From e24c6da025b76dbdbb12d4c6835287afa8b29d86 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Fri, 10 Apr 2026 11:54:57 +0200
Subject: [PATCH] feat: grant vendor user Logto admin console access during bootstrap
When VENDOR_SEED_ENABLED=true, the vendor user is now also created in the Logto admin tenant with user + default:admin roles, giving them access to the Logto admin console at port 3002.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker/logto-bootstrap.sh | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 86cff8c..8e19f9e 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -658,6 +658,35 @@ if [ "$VENDOR_SEED_ENABLED" = "true" ]; then
 log " Added to org '$SEED_ORG_NAME' with owner role."
 done
+ # Grant vendor user Logto console access (admin tenant, port 3002)
+ if [ -n "$ADMIN_TOKEN" ] && [ "$ADMIN_TOKEN" != "null" ]; then
+ log "Granting vendor Logto console access..."
+ VENDOR_CONSOLE_USER_ID=$(admin_api_get "/api/users?search=$VENDOR_USER" | jq -r ".[] | select(.username == \"$VENDOR_USER\") | .id" 2>/dev/null)
+ if [ -z "$VENDOR_CONSOLE_USER_ID" ] || [ "$VENDOR_CONSOLE_USER_ID" = "null" ]; then
+ VENDOR_CONSOLE_RESPONSE=$(admin_api_post "/api/users" "{
+ \"username\": \"$VENDOR_USER\",
+ \"password\": \"$VENDOR_PASS\",
+ \"name\": \"$VENDOR_NAME\"
+ }")
+ VENDOR_CONSOLE_USER_ID=$(echo "$VENDOR_CONSOLE_RESPONSE" | jq -r '.id')
+ log "Created vendor console user: $VENDOR_CONSOLE_USER_ID"
+ else
+ log "Vendor console user exists: $VENDOR_CONSOLE_USER_ID"
+ fi
+ if [ -n "$VENDOR_CONSOLE_USER_ID" ] && [ "$VENDOR_CONSOLE_USER_ID" != "null" ]; then
+ ADMIN_USER_ROLE_ID=$(admin_api_get "/api/roles" | jq -r '.[] | select(.name == "user") | .id')
+ ADMIN_ROLE_ID=$(admin_api_get "/api/roles" | jq -r '.[] | select(.name == "default:admin") | .id')
+ V_ROLE_IDS="[]"
+ [ -n "$ADMIN_USER_ROLE_ID" ] && [ "$ADMIN_USER_ROLE_ID" != "null" ] && V_ROLE_IDS=$(echo "$V_ROLE_IDS" | jq ". + [\"$ADMIN_USER_ROLE_ID\"]")
+ [ -n "$ADMIN_ROLE_ID" ] && [ "$ADMIN_ROLE_ID" != "null" ] && V_ROLE_IDS=$(echo "$V_ROLE_IDS" | jq ". + [\"$ADMIN_ROLE_ID\"]")
+ [ "$V_ROLE_IDS" != "[]" ] && admin_api_post "/api/users/$VENDOR_CONSOLE_USER_ID/roles" "{\"roleIds\": $V_ROLE_IDS}" >/dev/null 2>&1
+ admin_api_post "/api/organizations/t-default/users" "{\"userIds\": [\"$VENDOR_CONSOLE_USER_ID\"]}" >/dev/null 2>&1
+ log "Vendor granted Logto console access."
+ fi
+ else
+ log "Skipping vendor console access (no admin token)."
+ fi
+
 log "Vendor seed complete."
 fi
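Review bot: The user-creation body and the jq lookup filter are built by interpolating `$VENDOR_USER`, `$VENDOR_PASS` and `$VENDOR_NAME` into quoted strings, so a value containing `"` or `\` produces malformed or altered JSON (or an altered jq filter) for an account that is about to receive `default:admin`. Both should be built with jq arguments, as in the fence below. Separately, the role and `t-default` organization POSTs discard their output and status, and "Vendor granted Logto console access." is logged unconditionally, so a failed grant or a missing `default:admin` role goes unnoticed; check the result before logging success. Because this gives Logto admin-console rights with the same `VENDOR_PASS` whenever `VENDOR_SEED_ENABLED=true`, and also elevates any pre-existing admin-tenant user with that username, a dedicated opt-in flag would keep the seed switch from silently widening privilege. The enclosing `if [ "$VENDOR_SEED_ENABLED" = "true" ]` block starts outside the hunk.

```shell
    VENDOR_CONSOLE_USER_ID=$(admin_api_get "/api/users?search=$VENDOR_USER" \
      | jq -r --arg u "$VENDOR_USER" '.[] | select(.username == $u) | .id' 2>/dev/null)
    # … unchanged: check whether the lookup returned an id …
      VENDOR_CONSOLE_BODY=$(jq -n --arg u "$VENDOR_USER" --arg p "$VENDOR_PASS" --arg n "$VENDOR_NAME" \
        '{username: $u, password: $p, name: $n}')
      VENDOR_CONSOLE_RESPONSE=$(admin_api_post "/api/users" "$VENDOR_CONSOLE_BODY")
    # … unchanged: id extraction, role lookup, role and organization assignment …
```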