From 039b6ff86c3dfeaab975fdaeea59902d1fbf1e78 Mon Sep 17 00:00:00 2001
From: svemagie <869694+svemagie@users.noreply.github.com>
Date: Sun, 8 Mar 2026 01:10:34 +0100
Subject: [PATCH] fix(auth): respect INDIEKIT_ADMIN_URL for login redirects
---
 README.md | 1 +
 indiekit.config.mjs | 9 +++++++++
 2 files changed, 10 insertions(+)
diff --git a/README.md b/README.md
index dcd90548..b8e84440 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,7 @@
 - The IndieKit admin is expected to run behind `/admin`.
 - Set `INDIEKIT_ADMIN_URL` to the public admin base URL, including trailing slash (example: `https://blog.giersig.eu/admin/`).
+- When `INDIEKIT_ADMIN_URL` is set, config wires absolute auth endpoints/callback base (`/auth`, `/auth/token`, `/auth/introspect`) to that URL to keep login redirects on `/admin/*`.
 - Login uses `PASSWORD_SECRET` (bcrypt hash), not `INDIEKIT_PASSWORD`.
 - If no `PASSWORD_SECRET` exists yet, open `/admin/auth/new-password` once to generate it.
 - Post management UI should use `/posts` (`@indiekit/endpoint-posts.mountPath`).
diff --git a/indiekit.config.mjs b/indiekit.config.mjs
index 09ac281e..24d13d39 100644
--- a/indiekit.config.mjs
+++ b/indiekit.config.mjs
@@ -30,6 +30,9 @@ const githubActivityToken =
 const publicationBaseUrl = (
 process.env.PUBLICATION_URL || "https://blog.giersig.eu"
 ).replace(/\/+$/, "");
+const adminBaseUrl = (process.env.INDIEKIT_ADMIN_URL || "")
+ .trim()
+ .replace(/\/+$/, "");
 let webmentionDomain = process.env.WEBMENTION_IO_DOMAIN;
 if (!webmentionDomain) {
@@ -45,6 +48,12 @@ export default {
 application: {
 name: "Indiekit",
 mongodbUrl: mongoUrl,
+ ...(adminBaseUrl && {
+ url: adminBaseUrl,
+ authorizationEndpoint: `${adminBaseUrl}/auth`,
+ introspectionEndpoint: `${adminBaseUrl}/auth/introspect`,
+ tokenEndpoint: `${adminBaseUrl}/auth/token`,
+ }),
 },
 publication: {
 me: publicationBaseUrl,
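Review bot: `adminBaseUrl` is only trimmed and stripped of trailing slashes, so any non-empty value of `INDIEKIT_ADMIN_URL` is accepted, including a relative path, an `http://` URL or a mistyped host. The second indiekit.config.mjs hunk builds `authorizationEndpoint`, `tokenEndpoint` and `introspectionEndpoint` from it, so a bad value sends login redirects and token requests wherever it points, with no startup error. Parsing the value with `new URL()` and requiring the `https:` scheme right after the assignment would make a misconfiguration fail at startup. A local-development exception for a loopback host may be wanted.

```javascript
// … unchanged: adminBaseUrl assignment (trim + strip trailing slashes) …
if (adminBaseUrl) {
  // This value becomes the authorization, token and introspection
  // endpoints, so reject anything that is not an absolute https URL.
  let parsedAdminUrl;
  try {
    parsedAdminUrl = new URL(adminBaseUrl);
  } catch (error) {
    throw new Error("INDIEKIT_ADMIN_URL must be an absolute URL", {
      cause: error,
    });
  }
  if (parsedAdminUrl.protocol !== "https:") {
    throw new Error("INDIEKIT_ADMIN_URL must use https");
  }
}
```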
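Review bot: The spread block in `application` overrides `url` and three auth endpoints with no comment saying why, and the reason is only in the commit subject and the README. A line above `...(adminBaseUrl && {` such as `// Pin auth endpoints to the public admin URL so login redirects stay under /admin/.` would keep that next to the code. If the token and introspection endpoints are requested by the server itself rather than by the browser (not visible in this hunk), those requests now go out through the public hostname. In that case, confirm the host is reachable from the server and that the proxy forwards `/admin/auth/*`. The `export default` object starts and ends outside the hunk.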