feat(auth): Add web authentication with django-allauth

Add social login (GitHub, GitLab), passwordless login-by-code,
styled login/dashboard pages, and API key management UI.

- django-allauth with conditional provider registration
- Tailwind CSS v4 via standalone CLI (ARM-compatible)
- WhiteNoise for static file serving
- Dark-themed login, code entry, dashboard, and API keys pages
- setup_default_site management command (reads DAIV_EXTERNAL_URL)
- Custom social account adapter for GitLab server URL separation

Author: srtab

CHANGELOG.md

@@ -13,6 +13,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Added web-based authentication via django-allauth with GitHub and GitLab social login, passwordless login-by-code for existing users, and a styled dark-themed login page. Includes a post-login dashboard with API key management (create, list, revoke).
+
 - Added `setup_langsmith_dashboard` management command to create a pre-configured LangSmith custom dashboard with 27 monitoring charts covering trace volume, latency, cost, tool usage, model comparison, and pipeline health. Supports `--project` and `--recreate` options.
 - Added `model` and `thinking_level` metadata to all LangSmith traces, enabling per-model dashboards and A/B comparison when switching between models.
 - Added async Jobs API (`POST /api/jobs`, `GET /api/jobs/{id}`) for programmatic agent execution with configurable per-user rate limiting (`JOBS_THROTTLE_RATE`). Enables scheduled CI pipelines, Slack bots, and scripted workflows to trigger DAIV agents without blocking.

Makefile

@@ -1,6 +1,6 @@
 # Makefile
 
-.PHONY: help setup test test-ci lint lint-check lint-format lint-fix lint-typing evals
+.PHONY: help setup test test-ci lint lint-check lint-format lint-fix lint-typing evals tailwind-build tailwind-watch
 
 help:
 	@echo "Available commands:"
@@ -103,5 +103,11 @@ swerebench-clean:
 docs-serve:
 	uv run --only-group=docs mkdocs serve -o -a localhost:4000 -w docs/
 
+tailwind-build:
+	docker compose exec app tailwindcss -i daiv/accounts/static_src/css/input.css -o daiv/accounts/static/accounts/css/styles.css --minify
+
+tailwind-watch:
+	docker compose exec app tailwindcss -i daiv/accounts/static_src/css/input.css -o daiv/accounts/static/accounts/css/styles.css --watch
+
 langsmith-fetch:
 	uv run langsmith-fetch traces --project-uuid 00d1a04e-0087-4813-9a18-5995cd5bee5c --limit 1 ./daiv-traces

daiv/accounts/adapter.py

@@ -0,0 +1,14 @@
+from allauth.account.adapter import DefaultAccountAdapter
+from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
+
+
+class AccountAdapter(DefaultAccountAdapter):
+    def is_open_for_signup(self, request):
+        """Disable standard email/password signup. Users are created via social providers only."""
+        return False
+
+
+class SocialAccountAdapter(DefaultSocialAccountAdapter):
+    def is_open_for_signup(self, request, sociallogin):
+        """Allow new user creation via social providers (GitHub, GitLab)."""
+        return True

daiv/accounts/forms.py

@@ -0,0 +1,11 @@
+from django import forms
+
+from accounts.models import APIKey
+
+
+class APIKeyCreateForm(forms.ModelForm):
+    name = forms.CharField(max_length=128)
+
+    class Meta:
+        model = APIKey
+        fields = ["name"]

daiv/accounts/management/commands/setup_default_site.py

@@ -0,0 +1,20 @@
+from django.conf import settings
+from django.contrib.sites.models import Site
+from django.core.management.base import BaseCommand, CommandError
+
+from core.conf import settings as core_settings
+
+
+class Command(BaseCommand):
+    help = "Update the default Site domain from DAIV_EXTERNAL_URL."
+
+    def handle(self, *args, **options):
+        domain = core_settings.EXTERNAL_URL.host
+        if not domain:
+            raise CommandError("DAIV_EXTERNAL_URL has no valid host. Check your DAIV_EXTERNAL_URL setting.")
+
+        rows = Site.objects.filter(pk=settings.SITE_ID).update(domain=domain, name="DAIV")
+        if rows == 0:
+            raise CommandError(f"Site with pk={settings.SITE_ID} does not exist. Run 'migrate' first.")
+
+        self.stdout.write(self.style.SUCCESS(f"Default site updated: domain={domain}, name=DAIV"))

daiv/accounts/socialaccount.py

@@ -0,0 +1,35 @@
+from allauth.core import context
+from allauth.socialaccount.adapter import get_adapter
+from allauth.socialaccount.providers.gitlab.views import GitLabOAuth2Adapter
+from allauth.socialaccount.providers.oauth2.views import OAuth2CallbackView, OAuth2LoginView
+
+
+class GitLabServerAwareAdapter(GitLabOAuth2Adapter):
+    """
+    GitLab adapter that supports a separate ``gitlab_server_url`` app setting
+    for server-side HTTP calls (token exchange, profile fetch).  This is needed
+    in Docker/compose environments where the browser-facing URL differs from
+    the URL reachable inside the container network.
+
+    When ``gitlab_server_url`` is empty or absent the adapter falls back to the
+    standard ``gitlab_url``.
+    """
+
+    def _build_server_url(self, path):
+        app = get_adapter().get_app(context.request, provider=self.provider_id)
+        server_url = app.settings.get("gitlab_server_url")
+        if server_url:
+            return f"{server_url}{path}"
+        return self._build_url(path)
+
+    @property
+    def access_token_url(self):
+        return self._build_server_url("/oauth/token")
+
+    @property
+    def profile_url(self):
+        return self._build_server_url(f"/api/{self.provider_api_version}/user")
+
+
+oauth2_login = OAuth2LoginView.adapter_view(GitLabServerAwareAdapter)
+oauth2_callback = OAuth2CallbackView.adapter_view(GitLabServerAwareAdapter)

