feat: update OIDC configuration to be optional and enhance auth

[danships]

feat: update OIDC configuration to be optional and enhance authentication logic

• Made OIDC environment variables optional in the configuration, allowing for fallback to credentials authentication if not set.
• Added a function to check for OIDC configuration presence and adjusted the authentication initialization logic accordingly.

Summary by CodeRabbit

• New Features
  • Added optional OIDC (OpenID Connect) authentication support. Users can now sign in via OIDC providers, with email/password authentication available as a fallback if OIDC is not configured.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Introduces server startup automation with environment variable resolution and persistence, alongside conditional authentication support for OIDC and email/password modes. The startup script resolves database connection details and auth secrets (with file-based caching), while the auth config adapts authentication strategy based on OIDC environment variables.

Changes

Cohort / File(s)	Summary
Server Bootstrap scripts/start-server.mjs	New startup script that resolves home directory, database connection string, and Better Auth secret (with file persistence), then spawns pnpm start with merged environment variables and error propagation.
Authentication Configuration src/lib/auth/config.ts	Adds conditional OIDC vs email/password authentication modes based on environment check; consolidates database hooks for user creation and workspace setup; adds helper to verify complete OIDC configuration.
Environment Schema src/lib/environment.ts	Makes OIDC environment variables (OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_DISCOVERY_URL, OIDC_AUTHORIZATION_URL) optional with undefined defaults instead of required.

Sequence Diagram(s)

sequenceDiagram
    participant StartScript as Startup Script
    participant EnvResolver as Environment Resolver
    participant AuthConfig as Auth Config
    participant BetterAuth as Better Auth
    participant Database as Database
    participant Server as Next.js Server

    StartScript->>StartScript: Resolve THOTH_HOME_DIR<br/>(or default ~/.thoth)
    StartScript->>StartScript: Resolve DB env var<br/>(or default MySQL URL)
    StartScript->>StartScript: Resolve BETTER_AUTH_SECRET<br/>(from env or home dir file)
    
    StartScript->>EnvResolver: Inject resolved vars
    EnvResolver->>AuthConfig: Pass environment variables
    
    AuthConfig->>AuthConfig: Check OIDC completeness<br/>(hasOidcConfig)
    alt OIDC Fully Configured
        AuthConfig->>BetterAuth: Initialize with OIDC<br/>via genericOAuth
    else OIDC Not Configured
        AuthConfig->>BetterAuth: Initialize with<br/>email/password auth
    end
    
    BetterAuth->>Database: Setup auth database<br/>with hooks
    AuthConfig->>Server: Merged config
    StartScript->>Server: Spawn with env vars
    Server->>Server: Start listening

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Possibly related PRs

• danships/thoth#4 — Modifies the same authentication configuration and environment variable schema files for OIDC and credential-based auth support.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: making OIDC configuration optional and enhancing authentication logic, which directly corresponds to the primary objectives of the PR.
Docstring Coverage	✅ Passed	Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}