From 863fe469d6587ebca9a2cfa0ef2a4d3a07a90651 Mon Sep 17 00:00:00 2001
From: Marc Mintel <marc@mintel.me>
Date: Fri, 27 Feb 2026 02:02:48 +0100
Subject: [PATCH] fix(gatekeeper): use GATEKEEPER_ORIGIN for login redirect URL
 in ForwardAuth verify

---
 packages/gatekeeper/src/app/api/verify/route.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/gatekeeper/src/app/api/verify/route.ts b/packages/gatekeeper/src/app/api/verify/route.ts
index fcafa22..137f39d 100644
--- a/packages/gatekeeper/src/app/api/verify/route.ts
+++ b/packages/gatekeeper/src/app/api/verify/route.ts
@@ -82,7 +82,7 @@ export async function GET(req: NextRequest) {
 
   // Traefik ForwardAuth headers
   const gatekeeperUrl =
-    process.env.NEXT_PUBLIC_BASE_URL || `${proto}://gatekeeper.${host}`;
+    process.env.GATEKEEPER_ORIGIN || process.env.NEXT_PUBLIC_BASE_URL || `${proto}://gatekeeper.${host}`;
   const absoluteOriginalUrl = `${proto}://${host}${originalUrl}`;
 
   const loginUrl = `${gatekeeperUrl}/login?redirect=${encodeURIComponent(absoluteOriginalUrl)}`;