221 lines
9.5 KiB
Markdown
221 lines
9.5 KiB
Markdown
---
|
|
phase: 15-external-authentication
|
|
plan: 01
|
|
type: execute
|
|
wave: 1
|
|
depends_on: []
|
|
files_modified:
|
|
- docker-compose.yml
|
|
- docker-compose.dev.yml
|
|
- docker/init-logto-db.sql
|
|
- src/db/schema.ts
|
|
- .env.example
|
|
autonomous: true
|
|
requirements: [AUTH-04]
|
|
|
|
must_haves:
|
|
truths:
|
|
- "Logto container starts alongside Postgres in docker-compose"
|
|
- "Logto admin console is accessible at port 3002"
|
|
- "Logto OIDC discovery endpoint responds at /oidc/.well-known/openid-configuration"
|
|
- "GearBox schema no longer contains users or sessions tables"
|
|
- "A separate logto database is created automatically on Postgres first boot"
|
|
artifacts:
|
|
- path: "docker-compose.yml"
|
|
provides: "Production Logto service definition"
|
|
contains: "svhd/logto"
|
|
- path: "docker-compose.dev.yml"
|
|
provides: "Dev Logto service definition"
|
|
contains: "svhd/logto"
|
|
- path: "docker/init-logto-db.sql"
|
|
provides: "Postgres init script creating logto database"
|
|
contains: "CREATE DATABASE logto"
|
|
- path: "src/db/schema.ts"
|
|
provides: "Schema without users/sessions tables"
|
|
- path: ".env.example"
|
|
provides: "Documentation of required OIDC env vars"
|
|
contains: "OIDC_ISSUER"
|
|
key_links:
|
|
- from: "docker-compose.yml"
|
|
to: "docker/init-logto-db.sql"
|
|
via: "postgres volume mount to docker-entrypoint-initdb.d"
|
|
pattern: "init-logto-db.sql:/docker-entrypoint-initdb.d"
|
|
- from: "docker-compose.yml logto service"
|
|
to: "docker-compose.yml postgres service"
|
|
via: "depends_on with service_healthy"
|
|
pattern: "condition: service_healthy"
|
|
---
|
|
|
|
<objective>
|
|
Add Logto as a Docker Compose service and remove the users/sessions tables from the GearBox schema.
|
|
|
|
Purpose: Establishes the infrastructure foundation for OIDC authentication -- Logto must be running before server-side auth code can be integrated. Schema changes remove the old auth tables that will be replaced by Logto-managed identity.
|
|
|
|
Output: Updated docker-compose files with Logto, cleaned schema, env var documentation.
|
|
</objective>
|
|
|
|
<execution_context>
|
|
@$HOME/.claude/get-shit-done/workflows/execute-plan.md
|
|
@$HOME/.claude/get-shit-done/templates/summary.md
|
|
</execution_context>
|
|
|
|
<context>
|
|
@.planning/PROJECT.md
|
|
@.planning/ROADMAP.md
|
|
@.planning/STATE.md
|
|
@.planning/phases/15-external-authentication/15-CONTEXT.md
|
|
@.planning/phases/15-external-authentication/15-RESEARCH.md
|
|
@src/db/schema.ts
|
|
@docker-compose.yml
|
|
@docker-compose.dev.yml
|
|
</context>
|
|
|
|
<tasks>
|
|
|
|
<task type="auto">
|
|
<name>Task 1: Add Logto service to Docker Compose and create init script</name>
|
|
<files>docker-compose.yml, docker-compose.dev.yml, docker/init-logto-db.sql, .env.example</files>
|
|
<read_first>
|
|
- docker-compose.yml (current production compose)
|
|
- docker-compose.dev.yml (current dev compose)
|
|
- .planning/phases/15-external-authentication/15-RESEARCH.md (Pattern 4: Logto Docker Compose Integration, Pitfall 1: OIDC Issuer URL Mismatch)
