feat(google): warn and prompt for publicUrl during OAuth connect when running behind a reverse proxy #169
Description
Problem
When canonry is deployed behind a reverse proxy (e.g. Caddy + Tailscale), canonry google connect generates an OAuth redirect URI pointing to http://localhost:4100. The browser cannot reach localhost on the server, so:
- The initial OAuth flow fails silently (browser hits a dead URL after Google redirect)
- When the token eventually expires, there is no way to reauth via CLI — the generated URL is unusable from a remote browser
The fix (publicUrl in config.yaml) already exists in the codebase, but there is no prompt or warning to set it.
Steps to Reproduce
- Deploy canonry behind a reverse proxy with a public URL (e.g.
https://myserver.example.com/canonry) - Do not set
publicUrlin config.yaml - Run
canonry google connect <project> - Observe: redirect URI is
http://localhost:4100/api/v1/google/callback— unusable from a remote browser
Expected Behavior
One or more of the following:
- During
canonry init: prompt forpublicUrlwith a note that it is required for reverse-proxy deployments - During
canonry google connect: ifpublicUrlis not set andapiUrldoes not match the redirect URI host, print a clear warning and prompt the user to setpublicUrlbefore continuing - Detection heuristic: if
apiUrlhost differs fromlocalhostbutpublicUrlis unset, warn at startup or at connect time
Workaround
Add publicUrl: https://<your-public-host>/canonry to ~/.canonry/config.yaml and restart the server. The canonry google connect command will then generate the correct redirect URI.
Also ensure the redirect URI (https://<your-public-host>/canonry/api/v1/google/callback) is listed in the Google Cloud Console OAuth client's authorized redirect URIs.
Environment
- Deployment: canonry behind Caddy reverse proxy, accessed via Tailscale
- Impact: any self-hosted canonry instance behind a reverse proxy with a non-localhost public URL