Merge branch 'main' of https://github.com/objectstack-ai/framework

zhuangjianguo · zhuangjianguo · commit 43e2dccbf547 · 2026-04-24T10:09:06.000+08:00
diff --git a/content/docs/guides/auth-sso.mdx b/content/docs/guides/auth-sso.mdx
@@ -27,7 +27,7 @@ The Studio login and registration pages automatically render **Continue with …
    For local development: `http://localhost:3000/api/v1/auth/callback/google`
 4. Copy the **Client ID** and **Client Secret**.
 
-```env
+```bash
 GOOGLE_CLIENT_ID=your-google-client-id
 GOOGLE_CLIENT_SECRET=your-google-client-secret
 
@@ -44,7 +44,7 @@ GOOGLE_CLIENT_SECRET=your-google-client-secret
    ```
 3. Copy the **Client ID** and generate a **Client Secret**.
 
-```env
+```bash
 GITHUB_CLIENT_ID=your-github-client-id
 GITHUB_CLIENT_SECRET=your-github-client-secret
 ```
@@ -58,7 +58,7 @@ GITHUB_CLIENT_SECRET=your-github-client-secret
    ```
 3. Under **Certificates & secrets**, create a new client secret.
 
-```env
+```bash
 MICROSOFT_CLIENT_ID=your-azure-app-client-id
 MICROSOFT_CLIENT_SECRET=your-azure-client-secret
 
@@ -75,7 +75,7 @@ MICROSOFT_CLIENT_SECRET=your-azure-client-secret
    ```
 3. Generate a **private key** under **Keys**.
 
-```env
+```bash
 APPLE_CLIENT_ID=your-apple-services-id
 APPLE_CLIENT_SECRET=your-apple-private-key-jwt
 ```
@@ -90,7 +90,7 @@ For enterprise single sign-on, set the `OIDC_PROVIDERS` environment variable to
 
 ### Quick start — Okta
 
-```env
+```bash
 OIDC_PROVIDERS='[
   {
     "providerId": "okta",
@@ -105,7 +105,7 @@ OIDC_PROVIDERS='[
 
 ### Quick start — Azure AD (OIDC)
 
-```env
+```bash
 OIDC_PROVIDERS='[
   {
     "providerId": "azure-ad",
@@ -119,7 +119,7 @@ OIDC_PROVIDERS='[
 
 ### Quick start — Keycloak
 
-```env
+```bash
 OIDC_PROVIDERS='[
   {
     "providerId": "keycloak",
@@ -134,7 +134,7 @@ OIDC_PROVIDERS='[
 
 ### Multiple enterprise providers
 
-```env
+```bash
 OIDC_PROVIDERS='[
   {
     "providerId": "okta",
diff --git a/content/docs/references/api/auth-endpoints.mdx b/content/docs/references/api/auth-endpoints.mdx
@@ -71,9 +71,10 @@ const result = AuthEndpoint.parse(data);
 
 | Property | Type | Required | Description |
 | :--- | :--- | :--- | :--- |
-| **id** | `string` | ✅ | Provider ID (e.g., google, github, microsoft) |
+| **id** | `string` | ✅ | Provider ID (e.g., google, github, microsoft, okta) |
 | **name** | `string` | ✅ | Display name (e.g., Google, GitHub) |
 | **enabled** | `boolean` | ✅ | Whether this provider is enabled |
+| **type** | `Enum<'social' \| 'oidc'>` | ✅ | Provider type |
 
 
 ---
diff --git a/content/docs/references/cloud/project.mdx b/content/docs/references/cloud/project.mdx
@@ -210,6 +210,7 @@ Project type (prod/sandbox/dev/test/…)
 | **createdBy** | `string` | ✅ | User ID that initiated the provisioning |
 | **metadata** | `Record<string, any>` | optional | Free-form metadata |
 | **hostname** | `string` | optional | Canonical hostname for this project (auto-generated if omitted) |
+| **templateId** | `string` | optional | Template to seed into the project on first provisioning (e.g. "crm", "todo"). Defaults to "blank". |
 
