PR #16757 — SUPABASE_OAUTH_REDIRECT_URI required

fix(backend): Add missing urls and require SUPABASE_OAUTH_REDIRECT_URI env var · 2026-05-26
Summary of Change

Removed the http://localhost:3001/cloud/oauth/supabase/callback default for SUPABASE_OAUTH_REDIRECT_URI in apps/backend/config/envsSchema.ts. The variable is now required at backend startup — boot fails fast if it is missing rather than silently misrouting OAuth callbacks to localhost.

The PR also adds the correct per-instance redirect URI to 18 env files (adrian, andres, beaver, coffee, design, develop, development, enterprise, mark, muskrat, qa, staging, stagingpro, steve, testing, testone, thanoswasright, workshop). Matching redirects were configured on the Supabase side for the corresponding OAuth apps.

Risk Areas
  • Backend startup regression (HIGH): the envsSchema url() validator with no default now throws on missing env. Any deployed instance that doesn't have SUPABASE_OAUTH_REDIRECT_URI set will fail to boot. The PR covers all 18 instance env files in the repo, but any instance whose env file is managed elsewhere (k8s secrets, ArgoCD overlays) needs the variable injected separately.
  • OAuth callback mismatch (MEDIUM): each instance's redirect URI must match what Supabase has registered for that OAuth app. A typo on either side (Thunkable env file or Supabase dashboard) produces a confusing OAuth failure mid-flow rather than a startup error.
  • Local development friction (LOW): apps/backend/env/.env.development is the only file with a localhost:3001 value. Devs running locally without that file won't be able to boot.
Existing Test Coverage
  • No direct unit or E2E coverage of envsSchema validation behavior.
  • Supabase OAuth flow itself: no existing Cypress or Playwright spec touches /cloud/oauth/supabase/callback. Hikari Cloud feature with thin automation today.
Automation Gaps
  • A backend smoke test that starts the server with each env file (or a representative subset) and asserts no validation errors would catch missing required env vars proactively. Gap — no such test exists.
  • A Playwright spec walking the Supabase OAuth connect flow on develop-ai-instance would close the OAuth-callback-mismatch risk. Gap.
Deployment Risk
  • Backend-only change — no companion app coupling. iOS App Store approval is not a factor.
  • All env files covered in the repo, but k8s secret stores or ArgoCD overlays for production-grade instances (stagingpro, develop, prod) must have the variable injected. Confirm with infra/devops before promoting to prod.
  • Recommended deploy strategy: deploy to develop-ai-instance first, verify boot + OAuth flow, then promote to staging, then prod.
Suggested Manual Checks

P0 — must pass

  • Backend boots on develop: Deploy this PR to develop-ai-instance. Confirm the backend pod starts cleanly with no env validation errors. Check logs for SUPABASE_OAUTH_REDIRECT_URI references during startup.
  • Supabase OAuth login on develop: From develop-ai-instance.thunkable.com, initiate a Supabase OAuth connection from a Hikari project. Complete the full flow (authorize on Supabase → redirect back → project shows connected). Confirm no callback URL errors.
  • Callback URL matches Supabase dashboard: Verify the SUPABASE_OAUTH_REDIRECT_URI in .env.develop (https://develop-ai-instance.thunkable.com/cloud/oauth/supabase/callback) exactly matches the redirect URI registered for the develop OAuth app in the Supabase dashboard.

P1 — important

  • Local development boot: Pull the branch locally, run npm run start:hikari against .env.development. Confirm boot succeeds (the localhost:3001 value in that file should keep local dev working).
  • Staging instance boot: After deploying to stagingpro, confirm the backend pod is healthy and the Supabase OAuth flow works end-to-end against x-staging-pro-ai.thunkable.com.
  • Other AI instances: Spot-check at least two other instances (e.g., beaver, mark, design) by deploying and confirming boot is clean. No need to test OAuth on all 18 — startup success is the long pole.

P2 — nice to have

  • Invalid URI shape: Manually set SUPABASE_OAUTH_REDIRECT_URI=not-a-url in a local env file and confirm the backend fails with a clear validation error (not a confusing OAuth runtime failure later).
  • Missing var locally: Temporarily remove the variable from .env.development and confirm npm run start:hikari fails at startup with a clear "missing required env var" message, not a runtime crash mid-request.