From 33787399678faa4a46c8d236d23dbcc80bce529f Mon Sep 17 00:00:00 2001
From: David Barroso <dbarrosop@dravetech.com>
Date: Thu, 2 Oct 2025 11:13:05 +0200
Subject: [PATCH] fix(cli): disable tls on AUTH_SERVER_URL when auth uses
 custom port (#3549)

---
 cli/dockercompose/auth.go      |  2 +-
 cli/dockercompose/auth_test.go | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/cli/dockercompose/auth.go b/cli/dockercompose/auth.go
index d50981728..78a452126 100644
--- a/cli/dockercompose/auth.go
+++ b/cli/dockercompose/auth.go
@@ -41,7 +41,7 @@ func auth( //nolint:funlen
 	envars, err := appconfig.HasuraAuthEnv(
 		cfg,
 		"http://graphql:8080/v1/graphql",
-		URL(subdomain, "auth", httpPort, useTLS)+"/v1",
+		URL(subdomain, "auth", httpPort, useTLS && exposePort == 0)+"/v1",
 		"postgres://nhost_hasura@postgres:5432/local",
 		"postgres://nhost_auth_admin@postgres:5432/local",
 		&model.ConfigSmtp{
diff --git a/cli/dockercompose/auth_test.go b/cli/dockercompose/auth_test.go
index 0336321f2..815ef5575 100644
--- a/cli/dockercompose/auth_test.go
+++ b/cli/dockercompose/auth_test.go
@@ -132,7 +132,7 @@ func expectedAuth() *Service {
 			"AUTH_RATE_LIMIT_SMS_INTERVAL":              "5m",
 			"AUTH_REFRESH_TOKEN_EXPIRES_IN":             "99",
 			"AUTH_REQUIRE_ELEVATED_CLAIM":               "required",
-			"AUTH_SERVER_URL":                           "http://dev.auth.local.nhost.run:1336/v1",
+			"AUTH_SERVER_URL":                           "https://dev.auth.local.nhost.run:1336/v1",
 			"AUTH_SMS_PASSWORDLESS_ENABLED":             "true",
 			"AUTH_SMS_PROVIDER":                         "twilio",
 			"AUTH_SMS_TWILIO_ACCOUNT_SID":               "smsAccountSid",
@@ -186,7 +186,7 @@ func expectedAuth() *Service {
 			"traefik.http.routers.auth.entrypoints":               "web",
 			"traefik.http.routers.auth.rule":                      "(HostRegexp(`^.+\\.auth\\.local\\.nhost\\.run$`) || Host(`local.auth.nhost.run`))",
 			"traefik.http.routers.auth.service":                   "auth",
-			"traefik.http.routers.auth.tls":                       "false",
+			"traefik.http.routers.auth.tls":                       "true",
 			"traefik.http.services.auth.loadbalancer.server.port": "4000",
 		},
 		Ports:   nil,
@@ -216,7 +216,7 @@ func TestAuth(t *testing.T) {
 		{
 			name:       "default",
 			cfg:        getConfig,
-			useTlS:     false,
+			useTlS:     true,
 			exposePort: 0,
 			expected:   expectedAuth,
 		},
@@ -227,7 +227,7 @@ func TestAuth(t *testing.T) {
 				cfg.Auth.Version = ptr("0.21.3")
 				return cfg
 			},
-			useTlS:     false,
+			useTlS:     true,
 			exposePort: 0,
 			expected: func() *Service {
 				svc := expectedAuth()
@@ -243,7 +243,7 @@ func TestAuth(t *testing.T) {
 		{
 			name:       "custom port",
 			cfg:        getConfig,
-			useTlS:     false,
+			useTlS:     true,
 			exposePort: 8080,
 			expected: func() *Service {
 				svc := expectedAuth()