From dd2cb63309018b2fa856750b4dbf84330e04ccd5 Mon Sep 17 00:00:00 2001
From: Caffrey
Date: Fri, 10 Apr 2026 11:12:47 +0800
Subject: [PATCH 1/2] fix(runtime): pass auth environment variables to containers

The web container's envsubst in 30-runtime-config.sh only substituted SKILLHUB_WEB_API_BASE_URL and SKILLHUB_PUBLIC_BASE_URL, leaving auth-related variables (authDirectEnabled, authSessionBootstrapEnabled, etc.) as literal ${...} strings in runtime-config.js.

Additionally, compose.release.yml did not pass SKILLHUB_WEB_AUTH_DIRECT_ENABLED or SKILLHUB_WEB_AUTH_DIRECT_PROVIDER to the web container, nor SKILLHUB_AUTH_DIRECT_ENABLED to the server container.

This made it impossible to enable direct (username/password) authentication for intranet deployments without OAuth2, even though the frontend template and backend already supported it.

Changes:
- compose.release.yml: add SKILLHUB_AUTH_DIRECT_ENABLED to server env
- compose.release.yml: add auth direct and session bootstrap vars to web env
- 30-runtime-config.sh: expand envsubst to cover all runtime-config.js template variables
- .env.release.example: document the new auth configuration variables

All new variables default to false/empty, preserving existing GitHub OAuth behavior.
---
 .env.release.example | 11 +++++++++++
 compose.release.yml | 6 ++++++
 web/docker-entrypoint.d/30-runtime-config.sh | 7 ++++++-
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/.env.release.example b/.env.release.example
index 366409e5f..cacdf9cea 100644
--- a/.env.release.example
+++ b/.env.release.example
@@ -56,6 +56,17 @@ DEVICE_AUTH_VERIFICATION_URI=
 OAUTH2_GITHUB_CLIENT_ID=
 OAUTH2_GITHUB_CLIENT_SECRET=
+# Direct (username/password) authentication. Enable for environments without OAuth2.
+# Requires SKILLHUB_AUTH_DIRECT_ENABLED=true in server and matching frontend config below.
+SKILLHUB_AUTH_DIRECT_ENABLED=false
+SKILLHUB_WEB_AUTH_DIRECT_ENABLED=false
+SKILLHUB_WEB_AUTH_DIRECT_PROVIDER=
+
+# Enterprise SSO session bootstrap (e.g. header-based SSO proxy).
+SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_ENABLED=false
+SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_PROVIDER=
+SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_AUTO=false
+
 # Security scanner is enabled by default. Set to false to disable scanning.
 SKILLHUB_SECURITY_SCANNER_ENABLED=true
diff --git a/compose.release.yml b/compose.release.yml
index cd51781f1..93535e8f0 100644
--- a/compose.release.yml
+++ b/compose.release.yml
@@ -72,6 +72,7 @@ services:
       SKILLHUB_SECURITY_SCANNER_ENABLED: ${SKILLHUB_SECURITY_SCANNER_ENABLED:-true}
       SKILLHUB_SECURITY_SCANNER_URL: http://skill-scanner:8000
       SKILLHUB_SECURITY_SCANNER_MODE: upload
+      SKILLHUB_AUTH_DIRECT_ENABLED: ${SKILLHUB_AUTH_DIRECT_ENABLED:-false}
       BOOTSTRAP_ADMIN_ENABLED: ${BOOTSTRAP_ADMIN_ENABLED:-false}
       BOOTSTRAP_ADMIN_USER_ID: ${BOOTSTRAP_ADMIN_USER_ID:-docker-admin}
       BOOTSTRAP_ADMIN_USERNAME: ${BOOTSTRAP_ADMIN_USERNAME:-admin}
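Review bot: The added `SKILLHUB_AUTH_DIRECT_ENABLED` line is, going by the commit message, the server-side switch that accepts username/password logins, yet nothing in compose ties it to the `SKILLHUB_WEB_AUTH_DIRECT_ENABLED` flag handed to the web service, so the two can silently diverge — web `true` with server `false` gives a login form the server rejects, and server `true` with web `false` presumably leaves the password endpoint enabled with no UI in front of it. A comment on the new line would make the contract explicit: `# Server-side switch for username/password login; keep in sync with SKILLHUB_WEB_AUTH_DIRECT_ENABLED on the web service.` Once this is `true`, the bootstrap admin account configured a few lines below (`BOOTSTRAP_ADMIN_USERNAME` defaults to `admin`) becomes a password-login target, so the release docs should insist on an explicitly set admin password rather than any default. The BOOTSTRAP_ADMIN_* block continues past this hunk, so whether a default credential exists is not visible here.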
@@ -103,6 +104,11 @@ services:
       SKILLHUB_API_UPSTREAM: ${SKILLHUB_API_UPSTREAM:-http://server:8080}
       SKILLHUB_WEB_API_BASE_URL: ${SKILLHUB_WEB_API_BASE_URL:-}
       SKILLHUB_PUBLIC_BASE_URL: ${SKILLHUB_PUBLIC_BASE_URL:-}
+      SKILLHUB_WEB_AUTH_DIRECT_ENABLED: ${SKILLHUB_WEB_AUTH_DIRECT_ENABLED:-false}
+      SKILLHUB_WEB_AUTH_DIRECT_PROVIDER: ${SKILLHUB_WEB_AUTH_DIRECT_PROVIDER:-}
+      SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_ENABLED: ${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_ENABLED:-false}
+      SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_PROVIDER: ${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_PROVIDER:-}
+      SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_AUTO: ${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_AUTO:-false}
     depends_on:
       server:
         condition: service_healthy
diff --git a/web/docker-entrypoint.d/30-runtime-config.sh b/web/docker-entrypoint.d/30-runtime-config.sh
index 8e4720a31..780b3ac46 100644
--- a/web/docker-entrypoint.d/30-runtime-config.sh
+++ b/web/docker-entrypoint.d/30-runtime-config.sh
@@ -3,9 +3,14 @@ set -eu
 : "${SKILLHUB_WEB_API_BASE_URL:=}"
 : "${SKILLHUB_PUBLIC_BASE_URL:=}"
+: "${SKILLHUB_WEB_AUTH_DIRECT_ENABLED:=false}"
+: "${SKILLHUB_WEB_AUTH_DIRECT_PROVIDER:=}"
+: "${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_ENABLED:=false}"
+: "${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_PROVIDER:=}"
+: "${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_AUTO:=false}"
 # Generate runtime-config.js
-envsubst '${SKILLHUB_WEB_API_BASE_URL} ${SKILLHUB_PUBLIC_BASE_URL}' \
+envsubst '${SKILLHUB_WEB_API_BASE_URL} ${SKILLHUB_PUBLIC_BASE_URL} ${SKILLHUB_WEB_AUTH_DIRECT_ENABLED} ${SKILLHUB_WEB_AUTH_DIRECT_PROVIDER} ${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_ENABLED} ${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_PROVIDER} ${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_AUTO}' \
   < /usr/share/nginx/html/runtime-config.js.template \
   > /usr/share/nginx/html/runtime-config.js

From f199eeb997d4403fbf8ad691cf94ba4d31a83f5f Mon Sep 17 00:00:00 2001
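Review bot: `SKILLHUB_WEB_AUTH_DIRECT_ENABLED` defaults to `false` here independently of the server's `SKILLHUB_AUTH_DIRECT_ENABLED` in the hunk above, so an operator who sets only the server variable (the one the `.env.release.example` comment calls out as required) ends up with a backend that accepts password logins and a frontend that, going by the `authDirectEnabled` key named in the commit message, never shows the form. Deriving the web default from the server flag closes that gap in one line, `SKILLHUB_WEB_AUTH_DIRECT_ENABLED: ${SKILLHUB_WEB_AUTH_DIRECT_ENABLED:-${SKILLHUB_AUTH_DIRECT_ENABLED:-false}}`, which relies on nested default interpolation as supported by Compose v2; if older Compose must be supported, a comment stating that the two flags must be set together is the fallback. The three SESSION_BOOTSTRAP lines are dropped again in the second patch, so this concerns only the two direct-auth lines.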
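Review bot: The five new variables are substituted into runtime-config.js verbatim, and the second patch's description shows the template wraps them in double quotes (`authSessionBootstrapEnabled: "false"`), so a value containing `"`, a newline or `</script>`-style markup breaks the generated JavaScript or, for the two PROVIDER strings, injects script into every page load; the values come from the deployment environment, so this is hardening rather than an exploitable hole, but a script that already runs under `set -eu` should fail fast on malformed input instead of shipping a broken config. I would validate before the `envsubst` call: restrict the three boolean flags to the literal strings `true`/`false` (the frontend apparently compares strings, so `1` or `yes` would silently disable the feature anyway) and the provider identifiers to `[A-Za-z0-9_-]`. The exact identifier alphabet the frontend accepts is not visible here, so widen the character class if a provider name needs more.

```shell
# Values land verbatim inside the quoted strings of runtime-config.js.template;
# reject anything that would break out of those strings or that the frontend
# would not recognise, rather than shipping a broken config.
require_bool() {
  case "$2" in
    true|false) ;;
    *) echo "30-runtime-config.sh: $1 must be 'true' or 'false' (got '$2')" >&2; exit 1 ;;
  esac
}
require_ident() {
  case "$2" in
    *[!A-Za-z0-9_-]*) echo "30-runtime-config.sh: $1 may only contain [A-Za-z0-9_-] (got '$2')" >&2; exit 1 ;;
  esac
}
require_bool SKILLHUB_WEB_AUTH_DIRECT_ENABLED "$SKILLHUB_WEB_AUTH_DIRECT_ENABLED"
require_bool SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_ENABLED "$SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_ENABLED"
require_bool SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_AUTO "$SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_AUTO"
require_ident SKILLHUB_WEB_AUTH_DIRECT_PROVIDER "$SKILLHUB_WEB_AUTH_DIRECT_PROVIDER"
require_ident SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_PROVIDER "$SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_PROVIDER"

# … unchanged: envsubst into runtime-config.js …
```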
From: Caffrey
Date: Mon, 13 Apr 2026 14:31:26 +0800
Subject: [PATCH 2/2] fix: remove session bootstrap frontend config from compose

Per reviewer feedback: exposing SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_* in the compose without matching SKILLHUB_AUTH_SESSION_BOOTSTRAP_ENABLED on the server would cause 403 errors when frontend attempts bootstrap. Keep this PR focused on direct auth only.

Bootstrap variables are still handled in 30-runtime-config.sh with false defaults, so runtime-config.js will have authSessionBootstrapEnabled: "false" and frontend will not trigger bootstrap.
---
 .env.release.example | 5 -----
 compose.release.yml | 3 ---
 2 files changed, 8 deletions(-)

diff --git a/.env.release.example b/.env.release.example
index cacdf9cea..ffb6ca845 100644
--- a/.env.release.example
+++ b/.env.release.example
@@ -62,11 +62,6 @@ SKILLHUB_AUTH_DIRECT_ENABLED=false
 SKILLHUB_WEB_AUTH_DIRECT_ENABLED=false
 SKILLHUB_WEB_AUTH_DIRECT_PROVIDER=
-# Enterprise SSO session bootstrap (e.g. header-based SSO proxy).
-SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_ENABLED=false
-SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_PROVIDER=
-SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_AUTO=false
-
 # Security scanner is enabled by default. Set to false to disable scanning.
 SKILLHUB_SECURITY_SCANNER_ENABLED=true
diff --git a/compose.release.yml b/compose.release.yml
index 93535e8f0..e45b2069e 100644
--- a/compose.release.yml
+++ b/compose.release.yml
@@ -106,9 +106,6 @@ services:
       SKILLHUB_PUBLIC_BASE_URL: ${SKILLHUB_PUBLIC_BASE_URL:-}
       SKILLHUB_WEB_AUTH_DIRECT_ENABLED: ${SKILLHUB_WEB_AUTH_DIRECT_ENABLED:-false}
       SKILLHUB_WEB_AUTH_DIRECT_PROVIDER: ${SKILLHUB_WEB_AUTH_DIRECT_PROVIDER:-}
-      SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_ENABLED: ${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_ENABLED:-false}
-      SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_PROVIDER: ${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_PROVIDER:-}
-      SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_AUTO: ${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_AUTO:-false}
     depends_on:
       server:
         condition: service_healthy