Add SSO login support

- Add [sso] config section with redirect_uri - Create mcdsl/sso client when SSO is configured - Add /login (landing page), /sso/redirect, /sso/callback routes - Add /logout route - Update login template with SSO landing page variant - Bump mcdsl to v1.6.0 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 20:23:25 -07:00
parent ae4cc8b420
commit 647fd26e60
2619 changed files with 6833933 additions and 9 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -10,13 +10,14 @@ import (

 // Config is the top-level configuration for Metacrypt.
 type Config struct {
-	Server   ServerConfig   `toml:"server"`
-	Web      WebConfig      `toml:"web"`
-	MCIAS    MCIASConfig    `toml:"mcias"`
+	Server   ServerConfig               `toml:"server"`
+	Web      WebConfig                  `toml:"web"`
+	MCIAS    MCIASConfig                `toml:"mcias"`
+	SSO      SSOConfig                  `toml:"sso"`
 	Database mcdslconfig.DatabaseConfig `toml:"database"`
 	Log      mcdslconfig.LogConfig      `toml:"log"`
-	Seal     SealConfig     `toml:"seal"`
-	Audit    AuditConfig    `toml:"audit"`
+	Seal     SealConfig                 `toml:"seal"`
+	Audit    AuditConfig                `toml:"audit"`
 }

 // ServerConfig holds HTTP/gRPC server settings. It embeds the standard
@@ -33,6 +34,13 @@ type MCIASConfig struct {
 	ServiceToken string `toml:"service_token"`
 }

+// SSOConfig holds SSO redirect settings for the web UI.
+type SSOConfig struct {
+	// RedirectURI is the callback URL that MCIAS redirects to after login.
+	// Must exactly match the redirect_uri registered in MCIAS config.
+	RedirectURI string `toml:"redirect_uri"`
+}
+
 // WebConfig holds settings for the standalone web UI server (metacrypt-web).
 type WebConfig struct {
 	// ListenAddr is the address the web server listens on (default: 127.0.0.1:8080).