Merged
20 commits
dbd6086
feat: SCRAM-SHA-256, TOTP 2FA + biometric (WebAuthn) login
ValwareIRC May 2, 2026
af2064b
feat: tic-tac-toe (compatible with KiwiIRC plugin)
ValwareIRC May 2, 2026
b6e6bd9
feat: surface tic-tac-toe button in the PM header action row
ValwareIRC May 2, 2026
25f5b0d
2FA: confirm-before-remove, block removing last credential while enabled
ValwareIRC May 3, 2026
d82124b
Request draft/account-2fa CAP so the client merges it into server.cap…
ValwareIRC May 4, 2026
cca2abd
Move 2FA management into UserSettings → Account; raise 2FA modal z-in…
ValwareIRC May 4, 2026
b096e0b
Don't send spurious AUTHENTICATE + after SCRAM server-final
ValwareIRC May 4, 2026
8fd71bb
feat(auth): SASL IRCV3BEARER + per-server OAuth2/OIDC sign-in
ValwareIRC May 9, 2026
68140b4
feat(auth): bake OAuth config into the build for lock-mode deployments
ValwareIRC May 9, 2026
fe7e9e5
refactor(EditServerModal): tabbed left-sidebar layout
ValwareIRC May 9, 2026
7b9034e
feat(auth): opaque-token (GitHub) + id_token (Gmail) OAuth paths
ValwareIRC May 9, 2026
6223a7c
feat(auth): static /oauth/callback page
ValwareIRC May 9, 2026
581dbfe
Merge main into feat/auth-modern
ValwareIRC May 9, 2026
b16a4d5
merge feat/auth-modern (deploy-only; not for push)
ValwareIRC May 9, 2026
a3863d4
feat(auth): smart 2FA step-up — IRCV3BEARER step-up + reject same-fac…
ValwareIRC May 10, 2026
511a41c
Feat/account recovery (#181)
ValwareIRC May 10, 2026
f3dcbb7
Feat/read marker (#182)
ValwareIRC May 10, 2026
e52d614
Merge remote-tracking branch 'origin/main' into feat/auth-modern
ValwareIRC May 11, 2026
36307ab
Fix cmd→command after standard-reply merge
ValwareIRC May 11, 2026
f2aca63
Merge remote-tracking branch 'origin/main' into feat/auth-modern
ValwareIRC May 11, 2026
71 changes: 71 additions & 0 deletions BUILD.md
Expand Up @@ -30,8 +30,76 @@ VITE_HIDE_SERVER_LIST=true
# Optional comma-separated list of trusted media URLs
# Useful for chat bridges like Matterbridge or Matrix bridges that host media
VITE_TRUSTED_MEDIA_URLS="https://matterbridge.example.com,https://matrix-media.example.com"

# Optional OAuth2 / OIDC defaults. Only surfaced when VITE_HIDE_SERVER_LIST=true,
# i.e. single-server lock-mode. Users see a "Sign in with <label>" button
# instead of having to enter the issuer/client_id themselves. Requires the
# IRC server to support SASL IRCV3BEARER (e.g. obbyircd's oauth-provider).
VITE_DEFAULT_OAUTH_PROVIDER_LABEL="Logto"
VITE_DEFAULT_OAUTH_ISSUER="https://my-tenant.logto.app/oidc"
VITE_DEFAULT_OAUTH_CLIENT_ID="m0obbyircd1234"
# Optional, defaults to "openid"
VITE_DEFAULT_OAUTH_SCOPES="openid"
# Optional, defaults to <origin>/oauth/callback. Must be registered with the IdP.
VITE_DEFAULT_OAUTH_REDIRECT_URI="https://chat.example.com/oauth/callback"
# "jwt" (default) for Logto/Auth0/Keycloak/Google id_token.
# "opaque" for GitHub/Discord/Slack -- IRC server hits userinfo endpoint.
VITE_DEFAULT_OAUTH_TOKEN_KIND="jwt"
# Opaque only: name of the matching oauth-provider {} on the IRC server,
# so the server knows which userinfo URL to hit.
VITE_DEFAULT_OAUTH_SERVER_PROVIDER="github"
# Non-OIDC providers (GitHub) need explicit endpoints since they don't
# publish /.well-known/openid-configuration.
VITE_DEFAULT_OAUTH_AUTHORIZE_URL="https://github.com/login/oauth/authorize"
VITE_DEFAULT_OAUTH_TOKEN_URL="https://github.com/login/oauth/access_token"
```

#### Provider quick-reference

**Sign in with Google**

```sh
VITE_DEFAULT_OAUTH_PROVIDER_LABEL=Google
VITE_DEFAULT_OAUTH_ISSUER=https://accounts.google.com
VITE_DEFAULT_OAUTH_CLIENT_ID=<your_client_id>.apps.googleusercontent.com
VITE_DEFAULT_OAUTH_SCOPES="openid email profile"
VITE_DEFAULT_OAUTH_TOKEN_KIND=jwt
```

obbyircd side:

```
oauth-provider "google" {
issuer 'https://accounts.google.com';
audience '<your_client_id>.apps.googleusercontent.com';
jwks-file "/etc/obbyircd/google-jwks.json"; # curl from https://www.googleapis.com/oauth2/v3/certs
subject-claim "sub";
};
```

**Sign in with GitHub**

```sh
VITE_DEFAULT_OAUTH_PROVIDER_LABEL=GitHub
VITE_DEFAULT_OAUTH_ISSUER=https://github.com
VITE_DEFAULT_OAUTH_CLIENT_ID=<your_client_id>
VITE_DEFAULT_OAUTH_SCOPES="read:user user:email"
VITE_DEFAULT_OAUTH_TOKEN_KIND=opaque
VITE_DEFAULT_OAUTH_SERVER_PROVIDER=github
VITE_DEFAULT_OAUTH_AUTHORIZE_URL=https://github.com/login/oauth/authorize
VITE_DEFAULT_OAUTH_TOKEN_URL=https://github.com/login/oauth/access_token
```

obbyircd side:

```
oauth-provider "github" {
userinfo-url 'https://api.github.com/user';
subject-claim "login"; # or "id" for GitHub's stable user id
};
```


### Docker
```sh
docker build -t obsidianirc .
Expand All @@ -47,6 +115,9 @@ docker build \
--build-arg VITE_DEFAULT_IRC_CHANNELS="#general,#random" \
--build-arg VITE_HIDE_SERVER_LIST=false \
--build-arg VITE_TRUSTED_MEDIA_URLS="https://matterbridge.example.com,https://matrix-media.example.com" \
--build-arg VITE_DEFAULT_OAUTH_PROVIDER_LABEL="Logto" \
--build-arg VITE_DEFAULT_OAUTH_ISSUER="https://my-tenant.logto.app/oidc" \
--build-arg VITE_DEFAULT_OAUTH_CLIENT_ID="m0obbyircd1234" \
-t obsidianirc .
```

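--- a/Dockerfile
+++ b/Dockerfile
@@ -5,12 +5,30 @@ ARG VITE_DEFAULT_IRC_SERVER_NAME
 ARG VITE_DEFAULT_IRC_CHANNELS
 ARG VITE_HIDE_SERVER_LIST
 ARG VITE_TRUSTED_MEDIA_URLS
+ARG VITE_DEFAULT_OAUTH_PROVIDER_LABEL
+ARG VITE_DEFAULT_OAUTH_ISSUER
+ARG VITE_DEFAULT_OAUTH_CLIENT_ID
+ARG VITE_DEFAULT_OAUTH_SCOPES
+ARG VITE_DEFAULT_OAUTH_REDIRECT_URI
+ARG VITE_DEFAULT_OAUTH_TOKEN_KIND
+ARG VITE_DEFAULT_OAUTH_SERVER_PROVIDER
+ARG VITE_DEFAULT_OAUTH_AUTHORIZE_URL
+ARG VITE_DEFAULT_OAUTH_TOKEN_URL
 
 ENV VITE_DEFAULT_IRC_SERVER=$VITE_DEFAULT_IRC_SERVER
 ENV VITE_DEFAULT_IRC_SERVER_NAME=$VITE_DEFAULT_IRC_SERVER_NAME
 ENV VITE_DEFAULT_IRC_CHANNELS=$VITE_DEFAULT_IRC_CHANNELS
 ENV VITE_HIDE_SERVER_LIST=$VITE_HIDE_SERVER_LIST
 ENV VITE_TRUSTED_MEDIA_URLS=$VITE_TRUSTED_MEDIA_URLS
+ENV VITE_DEFAULT_OAUTH_PROVIDER_LABEL=$VITE_DEFAULT_OAUTH_PROVIDER_LABEL
+ENV VITE_DEFAULT_OAUTH_ISSUER=$VITE_DEFAULT_OAUTH_ISSUER
+ENV VITE_DEFAULT_OAUTH_CLIENT_ID=$VITE_DEFAULT_OAUTH_CLIENT_ID
+ENV VITE_DEFAULT_OAUTH_SCOPES=$VITE_DEFAULT_OAUTH_SCOPES
+ENV VITE_DEFAULT_OAUTH_REDIRECT_URI=$VITE_DEFAULT_OAUTH_REDIRECT_URI
+ENV VITE_DEFAULT_OAUTH_TOKEN_KIND=$VITE_DEFAULT_OAUTH_TOKEN_KIND
+ENV VITE_DEFAULT_OAUTH_SERVER_PROVIDER=$VITE_DEFAULT_OAUTH_SERVER_PROVIDER
+ENV VITE_DEFAULT_OAUTH_AUTHORIZE_URL=$VITE_DEFAULT_OAUTH_AUTHORIZE_URL
+ENV VITE_DEFAULT_OAUTH_TOKEN_URL=$VITE_DEFAULT_OAUTH_TOKEN_URL
 
 WORKDIR /app
 COPY package*.json ./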
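Review bot: The nine new `ARG` lines carry no defaults, so `ENV VITE_DEFAULT_OAUTH_SCOPES=$VITE_DEFAULT_OAUTH_SCOPES` and its siblings set an empty string whenever a build-arg is omitted, and the `docker build` example added to BUILD.md in this PR passes only three of the nine. If the client applies its documented defaults ("openid", "jwt", `<origin>/oauth/callback`) with a nullish check, an empty string would presumably slip past them and produce an empty scope, token kind or redirect URI; the client code is not visible here, so confirm it treats `""` as unset, or give the static ones defaults such as `ARG VITE_DEFAULT_OAUTH_SCOPES=openid` and `ARG VITE_DEFAULT_OAUTH_TOKEN_KIND=jwt`. I would also add a comment above the block, `# VITE_* values are compiled into the public JS bundle: public identifiers only, never a client secret`, because this pattern makes it easy to add a secret the same way later.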