Description
When deploying StackAuth in a production environment using Docker and the .env configuration below, these issues are reproducible:
| Setting | Result |
|---|---|
| STACK_SKIP_SEED_SCRIPT=false | ❌ Fails during seeding with Prisma P2003 foreign key constraint error. |
| STACK_SKIP_SEED_SCRIPT=true | |
| Any setting | 🔴 Dashboard always shows "DEV PORT: 81xx" in red, even with ENVIRONMENT=production. |
Configuration Example
.env
```
POSTGRES_DB=stackframe
POSTGRES_USER=stackframe
POSTGRES_PASSWORD=<REDACTED>
NEXT_PUBLIC_STACK_API_URL=https://authapi.example.com
NEXT_PUBLIC_STACK_DASHBOARD_URL=https://auth.example.com
NEXT_PUBLIC_STACK_PORT_PREFIX=81
STACK_DATABASE_CONNECTION_STRING=postgres://stackframe:<REDACTED>@stack-auth-db:5432/stackframe
STACK_DIRECT_DATABASE_CONNECTION_STRING=postgres://stackframe:<REDACTED>@stack-auth-db:5432/stackframe
STACK_SEED_INTERNAL_PROJECT_SIGN_UP_ENABLED=false
STACK_SEED_INTERNAL_PROJECT_USER_EMAIL=admin@example.com
STACK_SEED_INTERNAL_PROJECT_USER_PASSWORD=<REDACTED>
STACK_SEED_INTERNAL_PROJECT_ALLOW_LOCALHOST=false
STACK_SEED_INTERNAL_PROJECT_OTP_ENABLED=false
STACK_SEED_INTERNAL_PROJECT_USER_INTERNAL_ACCESS=true
STACK_SEED_INTERNAL_PROJECT_OAUTH_PROVIDERS=github,google
STACK_GOOGLE_CLIENT_ID=<EXAMPLE_GOOGLE_CLIENT_ID>
STACK_GOOGLE_CLIENT_SECRET=<EXAMPLE_GOOGLE_CLIENT_SECRET>
STACK_GITHUB_CLIENT_ID=<EXAMPLE_GITHUB_CLIENT_ID>
STACK_GITHUB_CLIENT_SECRET=<EXAMPLE_GITHUB_CLIENT_SECRET>
STACK_SVIX_API_KEY=<EXAMPLE_SVIX_API_KEY>
STACK_EMAIL_HOST=mail.example.net
STACK_EMAIL_PORT=465
STACK_EMAIL_USERNAME=noreply@example.net
STACK_EMAIL_PASSWORD=<REDACTED>
STACK_EMAIL_SENDER=noreply@example.net
STACK_SERVER_SECRET=<EXAMPLE_SERVER_SECRET>
STACK_RUN_MIGRATIONS=false
STACK_SKIP_SEED_SCRIPT=false
PROJECT_ID=stack-production
OAUTH_CLIENT_ID=stack-production
OAUTH_CLIENT_SECRET=<EXAMPLE_CLIENT_SECRET>
ENVIRONMENT=production
NEXT_PUBLIC_ENVIRONMENT=production
```
docker-compose.yml
```yaml
version: '3.8'
services:
  stack-auth-db:
    image: postgres:17
    env_file:
      - .env
    volumes:
      - stack-auth-db-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -p 5432 -d stackframe"]
      interval: 5s
      timeout: 10s
      retries: 5
      start_period: 10s
    networks:
      - stackframe-network
  stack-auth:
    image: stackauth/server:latest
    container_name: stack-auth
    env_file:
      - .env
    depends_on:
      stack-auth-db:
        condition: service_healthy
    networks:
      - stackframe-network
      - dokploy-network
networks:
  stackframe-network:
    driver: bridge
  dokploy-network:
    external: true
volumes:
  stack-auth-db-data:
```
Error Cases
Case 1 — Seeding enabled (STACK_SKIP_SEED_SCRIPT=false)
Error:
```
PrismaClientKnownRequestError: Invalid prisma.teamMemberDirectPermission.upsert() invocation:
Foreign key constraint violated on the constraint: TeamMemberDirectPermission_tenancyId_projectUserId_teamId_fkey
```
Details:
- The seeding script fails due to a Prisma foreign key constraint violation (P2003 error code).
- The `TeamMemberDirectPermission` table is attempting to reference records that don't exist in the related tables (`tenancyId`, `projectUserId`, or `teamId`).
- This suggests the seeding order is incorrect or required parent records are missing before child records are inserted.
Case 2 — Seeding disabled (STACK_SKIP_SEED_SCRIPT=true)
Error:
```json
{
  "code": "INVALID_OAUTH_CLIENT_ID_OR_SECRET",
  "details": { "client_id": null },
  "error": "The OAuth client ID or secret is invalid. The client ID must be equal to the project ID (potentially with a hash and a branch ID), and the client secret must be a publishable client key."
}
```
Details:
- OAuth initialization fails because the client ID is `null`.
- The error message indicates that the OAuth client ID should match the project ID (with optional hash/branch ID suffix).
- Despite setting `OAUTH_CLIENT_ID=stack-production` and `PROJECT_ID=stack-production` in the environment, the application is not recognizing these values.
- This could indicate the OAuth provider configuration is not being properly initialized when seeding is skipped, or the environment variables are not being read correctly during OAuth setup.