ui/src/auth/useAuth.ts

import { useLogto } from '@logto/react';
import { useState, useEffect, useCallback } from 'react';
import { useOrgStore } from './useOrganization';

interface IdTokenClaims {
  sub?: string;
  email?: string;
  name?: string;
  username?: string;
  roles?: string[];
  organization_id?: string;
  [key: string]: unknown;
}

export function useAuth() {
  const { isAuthenticated, isLoading, getIdTokenClaims, signOut, signIn } = useLogto();
  const [claims, setClaims] = useState<IdTokenClaims | null>(null);
  const { currentTenantId, isPlatformAdmin } = useOrgStore();

  useEffect(() => {
    if (isAuthenticated) {
      getIdTokenClaims().then((c) => setClaims(c as IdTokenClaims));
    } else {
      setClaims(null);
    }
  }, [isAuthenticated, getIdTokenClaims]);

  const username = claims?.username ?? claims?.name ?? claims?.email ?? claims?.sub ?? null;
  const roles = (claims?.roles as string[]) ?? [];
  // tenantId is the DB UUID from the org store (set by OrgResolver after /api/me)
  const tenantId = currentTenantId;

  const logout = useCallback(() => {
    signOut(window.location.origin + '/login');
  }, [signOut]);

  return {
    isAuthenticated,
    isLoading,
    username,
    roles,
    tenantId,
    isPlatformAdmin,
    logout,
    signIn,
  };
}
refactor: replace hand-rolled OIDC with @logto/react SDK The hand-rolled OIDC flow (manual PKCE, token exchange, URL construction) was fragile and accumulated multiple bugs. Replaced with the official @logto/react SDK which handles PKCE, token exchange, storage, and refresh automatically. - Add @logto/react SDK dependency - Add LogtoProvider with runtime config in main.tsx - Add TokenSync component bridging SDK tokens to API client - Add useAuth hook replacing Zustand auth store - Simplify LoginPage to signIn(), CallbackPage to useHandleSignInCallback() - Delete pkce.ts and auth-store.ts (replaced by SDK) - Fix react-router-dom → react-router imports in page files - All 17 React Query hooks unchanged (token provider pattern) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 01:17:47 +02:00			`import { useLogto } from '@logto/react';`
			`import { useState, useEffect, useCallback } from 'react';`
feat: bootstrap 2 users, tenant, org-scoped tokens, platform admin UI Bootstrap script now creates: - SaaS Owner (admin/admin) with platform-admin role - Tenant Admin (camel/camel) in Example Tenant org - Traditional Web App for cameleer3-server OIDC - DB records: tenant, default environment, license - Configures cameleer3-server OIDC via its admin API All credentials configurable via env vars. Backend: - Fix LogtoManagementClient resource URL (https://default.logto.app/api) - Add getUserRoles/getUserOrganizations to LogtoManagementClient - Add GET /api/me endpoint (user info, platform admin status, tenants) - Add GET /api/tenants list-all for platform admins - Remove insecure X-header forwarding from Traefik Frontend: - Org-scoped tokens: getAccessToken(resource, orgId) for tenant context - OrgResolver component populates org store from /api/me - useOrganization Zustand store (currentOrgId + currentTenantId) - Platform admin sidebar section + AdminTenantsPage - View Dashboard link points to cameleer3-server on port 8081 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 02:50:51 +02:00			`import { useOrgStore } from './useOrganization';`
refactor: replace hand-rolled OIDC with @logto/react SDK The hand-rolled OIDC flow (manual PKCE, token exchange, URL construction) was fragile and accumulated multiple bugs. Replaced with the official @logto/react SDK which handles PKCE, token exchange, storage, and refresh automatically. - Add @logto/react SDK dependency - Add LogtoProvider with runtime config in main.tsx - Add TokenSync component bridging SDK tokens to API client - Add useAuth hook replacing Zustand auth store - Simplify LoginPage to signIn(), CallbackPage to useHandleSignInCallback() - Delete pkce.ts and auth-store.ts (replaced by SDK) - Fix react-router-dom → react-router imports in page files - All 17 React Query hooks unchanged (token provider pattern) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 01:17:47 +02:00
			`interface IdTokenClaims {`
			`sub?: string;`
			`email?: string;`
			`name?: string;`
			`username?: string;`
			`roles?: string[];`
			`organization_id?: string;`
			`[key: string]: unknown;`
			`}`

