From 992bd76fcd9bb762876617e7083cec2db686862a Mon Sep 17 00:00:00 2001
From: svemagie <869694+svemagie@users.noreply.github.com>
Date: Sun, 8 Mar 2026 04:06:56 +0100
Subject: [PATCH] Fix IndieAuth redirects behind /admin path

---
 README.md           | 2 +-
 indiekit.config.mjs | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index ff5f779c..880d5b42 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 ## Admin login
 
 - The IndieKit admin is expected to run behind `/admin`.
-- Set `INDIEKIT_ADMIN_URL` to the public admin base URL, including trailing slash (example: `https://blog.giersig.eu/admin/`).
+- Set `INDIEKIT_ADMIN_URL` to the public admin base URL (example: `https://blog.giersig.eu/admin` or `https://blog.giersig.eu/admin/`).
 - When `INDIEKIT_ADMIN_URL` is set, config wires absolute auth endpoints/callback base (`/auth`, `/auth/token`, `/auth/introspect`) to that URL to keep login redirects on `/admin/*`.
 - Login uses `PASSWORD_SECRET` (bcrypt hash), not `INDIEKIT_PASSWORD`.
 - If no `PASSWORD_SECRET` exists yet, open `/admin/auth/new-password` once to generate it.
diff --git a/indiekit.config.mjs b/indiekit.config.mjs
index f9e8ed1b..c85fa87b 100644
--- a/indiekit.config.mjs
+++ b/indiekit.config.mjs
@@ -37,6 +37,7 @@ const publicationBaseUrl = (
 const adminBaseUrl = (process.env.INDIEKIT_ADMIN_URL || "")
   .trim()
   .replace(/\/+$/, "");
+const adminAppUrl = adminBaseUrl ? `${adminBaseUrl}/` : "";
 const nodeEnv = (process.env.NODE_ENV || "production").toLowerCase();
 const debugEnabled = process.env.INDIEKIT_DEBUG === "1" || nodeEnv !== "production";
 
@@ -55,7 +56,7 @@ export default {
     name: "Indiekit",
     mongodbUrl: mongoUrl,
     ...(adminBaseUrl && {
-      url: adminBaseUrl,
+      url: adminAppUrl,
       authorizationEndpoint: `${adminBaseUrl}/auth`,
       introspectionEndpoint: `${adminBaseUrl}/auth/introspect`,
       tokenEndpoint: `${adminBaseUrl}/auth/token`,