From 3b29248845be9997fcd75f7d6d3bdc3d8156a29a Mon Sep 17 00:00:00 2001 From: Jean-Luc Makiola Date: Wed, 8 Apr 2026 22:16:59 +0200 Subject: [PATCH] fix: return database user ID from /api/auth/me instead of Logto sub The /me endpoint was returning auth.sub (Logto's opaque string) as the user ID, but the frontend and other API endpoints expect numeric DB IDs. This caused "can't access property 'id', w[0] is undefined" after login. Also documents Logto OIDC setup requirements (scopes, env vars) in CLAUDE.md. Co-Authored-By: Claude Opus 4.6 (1M context) --- CLAUDE.md | 19 ++++++++++++++++--- src/server/routes/auth.ts | 5 ++++- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index f9c12ad..7914ae1 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -109,13 +109,26 @@ Always use existing components instead of rebuilding with plain HTML. Check `src ## Authentication -- **First run**: No users exist. Visit `/login` to create your admin account. -- **Web UI**: Cookie-based sessions (`gearbox_session`), 30-day expiry, auto-refreshed. +- **OIDC via Logto**: Authentication is handled by an external Logto instance via `@hono/oidc-auth`. Users are redirected to Logto for login, and sessions are managed via OIDC cookies. - **Programmatic access**: API keys created in Settings > API Keys. Pass via `X-API-Key` header. - **Public read**: All GET endpoints work without auth. POST/PUT/DELETE require auth. -- **Auth routes**: `/api/auth/login`, `/api/auth/logout`, `/api/auth/setup`, `/api/auth/me`, `/api/auth/password`, `/api/auth/keys`. +- **Auth routes**: `/api/auth/me`, `/api/auth/keys`, `/api/auth/profile`. - **MCP OAuth**: OAuth 2.1 + PKCE for Claude mobile/web. Endpoints at `/oauth/*`. Uses existing GearBox credentials. +### Logto Setup + +The Logto application must be configured with the correct scopes. In the Logto admin console, go to the application settings and ensure the following **User Scopes** are granted: `openid`, `profile`, `email` (matching the `OIDC_SCOPES` env var). + +**Required env vars:** +```bash +OIDC_ISSUER=https://your-logto-domain/oidc # Logto OIDC issuer URL +OIDC_CLIENT_ID= # From Logto app settings +OIDC_CLIENT_SECRET= # From Logto app settings +OIDC_AUTH_SECRET= # Session encryption key +OIDC_SCOPES="openid profile email" # Must match Logto app scopes +OIDC_REDIRECT_URI=https://your-app/callback # Must match Logto redirect URI +``` + ## MCP Server GearBox includes a built-in MCP server for integration with Claude Code and Claude Desktop. Enabled by default, disable with `GEARBOX_MCP=false`. Authenticated via API key or OAuth 2.1 Bearer token. diff --git a/src/server/routes/auth.ts b/src/server/routes/auth.ts index 5b98ab7..7d7dd53 100644 --- a/src/server/routes/auth.ts 
+++ b/src/server/routes/auth.ts @@ -8,6 +8,7 @@ import { requireAuth } from "../middleware/auth.ts"; import { createApiKey, deleteApiKey, + getOrCreateUser, listApiKeys, } from "../services/auth.service.ts"; import { updateProfile } from "../services/profile.service.ts"; @@ -23,8 +24,10 @@ const app = new Hono(); app.get("/me", async (c) => { const auth = await getAuth(c); if (auth) { + const db = c.get("db"); + const user = await getOrCreateUser(db, auth.sub); return c.json({ - user: { id: auth.sub, email: auth.email }, + user: { id: user.id, email: auth.email }, authenticated: true, }); }
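Review bot: In the CLAUDE.md hunk, removing the `/api/auth/login`, `/api/auth/setup` and `/api/auth/password` routes leaves two documentation gaps that the new "Logto Setup" section does not close. First, the deleted "First run" bullet described how the admin account is bootstrapped; with OIDC there is no replacement statement of how the first Logto user becomes an admin (or whether every Logto user who can sign in gets an account), so add a bullet under "Logto Setup" stating the intended behaviour. Second, the unchanged "MCP OAuth" bullet still says it "Uses existing GearBox credentials", but this patch removes the password-based auth routes, so that sentence should be updated to say what the MCP OAuth flow now authenticates against. For the env var block, `OIDC_AUTH_SECRET=  # Session encryption key` and `OIDC_CLIENT_SECRET=` would be clearer with a note on how to generate a sufficiently long random value and that these belong in an untracked `.env`, not in the repository.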
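Review bot: In the `/me` hunk, `getOrCreateUser(db, auth.sub)` turns a GET on `/api/auth/me` into an account-provisioning step for any subject the Logto tenant authenticates, and it is called with only `auth.sub`, so the created row carries no email while the response returns `auth.email` from the token rather than `user.email` from the database; the two can diverge. If auto-provisioning on first login is intended, document it (see the CLAUDE.md hunk) and consider passing `auth.email` into `getOrCreateUser` and returning `user.email` so the stored and reported identities agree. Also verify that the `requireAuth` middleware (imported in the context above) resolves the Logto subject to the same DB user via the same function, otherwise `/me` and the other endpoints can still disagree on the numeric ID that this fix is meant to make consistent. Finally, `auth.email` is undefined when the `email` scope is not granted, which the CLAUDE.md hunk calls out as a setup requirement; a check that logs or rejects on a missing email would surface that misconfiguration instead of silently returning `email: undefined`.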