Add SSO login support to MCR web UI

MCR can now redirect users to MCIAS for login instead of showing its own login form. This enables passkey/FIDO2 authentication since WebAuthn credentials are bound to MCIAS's domain. - Add optional [sso] config section with redirect_uri - Add handleSSOLogin (redirects to MCIAS) and handleSSOCallback (exchanges code for JWT, validates roles, sets session cookie) - SSO is opt-in: when redirect_uri is empty, the existing login form is used (backward compatible) - Guest role check preserved in SSO callback path - Return-to URL preserved across the SSO redirect - Uses mcdsl/sso package (local replace for now) Security: - State cookie uses SameSite=Lax for cross-site redirect compatibility - Session cookie remains SameSite=Strict (same-site only after login) - Code exchange is server-to-server over TLS 1.3 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 15:30:30 -07:00
parent 8c654a5537
commit 18756f62b7
9 changed files with 392 additions and 6 deletions
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,9 +1,10 @@
-# git.wntrmute.dev/mc/mcdsl v1.2.0
+# git.wntrmute.dev/mc/mcdsl v1.2.0 => ../mcdsl
 ## explicit; go 1.25.7
 git.wntrmute.dev/mc/mcdsl/auth
 git.wntrmute.dev/mc/mcdsl/config
 git.wntrmute.dev/mc/mcdsl/db
 git.wntrmute.dev/mc/mcdsl/grpcserver
+git.wntrmute.dev/mc/mcdsl/sso
 # github.com/dustin/go-humanize v1.0.1
 ## explicit; go 1.16
 github.com/dustin/go-humanize
@@ -197,3 +198,4 @@ modernc.org/memory
 modernc.org/sqlite
 modernc.org/sqlite/lib
 modernc.org/sqlite/vtab
+# git.wntrmute.dev/mc/mcdsl => ../mcdsl