---
phase: 15-external-authentication
plan: 01
subsystem: infra
tags: [logto, oidc, docker-compose, postgres]

# Dependency graph
requires:
  - phase: 14-postgresql-migration
    provides: Postgres database and Docker Compose foundation
provides:
  - Logto OIDC provider running as Docker Compose service
  - Postgres init script for separate Logto database
  - OIDC environment variable documentation
  - Schema without users/sessions tables (ready for external auth)
affects: [15-02, 15-03, 16-multi-user-data-model]

# Tech tracking
tech-stack:
  added: [logto (svhd/logto Docker image)]
  patterns: [multi-database Postgres init via docker-entrypoint-initdb.d, OIDC env var convention]

key-files:
  created:
    - docker-compose.yml
    - docker-compose.dev.yml
    - docker/init-logto-db.sql
    - .env.example
  modified:
    - src/db/schema.ts

key-decisions:
  - "Logto shares Postgres instance via separate database created by init script"
  - "OIDC_ISSUER derived from LOGTO_ENDPOINT in docker-compose, not separately configured"

patterns-established:
  - "Docker init scripts in docker/ directory mounted to docker-entrypoint-initdb.d"
  - "OIDC environment variables: LOGTO_ENDPOINT, LOGTO_CLIENT_ID, LOGTO_CLIENT_SECRET, OIDC_AUTH_SECRET"

requirements-completed: [AUTH-04]

# Metrics
duration: 3min
completed: 2026-04-04
---

# Phase 15 Plan 01: Logto Docker Infrastructure and Schema Cleanup Summary

**Logto OIDC provider added to Docker Compose with Postgres init script, users/sessions tables removed from schema**

## Performance

- **Duration:** 3 min
- **Started:** 2026-04-04T18:35:52Z
- **Completed:** 2026-04-04T18:38:52Z
- **Tasks:** 2
- **Files modified:** 6

## Accomplishments

- Added Logto as a Docker Compose service in both production and dev configurations with proper health-check dependency on Postgres
- Created Postgres init script that automatically creates the logto database on first boot
- Removed users and sessions tables from GearBox schema, generated Drizzle migration to drop them
- Documented all required OIDC environment variables in .env.example

## Task Commits

Each task was committed atomically:

1. **Task 1: Add Logto service to Docker Compose and create init script** - `625862f` (feat)
2. **Task 2: Remove users and sessions tables from schema** - `0fe231f` (feat)

## Files Created/Modified

- `docker-compose.yml` - Production compose with Postgres, Logto, and app services
- `docker-compose.dev.yml` - Dev compose with Postgres and Logto for local auth testing
- `docker/init-logto-db.sql` - SQL script creating separate logto database on Postgres
- `.env.example` - Documents all required environment variables for OIDC configuration
- `src/db/schema.ts` - Removed users and sessions table definitions
- `drizzle/0010_foamy_marvel_zombies.sql` - Migration to drop users and sessions tables

## Decisions Made

- Logto shares the same Postgres instance but uses a separate database (created by init script), rather than a dedicated Postgres container
- OIDC_ISSUER is derived from LOGTO_ENDPOINT in docker-compose.yml rather than being a separate top-level env var, reducing configuration duplication
- Dev compose uses hardcoded password for Logto DB connection (matching existing dev Postgres pattern)

## Deviations from Plan

None - plan executed exactly as written.

## Issues Encountered

None.

## User Setup Required

None - no external service configuration required. Logto admin console setup (creating OIDC application, obtaining client ID/secret) will be needed before plan 15-02, but is handled as part of the Logto first-boot experience at http://localhost:3002.

## Next Phase Readiness

- Logto infrastructure is ready for plan 15-02 (server-side OIDC integration)
- Schema is cleaned of old auth tables, ready for OIDC-based authentication
- API keys table preserved for continued programmatic access

---

*Phase: 15-external-authentication*
*Completed: 2026-04-04*
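The env var convention recorded in this plan (LOGTO_ENDPOINT, LOGTO_CLIENT_ID, LOGTO_CLIENT_SECRET, OIDC_AUTH_SECRET) and the decision to derive OIDC_ISSUER from LOGTO_ENDPOINT leave one practical question open for plan 15-02: how the app should load those variables so that it fails closed on a missing or placeholder secret and never lets a plain-http issuer through outside local development. The block below is an added example, not GearBox code and not part of Logto; it assumes that Logto publishes its OIDC issuer under `<endpoint>/oidc`, and the 32-character minimum, the placeholder list, and the function names `loadOidcConfig`, `deriveIssuer` and `redactForLog` are choices made for this example only. The `EXAMPLE_ENV` values are constructed.

```typescript
// Added example (not project code): validate the OIDC env vars documented in
// .env.example and derive OIDC_ISSUER from LOGTO_ENDPOINT. Assumptions: Logto
// serves its issuer at "<endpoint>/oidc"; the minimum secret length and the
// placeholder list are policies chosen for this example.

export interface OidcConfig {
  logtoEndpoint: string; // LOGTO_ENDPOINT, normalised (no trailing slash)
  issuer: string;        // derived: `${logtoEndpoint}/oidc`
  clientId: string;      // LOGTO_CLIENT_ID
  clientSecret: string;  // LOGTO_CLIENT_SECRET
  authSecret: string;    // OIDC_AUTH_SECRET (session/cookie signing key)
}

export type Env = Record<string, string | undefined>;

const REQUIRED = ["LOGTO_ENDPOINT", "LOGTO_CLIENT_ID", "LOGTO_CLIENT_SECRET", "OIDC_AUTH_SECRET"] as const;
const MIN_SECRET_LENGTH = 32; // example policy: roughly 32 bytes of randomness
// Values that .env.example-style files tend to ship with; refuse to boot with them.
const PLACEHOLDERS = new Set(["", "changeme", "replace-me", "your-secret-here", "xxx"]);

function isLoopback(hostname: string): boolean {
  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
}

// Mirror the compose-file decision: issuer is derived, never configured separately.
// Trailing slashes are stripped first so the result compares byte-for-byte with
// the `iss` claim in tokens (assumption: Logto's issuer path is "/oidc").
export function deriveIssuer(logtoEndpoint: string): string {
  return `${logtoEndpoint.replace(/\/+$/, "")}/oidc`;
}

export function loadOidcConfig(env: Env, opts: { allowInsecureLoopback?: boolean } = {}): OidcConfig {
  const missing = REQUIRED.filter((name) => {
    const v = env[name];
    return v === undefined || PLACEHOLDERS.has(v.trim().toLowerCase());
  });
  if (missing.length > 0) {
    // Name the variables, never their values: this message ends up in logs.
    throw new Error(`OIDC config incomplete; set: ${missing.join(", ")}`);
  }

  let url: URL;
  try {
    url = new URL(env.LOGTO_ENDPOINT as string);
  } catch {
    throw new Error("LOGTO_ENDPOINT is not a valid absolute URL");
  }
  const insecureLoopback = url.protocol === "http:" && isLoopback(url.hostname);
  if (url.protocol !== "https:" && !(insecureLoopback && opts.allowInsecureLoopback)) {
    throw new Error("LOGTO_ENDPOINT must use https (plain http is only allowed for loopback in dev)");
  }
  if (url.search || url.hash) {
    throw new Error("LOGTO_ENDPOINT must not carry a query string or fragment");
  }

  const authSecret = env.OIDC_AUTH_SECRET as string;
  if (authSecret.length < MIN_SECRET_LENGTH) {
    throw new Error(`OIDC_AUTH_SECRET must be at least ${MIN_SECRET_LENGTH} characters`);
  }

  const logtoEndpoint = url.origin + url.pathname.replace(/\/+$/, "");
  return {
    logtoEndpoint,
    issuer: deriveIssuer(logtoEndpoint),
    clientId: env.LOGTO_CLIENT_ID as string,
    clientSecret: env.LOGTO_CLIENT_SECRET as string,
    authSecret,
  };
}

// Loggable view of the config: identifiers only, secrets replaced.
export function redactForLog(cfg: OidcConfig): Record<string, string> {
  return { logtoEndpoint: cfg.logtoEndpoint, issuer: cfg.issuer, clientId: cfg.clientId,
           clientSecret: "<redacted>", authSecret: "<redacted>" };
}

// Constructed sample env for a local dev run (values are not real credentials).
export const EXAMPLE_ENV: Env = {
  LOGTO_ENDPOINT: "http://localhost:3001/",
  LOGTO_CLIENT_ID: "gearbox-web",
  LOGTO_CLIENT_SECRET: "example-client-secret-not-for-real-use-0123456789",
  OIDC_AUTH_SECRET: "example-auth-secret-not-for-real-use-0123456789ab",
};

console.log(redactForLog(loadOidcConfig(EXAMPLE_ENV, { allowInsecureLoopback: true })));
```

Production callers would pass `process.env` without `allowInsecureLoopback`, so an `http://` endpoint that slipped into a deployed `.env` is rejected at startup rather than producing an issuer the app would then trust tokens from.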