Skip to content

feat(auth): allow pinning the webauth callback port#1

Closed
tomaskir wants to merge 1 commit into
feat/webauth-token-name-lifetimefrom
feat/webauth-port
Closed

feat(auth): allow pinning the webauth callback port#1
tomaskir wants to merge 1 commit into
feat/webauth-token-name-lifetimefrom
feat/webauth-port

Conversation

@tomaskir

@tomaskir tomaskir commented Jun 29, 2026

Copy link
Copy Markdown
Owner

Closing: opening against upstream phasehq/cli instead.

Browser login (--mode webauth) starts a local HTTP callback server on a
random port (8002-20002), so the port cannot be known ahead of time. That
breaks webauth inside containers, where Docker port publishing (-p) needs a
fixed port; the only workaround was --network=host, which is Linux-only and
inconsistent on Docker Desktop.

Add a --webauth-port flag and a matching PHASE_WEBAUTH_PORT env var to pin
the callback server to a caller-specified port. The resolved port is used
both for net.Listen and in the webauth payload's port field, so the Console
redirects back to the same fixed port:

    phase auth --mode webauth --webauth-port 8002
    docker run -p 8002:8002 ... phase auth --mode webauth --webauth-port 8002

Precedence is flag, then env var, then the existing random port. Omitting
both keeps today's behavior, so this is fully backward compatible. Port
resolution is extracted into a pure resolveWebAuthPort helper with unit
tests covering the flag/env/random and validation paths.

Closes phasehq#305
@tomaskir tomaskir closed this Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant