fix: return browser-accessible Logto URL from /api/config

Separate LOGTO_PUBLIC_ENDPOINT (browser-facing, defaults to http://localhost:3001) from LOGTO_ENDPOINT (Docker-internal). Also fix bootstrap M2M verification by using correct Host header for default tenant token endpoint. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 00:33:43 +02:00
parent a20d36df38
commit beb3442c07
5 changed files with 17 additions and 7 deletions
--- a/.env.example
+++ b/.env.example
@@ -11,6 +11,7 @@ POSTGRES_DB=cameleer_saas

 # Logto Identity Provider
 LOGTO_ENDPOINT=http://logto:3001
+LOGTO_PUBLIC_ENDPOINT=http://localhost:3001
 LOGTO_ISSUER_URI=http://logto:3001/oidc
 LOGTO_JWK_SET_URI=http://logto:3001/oidc/jwks
 LOGTO_DB_PASSWORD=change_me_in_production
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -92,6 +92,7 @@ services:
      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER:-cameleer}
      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
      LOGTO_ENDPOINT: ${LOGTO_ENDPOINT:-http://logto:3001}
+      LOGTO_PUBLIC_ENDPOINT: ${LOGTO_PUBLIC_ENDPOINT:-http://localhost:3001}
      LOGTO_ISSUER_URI: ${LOGTO_ISSUER_URI:-http://logto:3001/oidc}
      LOGTO_JWK_SET_URI: ${LOGTO_JWK_SET_URI:-http://logto:3001/oidc/jwks}
      LOGTO_M2M_CLIENT_ID: ${LOGTO_M2M_CLIENT_ID:-}
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -47,15 +47,22 @@ M_DEFAULT_SECRET=$(PGPASSWORD="${PG_PASSWORD:-cameleer_dev}" psql -h "$PG_HOST"
 log "Got m-default secret."

 # --- Get Management API token ---
-get_token() {
+get_admin_token() {
  curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Host: localhost:3002" \
    -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }

+get_default_token() {
+  curl -s -X POST "${LOGTO_ENDPOINT}/oidc/token" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -H "Host: localhost:3001" \
+    -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
+}
+
 log "Getting Management API token..."
-TOKEN_RESPONSE=$(get_token "m-default" "$M_DEFAULT_SECRET")
+TOKEN_RESPONSE=$(get_admin_token "m-default" "$M_DEFAULT_SECRET")
 log "Token response: $(echo "$TOKEN_RESPONSE" | head -c 200)"
 TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token' 2>/dev/null)
 [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ] && { log "ERROR: Failed to get token"; exit 1; }
@@ -137,7 +144,7 @@ else
      log "Assigned Management API role to M2M app."

      # Verify our M2M app works
-      VERIFY=$(get_token "$M2M_ID" "$M2M_SECRET")
+      VERIFY=$(get_default_token "$M2M_ID" "$M2M_SECRET")
      VERIFY_TOKEN=$(echo "$VERIFY" | jq -r '.access_token')
      if [ -n "$VERIFY_TOKEN" ] && [ "$VERIFY_TOKEN" != "null" ]; then
        log "Verified M2M app works."
--- a/src/main/java/net/siegeln/cameleer/saas/config/PublicConfigController.java
+++ b/src/main/java/net/siegeln/cameleer/saas/config/PublicConfigController.java
@@ -17,8 +17,8 @@ public class PublicConfigController {
    private static final Logger log = LoggerFactory.getLogger(PublicConfigController.class);
    private static final String BOOTSTRAP_FILE = "/data/bootstrap/logto-bootstrap.json";

-    @Value("${cameleer.identity.logto-endpoint:}")
-    private String logtoEndpoint;
+    @Value("${cameleer.identity.logto-public-endpoint:${cameleer.identity.logto-endpoint:}}")
+    private String logtoPublicEndpoint;

    @Value("${cameleer.identity.spa-client-id:}")
    private String spaClientId;
@@ -34,8 +34,8 @@ public class PublicConfigController {
            clientId = readBootstrapClientId();
        }

-        // Use external Logto endpoint for browser redirects
-        String endpoint = logtoEndpoint;
+        // Use public endpoint for browser redirects (not Docker-internal URL)
+        String endpoint = logtoPublicEndpoint;
        if (endpoint == null || endpoint.isEmpty()) {
            endpoint = "http://localhost:3001";
        }
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -35,6 +35,7 @@ cameleer:
    public-key-path: ${CAMELEER_JWT_PUBLIC_KEY_PATH:}
  identity:
    logto-endpoint: ${LOGTO_ENDPOINT:}
+    logto-public-endpoint: ${LOGTO_PUBLIC_ENDPOINT:}
    m2m-client-id: ${LOGTO_M2M_CLIENT_ID:}
    m2m-client-secret: ${LOGTO_M2M_CLIENT_SECRET:}
    spa-client-id: ${LOGTO_SPA_CLIENT_ID:}