 
 ---
diff --git a/content/docs/references/system/auth-config.mdx b/content/docs/references/system/auth-config.mdx
@@ -18,8 +18,8 @@ Used in server-side configuration injection.
 ## TypeScript Usage
 
 ```typescript
-import { AdvancedAuthConfig, AuthConfig, AuthPluginConfig, AuthProviderConfig, EmailAndPasswordConfig, EmailVerificationConfig, MutualTLSConfig, SocialProviderConfig } from '@objectstack/spec/system';
-import type { AdvancedAuthConfig, AuthConfig, AuthPluginConfig, AuthProviderConfig, EmailAndPasswordConfig, EmailVerificationConfig, MutualTLSConfig, SocialProviderConfig } from '@objectstack/spec/system';
+import { AdvancedAuthConfig, AuthConfig, AuthPluginConfig, AuthProviderConfig, EmailAndPasswordConfig, EmailVerificationConfig, MutualTLSConfig, OidcProviderConfig, OidcProvidersConfig, SocialProviderConfig } from '@objectstack/spec/system';
+import type { AdvancedAuthConfig, AuthConfig, AuthPluginConfig, AuthProviderConfig, EmailAndPasswordConfig, EmailVerificationConfig, MutualTLSConfig, OidcProviderConfig, OidcProvidersConfig, SocialProviderConfig } from '@objectstack/spec/system';
 
 // Validate data
 const result = AdvancedAuthConfig.parse(data);
@@ -57,6 +57,7 @@ Advanced / low-level Better-Auth options
 | **session** | `Object` | optional |  |
 | **trustedOrigins** | `string[]` | optional | Trusted origins for CSRF protection. Supports wildcards (e.g. "https://*.example.com"). The baseUrl origin is always trusted implicitly. |
 | **socialProviders** | `Record<string, Record<string, any>>` | optional | Social/OAuth provider map forwarded to better-auth socialProviders. Keys are provider ids (google, github, apple, …). |
+| **oidcProviders** | `Object[]` | optional | List of OIDC/OAuth2 providers for enterprise SSO. Can also be provided via OIDC_PROVIDERS env var as a JSON array. |
 | **emailAndPassword** | `Object` | optional | Email and password authentication options forwarded to better-auth |
 | **emailVerification** | `Object` | optional | Email verification options forwarded to better-auth |
 | **advanced** | `Object` | optional | Advanced / low-level Better-Auth options |
@@ -146,6 +147,32 @@ Email verification options forwarded to better-auth
 | **pinning** | `Object` | optional | Certificate pinning configuration |
 
 
+---
+
+## OidcProviderConfig
+
+OIDC / Generic OAuth2 provider configuration for enterprise SSO
+
+### Properties
+
+| Property | Type | Required | Description |
+| :--- | :--- | :--- | :--- |
+| **providerId** | `string` | ✅ | Unique identifier for this provider (e.g., okta, azure-ad) |
+| **name** | `string` | optional | Display name shown in the UI (defaults to providerId) |
+| **discoveryUrl** | `string` | optional | OIDC discovery URL (.well-known/openid-configuration). When provided, authorizationUrl/tokenUrl/userInfoUrl are fetched automatically. |
+| **issuer** | `string` | optional | Expected issuer identifier for token validation |
+| **authorizationUrl** | `string` | optional | OAuth2 authorization endpoint (optional if discoveryUrl is set) |
+| **tokenUrl** | `string` | optional | OAuth2 token endpoint (optional if discoveryUrl is set) |
+| **userInfoUrl** | `string` | optional | OAuth2 userinfo endpoint (optional if discoveryUrl is set) |
+| **clientId** | `string` | ✅ | OAuth2 client ID |
+| **clientSecret** | `string` | ✅ | OAuth2 client secret |
+| **scopes** | `string[]` | optional | Requested scopes (default: openid email profile) |
+| **pkce** | `boolean` | optional | Enable PKCE (recommended for public clients) |
+
+
+---
+
+
 ---
 
 
diff --git a/packages/runtime/src/http-dispatcher.ts b/packages/runtime/src/http-dispatcher.ts
@@ -1645,7 +1645,7 @@ export class HttpDispatcher {
                             if (adapter) {
                                 const result = await adapter.createDatabase({
                                     projectId,
-                                    databaseName: `proj-${projectId}`,
+                                    databaseName: `p-${projectId.replace(/-/g, "").slice(0, 24)}`,
                                     region: 'us-east-1',
                                     storageLimitMb: req.storage_limit_mb ?? 1024,
                                 });
@@ -1908,7 +1908,7 @@ export class HttpDispatcher {
                             if (adapter) {
                                 const result = await adapter.createDatabase({
                                     projectId: id,
-                                    databaseName: `proj-${id}`,
+                                    databaseName: `p-${id.replace(/-/g, "").slice(0, 24)}`,
                                     region: 'us-east-1',
                                     storageLimitMb: envRow.storage_limit_mb ?? 1024,
                                 });