			`export function useAuth() {`
			`const { isAuthenticated, isLoading, getIdTokenClaims, signOut, signIn } = useLogto();`
			`const [claims, setClaims] = useState<IdTokenClaims \| null>(null);`
feat: bootstrap 2 users, tenant, org-scoped tokens, platform admin UI Bootstrap script now creates: - SaaS Owner (admin/admin) with platform-admin role - Tenant Admin (camel/camel) in Example Tenant org - Traditional Web App for cameleer3-server OIDC - DB records: tenant, default environment, license - Configures cameleer3-server OIDC via its admin API All credentials configurable via env vars. Backend: - Fix LogtoManagementClient resource URL (https://default.logto.app/api) - Add getUserRoles/getUserOrganizations to LogtoManagementClient - Add GET /api/me endpoint (user info, platform admin status, tenants) - Add GET /api/tenants list-all for platform admins - Remove insecure X-header forwarding from Traefik Frontend: - Org-scoped tokens: getAccessToken(resource, orgId) for tenant context - OrgResolver component populates org store from /api/me - useOrganization Zustand store (currentOrgId + currentTenantId) - Platform admin sidebar section + AdminTenantsPage - View Dashboard link points to cameleer3-server on port 8081 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 02:50:51 +02:00			`const { currentTenantId, isPlatformAdmin } = useOrgStore();`
refactor: replace hand-rolled OIDC with @logto/react SDK The hand-rolled OIDC flow (manual PKCE, token exchange, URL construction) was fragile and accumulated multiple bugs. Replaced with the official @logto/react SDK which handles PKCE, token exchange, storage, and refresh automatically. - Add @logto/react SDK dependency - Add LogtoProvider with runtime config in main.tsx - Add TokenSync component bridging SDK tokens to API client - Add useAuth hook replacing Zustand auth store - Simplify LoginPage to signIn(), CallbackPage to useHandleSignInCallback() - Delete pkce.ts and auth-store.ts (replaced by SDK) - Fix react-router-dom → react-router imports in page files - All 17 React Query hooks unchanged (token provider pattern) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 01:17:47 +02:00
			`useEffect(() => {`
			`if (isAuthenticated) {`
			`getIdTokenClaims().then((c) => setClaims(c as IdTokenClaims));`
			`} else {`
			`setClaims(null);`
			`}`
			`}, [isAuthenticated, getIdTokenClaims]);`

			`const username = claims?.username ?? claims?.name ?? claims?.email ?? claims?.sub ?? null;`
			`const roles = (claims?.roles as string[]) ?? [];`
feat: bootstrap 2 users, tenant, org-scoped tokens, platform admin UI Bootstrap script now creates: - SaaS Owner (admin/admin) with platform-admin role - Tenant Admin (camel/camel) in Example Tenant org - Traditional Web App for cameleer3-server OIDC - DB records: tenant, default environment, license - Configures cameleer3-server OIDC via its admin API All credentials configurable via env vars. Backend: - Fix LogtoManagementClient resource URL (https://default.logto.app/api) - Add getUserRoles/getUserOrganizations to LogtoManagementClient - Add GET /api/me endpoint (user info, platform admin status, tenants) - Add GET /api/tenants list-all for platform admins - Remove insecure X-header forwarding from Traefik Frontend: - Org-scoped tokens: getAccessToken(resource, orgId) for tenant context - OrgResolver component populates org store from /api/me - useOrganization Zustand store (currentOrgId + currentTenantId) - Platform admin sidebar section + AdminTenantsPage - View Dashboard link points to cameleer3-server on port 8081 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 02:50:51 +02:00			`// tenantId is the DB UUID from the org store (set by OrgResolver after /api/me)`
			`const tenantId = currentTenantId;`
refactor: replace hand-rolled OIDC with @logto/react SDK The hand-rolled OIDC flow (manual PKCE, token exchange, URL construction) was fragile and accumulated multiple bugs. Replaced with the official @logto/react SDK which handles PKCE, token exchange, storage, and refresh automatically. - Add @logto/react SDK dependency - Add LogtoProvider with runtime config in main.tsx - Add TokenSync component bridging SDK tokens to API client - Add useAuth hook replacing Zustand auth store - Simplify LoginPage to signIn(), CallbackPage to useHandleSignInCallback() - Delete pkce.ts and auth-store.ts (replaced by SDK) - Fix react-router-dom → react-router imports in page files - All 17 React Query hooks unchanged (token provider pattern) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 01:17:47 +02:00
			`const logout = useCallback(() => {`
			`signOut(window.location.origin + '/login');`
			`}, [signOut]);`

			`return {`
			`isAuthenticated,`
			`isLoading,`
			`username,`
			`roles,`
			`tenantId,`
feat: bootstrap 2 users, tenant, org-scoped tokens, platform admin UI Bootstrap script now creates: - SaaS Owner (admin/admin) with platform-admin role - Tenant Admin (camel/camel) in Example Tenant org - Traditional Web App for cameleer3-server OIDC - DB records: tenant, default environment, license - Configures cameleer3-server OIDC via its admin API All credentials configurable via env vars. Backend: - Fix LogtoManagementClient resource URL (https://default.logto.app/api) - Add getUserRoles/getUserOrganizations to LogtoManagementClient - Add GET /api/me endpoint (user info, platform admin status, tenants) - Add GET /api/tenants list-all for platform admins - Remove insecure X-header forwarding from Traefik Frontend: - Org-scoped tokens: getAccessToken(resource, orgId) for tenant context - OrgResolver component populates org store from /api/me - useOrganization Zustand store (currentOrgId + currentTenantId) - Platform admin sidebar section + AdminTenantsPage - View Dashboard link points to cameleer3-server on port 8081 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 02:50:51 +02:00			`isPlatformAdmin,`
refactor: replace hand-rolled OIDC with @logto/react SDK The hand-rolled OIDC flow (manual PKCE, token exchange, URL construction) was fragile and accumulated multiple bugs. Replaced with the official @logto/react SDK which handles PKCE, token exchange, storage, and refresh automatically. - Add @logto/react SDK dependency - Add LogtoProvider with runtime config in main.tsx - Add TokenSync component bridging SDK tokens to API client - Add useAuth hook replacing Zustand auth store - Simplify LoginPage to signIn(), CallbackPage to useHandleSignInCallback() - Delete pkce.ts and auth-store.ts (replaced by SDK) - Fix react-router-dom → react-router imports in page files - All 17 React Query hooks unchanged (token provider pattern) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 01:17:47 +02:00			`logout,`
			`signIn,`
			`};`
			`}`