes the Stripe/subscribe env vars. +- Add logic that loads config from `.env` or clears these values at deploy or runtime. **Required subscribe-related vars in `stack.yml` for `ss-atlas`:** `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, `STRIPE_PRICE_ID`, `STRIPE_PRICE_ID_FREE`, `STRIPE_PRICE_ID_YEAR`, `STRIPE_PRICE_ID_MONTH_100`, `STRIPE_PRICE_ID_MONTH_200`, `STRIPE_PAYMENT_LINK`, `FREE_TIER_LIMIT`, `YEAR_TIER_LIMIT`, `MAX_SIGNUPS`. -**If editing `stack.yml` or deploy flow:** preserve the full `ss-atlas` environment section exactly; only add new vars or change non-Stripe defaults when the user explicitly asks. +**If editing `stack.yml` or deploy flow:** preserve the full `ss-atlas` environment section exactly; only add new vars or change values when the user explicitly asks. diff --git a/scripts/deploy-stack-dev.sh b/scripts/deploy-stack-dev.sh index 2f50443..854c67a 100755 --- a/scripts/deploy-stack-dev.sh +++ b/scripts/deploy-stack-dev.sh @@ -4,7 +4,7 @@ set -e cd "$(dirname "$0")/.." -[ -f .env ] && set -a && . .env && set +a +# Config is in stack.yml; do not use .env if [ -n "$(git status --porcelain)" ]; then echo "ERROR: Working tree is dirty. Commit your changes before deploying." >&2 diff --git a/stack.yml b/stack.yml index eaf7a6c..bcf4d41 100644 --- a/stack.yml +++ b/stack.yml 
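Review bot: Removing `[ -f .env ] && set -a && . .env && set +a` takes away the only out-of-repo source of deploy secrets, and because the dirty-tree check immediately below refuses to deploy uncommitted changes, every value `stack.yml` needs must now live in git — which is exactly what the `stack.yml` hunks in this commit do with a Stripe secret key. I assume the script goes on to call `docker stack deploy`, which does not read `.env` on its own; that is why this line existed. Keep a non-tracked secret source — retain the `.env` sourcing with `.env` git-ignored so `${VAR:?}` interpolation in `stack.yml` keeps working, or switch to Swarm secrets — and fail fast when it is missing, e.g. `: "${STRIPE_SECRET_KEY:?export STRIPE_SECRET_KEY before deploying}"` right after the `cd`. The `if` block that follows continues past the end of the hunk.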
@@ -180,22 +180,22 @@ services:
 - "traefik.http.middlewares.strip-traefik.stripprefix.prefixes=/admin/traefik"
 - "traefik.http.services.traefik-api.loadbalancer.server.port=8080"
 
- # SUBSCRIBE/STRIPE: Do not remove or reorder the STRIPE_* and tier env vars below.
- # They are loaded from .env at deploy time. See .cursor/rules/protect-subscribe-settings.mdc
+ # SUBSCRIBE/STRIPE: Do not remove or reorder. Values are in this file; do not use .env.
+ # See .cursor/rules/protect-subscribe-settings.mdc
 ss-atlas:
 image: atlas-ss-atlas:latest
 environment:
- - STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY:-sk_test_placeholder}
- - STRIPE_WEBHOOK_SECRET=${STRIPE_WEBHOOK_SECRET:-whsec_placeholder}
- - STRIPE_PRICE_ID=${STRIPE_PRICE_ID:-}
- - STRIPE_PRICE_ID_FREE=${STRIPE_PRICE_ID_FREE:-}
- - STRIPE_PRICE_ID_YEAR=${STRIPE_PRICE_ID_YEAR:-}
- - STRIPE_PRICE_ID_MONTH_100=${STRIPE_PRICE_ID_MONTH_100:-}
- - STRIPE_PRICE_ID_MONTH_200=${STRIPE_PRICE_ID_MONTH_200:-}
- - STRIPE_PAYMENT_LINK=${STRIPE_PAYMENT_LINK:-}
- - FREE_TIER_LIMIT=${FREE_TIER_LIMIT:-10}
- - YEAR_TIER_LIMIT=${YEAR_TIER_LIMIT:-50}
- - MAX_SIGNUPS=${MAX_SIGNUPS:-0}
+ - STRIPE_SECRET_KEY=sk_test_51T6uRBRfasa3uSsu1EwvRHaGKhWopjeBz15aDACaI3ectJ1przHIKTX2DAqJu7DDtsBMhIuRiyVf0MY9ivtUvzk800kEZ5advL
+ - STRIPE_WEBHOOK_SECRET=whsec_placeholder
+ - STRIPE_PRICE_ID=price_1T6v8dRfasa3uSsuCWmIC0Fn
+ - STRIPE_PRICE_ID_FREE=price_1T7NOURfasa3uSsuEpbKAD1h
+ - STRIPE_PRICE_ID_YEAR=price_1T7NOURfasa3uSsu3fB9ivyn
+ - STRIPE_PRICE_ID_MONTH_100=price_1T7NOVRfasa3uSsuEaxzMNno
+ - STRIPE_PRICE_ID_MONTH_200=price_1T7NOVRfasa3uSsucQRRlPCi
+ - STRIPE_PAYMENT_LINK=
+ - FREE_TIER_LIMIT=10
+ - YEAR_TIER_LIMIT=50
+ - MAX_SIGNUPS=0
 - LLDAP_URL=ldap://lldap:3890
 - LLDAP_ADMIN_DN=uid=admin,ou=people,dc=a250,dc=ca
 - LLDAP_ADMIN_PASSWORD=/ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
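Review bot: `STRIPE_SECRET_KEY` now holds a real `sk_test_…` key as a literal in a file the deploy script requires to be committed, next to the plaintext `LLDAP_ADMIN_PASSWORD` already sitting on the context line; a Stripe secret key that has entered git history should be treated as leaked and rotated in the Stripe dashboard even in test mode, and this pattern will put the live key in the same place when the project goes live. `STRIPE_WEBHOOK_SECRET=whsec_placeholder` is also a regression: the old `${STRIPE_WEBHOOK_SECRET:-whsec_placeholder}` could be overridden at deploy time, the new literal cannot, so either signature verification of every Stripe event arriving on the Authelia-bypassed `/webhook/stripe` route now fails, or — if the application skips verification for the placeholder, which I cannot see from here — forged events are accepted. The price IDs and tier limits are fine as literals; only the two secrets need to come from outside the repo, either as Swarm `secrets:` mounted under `/run/secrets/` (if the image supports `*_FILE` variables) or via fail-closed interpolation, `- STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY:?set at deploy time}` and `- STRIPE_WEBHOOK_SECRET=${STRIPE_WEBHOOK_SECRET:?set at deploy time}`, with values supplied from an untracked env file or the CI secret store. The comment above the block should then say where the values come from instead of "do not use .env".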
@@ -210,9 +210,9 @@ services:
 - CUSTOMER_DOMAIN=bc.a250.ca
 - TEMPLATE_PATH=/app/templates
 - ARCHIVE_PATH=/archives
- - LANDING_TAGLINE=${LANDING_TAGLINE:-Your own workspace, ready in minutes.}
- - LANDING_FEATURES=${LANDING_FEATURES:-Dedicated environment|Secure single sign-on|Automatic provisioning|Manage subscription anytime}
- - ADMIN_SECRET=${ADMIN_SECRET:-}
+ - LANDING_TAGLINE=Your own workspace, ready in minutes.
+ - LANDING_FEATURES=Dedicated environment|Secure single sign-on|Automatic provisioning|Manage subscription anytime
+ - ADMIN_SECRET=
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - atlas_archives:/archives
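Review bot: `ADMIN_SECRET=` is now hard-wired to the empty string where `${ADMIN_SECRET:-}` could previously be supplied from the deploy environment, and the new Cursor rule in this commit keeps `/admin/delete-user` in Authelia's bypass list; if that endpoint is gated by `ADMIN_SECRET` (the application code is not visible here), an empty value may disable or trivialise the only check on an unauthenticated user-deletion route. Make it fail closed at deploy time, `- ADMIN_SECRET=${ADMIN_SECRET:?ADMIN_SECRET must be set}`, or move it to a Swarm secret, and add a comment above it naming the routes it protects so the value is never committed as a literal. `LANDING_TAGLINE` and `LANDING_FEATURES` are harmless as literals and can stay as written.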