From 0472528cd6dafcfbe5ba6b54fadab1154838b2e2 Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Sun, 5 Apr 2026 17:42:17 +0200 Subject: [PATCH] fix: move Logto to auth.localhost subdomain to avoid /assets path conflict Logto's login page references /assets/* which conflicts with the SPA's assets at the same path. Using Host-based routing (auth.localhost) gives Logto its own namespace - all paths on that subdomain go to Logto, eliminating the conflict. *.localhost resolves to 127.0.0.1 and is a secure context. Co-Authored-By: Claude Opus 4.6 (1M context) --- docker-compose.yml | 12 ++++++------ docker/logto-bootstrap.sh | 10 +++++----- ui/src/config.ts | 2 +- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 45630a9..8ecf426 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -39,7 +39,7 @@ services: entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"] environment: DB_URL: postgres://${POSTGRES_USER:-cameleer}:${POSTGRES_PASSWORD:-cameleer_dev}@postgres:5432/logto - ENDPOINT: http://${PUBLIC_HOST:-localhost} + ENDPOINT: http://auth.${PUBLIC_HOST:-localhost} ADMIN_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3002 TRUST_PROXY_HEADER: 1 healthcheck: @@ -50,7 +50,7 @@ services: start_period: 15s labels: - traefik.enable=true - - traefik.http.routers.logto.rule=PathPrefix(`/oidc`) || PathPrefix(`/interaction`) + - traefik.http.routers.logto.rule=Host(`auth.${PUBLIC_HOST:-localhost}`) - traefik.http.services.logto.loadbalancer.server.port=3001 networks: - cameleer @@ -67,7 +67,7 @@ services: environment: LOGTO_ENDPOINT: http://logto:3001 LOGTO_ADMIN_ENDPOINT: http://logto:3002 - LOGTO_PUBLIC_ENDPOINT: http://${PUBLIC_HOST:-localhost} + LOGTO_PUBLIC_ENDPOINT: http://auth.${PUBLIC_HOST:-localhost} PUBLIC_HOST: ${PUBLIC_HOST:-localhost} PG_HOST: postgres PG_USER: ${POSTGRES_USER:-cameleer} @@ -104,8 +104,8 @@ services: SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER:-cameleer} SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev} LOGTO_ENDPOINT: ${LOGTO_ENDPOINT:-http://logto:3001} - LOGTO_PUBLIC_ENDPOINT: http://${PUBLIC_HOST:-localhost} - LOGTO_ISSUER_URI: http://${PUBLIC_HOST:-localhost}/oidc + LOGTO_PUBLIC_ENDPOINT: http://auth.${PUBLIC_HOST:-localhost} + LOGTO_ISSUER_URI: http://auth.${PUBLIC_HOST:-localhost}/oidc LOGTO_JWK_SET_URI: ${LOGTO_ENDPOINT:-http://logto:3001}/oidc/jwks LOGTO_M2M_CLIENT_ID: ${LOGTO_M2M_CLIENT_ID:-} LOGTO_M2M_CLIENT_SECRET: ${LOGTO_M2M_CLIENT_SECRET:-} @@ -139,7 +139,7 @@ services: CAMELEER_AUTH_TOKEN: ${CAMELEER_AUTH_TOKEN:-default-bootstrap-token} CAMELEER_JWT_SECRET: ${CAMELEER_JWT_SECRET:-cameleer-dev-jwt-secret-change-in-production} CAMELEER_TENANT_ID: ${CAMELEER_TENANT_SLUG:-default} - CAMELEER_OIDC_ISSUER_URI: http://${PUBLIC_HOST:-localhost}/oidc + CAMELEER_OIDC_ISSUER_URI: http://auth.${PUBLIC_HOST:-localhost}/oidc CAMELEER_OIDC_AUDIENCE: ${CAMELEER_OIDC_AUDIENCE:-https://api.cameleer.local} healthcheck: test: ["CMD-SHELL", "curl -sf http://localhost:8081/api/v1/health || exit 1"] diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh index 231dcad..eac0000 100644 --- a/docker/logto-bootstrap.sh +++ b/docker/logto-bootstrap.sh @@ -104,7 +104,7 @@ get_admin_token() { get_default_token() { curl -s -X POST "${LOGTO_ENDPOINT}/oidc/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -H "Host: ${HOST}" \ + -H "Host: auth.${HOST}" \ -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all" } @@ -116,18 +116,18 @@ log "Got Management API token." # --- Helper: Logto API calls --- api_get() { - curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]" + curl -s -H "Authorization: Bearer $TOKEN" -H "Host: auth.${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]" } api_post() { - curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" \ + curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: auth.${HOST}" \ -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true } api_put() { - curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" \ + curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: auth.${HOST}" \ -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true } api_delete() { - curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true + curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: auth.${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true } # ============================================================ diff --git a/ui/src/config.ts b/ui/src/config.ts index fb32c44..c0de35a 100644 --- a/ui/src/config.ts +++ b/ui/src/config.ts @@ -22,7 +22,7 @@ export async function fetchConfig(): Promise { // Fallback to env vars (Vite dev mode) cached = { - logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || `http://${window.location.hostname}`, + logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || `http://auth.${window.location.hostname}`, logtoClientId: import.meta.env.VITE_LOGTO_CLIENT_ID || '', logtoResource: import.meta.env.VITE_LOGTO_RESOURCE || '', scopes: [