fix(netbird): wait for OIDC discovery before reporting install done (#10)

Right after install the dashboard SPA opens and, if it loads before NetBird's embedded OIDC provider is serving, caches a bad auth state — the user appears logged-in but can't log out until it self-corrects. Container "running" != OIDC ready, so gate the install's Done phase on the management server's /oauth2/.well-known/openid-configuration answering (best-effort, 60s cap, never fails the install since the stack is already up). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-20 08:57:37 -04:00 · 2026-06-20 08:57:37 -04:00 · a6957a48f7
commit a6957a48f7
parent 2761f0d70f
1 changed files with 39 additions and 0 deletions
--- a/core/archipelago/src/api/rpc/package/stacks.rs
+++ b/core/archipelago/src/api/rpc/package/stacks.rs
@ -1903,6 +1903,14 @@ impl RpcHandler {

        self.set_install_phase("netbird", InstallPhase::WaitingHealthy)
            .await;
+        // Containers being "running" is NOT the same as the embedded OIDC
+        // provider being ready (#10). The dashboard SPA opens right after install
+        // and, if it loads before /oauth2/.well-known is served, caches a bad
+        // auth state — the user appears logged-in but can't log out until it
+        // self-corrects. Wait (best-effort) for OIDC discovery to answer before
+        // we report Done, so the first dashboard load sees a ready provider.
+        wait_for_netbird_oidc_ready(Duration::from_secs(60)).await;
+
        self.set_install_phase("netbird", InstallPhase::PostInstall)
            .await;
        self.set_install_phase("netbird", InstallPhase::Done).await;
@ -1918,6 +1926,37 @@ impl RpcHandler {
    }
 }

+/// Best-effort wait for NetBird's embedded OIDC provider to start serving its
+/// discovery document. The management server publishes 8086:80 on the host and
+/// is the issuer at `/oauth2`, so its `.well-known/openid-configuration` is the
+/// signal that the dashboard's login/logout flow will work. Polls until a 2xx
+/// or the timeout — NEVER fails the install (the stack is already running; this
+/// only narrows the post-install race window in #10).
+async fn wait_for_netbird_oidc_ready(timeout: Duration) {
+    let url = "http://127.0.0.1:8086/oauth2/.well-known/openid-configuration";
+    let client = match reqwest::Client::builder()
+        .timeout(Duration::from_secs(5))
+        .build()
+    {
+        Ok(c) => c,
+        Err(_) => return,
+    };
+    let deadline = tokio::time::Instant::now() + timeout;
+    loop {
+        if let Ok(resp) = client.get(url).send().await {
+            if resp.status().is_success() {
+                info!("NetBird OIDC discovery is ready");
+                return;
+            }
+        }
+        if tokio::time::Instant::now() >= deadline {
+            info!("NetBird OIDC discovery not ready within timeout — proceeding anyway");
+            return;
+        }
+        tokio::time::sleep(Duration::from_secs(2)).await;
+    }
+}
+
 async fn read_or_generate_b64_secret(name: &str) -> String {
    let path = format!("/var/lib/archipelago/secrets/{}", name);
    if let Ok(val) = tokio::fs::read_to_string(&path).await {