Startup Bugs: Seeding constraint error, invalid OAuth credentials, and persistent “DEV PORT” banner in production

Open wail-asad opened this issue 2 months ago • 0 comments

When deploying StackAuth in a production environment using Docker and the .env configuration below, these issues are reproducible:

| Setting | Result |
| --- | --- |
| STACK_SKIP_SEED_SCRIPT=false | ❌ Fails during seeding with Prisma P2003 foreign key constraint error. |
| STACK_SKIP_SEED_SCRIPT=true | ⚠️ Starts, but OAuth initialization fails with INVALID_OAUTH_CLIENT_ID_OR_SECRET. |
| Any setting | 🔴 Dashboard always shows "DEV PORT: 81xx" in red, even with ENVIRONMENT=production. |

Configuration Example

.env

POSTGRES_DB=stackframe
POSTGRES_USER=stackframe
POSTGRES_PASSWORD=<REDACTED>
NEXT_PUBLIC_STACK_API_URL=https://authapi.example.com
NEXT_PUBLIC_STACK_DASHBOARD_URL=https://auth.example.com
NEXT_PUBLIC_STACK_PORT_PREFIX=81
STACK_DATABASE_CONNECTION_STRING=postgres://stackframe:<REDACTED>@stack-auth-db:5432/stackframe
STACK_DIRECT_DATABASE_CONNECTION_STRING=postgres://stackframe:<REDACTED>@stack-auth-db:5432/stackframe
STACK_SEED_INTERNAL_PROJECT_SIGN_UP_ENABLED=false
[email protected]
STACK_SEED_INTERNAL_PROJECT_USER_PASSWORD=<REDACTED>
STACK_SEED_INTERNAL_PROJECT_ALLOW_LOCALHOST=false
STACK_SEED_INTERNAL_PROJECT_OTP_ENABLED=false
STACK_SEED_INTERNAL_PROJECT_USER_INTERNAL_ACCESS=true
STACK_SEED_INTERNAL_PROJECT_OAUTH_PROVIDERS=github,google
STACK_GOOGLE_CLIENT_ID=<EXAMPLE_GOOGLE_CLIENT_ID>
STACK_GOOGLE_CLIENT_SECRET=<EXAMPLE_GOOGLE_CLIENT_SECRET>
STACK_GITHUB_CLIENT_ID=<EXAMPLE_GITHUB_CLIENT_ID>
STACK_GITHUB_CLIENT_SECRET=<EXAMPLE_GITHUB_CLIENT_SECRET>
STACK_SVIX_API_KEY=<EXAMPLE_SVIX_API_KEY>
STACK_EMAIL_HOST=mail.example.net
STACK_EMAIL_PORT=465
[email protected]
STACK_EMAIL_PASSWORD=<REDACTED>
[email protected]
STACK_SERVER_SECRET=<EXAMPLE_SERVER_SECRET>
STACK_RUN_MIGRATIONS=false
STACK_SKIP_SEED_SCRIPT=false
PROJECT_ID=stack-production
OAUTH_CLIENT_ID=stack-production
OAUTH_CLIENT_SECRET=<EXAMPLE_CLIENT_SECRET>
ENVIRONMENT=production
NEXT_PUBLIC_ENVIRONMENT=production

docker-compose.yml

version: '3.8'
services:
  stack-auth-db:
    image: postgres:17
    env_file:
      - .env
    volumes:
      - stack-auth-db-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -p 5432 -d stackframe"]
      interval: 5s
      timeout: 10s
      retries: 5
      start_period: 10s
    networks:
      - stackframe-network
  stack-auth:
    image: stackauth/server:latest
    container_name: stack-auth
    env_file:
      - .env
    depends_on:
      stack-auth-db:
        condition: service_healthy
    networks:
      - stackframe-network
      - dokploy-network
networks:
  stackframe-network:
    driver: bridge
  dokploy-network:
    external: true
volumes:
  stack-auth-db-data:

Error Cases

Case 1 — Seeding enabled (STACK_SKIP_SEED_SCRIPT=false)

Error:

PrismaClientKnownRequestError: Invalid prisma.teamMemberDirectPermission.upsert() invocation:
Foreign key constraint violated on the constraint: TeamMemberDirectPermission_tenancyId_projectUserId_teamId_fkey

Details:

  • The seeding script fails due to a Prisma foreign key constraint violation (P2003 error code).
  • The TeamMemberDirectPermission table is attempting to reference records that don't exist in the related tables (tenancyId, projectUserId, or teamId).
  • This suggests the seeding order is incorrect or required parent records are missing before child records are inserted.

Case 2 — Seeding disabled (STACK_SKIP_SEED_SCRIPT=true)

Error:

{ 
  "code": "INVALID_OAUTH_CLIENT_ID_OR_SECRET",
  "details": { "client_id": null },
  "error": "The OAuth client ID or secret is invalid. The client ID must be equal to the project ID (potentially with a hash and a branch ID), and the client secret must be a publishable client key."
}

Details:

  • OAuth initialization fails because the client ID is null.
  • The error message indicates that the OAuth client ID should match the project ID (with optional hash/branch ID suffix).
  • Despite setting OAUTH_CLIENT_ID=stack-production and PROJECT_ID=stack-production in the environment, the application is not recognizing these values.
  • This could indicate the OAuth provider configuration is not being properly initialized when seeding is skipped, or the environment variables are not being read correctly during OAuth setup.

wail-asad · Oct 25 '25 19:10
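
A preflight check for the .env shown in the issue, added here as an example; it is not part of the original issue or of the Stack Auth project. It tests the file only against what is visible on this page: credential pairs for each seeded OAuth provider, the client-ID rule quoted in the Case 2 error, and agreement between the connection string and the Postgres settings. The function names, the sample values and the reading of "a hash and a branch ID" as a '#<branch>' suffix are assumptions, and whether the server reads OAUTH_CLIENT_ID or PROJECT_ID at all is not established here.

```python
import re
from urllib.parse import urlsplit
# Constructed sample using variable names from the issue; every value is a placeholder.
SAMPLE_ENV = """\
POSTGRES_DB=stackframe
POSTGRES_USER=stackframe
STACK_DATABASE_CONNECTION_STRING=postgres://stackframe:PLACEHOLDER@stack-auth-db:5432/stackframe
STACK_SEED_INTERNAL_PROJECT_OAUTH_PROVIDERS=github,google
STACK_GOOGLE_CLIENT_ID=placeholder-google-id
STACK_GOOGLE_CLIENT_SECRET=placeholder-google-secret
STACK_GITHUB_CLIENT_ID=placeholder-github-id
STACK_GITHUB_CLIENT_SECRET=
PROJECT_ID=stack-production
OAUTH_CLIENT_ID=stack-production
"""

def parse_env(text):
    """Return (vars, malformed line numbers); blanks and '#' comments are skipped."""
    env, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z_][A-Za-z0-9_]*)=(.*)", line)
        if m:
            env[m.group(1)] = m.group(2)
        else:
            bad.append(n)
    return env, bad

def preflight(text, db_service="stack-auth-db"):
    """Return a list of findings; empty means every check passed."""
    env, bad = parse_env(text)
    findings = [f"line {n}: not KEY=VALUE" for n in bad]
    # Each provider named for seeding needs both halves of its credential pair.
    providers = env.get("STACK_SEED_INTERNAL_PROJECT_OAUTH_PROVIDERS", "")
    for p in filter(None, (s.strip().upper() for s in providers.split(","))):
        for key in (f"STACK_{p}_CLIENT_ID", f"STACK_{p}_CLIENT_SECRET"):
            if not env.get(key):
                findings.append(f"{key} is missing or empty")
    # Rule from the error text; '#<branch>' as the suffix form is an assumption.
    cid, pid = env.get("OAUTH_CLIENT_ID"), env.get("PROJECT_ID")
    if not cid or not pid or cid.split("#", 1)[0] != pid:
        findings.append("OAUTH_CLIENT_ID does not match PROJECT_ID")
    # The connection string should agree with the Postgres container's settings.
    url = urlsplit(env.get("STACK_DATABASE_CONNECTION_STRING", ""))
    if (url.username, url.hostname, url.path.lstrip("/")) != (env.get("POSTGRES_USER"), db_service, env.get("POSTGRES_DB")):
        findings.append("STACK_DATABASE_CONNECTION_STRING disagrees with POSTGRES_* or the DB service")
    return findings
```

Calling preflight() on the text of the real .env before starting the containers returns one finding per failed check without echoing any secret value.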