From 0bbeedda0782d5812f75fc665314c9d3d72055ad Mon Sep 17 00:00:00 2001
From: "DESKTOP-RTLN3BA\\$punk" <vermarohanfinal@gmail.com>
Date: Mon, 1 Jun 2026 18:33:08 -0700
Subject: [PATCH] fix(route): update backend URL handling for internal Docker
 network

- Modified backend URL assignment to ensure it resolves correctly within the internal Docker network, preventing 503 errors for authenticated Zero queries.
- Added comments to clarify the routing behavior and the necessity of using the internal backend URL.
---
 surfsense_web/app/api/zero/query/route.ts | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/surfsense_web/app/api/zero/query/route.ts b/surfsense_web/app/api/zero/query/route.ts
index 0e64c932f..bff86c25e 100644
--- a/surfsense_web/app/api/zero/query/route.ts
+++ b/surfsense_web/app/api/zero/query/route.ts
@@ -6,7 +6,16 @@ import type { Context } from "@/types/zero";
 import { queries } from "@/zero/queries";
 import { schema } from "@/zero/schema";
 
-const backendURL = BACKEND_URL;
+// This route is invoked server-to-server by zero-cache (via ZERO_QUERY_URL),
+// so it must reach the backend over the internal Docker network
+// (e.g. http://backend:8000). The browser-facing NEXT_PUBLIC_FASTAPI_BACKEND_URL
+// (e.g. http://localhost:8929) does NOT resolve from inside the frontend
+// container and would make every authenticated Zero query fail with a 503.
+const backendURL = (
+	process.env.FASTAPI_BACKEND_INTERNAL_URL ||
+	BACKEND_URL ||
+	"http://localhost:8000"
+).replace(/\/$/, "");
 
 async function authenticateRequest(
 	request: Request