Render Kratos return URLs for staging

2026-05-07 14:01:45 +09:00
parent 57a00c0236
commit 43b4bd5a83
3 changed files with 111 additions and 22 deletions
--- a/scripts/render_ory_config.sh
+++ b/scripts/render_ory_config.sh
@@ -40,6 +40,78 @@ copy_if_exists() {
  fi
 }

+json_array_to_lines() {
+  local json="$1"
+  local newline=$'\n'
+  json="${json//$'\n'/}"
+  json="${json#\[}"
+  json="${json%\]}"
+  json="${json//\",\"/$newline}"
+  json="${json//\"/}"
+  json="${json//,/$newline}"
+  printf '%s\n' "$json" | sed '/^[[:space:]]*$/d'
+}
+
+append_unique_url() {
+  local candidate="${1:-}"
+  [[ -n "$candidate" ]] || return 0
+  local existing
+  for existing in "${KRATOS_ALLOWED_RETURN_URLS[@]}"; do
+    [[ "$existing" == "$candidate" ]] && return 0
+  done
+  KRATOS_ALLOWED_RETURN_URLS+=("$candidate")
+}
+
+build_kratos_allowed_return_urls_yaml() {
+  KRATOS_ALLOWED_RETURN_URLS=()
+  if [[ -n "${KRATOS_ALLOWED_RETURN_URLS_JSON:-}" ]]; then
+    while IFS= read -r allowed_url; do
+      append_unique_url "$allowed_url"
+    done < <(json_array_to_lines "$KRATOS_ALLOWED_RETURN_URLS_JSON")
+  fi
+
+  if [[ ${#KRATOS_ALLOWED_RETURN_URLS[@]} -eq 0 ]]; then
+    local kratos_ui="${KRATOS_UI_URL:-http://localhost:5000}"
+    local userfront="${USERFRONT_URL:-http://localhost:5000}"
+    local adminfront="${ADMINFRONT_URL:-http://localhost:5173}"
+    local devfront="${DEVFRONT_URL:-http://localhost:5174}"
+    local orgfront="${ORGFRONT_URL:-http://localhost:5175}"
+
+    append_unique_url "$kratos_ui"
+    append_unique_url "$kratos_ui/"
+    append_unique_url "$userfront"
+    append_unique_url "$userfront/"
+    append_unique_url "$userfront/ko"
+    append_unique_url "$userfront/ko/"
+    append_unique_url "$userfront/en"
+    append_unique_url "$userfront/en/"
+    append_unique_url "$userfront/auth/callback"
+    append_unique_url "$userfront/ko/auth/callback"
+    append_unique_url "$userfront/en/auth/callback"
+    append_unique_url "$adminfront/auth/callback"
+    append_unique_url "$devfront/auth/callback"
+    append_unique_url "$orgfront/auth/callback"
+  fi
+
+  if [[ -n "${KRATOS_ALLOWED_RETURN_URLS_EXTRA:-}" ]]; then
+    IFS=',' read -r -a extra_urls <<<"$KRATOS_ALLOWED_RETURN_URLS_EXTRA"
+    local extra_url
+    for extra_url in "${extra_urls[@]}"; do
+      extra_url="$(printf '%s' "$extra_url" | xargs)"
+      append_unique_url "$extra_url"
+    done
+  fi
+
+  if [[ ${#KRATOS_ALLOWED_RETURN_URLS[@]} -eq 0 ]]; then
+    fail "Kratos allowed_return_urls is empty"
+  fi
+
+  KRATOS_ALLOWED_RETURN_URLS_YAML="$(
+    printf '%s\n' "${KRATOS_ALLOWED_RETURN_URLS[@]}" | sed 's/^/        - /'
+  )"
+  export KRATOS_ALLOWED_RETURN_URLS_YAML
+}
+
 if [[ -n "${ORY_CONFIG_ENV_FILES:-}" ]]; then
  IFS=':' read -r -a env_files <<<"$ORY_CONFIG_ENV_FILES"
  for env_file in "${env_files[@]}"; do
@@ -65,6 +137,8 @@ OATHKEEPER_INTROSPECT_CLIENT_SECRET="${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oath
 export KRATOS_DSN HYDRA_DSN KETO_DSN HYDRA_SYSTEM_SECRET
 export OATHKEEPER_INTROSPECT_CLIENT_ID OATHKEEPER_INTROSPECT_CLIENT_SECRET

+build_kratos_allowed_return_urls_yaml
+
 mkdir -p "$OUTPUT_DIR/kratos" "$OUTPUT_DIR/hydra" "$OUTPUT_DIR/keto" "$OUTPUT_DIR/oathkeeper"

 render_template "$TEMPLATE_ROOT/kratos/kratos.yml.template" "$OUTPUT_DIR/kratos/kratos.yml"