feat: add optional OIDC authentication

2026-06-05 17:34:03 +08:00
parent 09f752c8cf
commit 20654d9756
8 changed files with 382 additions and 2 deletions
--- a/README.md
+++ b/README.md
@@ -40,6 +40,32 @@ PG_CONNECTION_STRING=postgres://user:password@host:5432/database

 The app uses this variable in `lib/db.ts` to create a `pg` connection pool.

+OIDC authentication is optional. If no OIDC variables are set, the dashboard and API remain open.
+To require login through a standard OIDC provider such as Sinodoor, add:
+
+```bash
+OIDC_ISSUER=https://casdoor.example.com
+OIDC_CLIENT_ID=analytics
+OIDC_CLIENT_SECRET=replace-me
+AUTH_SECRET=replace-with-random-secret
+# Optional login button label:
+OIDC_PROVIDER_NAME=Sinodoor
+```
+
+Generate `AUTH_SECRET` with a stable random value, for example:
+
+```bash
+openssl rand -base64 32
+```
+
+When OIDC is enabled, configure the provider redirect URI as:
+
+```text
+https://your-analytics-domain/api/auth/callback/oidc
+```
+
+Partial OIDC configuration is treated as an error instead of falling back to open access.
+
 ## Deployment

 The included Dockerfile builds a standalone Next.js output and starts `server.js` on port `8019`.