Add OIDC provider for Outline wiki SSO

Add oidc-provider with MongoDB adapter so ghostguild.org can act as the identity provider for the self-hosted Outline wiki. Members authenticate via the existing magic-link flow, with automatic SSO when an active session exists. Includes interaction routes, well-known discovery endpoint, and login page.
2026-03-01 15:46:01 +00:00 · 2026-03-01 15:46:01 +00:00 · 8a529a8e7c
commit 8a529a8e7c
parent a232a7bbf8
13 changed files with 1258 additions and 2 deletions
--- a/server/routes/oidc/interaction/login.post.ts
+++ b/server/routes/oidc/interaction/login.post.ts
@ -0,0 +1,81 @@
+/**
+ * Handle magic link login request during OIDC interaction flow.
+ *
+ * POST /oidc/interaction/login
+ * Body: { email: string, uid: string }
+ *
+ * Sends a magic link email. The link includes the OIDC interaction uid so the
+ * verify step can complete the interaction after authenticating.
+ */
+import jwt from "jsonwebtoken";
+import { Resend } from "resend";
+import Member from "../../../models/member.js";
+import { connectDB } from "../../../utils/mongoose.js";
+
+const resend = new Resend(process.env.RESEND_API_KEY);
+
+export default defineEventHandler(async (event) => {
+  await connectDB();
+
+  const body = await readBody(event);
+  const email = body?.email?.trim()?.toLowerCase();
+  const uid = body?.uid;
+
+  if (!email || !uid) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Email and interaction uid are required",
+    });
+  }
+
+  const GENERIC_MESSAGE =
+    "If this email is registered, we've sent a login link.";
+
+  const member = await (Member as any).findOne({ email });
+  if (!member) {
+    return { success: true, message: GENERIC_MESSAGE };
+  }
+
+  const config = useRuntimeConfig(event);
+  const token = jwt.sign(
+    { memberId: member._id, oidcUid: uid },
+    config.jwtSecret,
+    { expiresIn: "15m" }
+  );
+
+  const headers = getHeaders(event);
+  const baseUrl =
+    process.env.BASE_URL ||
+    `${headers.host?.includes("localhost") ? "http" : "https"}://${headers.host}`;
+
+  try {
+    await resend.emails.send({
+      from: "Ghost Guild <ghostguild@babyghosts.org>",
+      to: email,
+      subject: "Sign in to Ghost Guild Wiki",
+      html: `
+        <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+          <h2 style="color: #2563eb;">Sign in to the Ghost Guild Wiki</h2>
+          <p>Click the button below to sign in:</p>
+          <div style="text-align: center; margin: 30px 0;">
+            <a href="${baseUrl}/oidc/interaction/verify?token=${token}"
+               style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px; display: inline-block;">
+              Sign In
+            </a>
+          </div>
+          <p style="color: #666; font-size: 14px;">
+            This link expires in 15 minutes. If you didn't request this, you can safely ignore this email.
+          </p>
+        </div>
+      `,
+    });
+
+    return { success: true, message: GENERIC_MESSAGE };
+  } catch (error) {
+    console.error("Failed to send OIDC login email:", error);
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Failed to send login email. Please try again.",
+    });
+  }
+});