From cc0753ececc7df2dbf1340e262f0996535d1c41e Mon Sep 17 00:00:00 2001
From: initstring <26131150+initstring@users.noreply.github.com>
Date: Sat, 17 Jan 2026 21:16:25 +1100
Subject: [PATCH 1/2] Disable demo auth when SSO enabled
---
 docs/installation.md | 2 +-
 src/app/(public-routes)/auth/signin/page.tsx | 3 +-
 src/server/auth/config.ts | 43 ++++++++++++--------
 3 files changed, 28 insertions(+), 20 deletions(-)
diff --git a/docs/installation.md b/docs/installation.md
index 7045c17..41b8290 100644
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -29,7 +29,7 @@ Minimum values to edit:
 RTAP supports SSO or a demo login button. Supported SSO providers today are Google, GitHub, GitLab, Keycloak, and Okta. If you need another provider, open an issue and we can add it.
 - **SSO (recommended):** configure your provider's details (client ID/secret, plus issuer for Keycloak/Okta) using the variable names provided in the .env file.
-- **Demo mode:** set `ENABLE_DEMO_MODE=true`. This exposes a “Sign in as Demo Admin” button and **anyone with access to the sign-in page can log in without an account**. Use only for isolated testing or demos.
+- **Demo mode:** set `ENABLE_DEMO_MODE=true`. This exposes a “Sign in as Demo Admin” button and **anyone with access to the sign-in page can log in without an account**. Use only for isolated testing or demos. Demo mode is automatically disabled when any SSO provider is configured.
 For any SSO provider, configure the following in your identity provider console:
diff --git a/src/app/(public-routes)/auth/signin/page.tsx b/src/app/(public-routes)/auth/signin/page.tsx
index 9ed6450..6ecc443 100644
--- a/src/app/(public-routes)/auth/signin/page.tsx
+++ b/src/app/(public-routes)/auth/signin/page.tsx
@@ -10,12 +10,13 @@ export default async function SignInPage(props: { searchParams?: Promise<{ callb
 }
 const { callbackUrl = "/", error } = (await props.searchParams) ?? {};
- const demoEnabled = env.ENABLE_DEMO_MODE === "true";
 const googleEnabled = Boolean(env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET);
 const githubEnabled = Boolean(env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET);
 const gitlabEnabled = Boolean(env.GITLAB_CLIENT_ID && env.GITLAB_CLIENT_SECRET);
 const keycloakEnabled = Boolean(env.KEYCLOAK_CLIENT_ID && env.KEYCLOAK_CLIENT_SECRET && env.KEYCLOAK_ISSUER);
 const oktaEnabled = Boolean(env.OKTA_CLIENT_ID && env.OKTA_CLIENT_SECRET && env.OKTA_ISSUER);
+ const ssoEnabled = googleEnabled || githubEnabled || gitlabEnabled || keycloakEnabled || oktaEnabled;
+ const demoEnabled = env.ENABLE_DEMO_MODE === "true" && !ssoEnabled;
 return ( => 
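Review bot: `ssoEnabled` repeats by hand the provider predicate that src/server/auth/config.ts also computes (as `ssoProvidersEnabled`, visible in the second patch), so the sign-in page and the auth configuration can drift apart when a provider is added to only one of them. This flag only decides whether the demo button is rendered; whether a demo sign-in is accepted is decided on the server, presumably by `demoModeEnabled` in config.ts, whose use is not visible in these hunks. I would export one predicate from a shared server module and call it in both places, for example a helper used as `const demoEnabled = isDemoModeEnabled();`, so the button and the enforcement cannot disagree. SignInPage's body continues outside the hunk.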
@@ -196,51 +203,51 @@ export const authConfig = {
 : []),
 // Conditionally register providers when env credentials are available.
 // Actual enablement is enforced via DB in the signIn callback/UI.
- ...(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET
+ ...(env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET
 ? [
 GoogleProvider({
- clientId: process.env.GOOGLE_CLIENT_ID,
- clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+ clientId: env.GOOGLE_CLIENT_ID,
+ clientSecret: env.GOOGLE_CLIENT_SECRET,
 // We trust the locally provisioned accounts and block unknown e-mails in the
 // sign-in callback, so allow Auth.js to link Google users directly by e-mail.
 allowDangerousEmailAccountLinking: true,
 }),
 ]
 : []),
- ...(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET
+ ...(env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET
 ? [
 GitHubProvider({
- clientId: process.env.GITHUB_CLIENT_ID,
- clientSecret: process.env.GITHUB_CLIENT_SECRET,
+ clientId: env.GITHUB_CLIENT_ID,
+ clientSecret: env.GITHUB_CLIENT_SECRET,
 allowDangerousEmailAccountLinking: true,
 }),
 ]
 : []),
- ...(process.env.GITLAB_CLIENT_ID && process.env.GITLAB_CLIENT_SECRET
+ ...(env.GITLAB_CLIENT_ID && env.GITLAB_CLIENT_SECRET
 ? [
 GitLabProvider({
- clientId: process.env.GITLAB_CLIENT_ID,
- clientSecret: process.env.GITLAB_CLIENT_SECRET,
+ clientId: env.GITLAB_CLIENT_ID,
+ clientSecret: env.GITLAB_CLIENT_SECRET,
 allowDangerousEmailAccountLinking: true,
 }),
 ]
 : []),
- ...(process.env.KEYCLOAK_CLIENT_ID && process.env.KEYCLOAK_CLIENT_SECRET && process.env.KEYCLOAK_ISSUER
+ ...(env.KEYCLOAK_CLIENT_ID && env.KEYCLOAK_CLIENT_SECRET && env.KEYCLOAK_ISSUER
 ? [
 KeycloakProvider({
- clientId: process.env.KEYCLOAK_CLIENT_ID,
- clientSecret: process.env.KEYCLOAK_CLIENT_SECRET,
- issuer: process.env.KEYCLOAK_ISSUER,
+ clientId: env.KEYCLOAK_CLIENT_ID,
+ clientSecret: env.KEYCLOAK_CLIENT_SECRET,
+ issuer: env.KEYCLOAK_ISSUER,
 allowDangerousEmailAccountLinking: true,
 }),
 ]
 : []),
- ...(process.env.OKTA_CLIENT_ID && process.env.OKTA_CLIENT_SECRET && process.env.OKTA_ISSUER
+ ...(env.OKTA_CLIENT_ID && env.OKTA_CLIENT_SECRET && env.OKTA_ISSUER
 ? [
 OktaProvider({
- clientId: process.env.OKTA_CLIENT_ID,
- clientSecret: process.env.OKTA_CLIENT_SECRET,
- issuer: process.env.OKTA_ISSUER,
+ clientId: env.OKTA_CLIENT_ID,
+ clientSecret: env.OKTA_CLIENT_SECRET,
+ issuer: env.OKTA_ISSUER,
 allowDangerousEmailAccountLinking: true,
 }),
 ]
From c735387e0aaddfb4640d4e1238af57dbe5e126fc Mon Sep 17 00:00:00 2001
From: initstring <26131150+initstring@users.noreply.github.com>
Date: Sat, 17 Jan 2026 21:21:10 +1100
Subject: [PATCH 2/2] Fix SSO demo mode linting
---
 src/server/auth/config.ts | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/server/auth/config.ts b/src/server/auth/config.ts
index d90553a..fb79887 100644
--- a/src/server/auth/config.ts
+++ b/src/server/auth/config.ts
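Review bot: In the provider list of the first patch's config.ts hunk, the comment that justifies `allowDangerousEmailAccountLinking: true` sits only on the Google entry, while the GitHub, GitLab, Keycloak and Okta entries set the same flag with no stated reason. Linking by e-mail is only as strong as each identity provider's e-mail verification, and once demo login is disabled under SSO these providers carry the whole sign-in decision. I would move the rationale above the list or repeat a short form on each entry, e.g. `// Linked by e-mail: unknown e-mails are rejected in the signIn callback; the IdP must verify e-mail ownership.` The signIn callback is outside this hunk, so the existing comment's claim that unknown e-mails are blocked cannot be confirmed from here.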
@@ -43,13 +43,13 @@ declare module "@auth/core/adapters" {
 // Local extension for JWT to carry role information
 type AugmentedJWT = NextAuthJWT & { role?: UserRole };
-const ssoProvidersEnabled = Boolean(
- (env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET)
- || (env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET)
- || (env.GITLAB_CLIENT_ID && env.GITLAB_CLIENT_SECRET)
- || (env.KEYCLOAK_CLIENT_ID && env.KEYCLOAK_CLIENT_SECRET && env.KEYCLOAK_ISSUER)
- || (env.OKTA_CLIENT_ID && env.OKTA_CLIENT_SECRET && env.OKTA_ISSUER),
-);
+const ssoProvidersEnabled = [
+ env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET,
+ env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET,
+ env.GITLAB_CLIENT_ID && env.GITLAB_CLIENT_SECRET,
+ env.KEYCLOAK_CLIENT_ID && env.KEYCLOAK_CLIENT_SECRET && env.KEYCLOAK_ISSUER,
+ env.OKTA_CLIENT_ID && env.OKTA_CLIENT_SECRET && env.OKTA_ISSUER,
+].some(Boolean);
 const demoModeEnabled = env.ENABLE_DEMO_MODE === "true" && !ssoProvidersEnabled;
 const oauthProviders = new Set(["google", "github", "gitlab", "keycloak", "okta"]);
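Review bot: `ssoProvidersEnabled` is true only when a provider's variable set is complete, so a partly configured provider (for example `KEYCLOAK_CLIENT_ID` and `KEYCLOAK_CLIENT_SECRET` set but `KEYCLOAK_ISSUER` missing) leaves it false and `demoModeEnabled` follows `ENABLE_DEMO_MODE` again. On a deployment that still carries `ENABLE_DEMO_MODE=true`, an incomplete or mistyped SSO setting would therefore bring back the account-less demo admin login instead of failing closed. I would gate demo mode on whether any SSO variable is set at all and keep `ssoProvidersEnabled` for provider registration; the sign-in page's `ssoEnabled` would need the same change. How `env` treats empty strings is not visible here, so confirm that `KEY=` in a .env file counts as unset.

```typescript
// Any SSO variable being set means SSO is intended, even if the set is incomplete.
const ssoConfigAttempted = [
  env.GOOGLE_CLIENT_ID, env.GOOGLE_CLIENT_SECRET,
  env.GITHUB_CLIENT_ID, env.GITHUB_CLIENT_SECRET,
  env.GITLAB_CLIENT_ID, env.GITLAB_CLIENT_SECRET,
  env.KEYCLOAK_CLIENT_ID, env.KEYCLOAK_CLIENT_SECRET, env.KEYCLOAK_ISSUER,
  env.OKTA_CLIENT_ID, env.OKTA_CLIENT_SECRET, env.OKTA_ISSUER,
].some(Boolean);
// … unchanged: ssoProvidersEnabled …
const demoModeEnabled = env.ENABLE_DEMO_MODE === "true" && !ssoConfigAttempted;
```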