Add authenticated login and SSO protection

inman
2026-05-29 15:54:13 +08:00
parent e36f28a668
commit 0648874801
50 changed files with 1853 additions and 63 deletions


@@ -4,7 +4,7 @@
Add EvoLink GPT Image 2 as a selectable image creation engine in the settings flow, while preserving the existing Jimeng/Volcengine image engine and the current task/asset workflow.
## Current Phase
Complete - latest update: Task management and public API v1
Complete - latest update: Standalone Login Page Polish
## Phases
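Review bot: the commit subject says "Add authenticated login and SSO protection", but the rewritten "Current Phase" line only names "Standalone Login Page Polish"; since the `## Phases` section below gains three phases in this same commit, consider naming the range ("Account Login and SSO Protection" through "Standalone Login Page Polish") here so the summary line matches the scope of the change.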
@@ -94,6 +94,30 @@ Complete - latest update: Task management and public API v1
- [x] Verify tests, production build, and desktop/mobile create-page layout
- **Status:** complete
### Phase 13: Account Login and SSO Protection
- [x] Trace existing page/API access and data ownership boundaries
- [x] Add OAuth2 Authorization Code login, callback, logout, and current-user session helpers
- [x] Verify JWT locally with JWKS and validate issuer/client/scope claims
- [x] Protect browser pages and first-party UI APIs while preserving public API key and worker endpoints
- [x] Thread authenticated owner IDs through assets and generation jobs
- [x] Add focused tests, docs, env examples, and run verification
- **Status:** complete
### Phase 14: Password Captcha Login
- [x] Verify auth captcha endpoint and password grant response shape without printing tokens
- [x] Add `/api/auth/captcha` proxy and `/api/auth/password` session-issuing login endpoint
- [x] Add account/password/captcha form to `/auth/login`
- [x] Verify login creates a session and logout returns to the login page
- **Status:** complete
### Phase 15: Standalone Login Page Polish
- [x] Remove the shared top bar from `/auth/*` pages
- [x] Keep only the logo, platform name, and account login form on the login page
- [x] Remove the visible unified-auth/SSO login entry from the login page
- [x] Apply the existing GSAP motion helper layer to the standalone login layout
- [x] Verify desktop and mobile login layout has no horizontal overflow
- **Status:** complete
## Key Questions
1. How should the selected image engine be stored and exposed in settings?
2. Which current capabilities should EvoLink handle first?
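Review bot: Phase 14 adds a session-issuing `/api/auth/password` endpoint and an `/api/auth/captcha` proxy, but the checklist has no item for brute-force controls; with the image captcha as the only listed defence, add an item covering rate limiting or lockout on repeated failed password attempts and single-use captcha challenges, with a focused test next to "Verify login creates a session and logout returns to the login page". Separately, Phase 15 only hides the unified-auth/SSO entry from the page, so the Phase 13 OAuth2 login, callback and logout routes remain live; an explicit item stating whether those routes stay enabled and under test would avoid leaving an undocumented second login path.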
@@ -114,6 +138,11 @@ Complete - latest update: Task management and public API v1
| Use Docker Compose as the primary server deployment path | Gives server operators one command, persistent local runtime data, and a restart policy |
| Implement multi-task support as task management, not an external message queue | Matches user preference and keeps deployment simpler for this server product |
| Use API Key auth for public API v1 | Fastest stable server-to-server integration model for other AI systems |
| Use OAuth2 Authorization Code for the browser UI login | Matches the provided SSO guide and keeps `client_secret` on the server |
| Derive first-party owner ids from verified JWT claims as `auth:<clientId>:<user_id/sub>` | Gives logged-in users isolated assets and jobs without changing the storage schema |
| Keep `/api/v1/*` outside SSO middleware | Existing partner integrations authenticate with API keys and must not be redirected to browser login |
| Add password grant login as a first-class browser login path | The provided auth service currently accepts `customPC` password login with image captcha while `/oauth2/authorize` returns 400 for the local callback |
| Hide the unified-auth/SSO entry from the login page | The user wants a focused branded login screen with only logo, platform name, and the account login form |
## Errors Encountered
| Error | Attempt | Resolution |
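Review bot: the owner-id decision `auth:<clientId>:<user_id/sub>` leaves open which claim is used when both `user_id` and `sub` are present; since assets and jobs are keyed on this string, pick one claim (with a documented fallback) and keep the choice stable, otherwise the same user can map to two owner ids and lose access to earlier assets. The `/api/v1/*` exclusion row should also say how the prefix is matched (a path-segment match rather than a plain string prefix) so that no other route under `/api/` unintentionally escapes the SSO middleware. Finally, the password-grant row cites `/oauth2/authorize` returning 400 for the local callback as the reason for the workaround; record the suspected cause once known (the row does not say whether the local callback URI is registered with the auth service) and the condition under which the OAuth2 path would become the default again.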