fix: move Logto to auth.localhost subdomain to avoid /assets path conflict

Logto's login page references /assets/* which conflicts with the SPA's assets at the same path. Using Host-based routing (auth.localhost) gives Logto its own namespace - all paths on that subdomain go to Logto, eliminating the conflict. *.localhost resolves to 127.0.0.1 and is a secure context. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 17:42:17 +02:00
parent c58ca34b2c
commit 0472528cd6
3 changed files with 12 additions and 12 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -39,7 +39,7 @@ services:
    entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
    environment:
      DB_URL: postgres://${POSTGRES_USER:-cameleer}:${POSTGRES_PASSWORD:-cameleer_dev}@postgres:5432/logto
-      ENDPOINT: http://${PUBLIC_HOST:-localhost}
+      ENDPOINT: http://auth.${PUBLIC_HOST:-localhost}
      ADMIN_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3002
      TRUST_PROXY_HEADER: 1
    healthcheck:
@@ -50,7 +50,7 @@ services:
      start_period: 15s
    labels:
      - traefik.enable=true
-      - traefik.http.routers.logto.rule=PathPrefix(`/oidc`) || PathPrefix(`/interaction`)
+      - traefik.http.routers.logto.rule=Host(`auth.${PUBLIC_HOST:-localhost}`)
      - traefik.http.services.logto.loadbalancer.server.port=3001
    networks:
      - cameleer
@@ -67,7 +67,7 @@ services:
    environment:
      LOGTO_ENDPOINT: http://logto:3001
      LOGTO_ADMIN_ENDPOINT: http://logto:3002
-      LOGTO_PUBLIC_ENDPOINT: http://${PUBLIC_HOST:-localhost}
+      LOGTO_PUBLIC_ENDPOINT: http://auth.${PUBLIC_HOST:-localhost}
      PUBLIC_HOST: ${PUBLIC_HOST:-localhost}
      PG_HOST: postgres
      PG_USER: ${POSTGRES_USER:-cameleer}
@@ -104,8 +104,8 @@ services:
      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER:-cameleer}
      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
      LOGTO_ENDPOINT: ${LOGTO_ENDPOINT:-http://logto:3001}
-      LOGTO_PUBLIC_ENDPOINT: http://${PUBLIC_HOST:-localhost}
-      LOGTO_ISSUER_URI: http://${PUBLIC_HOST:-localhost}/oidc
+      LOGTO_PUBLIC_ENDPOINT: http://auth.${PUBLIC_HOST:-localhost}
+      LOGTO_ISSUER_URI: http://auth.${PUBLIC_HOST:-localhost}/oidc
      LOGTO_JWK_SET_URI: ${LOGTO_ENDPOINT:-http://logto:3001}/oidc/jwks
      LOGTO_M2M_CLIENT_ID: ${LOGTO_M2M_CLIENT_ID:-}
      LOGTO_M2M_CLIENT_SECRET: ${LOGTO_M2M_CLIENT_SECRET:-}
@@ -139,7 +139,7 @@ services:
      CAMELEER_AUTH_TOKEN: ${CAMELEER_AUTH_TOKEN:-default-bootstrap-token}
      CAMELEER_JWT_SECRET: ${CAMELEER_JWT_SECRET:-cameleer-dev-jwt-secret-change-in-production}
      CAMELEER_TENANT_ID: ${CAMELEER_TENANT_SLUG:-default}
-      CAMELEER_OIDC_ISSUER_URI: http://${PUBLIC_HOST:-localhost}/oidc
+      CAMELEER_OIDC_ISSUER_URI: http://auth.${PUBLIC_HOST:-localhost}/oidc
      CAMELEER_OIDC_AUDIENCE: ${CAMELEER_OIDC_AUDIENCE:-https://api.cameleer.local}
    healthcheck:
      test: ["CMD-SHELL", "curl -sf http://localhost:8081/api/v1/health || exit 1"]
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -104,7 +104,7 @@ get_admin_token() {
 get_default_token() {
  curl -s -X POST "${LOGTO_ENDPOINT}/oidc/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
-    -H "Host: ${HOST}" \
+    -H "Host: auth.${HOST}" \
    -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }

@@ -116,18 +116,18 @@ log "Got Management API token."

 # --- Helper: Logto API calls ---
 api_get() {
-  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
+  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: auth.${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
 }
 api_post() {
-  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" \
+  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: auth.${HOST}" \
    -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_put() {
-  curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" \
+  curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: auth.${HOST}" \
    -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_delete() {
-  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
+  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: auth.${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }

 # ============================================================
--- a/ui/src/config.ts
+++ b/ui/src/config.ts
@@ -22,7 +22,7 @@ export async function fetchConfig(): Promise<AppConfig> {

  // Fallback to env vars (Vite dev mode)
  cached = {
-    logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || `http://${window.location.hostname}`,
+    logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || `http://auth.${window.location.hostname}`,
    logtoClientId: import.meta.env.VITE_LOGTO_CLIENT_ID || '',
    logtoResource: import.meta.env.VITE_LOGTO_RESOURCE || '',
    scopes: [