Add Authentik OAuth/OIDC SSO, email change, and setup docs

Phase 18 changes:

OAuth/OIDC SSO (Authorization Code + PKCE):
- alembic/versions/0015_add_oauth_fields.py: add oauth_sub UNIQUE column,
  drop NOT NULL on password_hash
- src/fabledassistant/services/oauth.py: OIDC discovery (cached), build_auth_url,
  exchange_code, get_userinfo, find_or_create_oauth_user (sub→email auto-link→create)
- src/fabledassistant/routes/auth.py: GET /api/auth/oauth/login and
  GET /api/auth/oauth/callback; LOCAL_AUTH_ENABLED guards on login/register;
  /api/auth/status now returns oauth_enabled + local_auth_enabled
- src/fabledassistant/config.py: OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET,
  OIDC_SCOPES, LOCAL_AUTH_ENABLED, oidc_enabled() classmethod
- src/fabledassistant/models/user.py: password_hash nullable, oauth_sub field,
  has_password bool in to_dict()
- src/fabledassistant/services/auth.py: create_user accepts password=None +
  oauth_sub kwarg; authenticate returns None for OAuth-only users;
  add get_user_by_oauth_sub, link_oauth_sub, update_user_email
- frontend: AuthStatus + User types updated; auth store exposes oauthEnabled +
  localAuthEnabled; LoginView shows SSO button / hides password form accordingly

Email change:
- PUT /api/auth/email: requires password confirmation for local-auth users,
  skips check for OAuth-only users; enforces email uniqueness
- SettingsView.vue: new Email Address section pre-filled with current email,
  updates authStore.user in-place on success

Docs:
- docs/oauth-setup.md: step-by-step Authentik provider setup, example
  docker-compose env vars, account linking explanation, per-provider issuer URL table

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-02-25 20:12:13 -05:00
parent c3b05046b7
commit b37e15d59a
12 changed files with 578 additions and 31 deletions
+62
View File
@@ -10,6 +10,9 @@ const authStore = useAuthStore();
const toastStore = useToastStore();
const assistantName = ref("");
const intentModel = ref("");
const newEmail = ref("");
const emailPassword = ref("");
const changingEmail = ref(false);
const currentPassword = ref("");
const newPassword = ref("");
const confirmNewPassword = ref("");
@@ -61,6 +64,7 @@ const baseUrlSaved = ref(false);
onMounted(async () => {
await store.fetchSettings();
assistantName.value = store.assistantName;
newEmail.value = authStore.user?.email ?? "";
// Load notification preferences from user settings
const allSettings = await apiGet<Record<string, string>>("/api/settings");
@@ -97,6 +101,29 @@ onMounted(async () => {
}
});
async function changeEmail() {
changingEmail.value = true;
try {
const body: Record<string, string> = { email: newEmail.value.trim() };
if (authStore.user?.has_password) {
body.password = emailPassword.value;
}
const updated = await apiPut<import("@/types/auth").User>("/api/auth/email", body);
authStore.user = updated;
emailPassword.value = "";
toastStore.show("Email updated successfully");
} catch (e: unknown) {
if (e && typeof e === "object" && "body" in e) {
const b = (e as { body?: { error?: string } }).body;
toastStore.show(b?.error || "Failed to update email", "error");
} else {
toastStore.show("Failed to update email", "error");
}
} finally {
changingEmail.value = false;
}
}
async function changePassword() {
if (newPassword.value !== confirmNewPassword.value) {
toastStore.show("New passwords do not match", "error");
@@ -339,6 +366,41 @@ async function handleRestoreFile(event: Event) {
</div>
</section>
<section class="settings-section">
<h2>Email Address</h2>
<p class="section-desc">Used for password resets and notifications.</p>
<div class="field">
<label for="new-email">Email</label>
<input
id="new-email"
v-model="newEmail"
type="email"
placeholder="you@example.com"
class="input"
/>
</div>
<div v-if="authStore.user?.has_password" class="field">
<label for="email-password">Current Password</label>
<input
id="email-password"
v-model="emailPassword"
type="password"
autocomplete="current-password"
class="input"
/>
<p class="field-hint">Required to confirm the change.</p>
</div>
<div class="actions">
<button
class="btn-save"
@click="changeEmail"
:disabled="changingEmail || (authStore.user?.has_password && !emailPassword)"
>
{{ changingEmail ? "Saving..." : "Save Email" }}
</button>
</div>
</section>
<section class="settings-section">
<h2>Change Password</h2>
<div class="field">