feat(15-01): add Logto service to Docker Compose and create init script
- Add Logto OIDC provider to docker-compose.yml and docker-compose.dev.yml - Create docker/init-logto-db.sql to initialize separate Logto database on Postgres - Add OIDC env vars (issuer, client ID/secret, auth secret) to app service - Document all required env vars in .env.example
This commit is contained in:
@@ -0,0 +1,72 @@
|
||||
# Phase 15: External Authentication - Discussion Log
|
||||
|
||||
> **Audit trail only.** Do not use as input to planning, research, or execution agents.
|
||||
> Decisions are captured in CONTEXT.md — this log preserves the alternatives considered.
|
||||
|
||||
**Date:** 2026-04-04
|
||||
**Phase:** 15-external-authentication
|
||||
**Areas discussed:** Auth Provider Choice, Session Migration Strategy, Login Flow UX, Existing User Migration
|
||||
**Mode:** --auto --batch (all decisions auto-selected)
|
||||
|
||||
---
|
||||
|
||||
## Auth Provider Choice
|
||||
|
||||
| Option | Description | Selected |
|
||||
|--------|-------------|----------|
|
||||
| Logto | Lightweight, purpose-built auth, no Redis, first-class OIDC, simpler deployment | ✓ |
|
||||
| Authentik | Full IdP suite, more features but heavier, may need Redis, more complex setup | |
|
||||
|
||||
**User's choice:** Logto (auto-selected)
|
||||
**Notes:** Matches project's "no Redis" out-of-scope constraint. Logto is simpler to deploy and maintain for a single-app use case.
|
||||
|
||||
---
|
||||
|
||||
## Session Migration Strategy
|
||||
|
||||
| Option | Description | Selected |
|
||||
|--------|-------------|----------|
|
||||
| Replace with OIDC session management | Logto handles sessions, remove users/sessions tables from GearBox | ✓ |
|
||||
| Hybrid — keep GearBox sessions populated from OIDC | Validate OIDC on login, create local session for subsequent requests | |
|
||||
| Token-only — validate OIDC token on every request | No local sessions, every request validates against Logto | |
|
||||
|
||||
**User's choice:** Replace with OIDC session management (auto-selected)
|
||||
**Notes:** Simplifies the codebase by removing credential management from GearBox entirely. API keys remain as the programmatic access path.
|
||||
|
||||
---
|
||||
|
||||
## Login Flow UX
|
||||
|
||||
| Option | Description | Selected |
|
||||
|--------|-------------|----------|
|
||||
| Redirect to Logto login page | Standard OIDC redirect, Logto handles UI for login/register/reset | ✓ |
|
||||
| Embedded login form via Logto SDK | Use Logto's SDK to render login inline within GearBox | |
|
||||
|
||||
**User's choice:** Redirect to Logto login page (auto-selected)
|
||||
**Notes:** Standard OIDC pattern. More secure, less maintenance — Logto owns the login/registration UX.
|
||||
|
||||
---
|
||||
|
||||
## Existing User Migration
|
||||
|
||||
| Option | Description | Selected |
|
||||
|--------|-------------|----------|
|
||||
| Manual re-registration on Logto | User creates account on Logto, migration script links to GearBox data | ✓ |
|
||||
| Automated import from GearBox users table | Script creates Logto user from existing credentials | |
|
||||
|
||||
**User's choice:** Manual re-registration on Logto (auto-selected)
|
||||
**Notes:** Only one existing user — automation not worth the complexity.
|
||||
|
||||
---
|
||||
|
||||
## Claude's Discretion
|
||||
|
||||
- Logto SDK choice
|
||||
- Token storage mechanism
|
||||
- Logto configuration and branding
|
||||
- User ID mapping strategy
|
||||
- E2E test auth approach
|
||||
|
||||
## Deferred Ideas
|
||||
|
||||
None — discussion stayed within phase scope
|
||||
Reference in New Issue
Block a user