feat: zero-config first-run experience with Logto bootstrap

- logto-bootstrap.sh: API-driven init script that creates SPA app, M2M app, and default user (camel/camel) via Logto Management API. Reads m-default secret from DB, then removes seeded apps with known secrets (security hardening). Idempotent. - PublicConfigController: /api/config public endpoint serves Logto client ID from bootstrap output file (runtime, not build-time) - Frontend: LoginPage + CallbackPage fetch config from /api/config instead of import.meta.env (fixes Vite build-time baking issue) - Docker Compose: logto-bootstrap init service with health-gated dependency chain, shared volume for bootstrap config - SecurityConfig: permit /api/config without auth Flow: docker compose up → bootstrap creates apps/user → SPA fetches config → login page shows → sign in with Logto → camel/camel Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 00:22:22 +02:00
parent cda7dfbaa7
commit 021b056bce
9 changed files with 371 additions and 28 deletions
--- a/ui/src/auth/CallbackPage.tsx
+++ b/ui/src/auth/CallbackPage.tsx
@@ -2,6 +2,7 @@ import { useEffect } from 'react';
 import { useNavigate } from 'react-router';
 import { useAuthStore } from './auth-store';
 import { Spinner } from '@cameleer/design-system';
+import { fetchConfig } from '../config';

 export function CallbackPage() {
  const navigate = useNavigate();
@@ -15,30 +16,30 @@ export function CallbackPage() {
      return;
    }

-    const logtoEndpoint = import.meta.env.VITE_LOGTO_ENDPOINT || 'http://localhost:3001';
-    const clientId = import.meta.env.VITE_LOGTO_CLIENT_ID || '';
    const redirectUri = `${window.location.origin}/callback`;

-    fetch(`${logtoEndpoint}/oidc/token`, {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-      body: new URLSearchParams({
-        grant_type: 'authorization_code',
-        code,
-        client_id: clientId,
-        redirect_uri: redirectUri,
-      }),
-    })
-      .then((r) => r.json())
-      .then((data) => {
-        if (data.access_token) {
-          login(data.access_token, data.refresh_token || '');
-          navigate('/');
-        } else {
-          navigate('/login');
-        }
+    fetchConfig().then((config) => {
+      fetch(`${config.logtoEndpoint}/oidc/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          grant_type: 'authorization_code',
+          code,
+          client_id: config.logtoClientId,
+          redirect_uri: redirectUri,
+        }),
      })
-      .catch(() => navigate('/login'));
+        .then((r) => r.json())
+        .then((data) => {
+          if (data.access_token) {
+            login(data.access_token, data.refresh_token || '');
+            navigate('/');
+          } else {
+            navigate('/login');
+          }
+        })
+        .catch(() => navigate('/login'));
+    });
  }, [login, navigate]);

  return (