fix(auth): correct callbackUrl and auto-redirect to Authentik

- Use NEXTAUTH_URL instead of request.url for callbackUrl (was 0.0.0.0:3000)
- Add custom /auth/signin page that auto-calls signIn("authentik")
- Skip the intermediate "Sign in with Authentik" button page
- Exclude /auth/signin from middleware matcher

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/middleware.ts

@@ -27,9 +27,13 @@ export async function middleware(request: NextRequest) {
     );
   }
 
-  // Page routes: redirect to NextAuth sign-in with callbackUrl
-  const signInUrl = new URL("/api/auth/signin", request.url);
-  signInUrl.searchParams.set("callbackUrl", request.url);
+  // Use NEXTAUTH_URL as base (request.url uses container's internal 0.0.0.0:3000)
+  const baseUrl = process.env.NEXTAUTH_URL || "https://tools.beletage.ro";
+  const callbackUrl = `${baseUrl}${pathname}${request.nextUrl.search}`;
+
+  // Redirect to custom sign-in page (auto-forwards to Authentik)
+  const signInUrl = new URL("/auth/signin", baseUrl);
+  signInUrl.searchParams.set("callbackUrl", callbackUrl);
   return NextResponse.redirect(signInUrl);
 }
 
@@ -42,6 +46,6 @@ export const config = {
      * - /favicon.ico, /robots.txt, /sitemap.xml
      * - Files with extensions (images, fonts, etc.)
      */
-    "/((?!api/auth|_next|favicon\\.ico|robots\\.txt|sitemap\\.xml|.*\\..*).*)",
+    "/((?!api/auth|auth/signin|_next|favicon\\.ico|robots\\.txt|sitemap\\.xml|.*\\..*).*)",
   ],
 };