Refactor: Implement Stateless Container Boot & JIT User Provisioning

[bigtcze]

Summary

To support the Scale-to-Zero architecture with private containers, the backend must be able to boot statelessly and trust an external Identity Provider (IdP) immediately. CRITICAL: This must be an option, not a replacement. The application must retain full support for self-hosted users with local authentication.

Requirements

1. Dual Authentication Mode

The application behavior should be controlled via environment variables (e.g., AUTH_MODE).

• Mode A: Standalone (Default/Self-Hosted)
  • Uses local PostgreSQL users table for passwords.
  • Setup Wizard runs if no admin exists.
  • Frontend is served locally (or via bundled Nginx).
• Mode B: Hosting / Managed (Scale-to-Zero)
  • AUTH_MODE=oidc-only (or similar).
  • Local password auth is disabled.
  • Setup Wizard is disabled.
  • Trusts external IdP via OIDC.

2. Environment Configuration

• Modify backend/src/config.js and settingsService.js to prioritize OIDC configuration from process.env.
• Ensure the application can start without a populated app_settings table in Mode B.

3. JIT User Provisioning (Mode B)

• Automatically create the user in the local users table upon the first valid OIDC login (Just-In-Time provisioning).
• Map JWT claims (email, sub) to user profile.

4. Docker Compose Strategy

We need two distinct configurations:

• docker-compose.yaml (Existing):
  • Remains the "Battery-included" standard for self-hosters.
  • Includes: Backend, DB, Frontend (served statically or via reverse proxy container).
• docker-compose-pod.yaml (New - for Hosting):
  • Minimal footprint.
  • Includes: Backend + DB only.
  • No exposed ports (connected via internal Docker network to OpenResty).
  • Hardcoded to AUTH_MODE=oidc-only.

Complexity

7/10 (Requires careful separation of concerns to not break the self-hosted experience)

Labels

feature, backend, security