From e3b95114872c8220405b76096f8f0287804f3a9e Mon Sep 17 00:00:00 2001 From: Leopere Date: Wed, 4 Mar 2026 18:16:56 -0500 Subject: [PATCH] Fix reset URL: use raw .LinkURL, remove Traefik redirect hack The replace hacks in email templates were double-prepending /reset-password/step2 since Authelia already generates the correct URL. Removed the Traefik redirectregex middleware too since it's no longer needed. Made-with: Cursor --- .cursorignore | 2 +- .../config/email_templates/IdentityVerificationJWT.html | 2 +- .../config/email_templates/IdentityVerificationJWT.txt | 2 +- stack.yml | 9 --------- 4 files changed, 3 insertions(+), 12 deletions(-) diff --git a/.cursorignore b/.cursorignore index 2c8af5a..8060623 100644 --- a/.cursorignore +++ b/.cursorignore @@ -1,5 +1,5 @@ # Authelia – stable/done; keep out of context for ss-atlas and other work -docker/authelia/ + authelia-dev-config.yml docker/mariadb/ docker/redis/ \ No newline at end of file diff --git a/docker/authelia/config/email_templates/IdentityVerificationJWT.html b/docker/authelia/config/email_templates/IdentityVerificationJWT.html index 2af2718..e0152fa 100644 --- a/docker/authelia/config/email_templates/IdentityVerificationJWT.html +++ b/docker/authelia/config/email_templates/IdentityVerificationJWT.html @@ -6,7 +6,7 @@

Hi {{ .DisplayName }},

You requested to set or reset your password for your a250.ca workspace.

Click the link below to choose your password. You will also need to enable two-factor authentication or a passkey.

-

{{ .LinkText }}

+

{{ .LinkText }}

If you did not request this, you can safely ignore this email — no changes will be made.

Requested from {{ .RemoteIP }}.

diff --git a/docker/authelia/config/email_templates/IdentityVerificationJWT.txt b/docker/authelia/config/email_templates/IdentityVerificationJWT.txt index 15724ae..8c12ba9 100644 --- a/docker/authelia/config/email_templates/IdentityVerificationJWT.txt +++ b/docker/authelia/config/email_templates/IdentityVerificationJWT.txt @@ -6,7 +6,7 @@ You requested to set or reset your password for your a250.ca workspace (https:// Use the link below to choose your password. You will also need to enable two-factor authentication or a passkey. -{{ replace "?token=" "/reset-password/step2?token=" (replace "%2Flogin" "/login" .LinkURL) }} +{{ .LinkURL }} If you did not request this, you can safely ignore this email — no changes will be made. diff --git a/stack.yml b/stack.yml index 9122c4a..ba6698a 100644 --- a/stack.yml +++ b/stack.yml @@ -140,15 +140,6 @@ services: - "traefik.http.routers.authelia.entrypoints=websecure" - "traefik.http.routers.authelia.tls=true" - "traefik.http.services.authelia.loadbalancer.server.port=9091" - - "traefik.http.middlewares.fix-reset-url.redirectregex.regex=^/login\\?token=([^&]+)$$" - - "traefik.http.middlewares.fix-reset-url.redirectregex.replacement=https://bc.a250.ca/login/reset-password/step2?token=$${1}" - - "traefik.http.middlewares.fix-reset-url.redirectregex.permanent=false" - - "traefik.http.routers.authelia-reset.rule=Host(`bc.a250.ca`) && Path(`/login`) && QueryRegexp(`token`, `.+`)" - - "traefik.http.routers.authelia-reset.priority=20" - - "traefik.http.routers.authelia-reset.entrypoints=websecure" - - "traefik.http.routers.authelia-reset.tls=true" - - "traefik.http.routers.authelia-reset.middlewares=fix-reset-url@swarm" - - "traefik.http.routers.authelia-reset.service=authelia" - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/login/api/authz/forward-auth?rd=https://bc.a250.ca/login/" - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true" - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"