oauth

Author: zhuangjianguo

apps/server/objectstack.config.ts

@@ -30,6 +30,7 @@ import { AnalyticsServicePlugin } from '@objectstack/service-analytics';
 import CrmApp from '../../examples/app-crm/objectstack.config';
 import TodoApp from '../../examples/app-todo/objectstack.config';
 import BiPluginManifest from '../../examples/plugin-bi/objectstack.config';
+import type { SocialProviderConfig, OidcProvidersConfig } from '@objectstack/spec/system';
 import { fileURLToPath } from 'node:url';
 import { dirname, resolve } from 'node:path';
 
@@ -41,6 +42,64 @@ const baseUrl = process.env.NEXT_PUBLIC_BASE_URL
     ? `https://${process.env.VERCEL_URL}` : undefined)
   ?? 'http://localhost:3000';
 
+function buildSocialProviders(): SocialProviderConfig | undefined {
+  const providers: SocialProviderConfig = {};
+  if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {
+    providers.google = {
+      clientId: process.env.GOOGLE_CLIENT_ID,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+      ...(process.env.GOOGLE_OAUTH_SCOPES
+        ? { scope: process.env.GOOGLE_OAUTH_SCOPES.split(',').map((s) => s.trim()) }
+        : {}),
+    };
+  }
+  if (process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET) {
+    providers.github = {
+      clientId: process.env.GITHUB_CLIENT_ID,
+      clientSecret: process.env.GITHUB_CLIENT_SECRET,
+    };
+  }
+  if (process.env.MICROSOFT_CLIENT_ID && process.env.MICROSOFT_CLIENT_SECRET) {
+    providers.microsoft = {
+      clientId: process.env.MICROSOFT_CLIENT_ID,
+      clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
+      ...(process.env.MICROSOFT_TENANT_ID
+        ? { tenantId: process.env.MICROSOFT_TENANT_ID }
+        : {}),
+    };
+  }
+  if (process.env.APPLE_CLIENT_ID && process.env.APPLE_CLIENT_SECRET) {
+    providers.apple = {
+      clientId: process.env.APPLE_CLIENT_ID,
+      clientSecret: process.env.APPLE_CLIENT_SECRET,
+    };
+  }
+  const keys = Object.keys(providers);
+  if (keys.length > 0) {
+    console.info(`[auth] enabled social providers: ${keys.join(', ')}`);
+    return providers;
+  }
+  return undefined;
+}
+
+function buildOidcProviders(): OidcProvidersConfig | undefined {
+  const raw = process.env.OIDC_PROVIDERS;
+  if (!raw) return undefined;
+  try {
+    const parsed = JSON.parse(raw) as OidcProvidersConfig;
+    if (Array.isArray(parsed) && parsed.length > 0) {
+      console.info(`[auth] enabled OIDC providers: ${parsed.map(p => p.providerId).join(', ')}`);
+      return parsed;
+    }
+  } catch {
+    console.warn('[auth] Failed to parse OIDC_PROVIDERS env var — expected a JSON array');
+  }
+  return undefined;
+}
+
+const socialProviders = buildSocialProviders();
+const oidcProviders = buildOidcProviders();
+
 // Turso driver for sys namespace — remote when env vars are configured, local SQLite otherwise
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const tursoDriver = new TursoDriver(
@@ -99,6 +158,8 @@ export default defineStack({
       secret: process.env.AUTH_SECRET ?? 'dev-secret-please-change-in-production-min-32-chars',
       baseUrl,
       plugins: { organization: true },
+      ...(socialProviders ? { socialProviders } : {}),
+      ...(oidcProviders ? { oidcProviders } : {}),
     }),
     new SecurityPlugin(),
     new AuditPlugin(),

apps/studio/src/components/auth/social-sign-in-buttons.tsx

@@ -0,0 +1,73 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { useEffect, useState } from 'react';
+import { useClient } from '@objectstack/client-react';
+import { Button } from '@/components/ui/button';
+
+interface SocialProvider {
+  id: string;
+  name: string;
+  enabled: boolean;
+  type?: 'social' | 'oidc';
+}
+
+interface Props {
+  mode: 'sign-in' | 'sign-up';
+}
+
+export function SocialSignInButtons({ mode }: Props) {
+  const client = useClient() as any;
+  const [providers, setProviders] = useState<SocialProvider[]>([]);
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    if (!client?.auth?.getConfig) return;
+    client.auth.getConfig()
+      .then((res: any) => {
+        const list: SocialProvider[] = res?.socialProviders ?? res?.data?.socialProviders ?? [];
+        setProviders(list.filter((p) => p.enabled));
+      })
+      .catch((err: unknown) => {
+        console.warn('[SocialSignInButtons] failed to load auth config', err);
+      })
+      .finally(() => setLoading(false));
+  }, [client]);
+
+  if (loading || providers.length === 0) return null;
+
+  const label = mode === 'sign-in' ? 'Continue with' : 'Sign up with';
+
+  return (
+    <div className="flex flex-col gap-2">
+      {providers.map((p) => (
+        <Button
+          key={p.id}
+          type="button"
+          variant="outline"
+          className="w-full"
+          onClick={() =>
+            client.auth.signInWithProvider(p.id, {
+              callbackURL: window.location.origin + '/login',
+              errorCallbackURL: window.location.origin + '/login',
+              type: p.type ?? 'social',
+            })
+          }
+        >
+          {/* TODO: replace with provider icon from lucide-react or simple-icons */}
+          <span className="mr-2 flex h-4 w-4 items-center justify-center rounded-sm bg-muted text-[10px] font-bold uppercase">
+            {p.id[0]}
+          </span>
+          {label} {p.name}
+        </Button>
+      ))}
+      <div className="relative my-1">
+        <div className="absolute inset-0 flex items-center">
+          <span className="w-full border-t" />
+        </div>
+        <div className="relative flex justify-center text-xs uppercase">
+          <span className="bg-card px-2 text-muted-foreground">or continue with email</span>
+        </div>
+      </div>
+    </div>
+  );
+}

apps/studio/src/routes/login.tsx

@@ -10,6 +10,7 @@ import { Label } from '@/components/ui/label';
 import { toast } from '@/hooks/use-toast';
 import { useSession } from '@/hooks/useSession';
 import { useProjects } from '@/hooks/useProjects';
+import { SocialSignInButtons } from '@/components/auth/social-sign-in-buttons';
 
 export const Route = createFileRoute('/login')({
   component: LoginPage,
@@ -76,6 +77,7 @@ function LoginPage() {
         </CardHeader>
         <form onSubmit={handleSubmit}>
           <CardContent className="space-y-4">
+            <SocialSignInButtons mode="sign-in" />
             <div className="space-y-1.5">
               <Label htmlFor="email">Email</Label>
               <Input

apps/studio/src/routes/register.tsx

@@ -9,6 +9,7 @@ import { Input } from '@/components/ui/input';
 import { Label } from '@/components/ui/label';
 import { toast } from '@/hooks/use-toast';
 import { useSession } from '@/hooks/useSession';
+import { SocialSignInButtons } from '@/components/auth/social-sign-in-buttons';
 
 export const Route = createFileRoute('/register')({
   component: RegisterPage,
@@ -58,6 +59,7 @@ function RegisterPage() {
         </CardHeader>
         <form onSubmit={handleSubmit}>
           <CardContent className="space-y-4">
+            <SocialSignInButtons mode="sign-up" />
             <div className="space-y-1.5">
               <Label htmlFor="name">Name</Label>
               <Input