fix(dev): route Supabase same-origin via /__supabase proxy

app-dev built with --mode production was baking the PROD Supabase URL (.env) into the bundle, so browser auth went cross-origin to supa.classroomcopilot.ai and was CORS-blocked (and hit the wrong user store). Mirror the /__ccapi fix: - Dockerfile: nginx /__supabase/ -> dev Supabase .94:8000 (+WS upgrade for realtime) - supabaseClient.ts: resolve a leading-slash VITE_SUPABASE_URL against window.location.origin so supabase-js gets an absolute same-origin URL - docker-compose.dev.yml: bake VITE_SUPABASE_URL=/__supabase (like VITE_API_BASE) Browser now talks only to the app host (Tailscale or LAN), no CORS, dev .94 store. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-07 21:20:57 +00:00 · 2026-06-07 21:20:57 +00:00 · 2ccfb9ccd6
commit 2ccfb9ccd6
parent ef13a124dd
3 changed files with 25 additions and 3 deletions
--- a/9
+++ b/9
@ -67,6 +67,15 @@ RUN echo 'server { \
    proxy_set_header X-Real-IP $remote_addr; \
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; \
    } \
+    location /__supabase/ { \
+    proxy_pass http://192.168.0.94:8000/; \
+    proxy_set_header Host $host; \
+    proxy_set_header X-Real-IP $remote_addr; \
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; \
+    proxy_set_header Upgrade $http_upgrade; \
+    proxy_set_header Connection "upgrade"; \
+    proxy_http_version 1.1; \
+    } \
    location /api/ { \
    proxy_pass http://192.168.0.64:18000/api/; \
    proxy_set_header Host $host; \
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@ -20,16 +20,21 @@ services:
        # same-origin and pass through Dockerfile's /__ccapi proxy. The proxy
        # strips that prefix before forwarding, preserving mixed backend routes
        # such as /api/exam, /me/bootstrap, and /database/timetable.
-        # .env.dev still points at the LAN API for local Vite/dev tooling.
+        # Supabase is likewise routed same-origin via Dockerfile's /__supabase
+        # proxy -> dev Supabase .94 (no CORS, browser-network-agnostic). The
+        # leading-slash URL is resolved against window.location.origin in
+        # supabaseClient.ts. Provide the matching .94 anon key as a build arg
+        # (VITE_SUPABASE_ANON_KEY) so it pairs with the .94 backend.
+        # .env.dev still points at the LAN API/Supabase for local Vite/dev tooling.
        VITE_API_BASE: /__ccapi
        VITE_API_URL: /__ccapi
+        VITE_SUPABASE_URL: /__supabase
        VITE_APP_NAME: ${VITE_APP_NAME:-Classroom Copilot}
        VITE_APP_HMR_URL: ${VITE_APP_HMR_URL:-}
        VITE_DEV: ${VITE_DEV:-false}
        VITE_FRONTEND_SITE_URL: ${VITE_FRONTEND_SITE_URL:-}
        VITE_SEARCH_URL: ${VITE_SEARCH_URL:-}
        VITE_SUPABASE_ANON_KEY: ${VITE_SUPABASE_ANON_KEY:-}
-        VITE_SUPABASE_URL: ${VITE_SUPABASE_URL:-}
        VITE_SUPER_ADMIN_EMAIL: ${VITE_SUPER_ADMIN_EMAIL:-}
        VITE_TLSYNC_URL: ${VITE_TLSYNC_URL:-}
        VITE_WHISPERLIVE_URL: ${VITE_WHISPERLIVE_URL:-}
--- a/src/supabaseClient.ts
+++ b/src/supabaseClient.ts
@ -1,9 +1,17 @@
 import { createClient, SupabaseClient } from '@supabase/supabase-js';
 import { logger } from './debugConfig';

-const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
+const rawSupabaseUrl = import.meta.env.VITE_SUPABASE_URL;
 const supabaseAnonKey = import.meta.env.VITE_SUPABASE_ANON_KEY;

+// Same-origin proxy support: a leading-slash value (e.g. "/__supabase") is
+// resolved against the current browser origin so supabase-js receives an
+// absolute URL while every request stays same-origin (no CORS) and routes
+// through the app host's /__supabase nginx proxy to the backend Supabase.
+const supabaseUrl = rawSupabaseUrl?.startsWith('/')
+  ? `${window.location.origin}${rawSupabaseUrl}`
+  : rawSupabaseUrl;
+
 if (!supabaseUrl || !supabaseAnonKey) {
  throw new Error('Missing Supabase configuration');
 }