feat: Oracle IAM OIDC, force password change, security hardening

- OIDC: authorization code flow, JWKS validation, JIT provisioning, group-to-role mapping, dual auth (local/oidc/both)
- Force password change: random admin password on first install, modal blocks UI until changed
- APP_SECRET required in docker-compose (fail if missing), .env.example improved
- Login page: Oracle IAM button (conditional), hide form in oidc-only mode
- OracleIamPage: test connection via backend, masked client_secret handling
- UsersPage: OIDC badge, auth_provider in list
- i18n: login.oidcButton, login.or (pt/en/es)
- README v3.1: Terminal, User Management, Security, OIDC endpoints, versioning
This commit is contained in:
nogueiraguh
2026-04-02 10:26:00 -03:00
parent 60596e790f
commit f22bb54e25
13 changed files with 514 additions and 106 deletions

View File

@@ -1,7 +1,19 @@
# Generate with: openssl rand -hex 32
APP_SECRET=change-me-generate-a-secure-random-string
# REQUIRED — Generate with: openssl rand -hex 64
# This key encrypts JWT tokens, Fernet credentials, and session data.
# It MUST be the same across container restarts and all workers.
APP_SECRET=
# JWT token expiry in hours (default: 12)
JWT_EXPIRY_HOURS=12
# Frontend port (default: 8080)
PORT=8080
# CORS allowed origins (comma-separated, e.g., https://your-domain.com)
CORS_ORIGINS=http://localhost:8080
# Timezone
TZ=America/Sao_Paulo
# Suppress OCI CLI file permission warnings
OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True