fix: register API resource in Logto for JWT access tokens

Logto returns opaque access tokens when no resource is specified.
Added API resource creation to bootstrap, included resource indicator
in /api/config, and SPA now passes resource parameter in auth request.
Also fixed issuer-uri to match Logto's public endpoint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker/logto-bootstrap.sh

@@ -16,6 +16,8 @@ PG_DB="logto"
 
 SPA_APP_NAME="Cameleer SaaS"
 M2M_APP_NAME="Cameleer SaaS Backend"
+API_RESOURCE_INDICATOR="https://api.cameleer.local"
+API_RESOURCE_NAME="Cameleer SaaS API"
 DEFAULT_USERNAME="camel"
 DEFAULT_PASSWORD="camel"
 
@@ -103,6 +105,23 @@ else
   log "Created SPA app: $SPA_ID"
 fi
 
+# --- Find or create API resource ---
+log "Checking for existing API resource..."
+EXISTING_RESOURCES=$(api_get "/api/resources")
+API_RESOURCE_ID=$(echo "$EXISTING_RESOURCES" | jq -r ".[] | select(.indicator == \"$API_RESOURCE_INDICATOR\") | .id")
+
+if [ -n "$API_RESOURCE_ID" ]; then
+  log "API resource already exists: $API_RESOURCE_ID"
+else
+  log "Creating API resource..."
+  RESOURCE_RESPONSE=$(api_post "/api/resources" "{
+    \"name\": \"$API_RESOURCE_NAME\",
+    \"indicator\": \"$API_RESOURCE_INDICATOR\"
+  }")
+  API_RESOURCE_ID=$(echo "$RESOURCE_RESPONSE" | jq -r '.id')
+  log "Created API resource: $API_RESOURCE_ID"
+fi
+
 # --- Find or create M2M app ---
 log "Checking for existing M2M app..."
 M2M_ID=$(echo "$EXISTING_APPS" | jq -r ".[] | select(.name == \"$M2M_APP_NAME\" and .type == \"MachineToMachine\") | .id")
@@ -194,6 +213,7 @@ cat > "$BOOTSTRAP_FILE" <<EOF
   "spaClientId": "$SPA_ID",
   "m2mClientId": "$M2M_ID",
   "m2mClientSecret": "$M2M_SECRET",
+  "apiResourceIndicator": "$API_RESOURCE_INDICATOR",
   "defaultUsername": "$DEFAULT_USERNAME"
 }
 EOF