From 79cfb655908c72b178581746465fba988c246de2 Mon Sep 17 00:00:00 2001
From: Chris Coutinho
Date: Fri, 16 Jan 2026 19:42:54 +0100
Subject: [PATCH] fix(astrolabe): use internal URL for OAuth token refresh The IdpTokenRefresher was incorrectly using overwrite.cli.url (the external URL like http://localhost:8080) for internal token refresh requests. This URL is not accessible from inside Docker containers since port 8080 is only mapped on the host machine. Changed getNextcloudBaseUrl() to: - Always use http://localhost (internal port 80) by default - Added optional astrolabe_internal_url config for custom setups - Removed overwrite.cli.url usage (intended for external URLs only) This fixes 401 errors in Astrolabe semantic search when OAuth tokens need to be refreshed in containerized deployments. Co-Authored-By: Claude Opus 4.5
---
.../lib/Service/IdpTokenRefresher.php | 21 ++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/third_party/astrolabe/lib/Service/IdpTokenRefresher.php b/third_party/astrolabe/lib/Service/IdpTokenRefresher.php
index f7faa4c..371a33a 100644
--- a/third_party/astrolabe/lib/Service/IdpTokenRefresher.php
+++ b/third_party/astrolabe/lib/Service/IdpTokenRefresher.php
@@ -38,23 +38,30 @@ class IdpTokenRefresher { /** * Get Nextcloud base URL for constructing internal OIDC endpoint URLs. * - * Uses Nextcloud's CLI URL config if set (for non-containerized deployments), - * otherwise defaults to http://localhost for container environments. + * IMPORTANT: This is for INTERNAL server-to-server requests (PHP to local Apache), + * NOT for external client URLs. We must use the internal container URL, not the + * external URL that browsers see. * * Configuration priority: - * 1. overwrite.cli.url - Official Nextcloud system config for CLI operations + * 1. astrolabe_internal_url - Explicit internal URL (for custom container setups) * 2. http://localhost - Default for Docker containers (web server on port 80) * + * NOTE: We intentionally DO NOT use overwrite.cli.url here because: + * - overwrite.cli.url is the EXTERNAL URL (e.g., http://localhost:8080) + * - External URLs are not accessible from inside the container + * - This method is for internal HTTP requests to the local web server + * * @return string Base URL for internal requests (e.g., "http://localhost") */ private function getNextcloudBaseUrl(): string { - // Check for overwrite.cli.url (used in non-containerized deployments) - $cliUrl = $this->config->getSystemValue('overwrite.cli.url', ''); - if (!empty($cliUrl)) { - return rtrim($cliUrl, '/'); + // Check for explicit internal URL config (for custom container setups) + $internalUrl = $this->config->getSystemValue('astrolabe_internal_url', ''); + if (!empty($internalUrl)) { + return rtrim($internalUrl, '/'); } // Default: container environment with web server on localhost:80 + // This works because PHP runs inside the same container as Apache return 'http://localhost'; }
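Review bot: The value read from `astrolabe_internal_url` in `getNextcloudBaseUrl()` is returned after only an `!empty()` check, yet per the commit message it becomes the destination of the OAuth token refresh request, so a mistyped or non-loopback `http://` value would presumably send the refresh token in cleartext to whatever host is configured. I would require a string with an http(s) scheme before trusting it, e.g. `if (is_string($internalUrl) && preg_match('#^https?://[^/]#i', $internalUrl) === 1) {`, and have the caller log a warning when the scheme is `http` and the host is not loopback. Dropping the `overwrite.cli.url` fallback also changes behaviour for non-containerised installs, which now get `http://localhost` unless they set the new key; the docblock should say that explicitly. The code that performs the request is outside this hunk, so what is sent to this URL is inferred from the commit message.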