bvandeusen
b37e15d59a
Add Authentik OAuth/OIDC SSO, email change, and setup docs
...
Phase 18 changes:
OAuth/OIDC SSO (Authorization Code + PKCE):
- alembic/versions/0015_add_oauth_fields.py: add oauth_sub UNIQUE column,
drop NOT NULL on password_hash
- src/fabledassistant/services/oauth.py: OIDC discovery (cached), build_auth_url,
exchange_code, get_userinfo, find_or_create_oauth_user (sub→email auto-link→create)
- src/fabledassistant/routes/auth.py: GET /api/auth/oauth/login and
GET /api/auth/oauth/callback; LOCAL_AUTH_ENABLED guards on login/register;
/api/auth/status now returns oauth_enabled + local_auth_enabled
- src/fabledassistant/config.py: OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET,
OIDC_SCOPES, LOCAL_AUTH_ENABLED, oidc_enabled() classmethod
- src/fabledassistant/models/user.py: password_hash nullable, oauth_sub field,
has_password bool in to_dict()
- src/fabledassistant/services/auth.py: create_user accepts password=None +
oauth_sub kwarg; authenticate returns None for OAuth-only users;
add get_user_by_oauth_sub, link_oauth_sub, update_user_email
- frontend: AuthStatus + User types updated; auth store exposes oauthEnabled +
localAuthEnabled; LoginView shows SSO button / hides password form accordingly
Email change:
- PUT /api/auth/email: requires password confirmation for local-auth users,
skips check for OAuth-only users; enforces email uniqueness
- SettingsView.vue: new Email Address section pre-filled with current email,
updates authStore.user in-place on success
Docs:
- docs/oauth-setup.md: step-by-step Authentik provider setup, example
docker-compose env vars, account linking explanation, per-provider issuer URL table
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-02-25 20:12:13 -05:00
bvandeusen
d354da5b51
Add email-based password reset flow
...
Users who forget their password can now request a reset link via email.
Tokens are SHA-256 hashed before storage, expire after 1 hour, and
previous unused tokens are invalidated on new requests. The forgot-password
endpoint always returns success to prevent email enumeration.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-02-13 21:42:45 -05:00
bvandeusen
cbfdf5289e
Add multi-user auth, background generation, and chat UX improvements
...
Phase 5: Multi-user authentication with session cookies, bcrypt passwords,
first-user-is-admin pattern, per-user data isolation, backup/restore,
Docker Swarm production stack with secrets and network isolation.
Phase 5.1: Chat UX improvements:
- Background generation architecture (GenerationBuffer + asyncio task)
with SSE fan-out, reconnect support, and periodic DB flushes
- LLM-generated conversation titles (first exchange + every 10th message)
- Stop generation button with cancel_event and partial content preservation
- Relative timestamps in sidebar (5m ago, 3h ago, then dates)
- Empty chat auto-cleanup on navigation away
- Save-as-note uses LLM for title generation, tags notes with "chat"
- Summarize-as-note also tags with "chat"
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-02-11 14:36:30 -05:00