Fix reset URL: use raw .LinkURL, remove Traefik redirect hack

The replace hacks in email templates were double-prepending /reset-password/step2 since Authelia already generates the correct URL. Removed the Traefik redirectregex middleware too since it's no longer needed. Made-with: Cursor
2026-03-04 18:16:56 -05:00 · 2026-03-04 18:16:56 -05:00 · e3b9511487
parent 0f802de51d
commit e3b9511487
4 changed files with 3 additions and 12 deletions
--- a/.cursorignore
+++ b/.cursorignore
@ -1,5 +1,5 @@
 # Authelia – stable/done; keep out of context for ss-atlas and other work
-docker/authelia/
+
 authelia-dev-config.yml
 docker/mariadb/
 docker/redis/
--- a/docker/authelia/config/email_templates/IdentityVerificationJWT.html
+++ b/docker/authelia/config/email_templates/IdentityVerificationJWT.html
@ -6,7 +6,7 @@
 <p>Hi {{ .DisplayName }},</p>
 <p>You requested to set or reset your password for your <a href="https://bc.a250.ca">a250.ca</a> workspace.</p>
 <p>Click the link below to choose your password. You will also need to enable two-factor authentication or a passkey.</p>
-<p><a href="{{ replace "?token=" "/reset-password/step2?token=" (replace "%2Flogin" "/login" .LinkURL) }}">{{ .LinkText }}</a></p>
+<p><a href="{{ .LinkURL }}">{{ .LinkText }}</a></p>
 <p>If you did not request this, you can safely ignore this email &mdash; no changes will be made.</p>
 <p style="color:#888;font-size:0.85em;">Requested from {{ .RemoteIP }}.</p>
 </body>
--- a/docker/authelia/config/email_templates/IdentityVerificationJWT.txt
+++ b/docker/authelia/config/email_templates/IdentityVerificationJWT.txt
@ -6,7 +6,7 @@ You requested to set or reset your password for your a250.ca workspace (https://
 Use the link below to choose your password. You will also need to enable two-factor authentication or a passkey.
-{{ replace "?token=" "/reset-password/step2?token=" (replace "%2Flogin" "/login" .LinkURL) }}
+{{ .LinkURL }}
 If you did not request this, you can safely ignore this email — no changes will be made.
--- a/stack.yml
+++ b/stack.yml
@ -140,15 +140,6 @@ services:
        - "traefik.http.routers.authelia.entrypoints=websecure"
        - "traefik.http.routers.authelia.tls=true"
        - "traefik.http.services.authelia.loadbalancer.server.port=9091"
        - "traefik.http.middlewares.fix-reset-url.redirectregex.regex=^/login\\?token=([^&]+)$$"
        - "traefik.http.middlewares.fix-reset-url.redirectregex.replacement=https://bc.a250.ca/login/reset-password/step2?token=$${1}"
        - "traefik.http.middlewares.fix-reset-url.redirectregex.permanent=false"
        - "traefik.http.routers.authelia-reset.rule=Host(`bc.a250.ca`) && Path(`/login`) && QueryRegexp(`token`, `.+`)"
        - "traefik.http.routers.authelia-reset.priority=20"
        - "traefik.http.routers.authelia-reset.entrypoints=websecure"
        - "traefik.http.routers.authelia-reset.tls=true"
        - "traefik.http.routers.authelia-reset.middlewares=fix-reset-url@swarm"
        - "traefik.http.routers.authelia-reset.service=authelia"
        - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/login/api/authz/forward-auth?rd=https://bc.a250.ca/login/"
        - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
        - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"