TraefikFix

[MydsiIversen]

No description provided.

[Copilot]

Pull request overview

This PR removes Traefik as a reverse proxy and simplifies the VyManager deployment architecture to use direct port exposure instead. The changes aim to simplify the deployment process by eliminating Traefik configuration complexity.

Key Changes:

• Removed Traefik reverse proxy infrastructure and all related configuration files
• Simplified environment variable configuration by splitting the unified root .env into separate frontend/.env and backend/.env files
• Updated frontend API routes to use NEXT_PUBLIC_API_URL instead of INTERNAL_API_URL, and removed __Secure- cookie name handling

Reviewed changes

Copilot reviewed 22 out of 24 changed files in this pull request and generated 21 comments.

Show a summary per file

File	Description
frontend/src/app/api/user-management/[...path]/route.ts	Removed INTERNAL_API_URL, now uses NEXT_PUBLIC_API_URL; simplified cookie handling
frontend/src/app/api/session/[...path]/route.ts	Removed INTERNAL_API_URL, now uses NEXT_PUBLIC_API_URL; simplified cookie handling
frontend/src/app/api/auth/[...all]/route.ts	Removed INTERNAL_API_URL, now uses NEXT_PUBLIC_API_URL
frontend/README.md	Updated quick start instructions for new .env.local approach
frontend/.env.example	New environment configuration file with database URL and auth settings
backend/routers/session/session.py	Removed __Secure- cookie handling in multiple endpoints
backend/middleware/session.py	Removed __Secure- cookie handling in middleware
backend/README.md	Updated configuration instructions, added proxy-headers note
backend/.env.example	New environment configuration file for backend-specific settings
container/vymanager-prod/env-file-docker-compose.yml	Removed Traefik service, exposed ports directly, changed env_file paths
container/vymanager-prod/docker-compose.letsencrypt.yml	Deleted entire Traefik with Let's Encrypt configuration
container/vymanager-prod/docker-compose.local-https.yml	Deleted entire Traefik with local HTTPS configuration
container/vymanager-prod/traefik/*	Deleted all Traefik static and dynamic configuration files
container/vymanager-prod/README.md	Deleted comprehensive Traefik deployment documentation
container/vymanager-dev/env-file-docker-compose.yml	Removed Traefik service, exposed ports directly, changed env_file paths
container/vymanager-dev/docker-compose.letsencrypt.yml	Deleted development Traefik configuration
container/vymanager-dev/README.md	Deleted development deployment with Traefik documentation
README.md	Updated main setup instructions to reflect simplified deployment without Traefik
.env.example	Deleted unified root environment configuration file
.gitignore	Removed Traefik acme.json references

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The default value "your-super-secret-key-change-in-production" is not secure and could be accidentally deployed. This should either be left empty with a comment requiring users to generate their own secret, or the example should include instructions to generate a secure value immediately using "openssl rand -base64 32". Having a weak default increases the risk of production deployments with compromised security.

Suggested change

	# IMPORTANT: Change this secret in production!
	BETTER_AUTH_SECRET=your-super-secret-key-change-in-production # Replace with a securely generated value
	# IMPORTANT: You MUST set this to a securely generated, random value in production.
	# Generate a secure value, for example:
	# openssl rand -base64 32
	BETTER_AUTH_SECRET=

[Copilot]

Using the weak default password "vymanager_secure_password" in both the example and potentially in production deployments is a security risk. The example should use a placeholder like "CHANGE_THIS_PASSWORD" or include instructions to generate a strong password. Even though this is in .env.example, users often copy these values directly to production.

Suggested change

	# Database (change password in production!)
	DATABASE_URL=postgresql://vymanager:vymanager_secure_password@postgres:5432/vymanager_auth
	# Database (use a strong password and CHANGE THIS in production!)
	DATABASE_URL=postgresql://vymanager:CHANGE_THIS_DB_PASSWORD@postgres:5432/vymanager_auth

[Copilot]

The example configuration mixes HTTP (BETTER_AUTH_URL=http://localhost:3000, NEXT_PUBLIC_APP_URL=http://localhost:3000) with the NODE_ENV=production and VYMANAGER_ENV=production settings. Production environments should typically use HTTPS for security. Either the NODE_ENV should be set to "development" for this example, or the URLs should use HTTPS with appropriate warnings about certificate configuration.

