feat: Oracle IAM OIDC, force password change, security hardening

- OIDC: authorization code flow, JWKS validation, JIT provisioning, group-to-role mapping, dual auth (local/oidc/both)
- Force password change: random admin password on first install, modal blocks UI until changed
- APP_SECRET required in docker-compose (fail if missing), .env.example improved
- Login page: Oracle IAM button (conditional), hide form in oidc-only mode
- OracleIamPage: test connection via backend, masked client_secret handling
- UsersPage: OIDC badge, auth_provider in list
- i18n: login.oidcButton, login.or (pt/en/es)
- README v3.1: Terminal, User Management, Security, OIDC endpoints, versioning
This commit is contained in:
nogueiraguh
2026-04-02 10:26:00 -03:00
parent 60596e790f
commit f22bb54e25
13 changed files with 514 additions and 106 deletions

View File

@@ -10,6 +10,7 @@ export interface User {
mfa_enabled?: boolean;
timezone?: string;
auth_provider?: string;
must_change_password?: boolean;
}
export interface LoginResponse {
@@ -18,6 +19,7 @@ export interface LoginResponse {
mfa_required?: boolean;
mfa_setup?: boolean;
totp_uri?: string;
must_change_password?: boolean;
}
export const authApi = {
@@ -26,6 +28,9 @@ export const authApi = {
logout: () => client.post('/auth/logout'),
oidcLogout: () =>
client.post<never, { ok: boolean; idp_logout_url?: string }>('/auth/oidc/logout'),
me: () => client.get<never, User>('/users/me'),
changePassword: (current_password: string, new_password: string) =>