sso: add PublicURL for browser authorize (split from backend MciasURL)

Lets services point the browser SSO authorize redirect at the public
MCIAS hostname while keeping the server-to-server code exchange on the
internal/Tailnet address (efficient, edge-independent). PublicURL is
optional and falls back to MciasURL.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

db/db.go

@@ -65,11 +65,11 @@ func Open(path string) (*sql.DB, error) {
 	// connection to serialize all access and eliminate busy errors.
 	database.SetMaxOpenConns(1)
 
-	// Ensure permissions are correct even if the file already existed.
+	// Best-effort permissions tightening. This may fail inside rootless
-	if err := os.Chmod(path, 0600); err != nil {
+	// podman containers where fchmod is denied in the user namespace.
-		_ = database.Close()
+	// The database still functions correctly without it.
-		return nil, fmt.Errorf("db: chmod %s: %w", path, err)
+	// See: log/2026-04-03-uid-incident.md
-	}
+	_ = os.Chmod(path, 0600)
 
 	return database, nil
 }
@@ -168,9 +168,7 @@ func Snapshot(database *sql.DB, destPath string) error {
 		return fmt.Errorf("db: snapshot: %w", err)
 	}
 
-	if err := os.Chmod(destPath, 0600); err != nil {
+	_ = os.Chmod(destPath, 0600) // best-effort; may fail in rootless containers
-		return fmt.Errorf("db: chmod snapshot %s: %w", destPath, err)
-	}
 
 	return nil
 }

sso/sso.go

@@ -39,9 +39,18 @@ const (
 // Config holds the SSO client configuration. The values must match the
 // SSO client registration in MCIAS config.
 type Config struct {
-	// MciasURL is the base URL of the MCIAS server.
+	// MciasURL is the base URL of the MCIAS server used for the
+	// server-to-server authorization-code exchange. This is typically the
+	// internal/Tailnet address so the exchange does not depend on the public
+	// edge.
 	MciasURL string
 
+	// PublicURL, when set, is the browser-facing MCIAS base URL used to build
+	// the authorize redirect. It must be resolvable and reachable by end-user
+	// browsers (e.g. the public hostname). When empty, MciasURL is used for
+	// both, which only works when MciasURL is itself browser-reachable.
+	PublicURL string
+
 	// ClientID is the registered SSO client identifier.
 	ClientID string
 
@@ -104,9 +113,19 @@ func New(cfg Config) (*Client, error) {
 	}, nil
 }
 
-// AuthorizeURL returns the MCIAS authorize URL with the given state parameter.
+// authorizeBase returns the browser-facing MCIAS base URL: PublicURL when
+// configured, otherwise MciasURL.
+func (c *Client) authorizeBase() string {
+	if c.cfg.PublicURL != "" {
+		return c.cfg.PublicURL
+	}
+	return c.cfg.MciasURL
+}
+
+// AuthorizeURL returns the MCIAS authorize URL (browser-facing) with the
+// given state parameter.
 func (c *Client) AuthorizeURL(state string) string {
-	base := strings.TrimRight(c.cfg.MciasURL, "/")
+	base := strings.TrimRight(c.authorizeBase(), "/")
 	return base + "/sso/authorize?" + url.Values{
 		"client_id":    {c.cfg.ClientID},
 		"redirect_uri": {c.cfg.RedirectURI},