From db4a79e61771f5955dada16e6a317707e50fd3f4 Mon Sep 17 00:00:00 2001
From: josedario87
Date: Sat, 11 Oct 2025 18:47:41 -0600
Subject: [PATCH] Add internal Authentik URL for server-to-server communication

This fixes ETIMEDOUT errors when exchanging OAuth tokens. The container now uses the Docker internal service name (authentiknucleo-server-1:9000) for server-to-server API calls while keeping the public URL for browser redirects.

Changes:
- Add NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL env var
- Use internal URL for token exchange and userinfo endpoints
- Update docker-compose.yml and Gitea workflow
---
 .gitea/workflows/build-and-deploy.yml | 1 +
 docker-compose.yml | 1 +
 nuxt4-app/nuxt.config.ts | 1 +
 nuxt4-app/server/api/auth/authentik.get.ts | 10 ++++++----
 4 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/.gitea/workflows/build-and-deploy.yml b/.gitea/workflows/build-and-deploy.yml
index 8a76b0c..878e316 100644
--- a/.gitea/workflows/build-and-deploy.yml
+++ b/.gitea/workflows/build-and-deploy.yml
@@ -37,6 +37,7 @@ jobs:
 NUXT_OAUTH_AUTHENTIK_CLIENT_ID: ${{ secrets.NUXT_OAUTH_AUTHENTIK_CLIENT_ID }}
 NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET: ${{ secrets.NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET }}
 NUXT_OAUTH_AUTHENTIK_SERVER_URL: ${{ vars.NUXT_OAUTH_AUTHENTIK_SERVER_URL }}
+ NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL: ${{ vars.NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL }}
 NUXT_OAUTH_AUTHENTIK_REDIRECT_URL: ${{ vars.NUXT_OAUTH_AUTHENTIK_REDIRECT_URL }}
 NUXT_PUBLIC_APP_URL: ${{ vars.NUXT_PUBLIC_APP_URL }}
 NUXT_SESSION_PASSWORD: ${{ secrets.NUXT_SESSION_PASSWORD }}
diff --git a/docker-compose.yml b/docker-compose.yml
index 38c09b1..c4d9c6a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,6 +10,7 @@ services:
 - NUXT_OAUTH_AUTHENTIK_CLIENT_ID=${NUXT_OAUTH_AUTHENTIK_CLIENT_ID}
 - NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET=${NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET}
 - NUXT_OAUTH_AUTHENTIK_SERVER_URL=${NUXT_OAUTH_AUTHENTIK_SERVER_URL}
+ - NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL=${NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL}
 - NUXT_OAUTH_AUTHENTIK_REDIRECT_URL=${NUXT_OAUTH_AUTHENTIK_REDIRECT_URL}
 # Public URL
 - NUXT_PUBLIC_APP_URL=${NUXT_PUBLIC_APP_URL}
diff --git a/nuxt4-app/nuxt.config.ts b/nuxt4-app/nuxt.config.ts
index e63d2a4..73b072a 100644
--- a/nuxt4-app/nuxt.config.ts
+++ b/nuxt4-app/nuxt.config.ts
@@ -17,6 +17,7 @@ export default defineNuxtConfig({
 clientId: process.env.NUXT_OAUTH_AUTHENTIK_CLIENT_ID || '',
 clientSecret: process.env.NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET || '',
 serverUrl: process.env.NUXT_OAUTH_AUTHENTIK_SERVER_URL || '',
+ serverUrlInternal: process.env.NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL || '',
 redirectURL: process.env.NUXT_OAUTH_AUTHENTIK_REDIRECT_URL || ''
 }
 },
diff --git a/nuxt4-app/server/api/auth/authentik.get.ts b/nuxt4-app/server/api/auth/authentik.get.ts
index 646ac64..a874afa 100644
--- a/nuxt4-app/server/api/auth/authentik.get.ts
+++ b/nuxt4-app/server/api/auth/authentik.get.ts
@@ -16,12 +16,14 @@ export default defineEventHandler(async (event) => {
 clientId: runtimeConfig.oauth.authentik.clientId,
 clientSecret: runtimeConfig.oauth.authentik.clientSecret,
 serverUrl: runtimeConfig.oauth.authentik.serverUrl,
+ serverUrlInternal: runtimeConfig.oauth.authentik.serverUrlInternal || runtimeConfig.oauth.authentik.serverUrl,
 redirectURL: runtimeConfig.oauth.authentik.redirectURL,
 scope: ['openid', 'profile', 'email'],
 }
 
 console.log('OAuth Authentik - Iniciando flujo:', {
 serverUrl: config.serverUrl,
+ serverUrlInternal: config.serverUrlInternal,
 redirectURL: config.redirectURL,
 hasCode: !!query.code
 })
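Review bot: The `|| runtimeConfig.oauth.authentik.serverUrl` fallback on the new serverUrlInternal line does not cover the case where both env vars are unset, because nuxt.config.ts defaults each of them to '' and the two later hunks (@@ -29 and @@ -47) then build `/application/o/token/` and `/application/o/userinfo/` as relative paths that $fetch presumably resolves against the app itself rather than Authentik. A fail-fast guard right after the config object, `if (!config.serverUrlInternal) throw createError({ statusCode: 500, statusMessage: 'Authentik server URL is not configured' })`, keeps the client secret from ever being posted to the wrong host. The commit message says the internal value is a bare service name and port, so the client_secret and access token likely cross the compose network without TLS; a one-line comment above serverUrlInternal stating that this URL must only point inside the trusted container network would record that assumption for the next operator. The enclosing defineEventHandler body starts and ends outside the hunk.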
@@ -29,8 +31,8 @@ export default defineEventHandler(async (event) => {
 // Handle OAuth callback
 if (query.code) {
 try {
- // Exchange code for tokens
- const tokenUrl = `${config.serverUrl}/application/o/token/`
+ // Exchange code for tokens (usar URL interna para comunicación servidor-a-servidor)
+ const tokenUrl = `${config.serverUrlInternal}/application/o/token/`
 const tokenResponse = await $fetch(tokenUrl, {
 method: 'POST',
 headers: {
@@ -47,8 +49,8 @@ export default defineEventHandler(async (event) => {
 const tokens = tokenResponse as any
- // Get user info
- const userInfoUrl = `${config.serverUrl}/application/o/userinfo/`
+ // Get user info (usar URL interna para comunicación servidor-a-servidor)
+ const userInfoUrl = `${config.serverUrlInternal}/application/o/userinfo/`
 const user = await $fetch(userInfoUrl, {
 headers: {
 Authorization: `Bearer ${tokens.access_token}`,
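Review bot: `${config.serverUrlInternal}/application/o/token/` yields a double slash when the env value carries a trailing slash and silently becomes a relative path when the value is empty; `const tokenUrl = new URL('/application/o/token/', config.serverUrlInternal).href` normalizes the former and throws a TypeError on the latter before the client credentials are sent anywhere. The same applies to userInfoUrl in the following hunk (@@ -47,8 +49,8 @@), whose end lies outside this chunk. The new comments switch from English to Spanish mid-line; a single-language form such as `// Exchange code for tokens over the internal server-to-server URL` reads cleaner and matches the existing English comments. The enclosing try block and handler continue outside the hunk.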