Authentication v1.2.0

PostgreSQL session store, OpenID Connect SSO, and Passport strategy refactor

What’s new

PostgreSQL-backed session store

Sessions are now persisted in PostgreSQL using connect-pg-simple. A background job automatically purges stale sessions, preventing unbounded table growth over time.

Breaking change: SESSION_SECRET is now a required environment variable. The service will refuse to start without it. Generate a value with openssl rand -base64 48 and add it to your deployment before upgrading.

OpenID Connect (OIDC) SSO

Single sign-on via OpenID Connect is now fully supported. Once configured, a provider sign-in button appears on the login screen alongside the existing email/password form. OIDC configuration is managed through the admin config API — no service restart is required after changing settings.

New endpoints:

| Method | Path | Auth | Description |
|--------|------|------|-------------|
| GET | /oidc/enabled | Public | Returns whether OIDC is configured |
| GET | /login/oidc | Public | Initiates the OIDC authorization flow (redirects to provider) |
| GET | /login/oidc/callback | Public | Handles the provider redirect callback and issues tokens |
| GET | /config | Admin | Retrieve the full authentication configuration including OIDC settings |
| GET | /config/public | Public | Retrieve sanitized config (oidcEnabled, oidcProviderName, signupEnabled) |
| PATCH | /config | Admin | Update authentication configuration including OIDC credentials |

Improvements

  • Refactored authentication strategies to use the Passport strategy pattern, making it straightforward to add additional providers in future releases
  • Improved error logging for OIDC authentication exceptions to aid debugging of provider misconfiguration

Breaking changes

SESSION_SECRET is now required. The service will not start without it.

Upgrade notes

  1. Generate a session secret: openssl rand -base64 48
  2. Add SESSION_SECRET to your environment (add APP_URL for OIDC redirect URL generation)
  3. The session table is created automatically on first startup
  4. See the updated Getting Started guide for a revised docker-compose.yml
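
A pre-flight check for steps 1 and 2, as an added example that is not part of the service's own code: it verifies SESSION_SECRET before the upgrade and derives the callback URL to register with the OIDC provider. The 32-byte minimum, the function names, and the rule that the redirect URI is APP_URL followed by /login/oidc/callback are assumptions.

```javascript
// Added example: pre-flight check of the environment before upgrading to v1.2.0.
// MIN_SECRET_BYTES and the redirect URI derivation are assumptions, not the
// service's own validation logic.
const MIN_SECRET_BYTES = 32;
const OIDC_CALLBACK_PATH = "/login/oidc/callback"; // path from the endpoint table

function secretByteLength(secret) {
  // `openssl rand -base64 48` emits 64 base64 characters encoding 48 random bytes.
  const looksBase64 = /^[A-Za-z0-9+/]+={0,2}$/.test(secret) && secret.length % 4 === 0;
  // For non-base64 text this counts raw bytes, which overstates its entropy.
  return looksBase64 ? Buffer.from(secret, "base64").length : Buffer.byteLength(secret, "utf8");
}

function checkUpgradeEnv(env) {
  const problems = [];
  const secret = (env.SESSION_SECRET || "").trim();
  if (secret === "") {
    problems.push("SESSION_SECRET is not set: the service will refuse to start");
  } else if (secretByteLength(secret) < MIN_SECRET_BYTES) {
    problems.push(`SESSION_SECRET is shorter than ${MIN_SECRET_BYTES} bytes`);
  }

  let redirectUri = null; // the value to register with the OIDC provider
  if (env.APP_URL) {
    try {
      const base = new URL(env.APP_URL);
      const isLocal = ["localhost", "127.0.0.1"].includes(base.hostname);
      if (base.protocol !== "https:" && !isLocal) {
        problems.push("APP_URL is not https: the OIDC callback would travel over plain HTTP");
      }
      redirectUri = base.origin + base.pathname.replace(/\/+$/, "") + OIDC_CALLBACK_PATH;
    } catch {
      problems.push("APP_URL is not an absolute URL");
    }
  }
  return { ok: problems.length === 0, problems, redirectUri };
}

// Constructed sample values (the secret is deterministic filler, never deploy it).
const sampleSecret = Buffer.from(Array.from({ length: 48 }, (_, i) => (i * 37 + 11) % 256)).toString("base64");
console.log(checkUpgradeEnv({ SESSION_SECRET: sampleSecret, APP_URL: "https://auth.example.com/" }));
console.log(checkUpgradeEnv({ SESSION_SECRET: "changeme", APP_URL: "http://auth.example.com" }));
```

Pass process.env to checkUpgradeEnv in a deploy script and stop the rollout when ok is false.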