fix: skip pushing site url config for localhost

pkg/config/auth.go

@@ -1,6 +1,8 @@
 package config
 
 import (
+	"net"
+	"net/url"
 	"strconv"
 	"strings"
 	"time"
@@ -217,9 +219,17 @@ type (
 	}
 )
 
+func isLoopbackURL(siteURL string) bool {
+	if parsed, err := url.Parse(siteURL); err == nil {
+		if ip := net.ParseIP(parsed.Hostname()); ip != nil {
+			return ip.IsLoopback()
+		}
+	}
+	return false
+}
+
 func (a *auth) ToUpdateAuthConfigBody() v1API.UpdateAuthConfigBody {
 	body := v1API.UpdateAuthConfigBody{
-		SiteUrl:                           &a.SiteUrl,
 		UriAllowList:                      cast.Ptr(strings.Join(a.AdditionalRedirectUrls, ",")),
 		JwtExp:                            cast.UintToIntPtr(&a.JwtExpiry),
 		RefreshTokenRotationEnabled:       &a.EnableRefreshTokenRotation,
@@ -230,6 +240,9 @@ func (a *auth) ToUpdateAuthConfigBody() v1API.UpdateAuthConfigBody {
 		PasswordMinLength:                 cast.UintToIntPtr(&a.MinimumPasswordLength),
 		PasswordRequiredCharacters:        cast.Ptr(a.PasswordRequirements.ToChar()),
 	}
+	if !isLoopbackURL(a.SiteUrl) {
+		body.SiteUrl = &a.SiteUrl
+	}
 	a.Hook.toAuthConfigBody(&body)
 	a.MFA.toAuthConfigBody(&body)
 	a.Sessions.toAuthConfigBody(&body)
@@ -240,7 +253,6 @@ func (a *auth) ToUpdateAuthConfigBody() v1API.UpdateAuthConfigBody {
 }
 
 func (a *auth) FromRemoteAuthConfig(remoteConfig v1API.AuthConfigResponse) {
-	a.SiteUrl = cast.Val(remoteConfig.SiteUrl, "")
 	a.AdditionalRedirectUrls = strToArr(cast.Val(remoteConfig.UriAllowList, ""))
 	a.JwtExpiry = cast.IntToUint(cast.Val(remoteConfig.JwtExp, 0))
 	a.EnableRefreshTokenRotation = cast.Val(remoteConfig.RefreshTokenRotationEnabled, false)
@@ -251,6 +263,9 @@ func (a *auth) FromRemoteAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 	a.MinimumPasswordLength = cast.IntToUint(cast.Val(remoteConfig.PasswordMinLength, 0))
 	prc := cast.Val(remoteConfig.PasswordRequiredCharacters, "")
 	a.PasswordRequirements = NewPasswordRequirement(v1API.UpdateAuthConfigBodyPasswordRequiredCharacters(prc))
+	if !isLoopbackURL(a.SiteUrl) {
+		a.SiteUrl = cast.Val(remoteConfig.SiteUrl, "")
+	}
 	a.Hook.fromAuthConfig(remoteConfig)
 	a.MFA.fromAuthConfig(remoteConfig)
 	a.Sessions.fromAuthConfig(remoteConfig)

pkg/config/templates/config.toml

@@ -97,8 +97,9 @@ enabled = true
 # The base URL of your website. Used as an allow-list for redirects and for constructing URLs used
 # in emails.
 site_url = "http://127.0.0.1:3000"
-# A list of *exact* URLs that auth providers are permitted to redirect to post authentication.
-additional_redirect_urls = ["https://127.0.0.1:3000"]
+# A list of URLs that auth providers are permitted to redirect to post authentication.
+# Supports wildcard matching: "https://127.0.0.1:3000/app/**"
+additional_redirect_urls = []
 # How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 (1 week).
 jwt_expiry = 3600
 # If disabled, the refresh token will never expire.

pkg/config/testdata/TestAuthDiff/local_enabled_and_disabled.diff

@@ -3,7 +3,7 @@ diff remote[auth] local[auth]
 +++ local[auth]
 @@ -1,14 +1,14 @@
  enabled = false
--site_url = ""
+ site_url = "http://127.0.0.1:3000"
 -additional_redirect_urls = ["https://127.0.0.1:3000", "https://ref.supabase.co"]
 -jwt_expiry = 0
 -enable_refresh_token_rotation = true
@@ -13,7 +13,6 @@ diff remote[auth] local[auth]
 -enable_anonymous_sign_ins = true
 -minimum_password_length = 8
 -password_requirements = "letters_digits"
-+site_url = "http://127.0.0.1:3000"
 +additional_redirect_urls = ["https://127.0.0.1:3000"]
 +jwt_expiry = 3600
 +enable_refresh_token_rotation = false