8 changed files with 26 additions and 65 deletions
--- a/.cursorignore
+++ b/.cursorignore
@ -1,5 +1,5 @@
 # Authelia – stable/done; keep out of context for ss-atlas and other work
-
+docker/authelia/
 authelia-dev-config.yml
 docker/mariadb/
 docker/redis/
--- a/docker/authelia/config/email_templates/IdentityVerificationJWT.html
+++ b/docker/authelia/config/email_templates/IdentityVerificationJWT.html
@ -6,7 +6,7 @@
 <p>Hi {{ .DisplayName }},</p>
 <p>You requested to set or reset your password for your <a href="https://bc.a250.ca">a250.ca</a> workspace.</p>
 <p>Click the link below to choose your password. You will also need to enable two-factor authentication or a passkey.</p>
-{{ $parts := splitList "token=" .LinkURL }}<p><a href="https://bc.a250.ca/login/reset-password/step2?token={{ index $parts 1 }}">{{ .LinkText }}</a></p>
+<p><a href="{{ replace "?token=" "/reset-password/step2?token=" (replace "%2Flogin" "/login" .LinkURL) }}">{{ .LinkText }}</a></p>
 <p>If you did not request this, you can safely ignore this email &mdash; no changes will be made.</p>
 <p style="color:#888;font-size:0.85em;">Requested from {{ .RemoteIP }}.</p>
 </body>
--- a/docker/authelia/config/email_templates/IdentityVerificationJWT.txt
+++ b/docker/authelia/config/email_templates/IdentityVerificationJWT.txt
@ -6,7 +6,7 @@ You requested to set or reset your password for your a250.ca workspace (https://

 Use the link below to choose your password. You will also need to enable two-factor authentication or a passkey.

-{{ $parts := splitList "token=" .LinkURL }}https://bc.a250.ca/login/reset-password/step2?token={{ index $parts 1 }}
+{{ replace "?token=" "/reset-password/step2?token=" (replace "%2Flogin" "/login" .LinkURL) }}

 If you did not request this, you can safely ignore this email — no changes will be made.

--- a/docker/ss-atlas/internal/handlers/authelia.go
+++ b/docker/ss-atlas/internal/handlers/authelia.go
@ -4,9 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"io"
 	"log"
-	"net"
 	"net/http"
 	"strconv"
 	"strings"
@ -31,7 +29,7 @@ func (a *App) handleResendReset(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if err := a.triggerPasswordReset(r, username); err != nil {
+	if err := a.triggerPasswordReset(username); err != nil {
 		log.Printf("resend-reset: failed for %s: %v", username, err)
 		respondResendError(w, http.StatusInternalServerError, "failed to send email", 0)
 		return
@ -55,33 +53,19 @@ func respondResendError(w http.ResponseWriter, code int, msg string, retryAfter
 	json.NewEncoder(w).Encode(body)
 }

-func clientIP(r *http.Request) string {
-	if s := r.Header.Get("X-Forwarded-For"); s != "" {
-		if idx := strings.Index(s, ","); idx > 0 {
-			return strings.TrimSpace(s[:idx])
-		}
-		return strings.TrimSpace(s)
-	}
-	if s := r.Header.Get("X-Real-IP"); s != "" {
-		return s
-	}
-	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
-		return host
-	}
-	return r.RemoteAddr
-}
-
-func (a *App) triggerPasswordReset(r *http.Request, username string) error {
-	url := a.cfg.AutheliaInternalURL + "/api/reset-password/identity/start"
+func (a *App) triggerPasswordReset(username string) error {
 	body, _ := json.Marshal(map[string]string{"username": username})

-	log.Printf("triggerPasswordReset: POST %s for user %q", url, username)
-
-	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
+	req, err := http.NewRequest(
+		http.MethodPost,
+		a.cfg.AutheliaInternalURL+"/api/reset-password/identity/start",
+		bytes.NewReader(body),
+	)
 	if err != nil {
 		return fmt.Errorf("authelia reset build request: %w", err)
 	}

