
feat(auth): DB-backed users + generic OIDC login#359

Merged
aaliboyev merged 2 commits into main from feat/auth-user-flow on Jul 2, 2026

Conversation

@aaliboyev

Member

Two additions to the auth layer, both dormant by default:

DB-backed users. New users table (migration 000023) + app/user store. YAML identity users (config/users/) seed into the table on boot — seed-if-absent, plain passwords bcrypt-hashed on ingest so cleartext never lands in Postgres. POST /auth/login consults the table first; YAML remains the break-glass fallback, so rotating an env-ref password can never lock you out. Actor/sessions/whoami now carry roles.

Generic OIDC login (auth:oidc settings section, enabled: false default). GET /auth/oidc/start + /callback run the authorization-code + PKCE dance against any issuer publishing a discovery document, then mint the same scs session as password login — everything downstream is unchanged. First-login auto-provisioning is gated by registration: open|closed. Extra authorize params some providers require go in authParams (config, not code). Identity is read from the id_token, falling back to an inline user profile on the token response.

sdk/oauth discovery now falls back to /.well-known/openid-configuration when the RFC 8414 path 404s.

Flow covered by tests against a fake IdP (discovery fallback, PKCE exchange, provisioning open/closed, forged state, expired cookie, disabled user, inline-profile shape); also verified live end-to-end against a hosted provider with Google sign-in.
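The discovery fallback the description mentions, as an added illustration that is not the PR's own sdk/oauth code: probe the RFC 8414 path first, fall back to `/.well-known/openid-configuration` only on a 404, refuse any other status, and check that the advertised `issuer` matches the configured one before trusting the endpoints. The fake IdP, the `Metadata`/`Discover`/`NewFakeIdP` names and the loopback allowance for tests are assumptions of this example; it also assumes an issuer URL without a path component, so both well-known paths are simply appended.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Metadata is the subset of provider metadata the login flow needs; the JSON
// keys are shared by RFC 8414 and OIDC Discovery documents.
type Metadata struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
}

// discoveryPaths is the probe order: RFC 8414 first, OIDC Discovery second.
var discoveryPaths = []string{
	"/.well-known/oauth-authorization-server",
	"/.well-known/openid-configuration",
}

func isLoopback(u *url.URL) bool {
	ip := net.ParseIP(u.Hostname())
	return ip != nil && ip.IsLoopback()
}

// fetch GETs one candidate URL. A non-200 status is reported via the status
// code, not as an error, so the caller can decide whether to fall back.
func fetch(client *http.Client, u string) (*Metadata, int, error) {
	resp, err := client.Get(u)
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, resp.StatusCode, nil
	}
	var md Metadata
	// Cap the body: a discovery document is small, and a hostile issuer
	// should not be able to make us buffer arbitrary amounts.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&md); err != nil {
		return nil, resp.StatusCode, fmt.Errorf("decode %s: %w", u, err)
	}
	return &md, resp.StatusCode, nil
}

// Discover resolves provider metadata for issuer. Only a 404 on the RFC 8414
// path triggers the OIDC Discovery fallback; anything else fails closed.
func Discover(client *http.Client, issuer string) (*Metadata, error) {
	issuer = strings.TrimSuffix(issuer, "/")
	u, err := url.Parse(issuer)
	if err != nil || u.Host == "" || (u.Scheme != "https" && !isLoopback(u)) {
		return nil, fmt.Errorf("issuer must be an https URL (loopback allowed for tests): %q", issuer)
	}
	for _, p := range discoveryPaths {
		md, status, err := fetch(client, issuer+p)
		if err != nil {
			return nil, err
		}
		if status == http.StatusNotFound {
			continue // try the next well-known path
		}
		if status != http.StatusOK {
			return nil, fmt.Errorf("%s: unexpected status %d", issuer+p, status)
		}
		// The document must claim the issuer we were configured with;
		// otherwise a redirecting or misrouted host could hand us its own endpoints.
		if md.Issuer != issuer {
			return nil, fmt.Errorf("issuer mismatch: metadata says %q, configured %q", md.Issuer, issuer)
		}
		if md.AuthorizationEndpoint == "" || md.TokenEndpoint == "" {
			return nil, errors.New("discovery document missing authorization or token endpoint")
		}
		return md, nil
	}
	return nil, fmt.Errorf("no discovery document found for %s", issuer)
}

// NewFakeIdP (constructed test double) serves a discovery document only at
// servePath and 404s everywhere else. issuerOverride, when set, lets a test
// simulate a document that claims a different issuer.
func NewFakeIdP(servePath, issuerOverride string) *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != servePath {
			http.NotFound(w, r)
			return
		}
		iss := srv.URL
		if issuerOverride != "" {
			iss = issuerOverride
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(Metadata{Issuer: iss, AuthorizationEndpoint: iss + "/authorize", TokenEndpoint: iss + "/token"})
	}))
	return srv
}

func main() {
	idp := NewFakeIdP("/.well-known/openid-configuration", "") // RFC 8414 path 404s here
	defer idp.Close()
	md, err := Discover(idp.Client(), idp.URL)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("token endpoint:", md.TokenEndpoint)
}
```

The issuer comparison is the part worth keeping even when the probing logic is swapped for a library: both specs require the `issuer` value in the document to equal the configured issuer, and skipping that check is what lets an attacker-controlled document redirect the token exchange.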

aaliboyev added 2 commits July 2, 2026 06:50
- users table (000023) + app/user store/seed: YAML identity users seed
  into PG at boot (seed-if-absent; plain passwords bcrypt-hashed on
  ingest); /auth/login consults the table first, YAML stays the
  break-glass fallback
- generic OIDC login (auth:oidc settings section, disabled by default):
  /auth/oidc/start + /auth/oidc/callback do the authorization-code +
  PKCE dance against any issuer publishing discovery metadata; on
  success the same scs session as password login is minted. First-login
  auto-provisioning is gated by registration=open|closed
- sdk/oauth discovery falls back to /.well-known/openid-configuration
  when the RFC 8414 path is absent
- Actor.Roles carried from user record through the session; whoami
  returns roles; config.json advertises features.oidc when enabled
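The start/callback half of the flow the commit describes, as an added example (not the PR's handlers): `/auth/oidc/start` mints a random `state` and PKCE verifier, derives the S256 challenge, merges config-supplied `authParams` without letting them override the protected parameters, and records what the callback must check; `/auth/oidc/callback` then rejects expired attempts and forged `state` before the code is exchanged. The `PendingLogin`, `Start` and `Verify` names, the ten-minute lifetime and the scope string are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// PendingLogin is what the start handler persists (e.g. in a short-lived
// cookie or server-side store) so the callback can verify the response.
type PendingLogin struct {
	State    string
	Verifier string
	Expires  time.Time
}

var (
	ErrExpired = errors.New("login attempt expired")
	ErrState   = errors.New("state mismatch")
)

// randomURLSafe returns n random bytes as unpadded base64url; 32 bytes gives
// 43 characters, inside RFC 7636's 43..128 verifier length.
func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Challenge is the S256 code_challenge for a verifier (RFC 7636 section 4.2).
func Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Start builds the authorize redirect and the pending record to persist.
// authParams are provider-specific extras from configuration; they may add
// parameters but may not replace the ones that carry the flow's security.
func Start(authEndpoint, clientID, redirectURI string, authParams map[string]string, now time.Time) (string, PendingLogin, error) {
	state, err := randomURLSafe(32)
	if err != nil {
		return "", PendingLogin{}, err
	}
	verifier, err := randomURLSafe(32)
	if err != nil {
		return "", PendingLogin{}, err
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid email profile") // assumed scope set
	q.Set("state", state)
	q.Set("code_challenge", Challenge(verifier))
	q.Set("code_challenge_method", "S256")
	for k, v := range authParams {
		if _, protected := q[k]; protected {
			return "", PendingLogin{}, fmt.Errorf("authParams may not override %q", k)
		}
		q.Set(k, v)
	}
	u, err := url.Parse(authEndpoint)
	if err != nil {
		return "", PendingLogin{}, err
	}
	u.RawQuery = q.Encode()
	return u.String(), PendingLogin{State: state, Verifier: verifier, Expires: now.Add(10 * time.Minute)}, nil
}

// Verify checks the callback query against the pending record and returns the
// code plus the verifier to send to the token endpoint. State is compared in
// constant time and checked before anything else the provider sent is trusted.
func Verify(p PendingLogin, callback url.Values, now time.Time) (code, verifier string, err error) {
	if !now.Before(p.Expires) {
		return "", "", ErrExpired
	}
	got := callback.Get("state")
	if subtle.ConstantTimeCompare([]byte(got), []byte(p.State)) != 1 {
		return "", "", ErrState
	}
	if e := callback.Get("error"); e != "" {
		return "", "", fmt.Errorf("provider returned error %q", e)
	}
	code = callback.Get("code")
	if code == "" {
		return "", "", errors.New("callback missing code")
	}
	return code, p.Verifier, nil
}

func main() {
	now := time.Now()
	redirect, pending, err := Start("https://idp.example/authorize", "client-id", "https://app.example/auth/oidc/callback", map[string]string{"prompt": "select_account"}, now)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("redirect to:", redirect)
	// Simulated callback (constructed): the provider echoes state and returns a code.
	code, verifier, err := Verify(pending, url.Values{"state": {pending.State}, "code": {"demo-code"}}, now.Add(time.Minute))
	fmt.Println("code:", code, "verifier len:", len(verifier), "err:", err)
}
```

Exchanging the code for tokens and validating the `id_token` (issuer, audience, signature, expiry) follows `Verify`; the point shown here is that the state and PKCE material must be bound to the browser session that started the flow and checked before the exchange, so a forged or replayed callback is dropped without ever reaching the token endpoint.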
@aaliboyev aaliboyev merged commit f31d3aa into main Jul 2, 2026
2 checks passed
@aaliboyev aaliboyev deleted the feat/auth-user-flow branch July 2, 2026 02:12

1 participant