docs: update architecture for custom sign-in UI and CI pipeline
- CLAUDE.md: add custom sign-in UI section, update routing table, document auto-redirect, CI-built images, no local builds, dev override without volume mounts - Design spec: reflect final implementation — custom Logto image, no CUSTOM_UI_PATH, no init containers, bundled favicon Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
19
CLAUDE.md
19
CLAUDE.md
@@ -35,12 +35,23 @@ All services on one hostname. Two env vars control everything: `PUBLIC_HOST` + `
|
||||
| `/platform/*` | cameleer-saas:8080 | SPA + API (`server.servlet.context-path: /platform`) |
|
||||
| `/server/*` | cameleer3-server-ui:80 | Server dashboard (strip-prefix + `BASE_PATH=/server`) |
|
||||
| `/` | redirect → `/platform/` | Via `docker/traefik-dynamic.yml` |
|
||||
| `/*` (catch-all) | logto:3001 (priority=1) | Sign-in, OIDC, interaction, assets |
|
||||
| `/*` (catch-all) | cameleer-logto:3001 (priority=1) | Custom sign-in UI, OIDC, interaction |
|
||||
|
||||
- SPA assets at `/_app/` (Vite `assetsDir: '_app'`) to avoid conflict with Logto's `/assets/`
|
||||
- Logto `ENDPOINT` = `${PUBLIC_PROTOCOL}://${PUBLIC_HOST}` (same domain, same origin)
|
||||
- TLS: self-signed cert init container (`traefik-certs`) for dev, ACME for production
|
||||
- Root `/` → `/platform/` redirect via Traefik file provider (`docker/traefik-dynamic.yml`)
|
||||
- LoginPage auto-redirects to Logto OIDC (no intermediate button)
|
||||
|
||||
### Custom sign-in UI (`ui/sign-in/`)
|
||||
|
||||
Separate Vite+React SPA replacing Logto's default sign-in page. Visually matches cameleer3-server LoginPage.
|
||||
|
||||
- Built as custom Logto Docker image (`cameleer-logto`): `ui/sign-in/Dockerfile` = node build stage + `FROM ghcr.io/logto-io/logto:latest` + COPY dist over `/etc/logto/packages/experience/dist/`
|
||||
- Uses `@cameleer/design-system` components (Card, Input, Button, FormField, Alert)
|
||||
- Authenticates via Logto Experience API (4-step: init → verify password → identify → submit → redirect)
|
||||
- `CUSTOM_UI_PATH` env var does NOT work for Logto OSS — must volume-mount or replace the experience dist directory
|
||||
- Favicon bundled in `ui/sign-in/public/favicon.svg` (served by Logto, not SaaS)
|
||||
|
||||
### Auth enforcement
|
||||
|
||||
@@ -83,7 +94,11 @@ SaaS admin credentials (`SAAS_ADMIN_USER`/`SAAS_ADMIN_PASS`) work for both the S
|
||||
- Gitea-hosted: `gitea.siegeln.net/cameleer/`
|
||||
- CI: `.gitea/workflows/` — Gitea Actions
|
||||
- K8s target: k3s cluster at 192.168.50.86
|
||||
- Docker builds: multi-stage, buildx with registry cache, `--provenance=false` for Gitea compatibility
|
||||
- Docker images: CI builds and pushes all images — Dockerfiles use multi-stage builds, no local builds needed
|
||||
- `cameleer-saas` — SaaS app (frontend + JAR baked in)
|
||||
- `cameleer-logto` — custom Logto with sign-in UI baked in
|
||||
- Docker builds: `--no-cache`, `--provenance=false` for Gitea compatibility
|
||||
- `docker-compose.dev.yml` — exposes ports for direct access, sets `SPRING_PROFILES_ACTIVE: dev`. No volume mounts — all artifacts come from CI-built images
|
||||
- Design system: import from `@cameleer/design-system` (Gitea npm registry)
|
||||
|
||||
## Disabled Skills
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Custom Logto Sign-In UI
|
||||
# Custom Logto Sign-In UI — IMPLEMENTED
|
||||
|
||||
## Problem
|
||||
|
||||
@@ -10,7 +10,7 @@ Replace Logto's sign-in UI with a custom React SPA that visually matches the cam
|
||||
|
||||
## Scope
|
||||
|
||||
**MVP**: Username/password sign-in only.
|
||||
**MVP (implemented)**: Username/password sign-in only.
|
||||
**Later**: Sign-up, forgot password, social login, MFA.
|
||||
|
||||
## Architecture
|
||||
@@ -21,19 +21,22 @@ Separate Vite+React app at `ui/sign-in/`. Own `package.json`, shares `@cameleer/
|
||||
|
||||
### Build
|
||||
|
||||
Added as a Docker build stage in the SaaS `Dockerfile`. The dist is copied into the SaaS image at `/app/sign-in-dist/`.
