From 346ddfa3a4ac0b96018813575539fddcc84c6042 Mon Sep 17 00:00:00 2001
From: Mitchell R
Date: Mon, 11 May 2026 10:38:32 +0200
Subject: [PATCH] fix(proxy): strip Node-RED ingress bases Keep the two external ingress flows at /in/public and /in/kiosk while allowing Node-RED routes to stay path-local, such as /test1.
---
 CLAUDE.md | 4 ++++
 deploy/README.md | 9 +++++++++
 deploy/angie/betterframe.docker.conf | 4 ++--
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/CLAUDE.md b/CLAUDE.md
index 3f4882a..2c19517 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -68,6 +68,10 @@
 - public `/in/public/*` `/s/*` — rate-limited
 - kiosk-key `/api/kiosk/*` `/in/kiosk/*` `/dash/*` (kiosks)
 - admin session+TOTP `/admin/*` `/api/admin/*` `/nrdp/*` `/dash/*` (humans)
+ Node-RED external HTTP-in has exactly two ingress bases: `/in/public/*`
+ for user webhooks/actions and `/in/kiosk/*` for kiosk-authenticated data.
+ Angie strips that base before proxying, so a Node-RED route `/test1` is
+ called as `/in/public/test1` or `/in/kiosk/test1`.
 11. **labels** = routing primitive. cams+layouts+kiosks carry labels. 2 binding kinds:
 - `consume`: any kiosk w/label may render
 - `operate`: exactly ONE kiosk authoritative (composite PK incl role)
diff --git a/deploy/README.md b/deploy/README.md
index 0094c54..803c429 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -35,6 +35,15 @@ Node-RED is reachable only through:
 http:///nrdp/
 ```
+Node-RED HTTP-in routes have two public base URLs:
+
+- Public webhook/user actions: `http:///in/public/`
+- Kiosk-authenticated ingress: `http:///in/kiosk/`
+
+For example, a Node-RED `http in` node at `/test1` is called as
+`http:///in/public/test1` for public traffic, or
+`http:///in/kiosk/test1` for kiosk-authenticated traffic.
+
 Do not publish `18080`, `18081`, `18082`, or `1880` on the host. If migrating from an older native install, stop the old host daemons first:
diff --git a/deploy/angie/betterframe.docker.conf b/deploy/angie/betterframe.docker.conf
index 96fb8e5..4c204b3 100644
--- a/deploy/angie/betterframe.docker.conf
+++ b/deploy/angie/betterframe.docker.conf
@@ -75,13 +75,13 @@ server {
 location /in/public/ {
 limit_req zone=bf_public burst=20 nodelay;
- rewrite ^/in/public/(.*) /public/$1 break;
+ rewrite ^/in/public/(.*) /$1 break;
 proxy_pass http://betterframe_nodered;
 }
 location /in/kiosk/ {
 auth_request /api/kiosk/_check;
- rewrite ^/in/kiosk/(.*) /kiosk/$1 break;
+ rewrite ^/in/kiosk/(.*) /$1 break;
 proxy_pass http://betterframe_nodered;
 }
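Review bot: With both `rewrite` lines now mapping to `/$1`, `/in/public/<path>` and `/in/kiosk/<path>` reach the same Node-RED route, so the `auth_request /api/kiosk/_check` on the kiosk location no longer protects anything that the rate-limited public location does not also serve. Before this change the `/public/` and `/kiosk/` prefixes kept the two trust levels in separate route namespaces on the upstream. If path-local routes are wanted, each location should tell Node-RED which ingress was used, for example `proxy_set_header X-BF-Ingress public;` and `proxy_set_header X-BF-Ingress kiosk;` (the header name is only an example), with kiosk-only flows rejecting requests that lack the kiosk value. It is also worth confirming that nothing else served by `betterframe_nodered` (possibly the editor or admin API, depending on Node-RED root settings that are not visible here) becomes reachable under `/in/public/` now that the whole path space is forwarded. The `server` block starts and ends outside the hunk.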