fix: move tailscale setup to postStartCommand

Co-authored-by: Ona <no-reply@ona.com>

.devcontainer/devcontainer.json

@@ -11,7 +11,7 @@
 		"dockerfile": "Dockerfile"
 	},
 	"postCreateCommand": "bun install",
-	"postStartCommand": "./scripts/setup-git.sh && ./scripts/setup-nvim.sh",
+	"postStartCommand": "./scripts/setup-git.sh && ./scripts/setup-nvim.sh && ./scripts/setup-tailscale.sh",
 	// Features add additional features to your environment. See https://containers.dev/features
 	// Beware: features are not supported on all platforms and may have unintended side-effects.
 	"features": {

.ona/automations.yaml

@@ -17,3 +17,23 @@ services:
         FORWARD_URL=$(gitpod environment port open 4983 --name drizzle-studio-server | sed 's|https://||')
         echo "Drizzle Studio: https://local.drizzle.studio/?host=${FORWARD_URL}&port=443"
         cd apps/aelis-backend && bunx drizzle-kit studio --host 0.0.0.0 --port 4983
+
+  aelis-backend:
+    name: Aelis Backend
+    description: Hono API server for aelis-backend (port 3000)
+    triggeredBy:
+      - manual
+    commands:
+      start: |
+        gitpod --context environment environment port open 3000 --name "Aelis Backend" --protocol http
+        cd apps/aelis-backend && bun run dev
+
+  admin-dashboard:
+    name: Admin Dashboard
+    description: Vite dev server for admin-dashboard (port 5174)
+    triggeredBy:
+      - manual
+    commands:
+      start: |
+        gitpod --context environment environment port open 5174 --name "Admin Dashboard" --protocol http
+        cd apps/admin-dashboard && bun run dev --host

apps/admin-dashboard/src/routes/_dashboard.tsx

@@ -47,10 +47,15 @@ export const Route = createRoute({
   getParentRoute: () => rootRoute,
   id: "dashboard",
   beforeLoad: async ({ context }) => {
-    const session = await context.queryClient.ensureQueryData({
+    let session: Awaited<ReturnType<typeof getSession>> | null = null
+    try {
+      session = await context.queryClient.ensureQueryData({
         queryKey: ["session"],
         queryFn: getSession,
       })
+    } catch {
+      throw redirect({ to: "/login" })
+    }
     if (!session?.user) {
       throw redirect({ to: "/login" })
     }

apps/aelis-backend/src/auth/index.ts

@@ -16,6 +16,9 @@ export function createAuth(db: Database) {
 			provider: "pg",
 			schema,
 		}),
+		advanced: {
+			disableCSRFCheck: process.env.NODE_ENV !== "production",
+		},
 		emailAndPassword: {
 			enabled: true,
 		},

apps/aelis-backend/src/server.ts

@@ -1,4 +1,5 @@
 import { Hono } from "hono"
+import { cors } from "hono/cors"
 
 import { registerAdminHttpHandlers } from "./admin/http.ts"
 import { createRequireAdmin } from "./auth/admin-middleware.ts"
@@ -50,6 +51,34 @@ function main() {
 
 	const app = new Hono()
 
+	const isDev = process.env.NODE_ENV !== "production"
+	const allowedOrigins = process.env.CORS_ORIGINS?.split(",").map((o) => o.trim()) ?? []
+
+	function resolveOrigin(origin: string): string | undefined {
+		if (isDev) return origin
+		return allowedOrigins.includes(origin) ? origin : undefined
+	}
+
+	app.use(
+		"/api/auth/*",
+		cors({
+			origin: resolveOrigin,
+			allowHeaders: ["Content-Type", "Authorization"],
+			allowMethods: ["POST", "GET", "OPTIONS"],
+			exposeHeaders: ["Content-Length"],
+			maxAge: 600,
+			credentials: true,
+		}),
+	)
+
+	app.use(
+		"*",
+		cors({
+			origin: resolveOrigin,
+			credentials: true,
+		}),
+	)
+
 	app.get("/health", (c) => c.json({ status: "ok" }))
 
 	const authSessionMiddleware = createRequireSession(auth)

scripts/setup-tailscale.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Tailscale setup script
+# Authenticates with Tailscale if TS_AUTH_KEY is set and Tailscale is not already logged in
+
+set -e
+
+if [ -z "$TS_AUTH_KEY" ]; then
+    echo "TS_AUTH_KEY is not set, skipping Tailscale login."
+    exit 0
+fi
+
+STATUS=$(tailscale status 2>&1 || true)
+
+if echo "$STATUS" | grep -qi "logged out\|stopped"; then
+    echo "Tailscale is not authenticated. Logging in..."
+    sudo tailscale up --accept-routes --auth-key="$TS_AUTH_KEY"
+    echo "Tailscale login complete."
+else
+    echo "Tailscale is already authenticated, skipping."
+fi