daiv/accounts/static/accounts/css/styles.css

@@ -0,0 +1,20 @@
+@import "tailwindcss";
+
+@theme {
+  --font-sans: "Outfit", ui-sans-serif, system-ui, sans-serif;
+}
+
+@keyframes fade-up {
+  from {
+    opacity: 0;
+    transform: translateY(10px);
+  }
+}
+
+a, button, [role="button"] {
+  cursor: pointer;
+}
+
+.animate-fade-up {
+  animation: fade-up 0.5s ease-out both;
+}

daiv/accounts/static/accounts/img/logo.png

@@ -0,0 +1,63 @@
+{% extends "base.html" %}
+{% load static %}
+
+{% block title %}Enter code — DAIV{% endblock %}
+
+{% block content %}
+<div class="relative flex min-h-dvh items-center justify-center overflow-hidden px-4">
+    <div class="pointer-events-none absolute inset-0"
+         style="background: radial-gradient(ellipse 60% 50% at 50% 40%, rgba(255,255,255,0.025) 0%, transparent 100%)"></div>
+    <div class="pointer-events-none absolute inset-0 opacity-30"
+         style="background-image: radial-gradient(circle at 1px 1px, rgba(255,255,255,0.07) 1px, transparent 0); background-size: 32px 32px"></div>
+
+    <div class="relative w-full max-w-[380px]">
+        <!-- Logo -->
+        <div class="animate-fade-up mb-10 flex flex-col items-center">
+            <img src="{% static 'accounts/img/logo.png' %}" alt="DAIV" class="h-10">
+        </div>
+
+        <!-- Icon + message -->
+        <div class="animate-fade-up mb-8 text-center" style="animation-delay: 80ms">
+            <div class="mx-auto mb-4 flex h-12 w-12 items-center justify-center rounded-full border border-white/[0.08] bg-white/[0.03]">
+                <svg class="h-5 w-5 text-gray-400" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
+                    <path stroke-linecap="round" stroke-linejoin="round" d="M21.75 6.75v10.5a2.25 2.25 0 0 1-2.25 2.25h-15a2.25 2.25 0 0 1-2.25-2.25V6.75m19.5 0A2.25 2.25 0 0 0 19.5 4.5h-15a2.25 2.25 0 0 0-2.25 2.25m19.5 0v.243a2.25 2.25 0 0 1-1.07 1.916l-7.5 4.615a2.25 2.25 0 0 1-2.36 0L3.32 8.91a2.25 2.25 0 0 1-1.07-1.916V6.75"/>
+                </svg>
+            </div>
+            <h2 class="text-[16px] font-semibold text-white">Check your email</h2>
+            <p class="mt-2 text-[14px] font-light text-gray-400">
+                We sent a login code to your inbox.<br>Enter it below to continue.
+            </p>
+        </div>
+
+        <form method="post" class="animate-fade-up" style="animation-delay: 160ms">
+            {% csrf_token %}
+            <div class="space-y-3">
+                {% for field in form %}
+                <div>
+                    {% if field.errors %}
+                    <p class="mb-2 text-[14px] text-red-400">{{ field.errors.0 }}</p>
+                    {% endif %}
+                    <input type="text"
+                           name="{{ field.html_name }}"
+                           id="{{ field.id_for_label }}"
+                           value="{{ field.value|default:'' }}"
+                           {% if field.field.required %}required{% endif %}
+                           autocomplete="one-time-code"
+                           inputmode="numeric"
+                           placeholder="Enter code"
+                           class="block w-full rounded-xl border border-white/[0.06] bg-white/[0.03] px-4 py-3.5 text-center text-lg font-semibold tracking-[0.3em] text-white placeholder-gray-500 outline-none transition-all duration-200 focus:border-white/[0.15] focus:bg-white/[0.05] focus:ring-1 focus:ring-white/[0.08]">
+                </div>
+                {% endfor %}
+                <button type="submit"
+                        class="w-full rounded-xl bg-white px-4 py-3 text-[14px] font-semibold text-[#030712] transition-all duration-200 hover:bg-gray-200 active:scale-[0.98]">
+                    Verify &amp; sign in
+                </button>
+            </div>
+        </form>
+
+        <p class="animate-fade-up mt-6 text-center text-[14px] text-gray-500" style="animation-delay: 220ms">
+            <a href="{% url 'account_login' %}" class="text-gray-400 transition-colors hover:text-white">Back to sign in</a>
+        </p>
+    </div>
+</div>
+{% endblock %}