From eaefdd326bbe2c8cf6c9b3eb00f69ec9342aa345 Mon Sep 17 00:00:00 2001
From: giles <giles.bradshaw@sigyl.com>
Date: Tue, 24 Feb 2026 01:06:44 +0000
Subject: [PATCH] Fix healthcheck + external URL in silent auth middleware

- Add /health endpoint, update healthcheck to use it
- Use configured base URL instead of internal Docker URL
- Add /health to skip prefixes for silent auth

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/__init__.py     | 17 ++++++++++++++---
 app/routers/home.py |  6 ++++++
 docker-compose.yml  |  2 +-
 3 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/app/__init__.py b/app/__init__.py
index 4ea0281..c600f20 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -19,11 +19,22 @@ from artdag_common.middleware.auth import get_user_from_cookie
 from .config import settings
 
 # Paths that should never trigger a silent auth check
-_SKIP_PREFIXES = ("/auth/", "/static/", "/api/", "/ipfs/", "/download/", "/inbox")
+_SKIP_PREFIXES = ("/auth/", "/static/", "/api/", "/ipfs/", "/download/", "/inbox", "/health")
 _SILENT_CHECK_COOLDOWN = 300  # 5 minutes
 _DEVICE_COOKIE = "artdag_did"
 _DEVICE_COOKIE_MAX_AGE = 30 * 24 * 3600  # 30 days
 
+# Derive external base URL from oauth_redirect_uri (e.g. https://celery-artdag.rose-ash.com)
+_EXTERNAL_BASE = settings.oauth_redirect_uri.rsplit("/auth/callback", 1)[0]
+
+
+def _external_url(request: Request) -> str:
+    """Build external URL from request path + query, using configured base domain."""
+    url = f"{_EXTERNAL_BASE}{request.url.path}"
+    if request.url.query:
+        url += f"?{request.url.query}"
+    return url
+
 
 def create_app() -> FastAPI:
     """
@@ -80,7 +91,7 @@ def create_app() -> FastAPI:
                             auth_ts = r.get(f"did_auth:{device_id}")
                             if auth_ts and float(auth_ts) > pnone_ts:
                                 # Login happened since our last check — retry
-                                current_url = str(request.url)
+                                current_url = _external_url(request)
                                 return RedirectResponse(
                                     url=f"/auth/login?prompt=none&next={quote(current_url, safe='')}",
                                     status_code=302,
@@ -92,7 +103,7 @@ def create_app() -> FastAPI:
                 pass
 
         # Redirect to silent OAuth check
-        current_url = str(request.url)
+        current_url = _external_url(request)
         return RedirectResponse(
             url=f"/auth/login?prompt=none&next={quote(current_url, safe='')}",
             status_code=302,
diff --git a/app/routers/home.py b/app/routers/home.py
index 8786e22..4b89b94 100644
--- a/app/routers/home.py
+++ b/app/routers/home.py
@@ -16,6 +16,12 @@ from ..dependencies import get_templates, get_current_user
 router = APIRouter()
 
 
+@router.get("/health")
+async def health():
+    """Health check endpoint — always returns 200."""
+    return {"status": "ok"}
+
+
 async def get_user_stats(actor_id: str) -> dict:
     """Get stats for a user."""
     import database
diff --git a/docker-compose.yml b/docker-compose.yml
index 3cca086..9b7b6ca 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -76,7 +76,7 @@ services:
       # DATABASE_URL, ADMIN_TOKEN, ARTDAG_CLUSTER_KEY,
       # L2_SERVER, L2_DOMAIN, IPFS_GATEWAY_URL from .env file
     healthcheck:
-      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8100/')"]
+      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8100/health')"]
       interval: 10s
       timeout: 5s
       retries: 3