+	// Strip scheme from AutheliaURL to get the host for forwarding headers
 	externalHost := strings.TrimPrefix(strings.TrimPrefix(a.cfg.AutheliaURL, "https://"), "http://")
 	proto := "http"
 	if strings.HasPrefix(a.cfg.AutheliaURL, "https://") {
@ -91,7 +75,7 @@ func (a *App) triggerPasswordReset(r *http.Request, username string) error {
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("X-Forwarded-Host", externalHost)
 	req.Header.Set("X-Forwarded-Proto", proto)
-	req.Header.Set("X-Forwarded-For", clientIP(r))
+	req.Header.Set("X-Forwarded-For", "127.0.0.1")

 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
@ -99,19 +83,8 @@ func (a *App) triggerPasswordReset(r *http.Request, username string) error {
 	}
 	defer resp.Body.Close()

-	respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
-	log.Printf("triggerPasswordReset: status=%d body=%s", resp.StatusCode, string(respBody))
-
 	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("authelia reset returned %d: %s", resp.StatusCode, string(respBody))
+		return fmt.Errorf("authelia reset returned %d", resp.StatusCode)
 	}
-
-	var result struct {
-		Status string `json:"status"`
-	}
-	if json.Unmarshal(respBody, &result) == nil && result.Status == "KO" {
-		return fmt.Errorf("authelia reset rejected: %s", string(respBody))
-	}
-
 	return nil
 }
--- a/docker/ss-atlas/internal/handlers/subscription.go
+++ b/docker/ss-atlas/internal/handlers/subscription.go
@ -36,8 +36,7 @@ func (a *App) handleLanding(w http.ResponseWriter, r *http.Request) {
 	tier := pricing.ForCustomer(count, a.cfg.FreeTierLimit, a.cfg.YearTierLimit)

 	useForm := a.cfg.StripePriceID != "" || a.cfg.StripePriceIDFree != "" ||
-		a.cfg.StripePriceIDYear != "" || a.cfg.StripePriceIDMonth100 != "" ||
-		a.cfg.StripePriceIDMonth200 != ""
+		a.cfg.StripePriceIDYear != "" || a.cfg.StripePriceIDMonth200 != ""
 	data := map[string]any{
 		"AppURL":            a.cfg.AppURL,
 		"Commit":            version.Commit,
@ -90,7 +89,7 @@ func (a *App) handleCreateCheckout(w http.ResponseWriter, r *http.Request) {
 	sess, err := a.stripe.CreateCheckoutSession(email, domain, phone, count)
 	if err != nil {
 		if errors.Is(err, stripe.ErrNoPriceForTier) {
-			http.Error(w, "pricing not configured for current tier — set STRIPE_PRICE_ID or tier prices in env", http.StatusServiceUnavailable)
+			http.Error(w, "pricing not configured for current tier", http.StatusServiceUnavailable)
 			return
 		}
 		log.Printf("stripe checkout error: %v", err)
@ -153,7 +152,7 @@ func (a *App) handleSuccess(w http.ResponseWriter, r *http.Request) {

 	if result.IsNew || !inGroup {
 		// New or lapsed: send password email, show success page.
-		if err := a.triggerPasswordReset(r, result.Username); err != nil {
+		if err := a.triggerPasswordReset(result.Username); err != nil {
 			log.Printf("authelia reset trigger failed for %s: %v", username, err)
 		} else {
 			resendRateLimiter.record(result.Username)
@ -214,7 +213,7 @@ func (a *App) handleResubscribe(w http.ResponseWriter, r *http.Request) {
 	sess, err := a.stripe.CreateCheckoutForCustomer(customerID, count)
 	if err != nil {
 		if errors.Is(err, stripe.ErrNoPriceForTier) {
-			http.Error(w, "pricing not configured for current tier — set STRIPE_PRICE_ID or tier prices in env", http.StatusServiceUnavailable)
+			http.Error(w, "pricing not configured for current tier", http.StatusServiceUnavailable)
 			return
 		}
 		log.Printf("stripe resubscribe error: %v", err)
--- a/docker/ss-atlas/internal/ldap/client.go
+++ b/docker/ss-atlas/internal/ldap/client.go
@ -58,7 +58,6 @@ func (c *Client) ProvisionUser(username, email, stripeCustomerID, phone string)
 		if phone != "" {
 			_ = c.SetCustomerPhone(username, phone)
 		}
-		_ = c.ensureDisplayName(conn, username, email)
 		return &ProvisionResult{Username: username, IsNew: false}, nil
 	}

