From 3ec94fdfdaf69bab2d86d84f3915b74dde7ddce3 Mon Sep 17 00:00:00 2001
From: jawad-khan
Date: Fri, 1 May 2026 22:49:08 +0500
Subject: [PATCH 1/2] fix: fixed logout url issue
---
 docker/.env.example | 3 +++
 docker/docker-compose.dev.yml | 1 +
 docker/docker-compose.yml | 1 +
 surfsense_web/.env.example | 3 +++
 surfsense_web/Dockerfile | 2 ++
 surfsense_web/docker-entrypoint.js | 4 ++++
 surfsense_web/lib/auth-utils.ts | 7 +++++--
 7 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/docker/.env.example b/docker/.env.example
index 4394929a70..4bfe74abd6 100644
--- a/docker/.env.example
+++ b/docker/.env.example
@@ -20,6 +20,9 @@ SECRET_KEY=replace_me_with_a_random_string
 # modes are not registered in this fork.
 AUTH_TYPE=SSO
 
+# First DNS label for post-logout portal redirect (web container reads SMB_NAME; default moneta)
+SMB_NAME=moneta
+
 # Allow new user registrations (TRUE or FALSE)
 # REGISTRATION_ENABLED=TRUE
 
diff --git a/docker/docker-compose.dev.yml b/docker/docker-compose.dev.yml
index 666b0c642e..b717369d15 100644
--- a/docker/docker-compose.dev.yml
+++ b/docker/docker-compose.dev.yml
@@ -208,6 +208,7 @@ services:
 NEXT_PUBLIC_ETL_SERVICE: ${NEXT_PUBLIC_ETL_SERVICE:-DOCLING}
 NEXT_PUBLIC_ZERO_CACHE_URL: ${NEXT_PUBLIC_ZERO_CACHE_URL:-http://localhost:${ZERO_CACHE_PORT:-4848}}
 NEXT_PUBLIC_DEPLOYMENT_MODE: ${NEXT_PUBLIC_DEPLOYMENT_MODE:-self-hosted}
+ NEXT_PUBLIC_SMB_NAME: ${SMB_NAME:-${NEXT_PUBLIC_SMB_NAME:-moneta}}
 ports:
 - "${FRONTEND_PORT:-3000}:3000"
 env_file:
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index c14cd8b091..d4eed9e820 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -198,6 +198,7 @@ services:
 NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE: ${AUTH_TYPE:-SSO}
 NEXT_PUBLIC_ETL_SERVICE: ${ETL_SERVICE:-DOCLING}
 NEXT_PUBLIC_DEPLOYMENT_MODE: ${DEPLOYMENT_MODE:-self-hosted}
+ SMB_NAME: ${SMB_NAME:-moneta}
 labels:
 - "com.centurylinklabs.watchtower.enable=true"
 depends_on:
diff --git a/surfsense_web/.env.example b/surfsense_web/.env.example
index 2313f3e56f..08ac2ec8d3 100644
--- a/surfsense_web/.env.example
+++ b/surfsense_web/.env.example
@@ -1,6 +1,9 @@
 NEXT_PUBLIC_FASTAPI_BACKEND_URL=http://localhost:8000
 NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=LOCAL or GOOGLE
 
+# Platform portal first DNS label for post-logout redirect (SMB_NAME in Docker; default moneta)
+NEXT_PUBLIC_SMB_NAME=moneta
+
 # mPass proxy auth — set when deployed behind oauth2-proxy + Traefik ForwardAuth
 NEXT_PUBLIC_OIDC_LOGOUT_URL=https:///logout
 NEXT_PUBLIC_OIDC_CLIENT_ID=
diff --git a/surfsense_web/Dockerfile b/surfsense_web/Dockerfile
index b16b3f066c..91d358f931 100644
--- a/surfsense_web/Dockerfile
+++ b/surfsense_web/Dockerfile
@@ -44,6 +44,7 @@ ARG NEXT_PUBLIC_OAUTH2_PROXY_URL=__NEXT_PUBLIC_OAUTH2_PROXY_URL__
 ARG NEXT_PUBLIC_LOGOUT_REDIRECT_URL=
 ARG NEXT_PUBLIC_OIDC_LOGOUT_URL=
 ARG NEXT_PUBLIC_OIDC_CLIENT_ID=
+ARG NEXT_PUBLIC_SMB_NAME=__NEXT_PUBLIC_SMB_NAME__
 
 ENV NEXT_PUBLIC_FASTAPI_BACKEND_URL=$NEXT_PUBLIC_FASTAPI_BACKEND_URL
 ENV NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=$NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE
@@ -54,6 +55,7 @@ ENV NEXT_PUBLIC_OAUTH2_PROXY_URL=$NEXT_PUBLIC_OAUTH2_PROXY_URL
 ENV NEXT_PUBLIC_LOGOUT_REDIRECT_URL=$NEXT_PUBLIC_LOGOUT_REDIRECT_URL
 ENV NEXT_PUBLIC_OIDC_LOGOUT_URL=$NEXT_PUBLIC_OIDC_LOGOUT_URL
 ENV NEXT_PUBLIC_OIDC_CLIENT_ID=$NEXT_PUBLIC_OIDC_CLIENT_ID
+ENV NEXT_PUBLIC_SMB_NAME=$NEXT_PUBLIC_SMB_NAME
 
 COPY --from=deps /app/node_modules ./node_modules
 COPY . .
diff --git a/surfsense_web/docker-entrypoint.js b/surfsense_web/docker-entrypoint.js
index b71264550f..1b8ebe54a5 100644
--- a/surfsense_web/docker-entrypoint.js
+++ b/surfsense_web/docker-entrypoint.js
@@ -28,6 +28,10 @@ const replacements = [
 ],
 ["__NEXT_PUBLIC_DEPLOYMENT_MODE__", process.env.NEXT_PUBLIC_DEPLOYMENT_MODE || "self-hosted"],
 ["__NEXT_PUBLIC_OAUTH2_PROXY_URL__", process.env.NEXT_PUBLIC_OAUTH2_PROXY_URL || ""],
+ [
+ "__NEXT_PUBLIC_SMB_NAME__",
+ (process.env.SMB_NAME || process.env.NEXT_PUBLIC_SMB_NAME || "moneta").trim() || "moneta",
+ ],
 ];
 
 let filesProcessed = 0;
diff --git a/surfsense_web/lib/auth-utils.ts b/surfsense_web/lib/auth-utils.ts
index aadc550d09..7dcdcb7862 100644
--- a/surfsense_web/lib/auth-utils.ts
+++ b/surfsense_web/lib/auth-utils.ts
@@ -239,9 +239,12 @@ export async function logout(): Promise {
 clearAllTokens();
 
 if (typeof window !== "undefined") {
- // Rewrite "foss-." → "foss." so we land on the portal
+ // Rewrite "." → "." so we land on the platform portal
 // (outside ForwardAuth) instead of SurfSense's own root, which would silently re-auth.
- const portalHost = window.location.hostname.replace(/^[^.]*\./, "moneta.");
+ // Docker: set SMB_NAME on the container; docker-entrypoint substitutes NEXT_PUBLIC_SMB_NAME.
+ // Local dev: set NEXT_PUBLIC_SMB_NAME in .env (default moneta).
+ const smbLabel = process.env.NEXT_PUBLIC_SMB_NAME?.trim() || "moneta";
+ const portalHost = window.location.hostname.replace(/^[^.]*\./, `${smbLabel}.`);
 window.location.href = `${window.location.protocol}//${portalHost}`;
 return true;
 }
From e4a266c7bb5c50894295a5a49c034d56895905cc Mon Sep 17 00:00:00 2001
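Review bot: `smbLabel` is spliced into the redirect host on the `portalHost` line of the logout() hunk without any check that it is a single DNS label. The Dockerfile in this patch defaults the build arg to the literal `__NEXT_PUBLIC_SMB_NAME__`, so if the entrypoint substitution does not reach the bundle, the `|| "moneta"` fallback presumably never fires (the placeholder is non-empty) and logout would redirect to a host that starts with the placeholder. Validating before use, e.g. `const smbLabel = /^[a-z0-9-]+$/i.test(raw) ? raw : "moneta";` with `raw` being the trimmed env value, would also keep a value containing `.`, `/` or `$` from changing the redirect target. logout() begins and ends outside the hunk.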
From: awais786
Date: Sat, 2 May 2026 20:47:08 +0500
Subject: [PATCH 2/2] fix(logout): derive portal prefix from hostname instead of SMB_NAME env
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Drops the SMB_NAME / NEXT_PUBLIC_SMB_NAME plumbing introduced for the post-logout portal redirect. The previous approach required threading the value through three files (.env.example → Dockerfile build-arg → docker-entrypoint.js placeholder substitution → bundle); any broken link silently routed logout to the wrong host. Switching to a regex on window.location.hostname removes the env dependency and works for any `-.` shape:
- foss-research.local.moneta.dev → foss.local.moneta.dev
- moneta-research.askii.ai → moneta.askii.ai
Reverts: docker/.env.example, docker/docker-compose*.yml, surfsense_web/{.env.example,Dockerfile,docker-entrypoint.js} to upstream.
---
 docker/.env.example | 3 ---
 docker/docker-compose.dev.yml | 1 -
 docker/docker-compose.yml | 1 -
 surfsense_web/.env.example | 3 ---
 surfsense_web/Dockerfile | 2 --
 surfsense_web/docker-entrypoint.js | 4 ----
 surfsense_web/lib/auth-utils.ts | 9 +++------
 7 files changed, 3 insertions(+), 20 deletions(-)
diff --git a/docker/.env.example b/docker/.env.example
index 4bfe74abd6..4394929a70 100644
--- a/docker/.env.example
+++ b/docker/.env.example
@@ -20,9 +20,6 @@ SECRET_KEY=replace_me_with_a_random_string
 # modes are not registered in this fork.
 AUTH_TYPE=SSO
 
-# First DNS label for post-logout portal redirect (web container reads SMB_NAME; default moneta)
-SMB_NAME=moneta
-
 # Allow new user registrations (TRUE or FALSE)
 # REGISTRATION_ENABLED=TRUE
 
diff --git a/docker/docker-compose.dev.yml b/docker/docker-compose.dev.yml
index b717369d15..666b0c642e 100644
--- a/docker/docker-compose.dev.yml
+++ b/docker/docker-compose.dev.yml
@@ -208,7 +208,6 @@ services:
 NEXT_PUBLIC_ETL_SERVICE: ${NEXT_PUBLIC_ETL_SERVICE:-DOCLING}
 NEXT_PUBLIC_ZERO_CACHE_URL: ${NEXT_PUBLIC_ZERO_CACHE_URL:-http://localhost:${ZERO_CACHE_PORT:-4848}}
 NEXT_PUBLIC_DEPLOYMENT_MODE: ${NEXT_PUBLIC_DEPLOYMENT_MODE:-self-hosted}
- NEXT_PUBLIC_SMB_NAME: ${SMB_NAME:-${NEXT_PUBLIC_SMB_NAME:-moneta}}
 ports:
 - "${FRONTEND_PORT:-3000}:3000"
 env_file:
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index d4eed9e820..c14cd8b091 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -198,7 +198,6 @@ services:
 NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE: ${AUTH_TYPE:-SSO}
 NEXT_PUBLIC_ETL_SERVICE: ${ETL_SERVICE:-DOCLING}
 NEXT_PUBLIC_DEPLOYMENT_MODE: ${DEPLOYMENT_MODE:-self-hosted}
- SMB_NAME: ${SMB_NAME:-moneta}
 labels:
 - "com.centurylinklabs.watchtower.enable=true"
 depends_on:
diff --git a/surfsense_web/.env.example b/surfsense_web/.env.example
index 08ac2ec8d3..2313f3e56f 100644
--- a/surfsense_web/.env.example
+++ b/surfsense_web/.env.example
@@ -1,9 +1,6 @@
 NEXT_PUBLIC_FASTAPI_BACKEND_URL=http://localhost:8000
 NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=LOCAL or GOOGLE
 
-# Platform portal first DNS label for post-logout redirect (SMB_NAME in Docker; default moneta)
-NEXT_PUBLIC_SMB_NAME=moneta
-
 # mPass proxy auth — set when deployed behind oauth2-proxy + Traefik ForwardAuth
 NEXT_PUBLIC_OIDC_LOGOUT_URL=https:///logout
 NEXT_PUBLIC_OIDC_CLIENT_ID=
diff --git a/surfsense_web/Dockerfile b/surfsense_web/Dockerfile
index 91d358f931..b16b3f066c 100644
--- a/surfsense_web/Dockerfile
+++ b/surfsense_web/Dockerfile
@@ -44,7 +44,6 @@ ARG NEXT_PUBLIC_OAUTH2_PROXY_URL=__NEXT_PUBLIC_OAUTH2_PROXY_URL__
 ARG NEXT_PUBLIC_LOGOUT_REDIRECT_URL=
 ARG NEXT_PUBLIC_OIDC_LOGOUT_URL=
 ARG NEXT_PUBLIC_OIDC_CLIENT_ID=
-ARG NEXT_PUBLIC_SMB_NAME=__NEXT_PUBLIC_SMB_NAME__
 
 ENV NEXT_PUBLIC_FASTAPI_BACKEND_URL=$NEXT_PUBLIC_FASTAPI_BACKEND_URL
 ENV NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=$NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE
@@ -55,7 +54,6 @@ ENV NEXT_PUBLIC_OAUTH2_PROXY_URL=$NEXT_PUBLIC_OAUTH2_PROXY_URL
 ENV NEXT_PUBLIC_LOGOUT_REDIRECT_URL=$NEXT_PUBLIC_LOGOUT_REDIRECT_URL
 ENV NEXT_PUBLIC_OIDC_LOGOUT_URL=$NEXT_PUBLIC_OIDC_LOGOUT_URL
 ENV NEXT_PUBLIC_OIDC_CLIENT_ID=$NEXT_PUBLIC_OIDC_CLIENT_ID
-ENV NEXT_PUBLIC_SMB_NAME=$NEXT_PUBLIC_SMB_NAME
 
 COPY --from=deps /app/node_modules ./node_modules
 COPY . .
diff --git a/surfsense_web/docker-entrypoint.js b/surfsense_web/docker-entrypoint.js
index 1b8ebe54a5..b71264550f 100644
--- a/surfsense_web/docker-entrypoint.js
+++ b/surfsense_web/docker-entrypoint.js
@@ -28,10 +28,6 @@ const replacements = [
 ],
 ["__NEXT_PUBLIC_DEPLOYMENT_MODE__", process.env.NEXT_PUBLIC_DEPLOYMENT_MODE || "self-hosted"],
 ["__NEXT_PUBLIC_OAUTH2_PROXY_URL__", process.env.NEXT_PUBLIC_OAUTH2_PROXY_URL || ""],
- [
- "__NEXT_PUBLIC_SMB_NAME__",
- (process.env.SMB_NAME || process.env.NEXT_PUBLIC_SMB_NAME || "moneta").trim() || "moneta",
- ],
 ];
 
 let filesProcessed = 0;
diff --git a/surfsense_web/lib/auth-utils.ts b/surfsense_web/lib/auth-utils.ts
index 7dcdcb7862..8be985c690 100644
--- a/surfsense_web/lib/auth-utils.ts
+++ b/surfsense_web/lib/auth-utils.ts
@@ -239,12 +239,9 @@ export async function logout(): Promise {
 clearAllTokens();
 
 if (typeof window !== "undefined") {
- // Rewrite "." → "." so we land on the platform portal
- // (outside ForwardAuth) instead of SurfSense's own root, which would silently re-auth.
- // Docker: set SMB_NAME on the container; docker-entrypoint substitutes NEXT_PUBLIC_SMB_NAME.
- // Local dev: set NEXT_PUBLIC_SMB_NAME in .env (default moneta).
- const smbLabel = process.env.NEXT_PUBLIC_SMB_NAME?.trim() || "moneta";
- const portalHost = window.location.hostname.replace(/^[^.]*\./, `${smbLabel}.`);
+ // Rewrite "-." → "." so we land on the
+ // portal (outside ForwardAuth) instead of SurfSense's own root, which would silently re-auth.
+ const portalHost = window.location.hostname.replace(/^([^-]+)-[^.]+\.(.+)/, "$1.$2");
 window.location.href = `${window.location.protocol}//${portalHost}`;
 return true;
 }
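Review bot: When the first label of the hostname has no hyphen (for example `localhost` or a plain `surfsense.example.com`), the new `replace()` on the `portalHost` line returns the hostname unchanged, so logout redirects to SurfSense's own root, which the comment above says silently re-authenticates. The pattern is also not tied to the first label: `[^-]+` can run across dots, so a hyphen in a later label gets rewritten instead. I would match the first label only and treat a non-match as a failure rather than redirecting, e.g. `const m = /^([^.-]+)-[^.]+\.(.+)$/.exec(window.location.hostname);`, falling back to a configured target when `m` is null (the Dockerfile already carries `NEXT_PUBLIC_LOGOUT_REDIRECT_URL`). logout() begins and ends outside the hunk.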