Suggested change

	# Leave these as default for Docker deployment
	NODE_ENV=production
	VYMANAGER_ENV=production
	# Leave these as default for local/Docker quick start.
	# For real production deployments, use HTTPS URLs and set NODE_ENV/VYMANAGER_ENV=production.
	NODE_ENV=development
	VYMANAGER_ENV=development

[Copilot]

Using NEXT_PUBLIC_API_URL for server-side API routes is problematic. NEXT_PUBLIC_* variables are exposed to the browser and intended for client-side use. For server-side Next.js API routes, this should use a separate environment variable (like INTERNAL_API_URL or API_URL) that can be set to the Docker service name "http://backend:8000" in containerized environments. The current approach will fail if NEXT_PUBLIC_API_URL is set to an external domain that's not accessible from within the Docker network.

[Copilot]

Using NEXT_PUBLIC_API_URL for server-side API routes is problematic. NEXT_PUBLIC_* variables are exposed to the browser and intended for client-side use. For server-side Next.js API routes, this should use a separate environment variable (like INTERNAL_API_URL or API_URL) that can be set to the Docker service name "http://backend:8000" in containerized environments. The current approach will fail if NEXT_PUBLIC_API_URL is set to an external domain that's not accessible from within the Docker network.

[Copilot]

The placeholder text "your-super-secret-key-change-in-production-CHANGE-THIS" should not be used as a default value, even in an example file. This could lead to users deploying with this insecure value. Instead, either leave it empty or use a comment instructing users to generate a secure value with a command like "openssl rand -base64 32".

Suggested change

	# Authentication (CHANGE THIS!)
	BETTER_AUTH_SECRET=your-super-secret-key-change-in-production-CHANGE-THIS
	# Authentication (REQUIRED - generate a strong random value, for example:
	# BETTER_AUTH_SECRET=$(openssl rand -base64 32))
	BETTER_AUTH_SECRET=

[Copilot]

Setting NEXT_PUBLIC_API_URL=http://backend:8000 in the example is problematic because "backend" is a Docker internal hostname that won't be accessible from the user's browser. For Docker deployments accessed from the host, this should be set to http://localhost:8000. For deployments accessed from other machines on the network, it should be the external IP or hostname. Consider adding comments to clarify this distinction.

Suggested change

	NEXT_PUBLIC_API_URL=http://backend:8000
	# Public API URL must be reachable from your browser:
	# - For local access from the Docker host, use localhost
	# - For access from other machines, use this server's IP/hostname (e.g. http://192.168.1.100:8000)
	NEXT_PUBLIC_API_URL=http://localhost:8000

[Copilot]

The Quick Start example config sets VYOS_VERIFY_SSL=false, which disables TLS certificate validation when the backend connects to the VyOS API. With VYOS_PROTOCOL=https and the current config_loader default of VYOS_VERIFY_SSL to false, any deployment that follows this guidance will talk to the router over HTTPS without verifying its certificate, allowing a network attacker to spoof the VyOS host and intercept or modify management traffic. Update the default behavior and documentation so that VYOS_VERIFY_SSL is true by default and only disabled temporarily for debugging, preferably encouraging users to install a trusted certificate on VyOS instead of turning verification off.

Suggested change

	VYOS_VERIFY_SSL=false
	VYOS_VERIFY_SSL=true
	# Set to "false" only temporarily for debugging with self-signed certificates.

[Copilot]

In the production environment example, BETTER_AUTH_SECURE_COOKIES is set to false while BETTER_AUTH_URL is HTTPS, which means session cookies created in frontend/src/lib/auth.ts will not be marked Secure even in production. This allows those cookies to be sent over plain HTTP if any HTTP endpoint is reachable for the same domain or if the proxy is briefly misconfigured, making it significantly easier for a network attacker to steal authentication tokens. The production docs should instead default BETTER_AUTH_SECURE_COOKIES to true and reserve false only for local HTTP development scenarios.

[Copilot]

The frontend environment template sets BETTER_AUTH_SECURE_COOKIES=false by default even though BETTER_AUTH_URL and NEXT_PUBLIC_APP_URL are HTTPS, so in production this will cause Better Auth to issue session cookies without the Secure flag. Because frontend/src/lib/auth.ts only enables useSecureCookies when BETTER_AUTH_SECURE_COOKIES === "true" and NODE_ENV === "production", any deployment that copies this file and only updates the domain will run with non-secure session cookies, exposing authentication tokens to network attackers if HTTP is ever reachable for that host. To harden defaults, set BETTER_AUTH_SECURE_COOKIES to true in this template and clearly document that it should only be turned off for local HTTP development.

Suggested change

	BETTER_AUTH_SECURE_COOKIES=false # Set to true when using HTTPS in production. Secure cookies only work in production and over HTTPS
	BETTER_AUTH_SECURE_COOKIES=true # Use true for HTTPS production so cookies are Secure; set to false ONLY for local HTTP development