web-app-launcher/plans/phase-2-enhanced-features/phase-1-oauth.md
alexei.dolgolyov 1c0a7cb850 feat: Phases 4-7 — Full Feature Expansion (26 features)
Phase 4 — New Widget Types:
- Clock/Weather, System Stats, RSS/Feed, Calendar, Markdown,
  Metric/Counter, Link Group, Camera/Stream widgets
- Backend services with caching for each data source
- Full creation form with dynamic config fields per type

Phase 5 — Visual & Styling Enhancements:
- Glassmorphism card style (solid/glass/outline)
- Board-level themes with per-board hue/saturation
- Animated SVG status rings replacing static dots
- Card size options (compact/medium/large)
- Custom CSS injection (admin + per-board, sanitized)
- Wallpaper backgrounds with blur/overlay/parallax

Phase 6 — Functional Features:
- Favorites bar with drag-and-drop reordering
- Recent apps tracking with privacy toggle
- Uptime dashboard page (/status, guest-accessible)
- Notifications system (Discord/Slack/Telegram/HTTP webhooks)
- App tags with filtering in board view
- Multi-URL app cards with expandable sub-links
- Personal API tokens with scoped permissions
- Audit log with retention and admin viewer

Phase 7 — Quality of Life:
- Onboarding wizard (5-step first-launch setup)
- App URL health preview with favicon/title detection
- Board templates (4 built-in + custom import/export)
- Keyboard shortcut overlay (j/k nav, 1-9 boards, ? help)

212 files changed, 15641 insertions, 980 deletions.
Build, lint, type check, and 222 tests all pass.
2026-03-25 14:18:10 +03:00


# Phase 1: OAuth/Authentik Integration

**Status:** ✅ Complete
**Parent plan:** [PLAN.md](./PLAN.md)
**Domain:** fullstack

## Objective

Add OIDC/OAuth2 authentication via Authentik, including redirect/callback flows, auto-provisioning users, and admin configuration UI.

## Tasks
- [x] Task 1: Create `src/lib/server/services/oauthService.ts` — OIDC client setup, discovery, token exchange
- [x] Task 2: Create `src/routes/auth/oauth/authorize/+server.ts` — redirect to Authentik with PKCE
- [x] Task 3: Create `src/routes/auth/oauth/callback/+server.ts` — handle callback, exchange code, provision user
- [x] Task 4: Update `src/lib/server/services/userService.ts` — add `findOrCreateByOAuth()` for auto-provisioning
- [x] Task 5: Update `src/routes/login/+page.svelte` — show OAuth button when auth mode is OAUTH or BOTH
- [x] Task 6: Update `src/routes/login/+page.server.ts` — load auth mode from SystemSettings
- [x] Task 7: Update `src/routes/admin/settings/+page.svelte` — make OAuth config fields functional (client ID, secret, discovery URL)
- [x] Task 8: Update `src/lib/components/admin/SettingsForm.svelte` — add OAuth test connection button
- [x] Task 9: Update `src/hooks.server.ts` — handle OAuth sessions alongside local JWT sessions (no changes needed — existing JWT hook handles OAuth users transparently)
- [x] Task 10: Add env vars to `.env.example` — OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, OAUTH_DISCOVERY_URL, OAUTH_REDIRECT_URI

## Files to Modify/Create
- `src/lib/server/services/oauthService.ts` — NEW
- `src/routes/auth/oauth/authorize/+server.ts` — NEW
- `src/routes/auth/oauth/callback/+server.ts` — NEW
- `src/lib/server/services/userService.ts` — MODIFY
- `src/routes/login/+page.svelte` — MODIFY
- `src/routes/login/+page.server.ts` — MODIFY
- `src/routes/admin/settings/+page.svelte` — MODIFY
- `src/lib/components/admin/SettingsForm.svelte` — MODIFY
- `src/hooks.server.ts` — MODIFY
- `.env.example` — MODIFY

## Acceptance Criteria
- OAuth login redirects to Authentik and returns with valid session
- New OAuth users are auto-provisioned with correct role/groups
- Existing users can link OAuth identity
- Admin can configure OAuth provider in settings
- Auth mode selector (local/oauth/both) controls which login options appear
- Login page shows appropriate buttons based on auth mode

## Notes
- Use `openid-client` for OIDC discovery and token exchange
- Store OAuth state/nonce in HTTP-only cookies for CSRF protection
- Map Authentik groups to local groups by name
- OAuth users have nullable password field
- ⚠️ Big Bang: may not fully work until Phase 5 integration
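The state/nonce/PKCE handling the notes above call for, as an added example written for this plan rather than code from the project: the authorize endpoint creates per-login secrets, puts them in an HTTP-only cookie and builds the Authentik URL; the callback checks `?state` against the cookie before the code exchange and the ID-token `nonce` after it. The authorization endpoint, client ID and redirect URI values are assumptions (the real ones come from OIDC discovery and SystemSettings); only `node:crypto` is used, so `openid-client` is not required to run it.

```typescript
import { randomBytes, createHash, timingSafeEqual } from 'node:crypto';

export interface OAuthTxn { state: string; nonce: string; codeVerifier: string }

// Per-login secrets; they live only in the HTTP-only cookie, never in the URL.
export function newTransaction(): OAuthTxn {
  return {
    state: randomBytes(32).toString('base64url'),
    nonce: randomBytes(32).toString('base64url'),
    codeVerifier: randomBytes(32).toString('base64url'), // 43 chars, RFC 7636 range
  };
}

// Authorization URL with PKCE S256 challenge, state and nonce bound to the cookie.
export function buildAuthorizeUrl(authEndpoint: string, clientId: string,
                                  redirectUri: string, txn: OAuthTxn): string {
  const u = new URL(authEndpoint);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('scope', 'openid profile email groups');
  u.searchParams.set('state', txn.state);
  u.searchParams.set('nonce', txn.nonce);
  u.searchParams.set('code_challenge',
    createHash('sha256').update(txn.codeVerifier).digest('base64url'));
  u.searchParams.set('code_challenge_method', 'S256');
  return u.toString();
}

// HttpOnly keeps scripts away from the secrets; SameSite=Lax still lets the
// top-level redirect back from Authentik carry the cookie; short Max-Age.
export function txnCookie(txn: OAuthTxn): string {
  const v = Buffer.from(JSON.stringify(txn)).toString('base64url');
  return `oauth_txn=${v}; Path=/auth/oauth/callback; HttpOnly; Secure; SameSite=Lax; Max-Age=600`;
}

// Constant-time string compare (timingSafeEqual requires equal lengths).
function eq(a: string, b: string): boolean {
  const A = Buffer.from(a), B = Buffer.from(b);
  return A.length === B.length && timingSafeEqual(A, B);
}

// Before the token exchange: reject the callback unless ?state matches the
// cookie (login CSRF). Returns the authorization code, or null on failure.
export function checkState(callbackUrl: string, txn: OAuthTxn): string | null {
  const q = new URL(callbackUrl).searchParams;
  const code = q.get('code'), state = q.get('state');
  return code && state && eq(state, txn.state) ? code : null;
}

// After the token exchange: the ID token's nonce must match the cookie value.
export function checkNonce(claims: { nonce?: string }, txn: OAuthTxn): boolean {
  return typeof claims.nonce === 'string' && eq(claims.nonce, txn.nonce);
}
```

The cookie should be cleared once the callback has consumed it, so a replayed callback URL cannot pass the state check a second time.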

## Review Checklist
- [x] All tasks completed
- [x] Code follows project conventions
- [ ] No unintended side effects
- [ ] Build passes
- [ ] Tests pass (new + existing)

## Handoff to Next Phase
- Installed `openid-client` v6.8.2 as a runtime dependency.
- OAuth flow issues local JWT tokens, so hooks.server.ts required no changes.
- New API endpoint `POST /api/admin/oauth/test` added for the test connection button in SettingsForm.
- `findOrCreateByOAuth()` syncs OAuth groups to local groups by name (groups must pre-exist locally).
- Login page conditionally renders OAuth button and/or local form based on `authMode` from SystemSettings.
- OIDC discovery result is cached in-memory and invalidated when the admin tests the connection.
- Phase 2 (DnD) and Phase 3 (Localization) are independent and can proceed in parallel.