Add authenticated login and SSO protection

2026-05-29 15:54:13 +08:00
parent e36f28a668
commit 0648874801
50 changed files with 1853 additions and 63 deletions
--- a/.env.example
+++ b/.env.example
@@ -9,6 +9,21 @@ NEXT_PUBLIC_APP_URL=http://127.0.0.1:3000
 ZHINIAN_RUNTIME_DIR=.runtime
 ZHINIAN_PUBLIC_BASE_URL=http://127.0.0.1:3000

+# Account login / Web SSO.
+# Production requires login by default. Set ZHINIAN_AUTH_REQUIRED=0 only for trusted local development.
+ZHINIAN_AUTH_REQUIRED=auto
+ZHINIAN_AUTH_BASE_URL=https://<gateway-domain>/auth
+ZHINIAN_AUTH_CLIENT_ID=customPC
+ZHINIAN_AUTH_CLIENT_SECRET=
+ZHINIAN_AUTH_SCOPE=server
+ZHINIAN_AUTH_ISSUER=https://pig4cloud.com
+ZHINIAN_AUTH_SESSION_SECRET=change-me-to-a-long-random-secret
+# Optional overrides when endpoints do not follow AUTH_BASE defaults.
+ZHINIAN_AUTH_AUTHORIZE_URL=
+ZHINIAN_AUTH_TOKEN_URL=
+ZHINIAN_AUTH_JWKS_URL=
+ZHINIAN_AUTH_LOGOUT_URL=
+
 # Public API v1 and worker task management.
 # Format: clientId:key,anotherClient:anotherKey
 ZHINIAN_API_KEYS=demo-agent:change-me-public-api-key