From bec485de0bf0fcd2e200e51b09ab5088e7b8b2b6 Mon Sep 17 00:00:00 2001
From: Vladimir Timofeenko
Date: Wed, 22 May 2024 17:18:18 -0700
Subject: [PATCH 1/2] Add logout-url option to Nix module

Closes #2643
---
 nix/modules/server.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nix/modules/server.nix b/nix/modules/server.nix
index c9f2404a4..49b681c4d 100644
--- a/nix/modules/server.nix
+++ b/nix/modules/server.nix
@@ -111,6 +111,7 @@ with lib; let
 scope = "profile";
 authorize-url = null;
 token-url = null;
+ logout-url = "";
 user-url = null;
 sign-key = "";
 sig-algo = "RS256";
@@ -424,6 +425,11 @@ in {
 default = defaults.openid.provider.token-url;
 description = "The URL used to retrieve the token.";
 };
+ logout-url = mkOption {
+ type = types.str;
+ default = defaults.openid.provider.logout-url;
+ description = "The URL used for user's logout.";
+ };
 user-url = mkOption {
 type = types.nullOr types.str;
 default = defaults.openid.provider.user-url;

From a2ae339870ed4f491dc13c64c5a165ce1b947b6f Mon Sep 17 00:00:00 2001
From: Vladimir Timofeenko
Date: Fri, 24 May 2024 13:27:46 -0700
Subject: [PATCH 2/2] Add auth.on-account-source-conflict

---
 nix/modules/server.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/nix/modules/server.nix b/nix/modules/server.nix
index 49b681c4d..c2a6d51e2 100644
--- a/nix/modules/server.nix
+++ b/nix/modules/server.nix
@@ -92,6 +92,7 @@ with lib; let
 auth = {
 server-secret = "hex:caffee";
 session-valid = "5 minutes";
+ on-account-source-conflict = "fail";
 remember-me = {
 enabled = true;
 valid = "30 days";
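Review bot: In the `@@ -424,6 +425,11 @@` hunk of PATCH 1/2, `logout-url` is declared as `types.str` with an empty-string default, while the neighbouring `user-url` option is `types.nullOr types.str` and the sibling URL defaults in the `@@ -111,6 +111,7 @@` hunk are `null`; the description does not say what the empty value means. If an empty value means users are not signed out at the OIDC provider when they log out of docspell (not visible in this patch), operators need to know that the provider session may outlive the local one. I would spell the default out, for example `description = "The provider URL used for the user's logout. Empty means no logout URL is configured.";`, and either keep `""` deliberately with a short comment or align the type with the `nullOr` siblings if the server accepts that. The enclosing option set starts and ends outside the hunk.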
@@ -324,6 +325,19 @@ in {
 will get a new one periodically.
 '';
 };
+ on-account-source-conflict = mkOption {
+ type = types.enum ["fail" "convert"];
+ default = defaults.auth.on-account-source-conflict;
+ description = ''
+ Accounts can be local or defined at a remote provider and
+ integrated via OIDC. If the same account is defined in both
+ sources, docspell by default fails if a user mixes logins (e.g.
+ when registering a user locally and then logging in with the
+ same user via OIDC). When set to `convert` docspell treats it as
+ being the same and simply updates the account to reflect the new
+ account source.
+ '';
+ };
 remember-me = mkOption {
 type = types.submodule {
 options = {
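Review bot: The description of `on-account-source-conflict` in the `@@ -324,6 +325,19 @@` hunk does not say that `convert` makes the OIDC provider authoritative for account identity: as worded, an OIDC login under the name of an existing local account is treated as that same account. That is only appropriate when the provider controls who may hold a given account name, so I would append a sentence such as `Only enable convert when the OIDC provider is trusted to decide which person owns a given account name.` Keeping `fail` as the default (set in the `@@ -92,6 +92,7 @@` hunk) is the safer choice and worth stating in the text. How the two sources are matched is not visible in this patch, and the enclosing `auth` option set continues outside the hunk.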