From c455ce3c3411890c640d874860144f74836309c0 Mon Sep 17 00:00:00 2001
From: DCCONSTRUCTIONS
Date: Thu, 14 May 2026 12:14:07 +0300
Subject: [PATCH] =?UTF-8?q?FIX=20-=20NAS=20DEPLOY:=20=D1=81=D1=82=D0=B0?= =?UTF-8?q?=D0=B1=D0=B8=D0=BB=D0=B8=D0=B7=D0=B0=D1=86=D0=B8=D1=8F=20real-d?= =?UTF-8?q?omain=20Tasker=20OIDC=20baseline?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../plane/authentication/views/app/oidc.py | 58 +++++++++++++++----
 plane-src/apps/web/Dockerfile.web | 9 +++
 plane-src/apps/web/helpers/nodedc-auth.ts | 23 +++++++-
 3 files changed, 79 insertions(+), 11 deletions(-)
diff --git a/plane-src/apps/api/plane/authentication/views/app/oidc.py b/plane-src/apps/api/plane/authentication/views/app/oidc.py
index 2452c34..89c8dc9 100644
--- a/plane-src/apps/api/plane/authentication/views/app/oidc.py
+++ b/plane-src/apps/api/plane/authentication/views/app/oidc.py
@@ -343,19 +343,11 @@ def resolve_linked_user(claims, groups, auto_link, auto_create, sync_profile, sk
 if link is None and auto_link and email:
 user = User.objects.filter(email__iexact=email, is_active=True).first()
 if user:
- link, _ = ExternalIdentityLink.objects.get_or_create(
- provider=OIDC_PROVIDER,
- subject=subject,
- defaults={"user": user, "email": email, "groups": groups},
- )
+ link = resolve_identity_link_for_user(user, subject, email, groups)
 if link is None and auto_create and email:
 user, user_created = get_or_create_oidc_user(email=email, claims=claims)
- link, _ = ExternalIdentityLink.objects.get_or_create(
- provider=OIDC_PROVIDER,
- subject=subject,
- defaults={"user": user, "email": email, "groups": groups},
- )
+ link = resolve_identity_link_for_user(user, subject, email, groups)
 if user_created:
 logger.info(
 "NODEDC OIDC provisioned Tasker user: user_id=%s email_hash=%s subject_hash=%s",
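Review bot: Both call sites in `resolve_linked_user` now get `None` back when `resolve_identity_link_for_user` refuses the link, and nothing in this hunk stops on that result. In the auto-link branch a refusal leaves `link is None`, so with `auto_create` set the next block looks the same email up again through `get_or_create_oidc_user` and calls the helper a second time, repeating the conflict or disabled-link warning for one login attempt. I would end the flow at the first refusal, for example `if link is None: return None` directly under the auto-link call, assuming `None` is how this function reports a denied login. The function starts above and continues below the hunk, so whether the later code tolerates `link is None` cannot be confirmed from the visible lines.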
@@ -394,6 +386,52 @@ def resolve_linked_user(claims, groups, auto_link, auto_create, sync_profile, sk
 return user
+def resolve_identity_link_for_user(user, subject, email, groups):
+ user_link = ExternalIdentityLink.objects.select_related("user").filter(
+ provider=OIDC_PROVIDER,
+ user=user,
+ ).first()
+
+ conflicting_link = ExternalIdentityLink.objects.filter(
+ provider=OIDC_PROVIDER,
+ subject=subject,
+ ).exclude(user=user).first()
+
+ if conflicting_link:
+ logger.warning(
+ "NODEDC OIDC subject is already linked to another user: "
+ "provider=%s user_id=%s subject_hash=%s",
+ OIDC_PROVIDER,
+ conflicting_link.user_id,
+ hash_subject(subject),
+ )
+ return None
+
+ if user_link:
+ if user_link.status != ExternalIdentityLink.Status.ACTIVE:
+ logger.warning(
+ "NODEDC OIDC denied disabled external identity link during email auto-link: "
+ "provider=%s user_id=%s subject_hash=%s",
+ OIDC_PROVIDER,
+ user.id,
+ hash_subject(subject),
+ )
+ return None
+
+ user_link.subject = subject
+ user_link.email = email
+ user_link.groups = groups
+ user_link.save(update_fields=["subject", "email", "groups", "updated_at"])
+ return user_link
+
+ link, _ = ExternalIdentityLink.objects.get_or_create(
+ provider=OIDC_PROVIDER,
+ subject=subject,
+ defaults={"user": user, "email": email, "groups": groups},
+ )
+ return link
+
+
 def get_or_create_oidc_user(email, claims):
 user = User.objects.filter(email__iexact=email).first()
diff --git a/plane-src/apps/web/Dockerfile.web b/plane-src/apps/web/Dockerfile.web
index a827a25..9d6d80f 100644
--- a/plane-src/apps/web/Dockerfile.web
+++ b/plane-src/apps/web/Dockerfile.web
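Review bot: When the matched user already has a link for this provider, `resolve_identity_link_for_user` in oidc.py overwrites `user_link.subject` with the incoming subject on the strength of an email match alone, and it does so without writing any log line. Whoever the identity provider lets present that email under a different subject then owns the existing account binding while the previous subject silently loses it; nothing in the hunk consults the standard `email_verified` claim, though the caller may do so outside the visible lines. At minimum the rebind should be logged with both subject hashes before the save, as sketched below, and it would be safer to permit it only behind an explicit setting or a verified-email check in the caller. No transaction or row lock is visible around the lookup, conflict check and save, so two concurrent logins could presumably both pass the conflict check. The new function is complete within the hunk and has no docstring; one sentence naming its three outcomes (refuse, rebind, create) would help the next reader.

```python
    if user_link:
        # … unchanged: refuse when user_link.status is not ACTIVE …

        if user_link.subject != subject:
            # Audit trail: the account binding is moving to a different IdP subject.
            logger.warning(
                "NODEDC OIDC rebinding external identity link to a new subject: "
                "provider=%s user_id=%s old_subject_hash=%s new_subject_hash=%s",
                OIDC_PROVIDER,
                user.id,
                hash_subject(user_link.subject),
                hash_subject(subject),
            )

        # … unchanged: assign subject/email/groups, save, return user_link …
```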
@@ -67,6 +67,15 @@ ENV VITE_SPACE_BASE_PATH=$VITE_SPACE_BASE_PATH
 ARG VITE_WEB_BASE_URL=""
 ENV VITE_WEB_BASE_URL=$VITE_WEB_BASE_URL
+ARG VITE_NODEDC_OIDC_LOGIN_ENABLED=""
+ENV VITE_NODEDC_OIDC_LOGIN_ENABLED=$VITE_NODEDC_OIDC_LOGIN_ENABLED
+
+ARG VITE_NODEDC_OIDC_LOGIN_URL=""
+ENV VITE_NODEDC_OIDC_LOGIN_URL=$VITE_NODEDC_OIDC_LOGIN_URL
+
+ARG VITE_NODEDC_LAUNCHER_URL=""
+ENV VITE_NODEDC_LAUNCHER_URL=$VITE_NODEDC_LAUNCHER_URL
+
 ENV NEXT_TELEMETRY_DISABLED=1
 ENV TURBO_TELEMETRY_DISABLED=1
diff --git a/plane-src/apps/web/helpers/nodedc-auth.ts b/plane-src/apps/web/helpers/nodedc-auth.ts
index c80165b..4cafebd 100644
--- a/plane-src/apps/web/helpers/nodedc-auth.ts
+++ b/plane-src/apps/web/helpers/nodedc-auth.ts
@@ -30,7 +30,28 @@ export function buildNodeDCOIDCLoginUrl(nextPath?: string | null): string {
 }
 export function buildNodeDCLauncherUrl(): string {
- return process.env.VITE_NODEDC_LAUNCHER_URL || "http://launcher.local.nodedc/";
+ const configuredUrl = process.env.VITE_NODEDC_LAUNCHER_URL;
+
+ if (configuredUrl) {
+ return configuredUrl;
+ }
+
+ if (typeof window === "undefined") {
+ return "http://launcher.local.nodedc/";
+ }
+
+ const hostname = window.location.hostname.toLowerCase();
+
+ if (hostname.endsWith(".nodedc.ru")) {
+ return "https://hub.nodedc.ru/";
+ }
+
+ if (hostname.endsWith(".nas.nodedc")) {
+ const port = window.location.port ? `:${window.location.port}` : "";
+ return `${window.location.protocol}//launcher.nas.nodedc${port}/`;
+ }
+
+ return "http://launcher.local.nodedc/";
 }
 export function buildNodeDCBrandConfigUrl(): string {
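Review bot: The final `return "http://launcher.local.nodedc/";` in `buildNodeDCLauncherUrl` (nodedc-auth.ts) is reached for every hostname the two suffix checks do not recognise, and that includes the bare `nodedc.ru` apex because `endsWith(".nodedc.ru")` only matches subdomains. If the app is ever served from such a host, the launcher link points users at a cleartext development hostname instead of the real hub. I would match the apex as well, `if (hostname === "nodedc.ru" || hostname.endsWith(".nodedc.ru")) {`, and document the resolution order above the function: `// Launcher URL: build-time VITE_NODEDC_LAUNCHER_URL, then hostname suffix (.nodedc.ru, .nas.nodedc), then the local dev default.`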