fix(auth): respect INDIEKIT_ADMIN_URL for login redirects

README.md

@@ -4,6 +4,7 @@
 
 - The IndieKit admin is expected to run behind `/admin`.
 - Set `INDIEKIT_ADMIN_URL` to the public admin base URL, including trailing slash (example: `https://blog.giersig.eu/admin/`).
+- When `INDIEKIT_ADMIN_URL` is set, config wires absolute auth endpoints/callback base (`/auth`, `/auth/token`, `/auth/introspect`) to that URL to keep login redirects on `/admin/*`.
 - Login uses `PASSWORD_SECRET` (bcrypt hash), not `INDIEKIT_PASSWORD`.
 - If no `PASSWORD_SECRET` exists yet, open `/admin/auth/new-password` once to generate it.
 - Post management UI should use `/posts` (`@indiekit/endpoint-posts.mountPath`).

indiekit.config.mjs

@@ -30,6 +30,9 @@ const githubActivityToken =
 const publicationBaseUrl = (
   process.env.PUBLICATION_URL || "https://blog.giersig.eu"
 ).replace(/\/+$/, "");
+const adminBaseUrl = (process.env.INDIEKIT_ADMIN_URL || "")
+  .trim()
+  .replace(/\/+$/, "");
 
 let webmentionDomain = process.env.WEBMENTION_IO_DOMAIN;
 if (!webmentionDomain) {
@@ -45,6 +48,12 @@ export default {
   application: {
     name: "Indiekit",
     mongodbUrl: mongoUrl,
+    ...(adminBaseUrl && {
+      url: adminBaseUrl,
+      authorizationEndpoint: `${adminBaseUrl}/auth`,
+      introspectionEndpoint: `${adminBaseUrl}/auth/introspect`,
+      tokenEndpoint: `${adminBaseUrl}/auth/token`,
+    }),
   },
   publication: {
     me: publicationBaseUrl,