Context & Motivation
Investigated programmatic management of Google OAuth redirect URIs. Confirmed no API exists. Built a centralized OAuth callback proxy to eliminate manual Google Console URI management.
Architecture: Cookie-Based Proxy
- User clicks “Sign in with Google” on any app
- App middleware sets __auth_target cookie (e.g., /finance)
- Auth.js redirects to Google with redirect_uri=https://pezant.ca/api/auth/callback/google
- Google redirects back; Apache routes /api/auth/ to auth-proxy (port 3050)
- Auth-proxy reads cookie, 302 redirects to correct downstream app callback
- Downstream app handles callback normally
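Added example, not the auth-proxy repo's own code: the routing decision the proxy makes at step 5, written as a pure function so the 400-without-cookie / 302-with-cookie behaviour can be unit-tested. Assumptions: the cookie is named __auth_target, the proxy is mounted under /api/auth/ on https://pezant.ca, the downstream callback is the app's base path followed by the same /api/auth/callback/... path, and the set of allowed app base paths is a constructed allowlist (only /finance comes from the page) so an arbitrary cookie value cannot steer the redirect off-site.

```javascript
// Example proxy routing logic (hypothetical, not the auth-proxy repo's code).
const ORIGIN = 'https://pezant.ca';
const COOKIE_NAME = '__auth_target';
// Constructed allowlist of downstream app base paths; only /finance is from the page.
const ALLOWED_TARGETS = new Set(['/finance', '/transcript', '/runeval', '/health']);

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const key = part.slice(0, i).trim();
    if (key) out[key] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Decide what the proxy should answer for a Google callback request.
// Returns { status: 400 } when the cookie is missing or not on the allowlist,
// otherwise { status: 302, location } pointing at the downstream app's callback
// with the OAuth code/state query string preserved.
function routeCallback(cookieHeader, pathWithQuery) {
  const target = parseCookies(cookieHeader)[COOKIE_NAME];
  if (!target) return { status: 400, body: `missing ${COOKIE_NAME} cookie` };
  if (!ALLOWED_TARGETS.has(target)) return { status: 400, body: 'unknown target app' };
  const url = new URL(pathWithQuery, ORIGIN);
  if (!url.pathname.startsWith('/api/auth/')) return { status: 404, body: 'not found' };
  // Only the app prefix changes; path and query (code, state) pass through untouched.
  return { status: 302, location: `${ORIGIN}${target}${url.pathname}${url.search}` };
}
```

Wiring routeCallback into an http.createServer handler on port 3050 (read req.headers.cookie, write the status and Location header) is all the real proxy needs on top of this.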
Key Decision: Cookie-Based vs Auth.js redirectProxyUrl
Auth.js redirectProxyUrl was tried first but silently fails for same-origin subpath deployments. It compares URL origins only, so all apps on pezant.ca always match, and the proxy redirect is skipped. Replaced with simple cookie-based routing.
Deployment Bugs Fixed
- finance-tracker: Needed prisma generate on VM after pulling new schema models
- runeval: Next.js 16 renamed middleware.ts to proxy.ts; having both causes build error
- student-transcript: Middleware matcher excluded all auth paths; added explicit signin matcher. auth() wrapper includes basePath prefix in req.nextUrl.pathname
Repos Touched
auth-proxy, finance-tracker, student-transcript, runeval, health-hub, privateContext, agentGuidance, knowledgeBase
Verification
- All 4 apps set __auth_target cookie on signin (verified via curl)
- Auth-proxy returns 400 without cookie, 302 with correct redirect when cookie present
- POST signin redirects to Google with correct redirect_uri
- All PM2 processes online
Open Items
- Full browser sign-in test needed (curl verification passed)
- runeval VM production branch divergence from main
Full closeout: privateContext/deliverables/closeouts/2026-04-24-auth-proxy-cookie-deployment.md