From f276953b033df1704965da0f7b7171b6c1428df3 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 6 Apr 2026 23:59:49 +0200
Subject: [PATCH] fix: revert ADMIN_ENDPOINT to HTTP, remove X-Forwarded-Proto

Internal Docker traffic is HTTP. Traefik handles TLS termination
for external access. TRUST_PROXY_HEADER lets Logto detect HTTPS
from Traefik's forwarded headers automatically.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docker-compose.yml        |  2 +-
 docker/logto-bootstrap.sh | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 8c51158..2d2e1ae 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -67,7 +67,7 @@ services:
     environment:
       DB_URL: postgres://${POSTGRES_USER:-cameleer}:${POSTGRES_PASSWORD:-cameleer_dev}@postgres:5432/logto
       ENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}
-      ADMIN_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}:3002
+      ADMIN_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3002
       TRUST_PROXY_HEADER: 1
     healthcheck:
       test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3001/oidc/.well-known/openid-configuration', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))\""]
diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index db838d5..3b0f269 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -99,7 +99,7 @@ get_admin_token() {
   curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -H "Host: ${HOST}:3002" \
-    -H "X-Forwarded-Proto: https" \
+    \
     -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }
 
@@ -392,7 +392,7 @@ else
   ADMIN_TOKEN_RESPONSE=$(curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -H "Host: ${HOST}:3002" \
-    -H "X-Forwarded-Proto: https" \
+    \
     -d "grant_type=client_credentials&client_id=m-admin&client_secret=${M_ADMIN_SECRET}&resource=${ADMIN_MGMT_RESOURCE}&scope=all")
   ADMIN_TOKEN=$(echo "$ADMIN_TOKEN_RESPONSE" | jq -r '.access_token' 2>/dev/null)
 
@@ -404,14 +404,14 @@ else
 
     # Admin-tenant API helpers (port 3002, admin token)
     admin_api_get() {
-      curl -s -H "Authorization: Bearer $ADMIN_TOKEN" -H "Host: ${HOST}:3002" -H "X-Forwarded-Proto: https" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || echo "[]"
+      curl -s -H "Authorization: Bearer $ADMIN_TOKEN" -H "Host: ${HOST}:3002" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || echo "[]"
     }
     admin_api_post() {
-      curl -s -X POST -H "Authorization: Bearer $ADMIN_TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" -H "X-Forwarded-Proto: https" \
+      curl -s -X POST -H "Authorization: Bearer $ADMIN_TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" \
         -d "$2" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || true
     }
     admin_api_patch() {
-      curl -s -X PATCH -H "Authorization: Bearer $ADMIN_TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" -H "X-Forwarded-Proto: https" \
+      curl -s -X PATCH -H "Authorization: Bearer $ADMIN_TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" \
         -d "$2" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || true
     }