From 9f3faf4816cc935455f2d91df0ef1e1d58c40a8a Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Sat, 25 Apr 2026 08:50:16 +0200
Subject: [PATCH] fix(traefik): set Logto router priority=1 to prevent route
 hijacking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Traefik auto-calculates router priority from rule string length. When
deployed with a domain longer than 23 chars (e.g. app.cameleer.io),
Host(`app.cameleer.io`) (25 chars) outranks PathPrefix(`/platform`)
(23 chars), causing ALL requests — including /platform/* — to route
to Logto instead of the SaaS app. This breaks login because the sign-in
UI loads without an OIDC interaction session.

Setting priority=1 makes Logto a true catch-all, matching the intent
documented in docker/CLAUDE.md.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docker-compose.yml                          | 1 +
 installer/templates/docker-compose.saas.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 0a8c917..25d1757 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -94,6 +94,7 @@ services:
     labels:
       - traefik.enable=true
       - "traefik.http.routers.cameleer-logto.rule=Host(`${AUTH_HOST:-localhost}`)"
+      - traefik.http.routers.cameleer-logto.priority=1
       - traefik.http.routers.cameleer-logto.entrypoints=websecure
       - traefik.http.routers.cameleer-logto.tls=true
       - traefik.http.routers.cameleer-logto.service=cameleer-logto
diff --git a/installer/templates/docker-compose.saas.yml b/installer/templates/docker-compose.saas.yml
index 833bf1f..239d756 100644
--- a/installer/templates/docker-compose.saas.yml
+++ b/installer/templates/docker-compose.saas.yml
@@ -41,6 +41,7 @@ services:
     labels:
       - traefik.enable=true
       - "traefik.http.routers.cameleer-logto.rule=Host(`${AUTH_HOST:-localhost}`)"
+      - traefik.http.routers.cameleer-logto.priority=1
       - traefik.http.routers.cameleer-logto.entrypoints=websecure
       - traefik.http.routers.cameleer-logto.tls=true
       - traefik.http.routers.cameleer-logto.service=cameleer-logto