chg: pkg: new version release !skipChangelog

.env.dist

@@ -6,6 +6,9 @@
 APP_ENV=dev
 APP_SECRET=changethis
 APP_NAME=mineseeker
+# APP_PUBLIC_HOSTNAME: The public hostname for your application (used for generating absolute URLs in emails)
+# For production, set this to your domain (e.g., mineseeker.com)
+APP_PUBLIC_HOSTNAME=localhost
 # TRUSTED_PROXIES: Only needed for bare-metal dev behind a reverse proxy
 # For Docker development, this is set in compose.override.yaml
 # For production, set in PROD_ENV_FILE Gitea secret (use 172.18.0.0/16 initially)

compose.yaml

@@ -11,6 +11,7 @@ services:
       SERVER_NAME: ${SERVER_NAME:-:80}
       APP_ENV: prod
       APP_SECRET: ${APP_SECRET}
+      APP_PUBLIC_HOSTNAME: ${APP_PUBLIC_HOSTNAME:-localhost}
       APP_CONTACT_MAIL_ADDRESS: ${APP_CONTACT_MAIL_ADDRESS:-7system7@gmail.com}
       DATABASE_URL: >-
         postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}?serverVersion=${POSTGRES_VERSION}&charset=utf8

config/packages/framework.yaml

@@ -8,6 +8,13 @@ framework:
   session:
     handler_id: ~
 
+  # Trust headers from reverse proxy (Caddy)
+  # This ensures absolute_url() uses HTTPS scheme when behind a reverse proxy
+  # Production: TRUSTED_PROXIES from .env (Gitea secret)
+  # Development: TRUSTED_PROXIES from compose.override.yaml
+  trusted_proxies: '%env(TRUSTED_PROXIES)%'
+  trusted_headers: ['x-forwarded-for', 'x-forwarded-proto', 'x-forwarded-host', 'x-forwarded-port']
+
   #esi: true
   #fragments: true
   php_errors:

config/packages/prod/framework.yaml

@@ -0,0 +1,8 @@
+framework:
+  # In production with FrankenPHP, the reverse proxy (Caddy) is in the same container
+  # Requests come from 127.0.0.1, so we must trust that IP to process X-Forwarded-Proto headers
+  # TRUSTED_PROXIES is set in the .env file (stored in Gitea secrets)
+  # Typical value for Docker: 172.18.0.0/16 (or the specific Docker network CIDR)
+  # This must be provided by the PROD_ENV_FILE secret in Gitea
+  trusted_proxies: '%env(TRUSTED_PROXIES)%'
+  trusted_headers: ['x-forwarded-for', 'x-forwarded-proto', 'x-forwarded-host', 'x-forwarded-port']

src/Controller/SecurityController.php

@@ -92,6 +92,11 @@ class SecurityController extends AbstractController
                 UrlGeneratorInterface::ABSOLUTE_URL,
             );
 
+            // Ensure HTTPS scheme in production
+            if ($this->getParameter('kernel.environment') === 'prod') {
+                $activationUrl = str_replace('http://', 'https://', $activationUrl);
+            }
+
             $mailer->send(
                 new TemplatedEmail()
                     ->from('noreply@mineseeker.hu')
@@ -143,6 +148,11 @@ class SecurityController extends AbstractController
                     UrlGeneratorInterface::ABSOLUTE_URL,
                 );
 
+                // Ensure HTTPS scheme in production
+                if ($this->getParameter('kernel.environment') === 'prod') {
+                    $resetUrl = str_replace('http://', 'https://', $resetUrl);
+                }
+
                 $mailer->send(
                     new TemplatedEmail()
                         ->from('noreply@mineseeker.hu')

templates/emails/activation.html.twig

@@ -77,7 +77,7 @@
 <body>
 <div class="wrapper">
     <div class="logo">
-        <img src="{{ absolute_url(asset('images/mine-logo-txt.png')) }}" alt="MineSeeker"/>
+        <img src="{{ absolute_url(asset('images/mine-logo-txt.png')) | replace({'http://': 'https://'}) }}" alt="MineSeeker"/>
     </div>
     <div class="card">
         <h1>One step to go</h1>
@@ -100,4 +100,4 @@
     </div>
 </div>
 </body>
-</html>
+</html>

templates/emails/reset_password.html.twig

@@ -91,7 +91,7 @@
 <body>
 <div class="wrapper">
   <div class="logo">
-    <img src="{{ absolute_url(asset('images/mine-logo-txt.png')) }}" alt="MineSeeker"/>
+    <img src="{{ absolute_url(asset('images/mine-logo-txt.png')) | replace({'http://': 'https://'}) }}" alt="MineSeeker"/>
   </div>
   <div class="card">
     <h1>Reset your password</h1>