@ -71,7 +70,6 @@ func (c *Client) ProvisionUser(username, email, stripeCustomerID, phone string)
 	addReq.Attribute("sn", []string{username})
 	addReq.Attribute("uid", []string{username})
 	addReq.Attribute("mail", []string{email})
-	addReq.Attribute("displayName", []string{email})
 	if phone != "" {
 		addReq.Attribute("telephoneNumber", []string{phone})
 	}
@ -100,18 +98,6 @@ func (c *Client) ProvisionUser(username, email, stripeCustomerID, phone string)
 	return &ProvisionResult{Username: username, Password: password, IsNew: true}, nil
 }

-func (c *Client) ensureDisplayName(conn *goldap.Conn, username, email string) error {
-	userDN := fmt.Sprintf("uid=%s,ou=people,%s", username, c.cfg.LDAPBaseDN)
-	modReq := goldap.NewModifyRequest(userDN, nil)
-	modReq.Replace("displayName", []string{email})
-	if err := conn.Modify(modReq); err != nil {
-		log.Printf("ldap ensure displayName for %s: %v (may already be set)", username, err)
-		return err
-	}
-	log.Printf("ldap set displayName for %s to %s", username, email)
-	return nil
-}
-
 func (c *Client) EnsureUser(username, email, stripeCustomerID, phone string) error {
 	_, err := c.ProvisionUser(username, email, stripeCustomerID, phone)
 	return err
--- a/docker/ss-atlas/internal/stripe/client.go
+++ b/docker/ss-atlas/internal/stripe/client.go
@ -45,9 +45,6 @@ func (c *Client) priceForTier(t pricing.Tier) string {
 		if c.cfg.StripePriceIDMonth200 != "" {
 			return c.cfg.StripePriceIDMonth200
 		}
-		if c.cfg.StripePriceIDMonth100 != "" {
-			return c.cfg.StripePriceIDMonth100
-		}
 	}
 	return c.cfg.StripePriceID
 }
@ -56,8 +53,6 @@ func (c *Client) CreateCheckoutSession(email, customerDomain, customerPhone stri
 	t := pricing.ForCustomer(customerCount, c.cfg.FreeTierLimit, c.cfg.YearTierLimit)
 	priceID := c.priceForTier(t)
 	if priceID == "" {
-		log.Printf("stripe: no price for tier %d (count=%d freeLimit=%d yearLimit=%d); set STRIPE_PRICE_ID or tier-specific price",
-			t, customerCount, c.cfg.FreeTierLimit, c.cfg.YearTierLimit)
 		return nil, ErrNoPriceForTier
 	}

@ -86,7 +81,6 @@ func (c *Client) CreateCheckoutForCustomer(customerID string, customerCount int)
 	t := pricing.ForCustomer(customerCount, c.cfg.FreeTierLimit, c.cfg.YearTierLimit)
 	priceID := c.priceForTier(t)
 	if priceID == "" {
-		log.Printf("stripe: no price for tier %d (count=%d); set STRIPE_PRICE_ID or tier-specific price", t, customerCount)
 		return nil, ErrNoPriceForTier
 	}

--- a/stack.yml
+++ b/stack.yml
@ -140,6 +140,15 @@ services:
        - "traefik.http.routers.authelia.entrypoints=websecure"
        - "traefik.http.routers.authelia.tls=true"
        - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+        - "traefik.http.middlewares.fix-reset-url.redirectregex.regex=^/login\\?token=([^&]+)$$"
+        - "traefik.http.middlewares.fix-reset-url.redirectregex.replacement=https://bc.a250.ca/login/reset-password/step2?token=$${1}"
+        - "traefik.http.middlewares.fix-reset-url.redirectregex.permanent=false"
+        - "traefik.http.routers.authelia-reset.rule=Host(`bc.a250.ca`) && Path(`/login`) && QueryRegexp(`token`, `.+`)"
+        - "traefik.http.routers.authelia-reset.priority=20"
+        - "traefik.http.routers.authelia-reset.entrypoints=websecure"
+        - "traefik.http.routers.authelia-reset.tls=true"
+        - "traefik.http.routers.authelia-reset.middlewares=fix-reset-url@swarm"
+        - "traefik.http.routers.authelia-reset.service=authelia"
        - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/login/api/authz/forward-auth?rd=https://bc.a250.ca/login/"
        - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
        - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"