|
|
</read_first>
|
|
<action>
|
|
**Per D-13 and D-14:** Add Logto as a service in both docker-compose files.
|
|
|
|
1. Create `docker/init-logto-db.sql` with content:
|
|
```sql
|
|
-- Creates a separate database for Logto on the shared Postgres instance
|
|
CREATE DATABASE logto;
|
|
```
|
|
|
|
2. Update `docker-compose.yml` (production):
|
|
- Add volume mount on postgres service: `./docker/init-logto-db.sql:/docker-entrypoint-initdb.d/init-logto-db.sql`
|
|
- Add `logto` service:
|
|
```yaml
|
|
logto:
|
|
image: svhd/logto:latest
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
|
|
ports:
|
|
- "3001:3001"
|
|
- "3002:3002"
|
|
environment:
|
|
TRUST_PROXY_HEADER: "1"
|
|
DB_URL: postgres://gearbox:${POSTGRES_PASSWORD}@postgres:5432/logto
|
|
ENDPOINT: ${LOGTO_ENDPOINT:-http://localhost:3001}
|
|
ADMIN_ENDPOINT: ${LOGTO_ADMIN_ENDPOINT:-http://localhost:3002}
|
|
```
|
|
- Add to `app` service environment:
|
|
```yaml
|
|
OIDC_ISSUER: ${LOGTO_ENDPOINT:-http://localhost:3001}/oidc
|
|
OIDC_CLIENT_ID: ${LOGTO_CLIENT_ID}
|
|
OIDC_CLIENT_SECRET: ${LOGTO_CLIENT_SECRET}
|
|
OIDC_AUTH_SECRET: ${OIDC_AUTH_SECRET}
|
|
```
|
|
- Add `depends_on` for app -> logto: `condition: service_started`
|
|
|
|
3. Update `docker-compose.dev.yml`:
|
|
- Add the same postgres init volume mount
|
|
- Add same `logto` service definition (ports 3001, 3002)
|
|
- Logto environment uses hardcoded dev password: `DB_URL: postgres://gearbox:gearbox@postgres:5432/logto`
|
|
|
|
4. Create or update `.env.example` with all new OIDC env vars:
|
|
```
|
|
# PostgreSQL
|
|
POSTGRES_PASSWORD=changeme
|
|
|
|
# Logto OIDC (get from Logto Admin Console at http://localhost:3002)
|
|
LOGTO_ENDPOINT=http://localhost:3001
|
|
LOGTO_ADMIN_ENDPOINT=http://localhost:3002
|
|
LOGTO_CLIENT_ID=your-app-client-id
|
|
LOGTO_CLIENT_SECRET=your-app-client-secret
|
|
OIDC_AUTH_SECRET=generate-a-random-32-char-string-here
|
|
|
|
# GearBox
|
|
GEARBOX_URL=http://localhost:3000
|
|
```
|
|
|
|
**IMPORTANT (Pitfall 1):** The `ENDPOINT` on Logto and `OIDC_ISSUER` on the app must both use the *externally accessible* URL (e.g., `http://localhost:3001`), NOT Docker-internal hostnames. The browser redirect and server-side JWT validation must agree on the issuer string.
|
|
</action>
|
|
<verify>
|
|
<automated>grep -q "svhd/logto" docker-compose.yml && grep -q "svhd/logto" docker-compose.dev.yml && grep -q "CREATE DATABASE logto" docker/init-logto-db.sql && grep -q "OIDC_ISSUER" .env.example && echo "PASS" || echo "FAIL"</automated>
|
|
</verify>
|
|
<acceptance_criteria>
|
|
- docker-compose.yml contains `image: svhd/logto:latest`
|
|
- docker-compose.yml logto service has `depends_on: postgres: condition: service_healthy`
|
|
- docker-compose.yml logto service exposes ports 3001 and 3002
|
|
- docker-compose.yml postgres service has volume mount containing `init-logto-db.sql:/docker-entrypoint-initdb.d/init-logto-db.sql`
|
|
- docker-compose.yml app service has `OIDC_ISSUER`, `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET`, `OIDC_AUTH_SECRET` env vars
|
|
- docker-compose.dev.yml contains matching logto service definition
|
|
- docker/init-logto-db.sql contains `CREATE DATABASE logto;`
|
|
- .env.example contains `LOGTO_CLIENT_ID`, `LOGTO_CLIENT_SECRET`, `OIDC_AUTH_SECRET`, `LOGTO_ENDPOINT`
|
|
</acceptance_criteria>
|
|
<done>Both docker-compose files have Logto service, init SQL creates logto database, env vars documented</done>
|
|
</task>
|
|
|
|
<task type="auto">
|
|
<name>Task 2: Remove users and sessions tables from schema and generate migration</name>
|
|
<files>src/db/schema.ts</files>
|
|
<read_first>
|
|
- src/db/schema.ts (current full schema with users, sessions, apiKeys, oauth* tables)
|
|
- .planning/phases/15-external-authentication/15-CONTEXT.md (D-03: Remove users and sessions tables)
|
|
</read_first>
|
|
<action>
|
|
**Per D-03:** Remove the `users` and `sessions` table definitions from `src/db/schema.ts`. Keep everything else: `categories`, `items`, `threads`, `threadCandidates`, `setups`, `setupItems`, `settings`, `apiKeys`, `oauthClients`, `oauthCodes`, `oauthTokens`.
