feat: add optional OIDC authentication

app/api/auth/[...nextauth]/route.ts

@@ -0,0 +1,47 @@
+import NextAuth, { type NextAuthOptions } from "next-auth";
+import type { OAuthConfig } from "next-auth/providers/oauth";
+import {
+  getAuthMode,
+  getOidcProviderName,
+  getRequiredAuthSecret,
+  mapOidcProfile,
+  type OidcProfile,
+} from "@/lib/auth-config";
+
+const authMode = getAuthMode();
+
+function oidcProvider(): OAuthConfig<OidcProfile> {
+  return {
+    id: "oidc",
+    name: getOidcProviderName(),
+    type: "oauth",
+    wellKnown: `${process.env.OIDC_ISSUER}/.well-known/openid-configuration`,
+    authorization: { params: { scope: "openid profile email" } },
+    checks: ["pkce", "state"],
+    clientId: process.env.OIDC_CLIENT_ID,
+    clientSecret: process.env.OIDC_CLIENT_SECRET,
+    idToken: true,
+    profile(profile) {
+      return mapOidcProfile(profile);
+    },
+  };
+}
+
+const authOptions: NextAuthOptions = {
+  providers: authMode.enabled ? [oidcProvider()] : [],
+  secret: authMode.enabled ? getRequiredAuthSecret() : "auth-disabled",
+  session: {
+    strategy: "jwt",
+  },
+};
+
+const handler = authMode.enabled
+  ? NextAuth(authOptions)
+  : function authDisabled() {
+      return Response.json(
+        { error: authMode.error ?? "OIDC authentication is not configured." },
+        { status: authMode.error ? 500 : 404 }
+      );
+    };
+
+export { handler as GET, handler as POST };