fix: add X-Forwarded-Proto to bootstrap admin endpoint calls

Logto's ADMIN_ENDPOINT is now HTTPS but bootstrap calls the internal HTTP endpoint directly. TRUST_PROXY_HEADER needs X-Forwarded-Proto to resolve the correct scheme. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 23:53:29 +02:00
parent 73388e15e2
commit 5f560e9f33
1 changed files with 5 additions and 3 deletions
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -99,6 +99,7 @@ get_admin_token() {
  curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Host: ${HOST}:3002" \
+    -H "X-Forwarded-Proto: https" \
    -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }

@@ -391,6 +392,7 @@ else
  ADMIN_TOKEN_RESPONSE=$(curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Host: ${HOST}:3002" \
+    -H "X-Forwarded-Proto: https" \
    -d "grant_type=client_credentials&client_id=m-admin&client_secret=${M_ADMIN_SECRET}&resource=${ADMIN_MGMT_RESOURCE}&scope=all")
  ADMIN_TOKEN=$(echo "$ADMIN_TOKEN_RESPONSE" | jq -r '.access_token' 2>/dev/null)

@@ -402,14 +404,14 @@ else

    # Admin-tenant API helpers (port 3002, admin token)
    admin_api_get() {
-      curl -s -H "Authorization: Bearer $ADMIN_TOKEN" -H "Host: ${HOST}:3002" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || echo "[]"
+      curl -s -H "Authorization: Bearer $ADMIN_TOKEN" -H "Host: ${HOST}:3002" -H "X-Forwarded-Proto: https" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || echo "[]"
    }
    admin_api_post() {
-      curl -s -X POST -H "Authorization: Bearer $ADMIN_TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" \
+      curl -s -X POST -H "Authorization: Bearer $ADMIN_TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" -H "X-Forwarded-Proto: https" \
        -d "$2" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || true
    }
    admin_api_patch() {
-      curl -s -X PATCH -H "Authorization: Bearer $ADMIN_TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" \
+      curl -s -X PATCH -H "Authorization: Bearer $ADMIN_TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" -H "X-Forwarded-Proto: https" \
        -d "$2" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || true
    }