|
|
|
|
Specifically:
|
|
1. Delete the `users` table definition (lines defining `export const users = pgTable("users", { ... })`)
|
|
2. Delete the `sessions` table definition (lines defining `export const sessions = pgTable("sessions", { ... })`)
|
|
3. Remove the `boolean` import from `drizzle-orm/pg-core` if no longer used (check: `oauthCodes` uses `boolean` for `used` field, so keep it)
|
|
4. Do NOT remove `apiKeys` table -- it stays per D-10
|
|
|
|
After editing schema, run migration generation:
|
|
```bash
|
|
bun run db:generate
|
|
```
|
|
|
|
This creates a Drizzle migration SQL file in `drizzle/` that drops the `users` and `sessions` tables. Review the generated migration to confirm it only drops `users` and `sessions` -- no other tables.
|
|
|
|
**Do NOT run `bun run db:push` yet** -- that will be done when the full auth refactor is ready.
|
|
</action>
|
|
<verify>
|
|
<automated>! grep -q "export const users" src/db/schema.ts && ! grep -q "export const sessions" src/db/schema.ts && grep -q "export const apiKeys" src/db/schema.ts && echo "PASS" || echo "FAIL"</automated>
|
|
</verify>
|
|
<acceptance_criteria>
|
|
- src/db/schema.ts does NOT contain `export const users`
|
|
- src/db/schema.ts does NOT contain `export const sessions`
|
|
- src/db/schema.ts DOES contain `export const apiKeys`
|
|
- src/db/schema.ts DOES contain `export const oauthClients`
|
|
- src/db/schema.ts DOES contain `export const oauthCodes`
|
|
- src/db/schema.ts DOES contain `export const oauthTokens`
|
|
- A new migration file exists in drizzle/ directory
|
|
</acceptance_criteria>
|
|
<done>Users and sessions tables removed from schema, migration generated to drop them</done>
|
|
</task>
|
|
|
|
</tasks>
|
|
|
|
<verification>
|
|
- `grep -q "svhd/logto" docker-compose.yml` succeeds
|
|
- `grep -q "svhd/logto" docker-compose.dev.yml` succeeds
|
|
- `docker/init-logto-db.sql` exists with CREATE DATABASE logto
|
|
- `src/db/schema.ts` has no `users` or `sessions` exports
|
|
- `src/db/schema.ts` retains `apiKeys`, `oauthClients`, `oauthCodes`, `oauthTokens`
|
|
- New Drizzle migration file exists in `drizzle/`
|
|
</verification>
|
|
|
|
<success_criteria>
|
|
- Logto service defined in both docker-compose files with correct ports, env vars, and Postgres dependency
|
|
- Postgres init script creates the logto database
|
|
- GearBox schema has users and sessions tables removed
|
|
- Drizzle migration generated for the table drops
|
|
- All OIDC-related environment variables documented in .env.example
|
|
</success_criteria>
|
|
|
|
<output>
|
|
After completion, create `.planning/phases/15-external-authentication/15-01-SUMMARY.md`
|
|
</output>
|