alexei.dolgolyov/web-app-launcher
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
d479726fe3521a32b1bb47d79a9a3850a1b4aaa2
web-app-launcher/plans/phase-2-enhanced-features/phase-1-oauth.md
T
alexei.dolgolyov 1c0a7cb850 feat: Phases 4-7 — Full Feature Expansion (26 features) 
Phase 4 — New Widget Types:
- Clock/Weather, System Stats, RSS/Feed, Calendar, Markdown,
  Metric/Counter, Link Group, Camera/Stream widgets
- Backend services with caching for each data source
- Full creation form with dynamic config fields per type

Phase 5 — Visual & Styling Enhancements:
- Glassmorphism card style (solid/glass/outline)
- Board-level themes with per-board hue/saturation
- Animated SVG status rings replacing static dots
- Card size options (compact/medium/large)
- Custom CSS injection (admin + per-board, sanitized)
- Wallpaper backgrounds with blur/overlay/parallax

Phase 6 — Functional Features:
- Favorites bar with drag-and-drop reordering
- Recent apps tracking with privacy toggle
- Uptime dashboard page (/status, guest-accessible)
- Notifications system (Discord/Slack/Telegram/HTTP webhooks)
- App tags with filtering in board view
- Multi-URL app cards with expandable sub-links
- Personal API tokens with scoped permissions
- Audit log with retention and admin viewer

Phase 7 — Quality of Life:
- Onboarding wizard (5-step first-launch setup)
- App URL health preview with favicon/title detection
- Board templates (4 built-in + custom import/export)
- Keyboard shortcut overlay (j/k nav, 1-9 boards, ? help)

212 files changed, 15641 insertions, 980 deletions.
Build, lint, type check, and 222 tests all pass.
2026-03-25 14:18:10 +03:00

3.4 KiB
Raw Blame History

Phase 1: OAuth/Authentik Integration

Status: Complete Parent plan: PLAN.md Domain: fullstack

Objective

Add OIDC/OAuth2 authentication via Authentik, including redirect/callback flows, auto-provisioning users, and admin configuration UI.

Tasks

  • Task 1: Create src/lib/server/services/oauthService.ts — OIDC client setup, discovery, token exchange
  • Task 2: Create src/routes/auth/oauth/authorize/+server.ts — redirect to Authentik with PKCE
  • Task 3: Create src/routes/auth/oauth/callback/+server.ts — handle callback, exchange code, provision user
  • Task 4: Update src/lib/server/services/userService.ts — add findOrCreateByOAuth() for auto-provisioning
  • Task 5: Update src/routes/login/+page.svelte — show OAuth button when auth mode is OAUTH or BOTH
  • Task 6: Update src/routes/login/+page.server.ts — load auth mode from SystemSettings
  • Task 7: Update src/routes/admin/settings/+page.svelte — make OAuth config fields functional (client ID, secret, discovery URL)
  • Task 8: Update src/lib/components/admin/SettingsForm.svelte — add OAuth test connection button
  • Task 9: Update src/hooks.server.ts — handle OAuth sessions alongside local JWT sessions (no changes needed — existing JWT hook handles OAuth users transparently)
  • Task 10: Add env vars to .env.example — OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, OAUTH_DISCOVERY_URL, OAUTH_REDIRECT_URI

Files to Modify/Create

  • src/lib/server/services/oauthService.ts — NEW
  • src/routes/auth/oauth/authorize/+server.ts — NEW
  • src/routes/auth/oauth/callback/+server.ts — NEW
  • src/lib/server/services/userService.ts — MODIFY
  • src/routes/login/+page.svelte — MODIFY
  • src/routes/login/+page.server.ts — MODIFY
  • src/routes/admin/settings/+page.svelte — MODIFY
  • src/lib/components/admin/SettingsForm.svelte — MODIFY
  • src/hooks.server.ts — MODIFY
  • .env.example — MODIFY

Acceptance Criteria

  • OAuth login redirects to Authentik and returns with valid session
  • New OAuth users are auto-provisioned with correct role/groups
  • Existing users can link OAuth identity
  • Admin can configure OAuth provider in settings
  • Auth mode selector (local/oauth/both) controls which login options appear
  • Login page shows appropriate buttons based on auth mode

Notes

  • Use openid-client for OIDC discovery and token exchange
  • Store OAuth state/nonce in HTTP-only cookies for CSRF protection
  • Map Authentik groups to local groups by name
  • OAuth users have nullable password field
  • ⚠️ Big Bang: may not fully work until Phase 5 integration

Review Checklist

  • All tasks completed
  • Code follows project conventions
  • No unintended side effects
  • Build passes
  • Tests pass (new + existing)

Handoff to Next Phase

  • Installed openid-client v6.8.2 as a runtime dependency.
  • OAuth flow issues local JWT tokens, so hooks.server.ts required no changes.
  • New API endpoint POST /api/admin/oauth/test added for the test connection button in SettingsForm.
  • findOrCreateByOAuth() syncs OAuth groups to local groups by name (groups must pre-exist locally).
  • Login page conditionally renders OAuth button and/or local form based on authMode from SystemSettings.
  • OIDC discovery result is cached in-memory and invalidated when the admin tests the connection.
  • Phase 2 (DnD) and Phase 3 (Localization) are independent and can proceed in parallel.
Reference in New Issue View Git Blame Copy Permalink