fix(headless-login): honor public base url for audience checks

- resolve headless audience against BACKEND_PUBLIC_URL first - keep forwarded header support for https absolute audiences - add regression tests for https success and http mismatch rejection - write BACKEND_PUBLIC_URL into staging workflow env generation
2026-04-01 21:05:41 +09:00
parent 3186fab596
commit 71a006cd7b
8 changed files with 372 additions and 19 deletions
--- a/scripts/test_staging_workflow_env.sh
+++ b/scripts/test_staging_workflow_env.sh
@@ -17,6 +17,7 @@ do
  assert_contains "$workflow" "APP_ENV=stage"
  assert_contains "$workflow" "BACKEND_LOG_LEVEL=debug"
  assert_contains "$workflow" "CLIENT_LOG_DEBUG=true"
+  assert_contains "$workflow" 'BACKEND_PUBLIC_URL=${{ vars.BACKEND_URL }}'
 done

 echo "staging workflow env checks passed"