From 88c8d24ea2a27bccbf925eb864ad41eb44cb5cc5 Mon Sep 17 00:00:00 2001
From: svemagie <869694+svemagie@users.noreply.github.com>
Date: Sun, 8 Mar 2026 04:12:56 +0100
Subject: [PATCH] Rollback admin redirect overrides to root auth paths

---
 README.md | 11 ++++-------
 indiekit.config.mjs | 10 ----------
 2 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index 880d5b42..077f6ec4 100644
--- a/README.md
+++ b/README.md
@@ -2,13 +2,11 @@ ## Admin login -- The IndieKit admin is expected to run behind `/admin`. -- Set `INDIEKIT_ADMIN_URL` to the public admin base URL (example: `https://blog.giersig.eu/admin` or `https://blog.giersig.eu/admin/`). -- When `INDIEKIT_ADMIN_URL` is set, config wires absolute auth endpoints/callback base (`/auth`, `/auth/token`, `/auth/introspect`) to that URL to keep login redirects on `/admin/*`. +- The IndieKit admin uses root auth/session paths (for example: `/session/login`, `/auth`, `/auth/new-password`). - Login uses `PASSWORD_SECRET` (bcrypt hash), not `INDIEKIT_PASSWORD`. -- If no `PASSWORD_SECRET` exists yet, open `/admin/auth/new-password` once to generate it. -- If login is blocked because `PASSWORD_SECRET` is missing/invalid, set `INDIEKIT_ALLOW_PASSWORD_SETUP=1` temporarily, restart, generate a new hash via `/admin/auth/new-password`, set `PASSWORD_SECRET` to that hash, then remove `INDIEKIT_ALLOW_PASSWORD_SETUP`. -- If login appears passwordless, first check for an existing authenticated session cookie. Use `/session/logout` (or `/admin/session/logout` behind proxy) to force a fresh login challenge. +- If no `PASSWORD_SECRET` exists yet, open `/auth/new-password` once to generate it. +- If login is blocked because `PASSWORD_SECRET` is missing/invalid, set `INDIEKIT_ALLOW_PASSWORD_SETUP=1` temporarily, restart, generate a new hash via `/auth/new-password`, set `PASSWORD_SECRET` to that hash, then remove `INDIEKIT_ALLOW_PASSWORD_SETUP`. +- If login appears passwordless, first check for an existing authenticated session cookie. Use `/session/logout` to force a fresh login challenge. - Upstream IndieKit auto-authenticates in dev mode (`NODE_ENV=development`). This repository patches that behavior so dev auto-auth only works when `INDIEKIT_ALLOW_DEV_AUTH=1` is explicitly set. 
- Production startup now fails closed when auth/session settings are unsafe (`NODE_ENV` not `production`, `INDIEKIT_ALLOW_DEV_AUTH=1`, weak `SECRET`, missing/invalid `PASSWORD_SECRET`, or empty-password hash). - Post management UI should use `/posts` (`@indiekit/endpoint-posts.mountPath`). @@ -22,7 +20,6 @@ - Webmentions moderation + API: `/webmentions` - Conversations + API: `/conversations` - GitHub activity + API: `/github` -- If IndieKit is reverse-proxied behind `/admin`, these become `/admin/posts`, `/admin/files`, etc. ## MongoDB diff --git a/indiekit.config.mjs b/indiekit.config.mjs index c85fa87b..a941c7ce 100644 --- a/indiekit.config.mjs +++ b/indiekit.config.mjs @@ -34,10 +34,6 @@ const githubActivityToken = const publicationBaseUrl = ( process.env.PUBLICATION_URL || "https://blog.giersig.eu" ).replace(/\/+$/, ""); -const adminBaseUrl = (process.env.INDIEKIT_ADMIN_URL || "") - .trim() - .replace(/\/+$/, ""); -const adminAppUrl = adminBaseUrl ? `${adminBaseUrl}/` : ""; const nodeEnv = (process.env.NODE_ENV || "production").toLowerCase(); const debugEnabled = process.env.INDIEKIT_DEBUG === "1" || nodeEnv !== "production"; @@ -55,12 +51,6 @@ export default { application: { name: "Indiekit", mongodbUrl: mongoUrl, - ...(adminBaseUrl && { - url: adminAppUrl, - authorizationEndpoint: `${adminBaseUrl}/auth`, - introspectionEndpoint: `${adminBaseUrl}/auth/introspect`, - tokenEndpoint: `${adminBaseUrl}/auth/token`, - }), }, publication: { me: publicationBaseUrl,