fix: add siteUrl to resolve origin mismatch behind reverse proxies

[UpperM]

What does this PR do?

Adds a siteUrl config option that fixes a class of reverse-proxy origin mismatches affecting Node.js self-hosted deployments. When EmDash runs behind a TLS-terminating proxy (nginx, Traefik, Caddy -- typical for Coolify, Dokploy, or any Docker setup), the server sees http://localhost:4321 while browsers reach it via https://mysite.example.com. PR #225 fixed this for passkeys; this PR extends the same fix to all affected call sites.

Affected subsystems (before this fix):

• CSRF checks (form-like POSTs return 403 behind a proxy)
• Auth and setup wizard redirects (point to the internal address)
• OAuth redirect URIs (don't match the registered public URL)
• MCP/CLI well-known discovery endpoints (advertise internal URLs)
• Secure cookie flag (omitted when TLS is terminated by the proxy)
• Snapshot export, theme preview, sitemap, robots.txt, JSON-LD

What this adds:

// astro.config.mjs
emdash({
  siteUrl: "https://mysite.example.com",
})

A single getPublicOrigin(url, config) helper wraps every affected url.origin call. When siteUrl is set, it returns that; otherwise it falls back to url.origin unchanged, so non-proxied deployments are not affected. The public origin comes from operator config or environment variables, not from request headers.

Also supports EMDASH_SITE_URL / SITE_URL env vars for container deployments where the domain is only known at runtime (using process.env rather than import.meta.env so it works after the build).

Breaking: passkeyPublicOrigin is removed. Since this is pre-release, renaming felt cleaner than maintaining both. Migration is just renaming the key in astro.config.mjs.

Decision point: checkOrigin: false

This PR disables Astro's built-in security.checkOrigin and relies on EmDash's own CSRF layer (checkPublicCsrf + X-EmDash-Request header). I want to be transparent about why and open this to discussion.

The problem: Astro's checkOrigin and allowedDomains are baked into the build manifest. Behind a reverse proxy, url.origin is the internal address and Astro's origin check blocks form-like POSTs and requests without content-type with "Cross-site POST form submissions are forbidden" -- before EmDash middleware runs. (Note: application/json requests are not affected by Astro's check, but some EmDash flows use form-like content types.) The only Astro-native solutions are:

• allowedDomains scoped to a hostname -- works, but requires the domain at build time, which breaks Docker "build once, deploy anywhere" images where SITE_URL is set at runtime
• allowedDomains: [{}] wildcard -- enables host header poisoning on GET responses (login redirects, OAuth, WWW-Authenticate) when SITE_URL isn't configured

The approach: Disable checkOrigin and let EmDash handle CSRF entirely. EmDash's CSRF layer handles the proxy case that Astro's check cannot: dual-origin support and runtime siteUrl resolution via env vars. When siteUrl is known at build time, allowedDomains is still set so Astro.url reflects the public origin for user template code.

The gap: User-authored form-handling routes on the same Astro site would lose Astro's CSRF protection for form submissions. (Astro's checkOrigin only covers form-like content types and requests without content-type -- it does not protect application/json API routes regardless.) In practice, EmDash sites typically don't add custom form POST endpoints (all state changes go through EmDash's API), but this is worth flagging.

Alternatives I considered but rejected:

• Middleware interception (Astro's origin check is prepended via unshift before user middleware in the pipeline)
• Runtime manifest patching (integration can't control the adapter)
• Custom adapter (too invasive for this fix)

If you'd prefer a different approach -- keeping checkOrigin enabled and documenting that Docker users must set siteUrl at build time, or another path I haven't considered -- I'm happy to rework this.

Discussion #315 was opened before this implementation. I'm happy to adjust scope, naming, or approach based on maintainer feedback -- this can be split, renamed, or otherwise reshaped.

Related: #210, #225, #253, #393

Type of change

• Bug fix
• Feature (requires approved Discussion)
• Refactor (no behavior change)
• Documentation
• Performance improvement
• Tests
• Chore (dependencies, CI, tooling)

Checklist

• I have read CONTRIBUTING.md
• pnpm typecheck passes
• pnpm --silent lint:json | jq '.diagnostics | length' returns 0
• pnpm test passes (or targeted tests for my change)
• pnpm format has been run
• I have added/updated tests for my changes (if applicable)
• I have added a changeset (if this PR changes a published package)
• New features link to an approved Discussion: siteUrl: fix origin mismatch for everything behind a reverse proxy #315

AI-generated code disclosure

• This PR includes AI-generated code

Screenshots / test output

Test output

115 test files passed (2132 tests)
✓ packages/core/tests/unit/api/public-url.test.ts
✓ packages/core/tests/unit/api/csrf.test.ts
✓ packages/core/tests/unit/auth/passkey-config.test.ts
✓ packages/core/tests/unit/auth/discovery-endpoints.test.ts

[changeset-bot]

🦋 Changeset detected

Latest commit: 3cb6035

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 9 packages

Name	Type
emdash	Minor
@emdash-cms/cloudflare	Patch
@emdash-cms/plugin-ai-moderation	Major
@emdash-cms/plugin-atproto	Patch
@emdash-cms/plugin-audit-log	Patch
@emdash-cms/plugin-color	Major
@emdash-cms/plugin-embeds	Major
@emdash-cms/plugin-forms	Major
@emdash-cms/plugin-webhook-notifier	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[github-actions]

Scope check

This PR changes 552 lines across 37 files. Large PRs are harder to review and more likely to be closed without review.

If this scope is intentional, no action needed. A maintainer will review it. If not, please consider splitting this into smaller PRs.

See CONTRIBUTING.md for contribution guidelines.

[UpperM]

I have read the CLA Document and I hereby sign the CLA

[github-actions]

Overlapping PRs

This PR modifies files that are also changed by other open PRs:

• feat(auth): add Google Authenticator 2FA flows and setup options #73 (3 shared files)
• chore: tighten EmDash core and adapter type safety #310 (3 shared files)
• Fix page metadata titles without the site-name suffix #209 (3 shared files)

This may cause merge conflicts or duplicated work. A maintainer will coordinate.