|
||||
Custom Logto Docker image (`cameleer-logto`). `ui/sign-in/Dockerfile` has a multi-stage build: node stage builds the SPA, then copies dist over Logto's built-in experience directory at `/etc/logto/packages/experience/dist/`. CI builds and pushes the image.
|
||||
|
||||
**Note**: `CUSTOM_UI_PATH` env var does NOT work for Logto OSS — it's a Logto Cloud-only feature. The correct approach for self-hosted is replacing the experience dist directory.
|
||||
|
||||
### Deploy
|
||||
|
||||
SaaS entrypoint (`docker/saas-entrypoint.sh`) copies the built sign-in dist to a shared Docker volume (`signinui`). Logto reads from that volume via `CUSTOM_UI_PATH=/etc/logto/custom-ui`.
|
||||
`docker-compose.yml` pulls the pre-built `cameleer-logto` image. No init containers, no shared volumes, no local builds needed.
|
||||
|
||||
### Flow
|
||||
### Auth Flow
|
||||
|
||||
```
|
||||
User visits /platform/ → SaaS redirects to Logto OIDC
|
||||
User visits /platform/ → LoginPage auto-redirects to Logto OIDC
|
||||
→ Logto sets interaction cookie, serves custom sign-in UI
|
||||
→ User enters credentials → Experience API 4-step flow
|
||||
→ Logto redirects back to /platform/callback with auth code
|
||||
→ SaaS app exchanges code for token, user lands on dashboard
|
||||
```
|
||||
|
||||
## Experience API
|
||||
@@ -60,39 +63,22 @@ Matches cameleer3-server LoginPage exactly:
|
||||
- `Alert` for errors
|
||||
- Background: `var(--bg-base)` (light beige)
|
||||
- Dark mode support via design-system tokens
|
||||
- Favicon bundled in `ui/sign-in/public/favicon.svg` (served by Logto, not SaaS)
|
||||
|
||||
## Files
|
||||
|
||||
### New
|
||||
|
||||
| File | Purpose |
|
||||
|------|---------|
|
||||
| `ui/sign-in/Dockerfile` | Multi-stage: node build + FROM logto:latest + COPY dist |
|
||||
| `ui/sign-in/package.json` | React 19 + @cameleer/design-system + Vite 6 |
|
||||
| `ui/sign-in/.npmrc` | Gitea npm registry for @cameleer scope |
|
||||
| `ui/sign-in/tsconfig.json` | TypeScript config |
|
||||
| `ui/sign-in/vite.config.ts` | Vite build config |
|
||||
| `ui/sign-in/index.html` | Entry HTML |
|
||||
| `ui/sign-in/src/main.tsx` | React mount + design-system CSS import |
|
||||
| `ui/sign-in/src/App.tsx` | App shell |
|
||||
| `ui/sign-in/src/SignInPage.tsx` | Login form with Experience API integration |
|
||||
| `ui/sign-in/src/SignInPage.module.css` | CSS Modules (matches server LoginPage) |
|
||||
| `ui/sign-in/src/experience-api.ts` | Typed Experience API client |
|
||||
| `docker/saas-entrypoint.sh` | Copies sign-in dist to shared volume |
|
||||
| `.gitattributes` | LF line endings |
|
||||
|
||||
### Modified
|
||||
|
||||
| File | Change |
|
||||
|------|--------|
|
||||
| `Dockerfile` | Add `sign-in-frontend` build stage, copy dist to runtime image |
|
||||
| `docker-compose.yml` | Add `CUSTOM_UI_PATH` to Logto, `signinui` shared volume |
|
||||
|
||||
## Docker Timing
|
||||
|
||||
Logto starts before SaaS (dependency chain: postgres → logto → logto-bootstrap → cameleer-saas). The `CUSTOM_UI_PATH` volume is initially empty. This is acceptable because:
|
||||
1. Nobody hits the sign-in page until redirected from `/platform/`
|
||||
2. By that time, SaaS has started and copied the dist files
|
||||
3. Logto serves static files at request time, not startup time
|
||||
| `ui/sign-in/src/experience-api.ts` | Typed Experience API client (4-step flow) |
|
||||
| `ui/sign-in/src/main.tsx` | React mount + design-system CSS import |
|
||||
| `ui/sign-in/public/favicon.svg` | Cameleer camel logo (bundled in dist) |
|
||||
| `ui/src/auth/LoginPage.tsx` | Auto-redirects to Logto OIDC (no button) |
|
||||
| `.gitea/workflows/ci.yml` | Builds and pushes `cameleer-logto` image |
|
||||
| `docker-compose.yml` | Uses `cameleer-logto` image (no build directive) |
|
||||
|
||||
## Future Extensions
|
||||
|
||||
|
||||
Reference in New Issue
Block a user