From e90ca299202006a4a8a257f373ea5d0cbc8cf6a0 Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Sun, 5 Apr 2026 17:07:20 +0200 Subject: [PATCH] fix: centralize public hostname into single PUBLIC_HOST env var All public-facing URLs (Logto OIDC, redirect URIs, dashboard links) now derive from PUBLIC_HOST in .env instead of scattered localhost references. Resolves Docker networking ambiguity where localhost inside containers doesn't reach the host machine. Co-Authored-By: Claude Opus 4.6 (1M context) --- docker-compose.yml | 15 ++++++++------- docker/logto-bootstrap.sh | 25 +++++++++++++------------ ui/src/components/Layout.tsx | 2 +- ui/src/config.ts | 2 +- 4 files changed, 23 insertions(+), 21 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 69743cf..1dce499 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -39,8 +39,8 @@ services: entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"] environment: DB_URL: postgres://${POSTGRES_USER:-cameleer}:${POSTGRES_PASSWORD:-cameleer_dev}@postgres:5432/logto - ENDPOINT: ${LOGTO_PUBLIC_ENDPOINT:-http://localhost:3001} - ADMIN_ENDPOINT: ${LOGTO_ADMIN_ENDPOINT:-http://localhost:3002} + ENDPOINT: http://${PUBLIC_HOST:-localhost}:3001 + ADMIN_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3002 TRUST_PROXY_HEADER: 1 healthcheck: test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3001/oidc/.well-known/openid-configuration', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))\""] @@ -67,7 +67,8 @@ services: environment: LOGTO_ENDPOINT: http://logto:3001 LOGTO_ADMIN_ENDPOINT: http://logto:3002 - LOGTO_PUBLIC_ENDPOINT: ${LOGTO_PUBLIC_ENDPOINT:-http://localhost:3001} + LOGTO_PUBLIC_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3001 + PUBLIC_HOST: ${PUBLIC_HOST:-localhost} PG_HOST: postgres PG_USER: ${POSTGRES_USER:-cameleer} PG_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev} @@ -103,9 +104,9 @@ services: SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER:-cameleer} SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev} LOGTO_ENDPOINT: ${LOGTO_ENDPOINT:-http://logto:3001} - LOGTO_PUBLIC_ENDPOINT: ${LOGTO_PUBLIC_ENDPOINT:-http://localhost:3001} - LOGTO_ISSUER_URI: ${LOGTO_ISSUER_URI:-http://logto:3001/oidc} - LOGTO_JWK_SET_URI: ${LOGTO_JWK_SET_URI:-http://logto:3001/oidc/jwks} + LOGTO_PUBLIC_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3001 + LOGTO_ISSUER_URI: http://${PUBLIC_HOST:-localhost}:3001/oidc + LOGTO_JWK_SET_URI: http://${PUBLIC_HOST:-localhost}:3001/oidc/jwks LOGTO_M2M_CLIENT_ID: ${LOGTO_M2M_CLIENT_ID:-} LOGTO_M2M_CLIENT_SECRET: ${LOGTO_M2M_CLIENT_SECRET:-} CAMELEER3_SERVER_ENDPOINT: http://cameleer3-server:8081 @@ -138,7 +139,7 @@ services: CAMELEER_AUTH_TOKEN: ${CAMELEER_AUTH_TOKEN:-default-bootstrap-token} CAMELEER_JWT_SECRET: ${CAMELEER_JWT_SECRET:-cameleer-dev-jwt-secret-change-in-production} CAMELEER_TENANT_ID: ${CAMELEER_TENANT_SLUG:-default} - CAMELEER_OIDC_ISSUER_URI: ${LOGTO_ISSUER_URI:-http://logto:3001/oidc} + CAMELEER_OIDC_ISSUER_URI: http://${PUBLIC_HOST:-localhost}:3001/oidc CAMELEER_OIDC_AUDIENCE: ${CAMELEER_OIDC_AUDIENCE:-https://api.cameleer.local} healthcheck: test: ["CMD-SHELL", "curl -sf http://localhost:8081/api/v1/health || exit 1"] diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh index 6690dc7..9e99101 100644 --- a/docker/logto-bootstrap.sh +++ b/docker/logto-bootstrap.sh @@ -40,11 +40,12 @@ SERVER_ENDPOINT="${SERVER_ENDPOINT:-http://cameleer3-server:8081}" SERVER_UI_USER="${SERVER_UI_USER:-admin}" SERVER_UI_PASS="${SERVER_UI_PASS:-admin}" -# Redirect URIs -SPA_REDIRECT_URIS='["http://localhost/callback","http://localhost:8080/callback","http://localhost:5173/callback"]' -SPA_POST_LOGOUT_URIS='["http://localhost/login","http://localhost:8080/login","http://localhost:5173/login"]' -TRAD_REDIRECT_URIS='["http://localhost:8081/oidc/callback"]' -TRAD_POST_LOGOUT_URIS='["http://localhost:8081"]' +# Redirect URIs (derived from PUBLIC_HOST) +HOST="${PUBLIC_HOST:-localhost}" +SPA_REDIRECT_URIS="[\"http://${HOST}/callback\",\"http://${HOST}:8080/callback\",\"http://${HOST}:5173/callback\"]" +SPA_POST_LOGOUT_URIS="[\"http://${HOST}/login\",\"http://${HOST}:8080/login\",\"http://${HOST}:5173/login\"]" +TRAD_REDIRECT_URIS="[\"http://${HOST}:8081/oidc/callback\"]" +TRAD_POST_LOGOUT_URIS="[\"http://${HOST}:8081\"]" log() { echo "[bootstrap] $1"; } pgpass() { PGPASSWORD="${PG_PASSWORD:-cameleer_dev}"; export PGPASSWORD; } @@ -96,14 +97,14 @@ M_DEFAULT_SECRET=$(psql -h "$PG_HOST" -U "$PG_USER" -d "$PG_DB_LOGTO" -t -A -c \ get_admin_token() { curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -H "Host: localhost:3002" \ + -H "Host: ${HOST}:3002" \ -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all" } get_default_token() { curl -s -X POST "${LOGTO_ENDPOINT}/oidc/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -H "Host: localhost:3001" \ + -H "Host: ${HOST}:3001" \ -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all" } @@ -115,18 +116,18 @@ log "Got Management API token." # --- Helper: Logto API calls --- api_get() { - curl -s -H "Authorization: Bearer $TOKEN" -H "Host: localhost:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]" + curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]" } api_post() { - curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: localhost:3001" \ + curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3001" \ -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true } api_put() { - curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: localhost:3001" \ + curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3001" \ -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true } api_delete() { - curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: localhost:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true + curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true } # ============================================================ @@ -442,7 +443,7 @@ if [ "$SERVER_HEALTHY" = "yes" ] && [ -n "$TRAD_SECRET" ]; then -H "Content-Type: application/json" \ -d "{ \"enabled\": true, - \"issuerUri\": \"$LOGTO_ENDPOINT/oidc\", + \"issuerUri\": \"$LOGTO_PUBLIC_ENDPOINT/oidc\", \"clientId\": \"$TRAD_ID\", \"clientSecret\": \"$TRAD_SECRET\", \"autoSignup\": true, diff --git a/ui/src/components/Layout.tsx b/ui/src/components/Layout.tsx index 9e68e21..355bd70 100644 --- a/ui/src/components/Layout.tsx +++ b/ui/src/components/Layout.tsx @@ -162,7 +162,7 @@ export function Layout() { } label="View Dashboard" - onClick={() => window.open('http://localhost:8082', '_blank', 'noopener')} + onClick={() => window.open(`http://${window.location.hostname}:8082`, '_blank', 'noopener')} /> {/* User info + logout */} diff --git a/ui/src/config.ts b/ui/src/config.ts index fc866c2..cb876f2 100644 --- a/ui/src/config.ts +++ b/ui/src/config.ts @@ -22,7 +22,7 @@ export async function fetchConfig(): Promise { // Fallback to env vars (Vite dev mode) cached = { - logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || 'http://localhost:3001', + logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || `http://${window.location.hostname}:3001`, logtoClientId: import.meta.env.VITE_LOGTO_CLIENT_ID || '', logtoResource: import.meta.env.VITE_LOGTO_RESOURCE || '', scopes: [