Phase 15: External Authentication - Discussion Log
Audit trail only. Do not use as input to planning, research, or execution agents. Decisions are captured in CONTEXT.md — this log preserves the alternatives considered.
Date: 2026-04-04
Phase: 15-external-authentication
Areas discussed: Auth Provider Choice, Session Migration Strategy, Login Flow UX, Existing User Migration
Mode: --auto --batch (all decisions auto-selected)
Auth Provider Choice
| Option | Description | Selected |
|---|---|---|
| Logto | Lightweight, purpose-built auth, no Redis, first-class OIDC, simpler deployment | ✓ |
| Authentik | Full IdP suite, more features but heavier, may need Redis, more complex setup | |

User's choice: Logto (auto-selected)
Notes: Matches project's "no Redis" out-of-scope constraint. Logto is simpler to deploy and maintain for a single-app use case.
Session Migration Strategy
| Option | Description | Selected |
|---|---|---|
| Replace with OIDC session management | Logto handles sessions, remove users/sessions tables from GearBox | ✓ |
| Hybrid — keep GearBox sessions populated from OIDC | Validate OIDC on login, create local session for subsequent requests | |
| Token-only — validate OIDC token on every request | No local sessions, every request validates against Logto | |

User's choice: Replace with OIDC session management (auto-selected)
Notes: Simplifies the codebase by removing credential management from GearBox entirely. API keys remain as the programmatic access path.
Login Flow UX
| Option | Description | Selected |
|---|---|---|
| Redirect to Logto login page | Standard OIDC redirect, Logto handles UI for login/register/reset | ✓ |
| Embedded login form via Logto SDK | Use Logto's SDK to render login inline within GearBox | |

User's choice: Redirect to Logto login page (auto-selected)
Notes: Standard OIDC pattern. More secure, less maintenance — Logto owns the login/registration UX.
Existing User Migration
| Option | Description | Selected |
|---|---|---|
| Manual re-registration on Logto | User creates account on Logto, migration script links to GearBox data | ✓ |
| Automated import from GearBox users table | Script creates Logto user from existing credentials | |

User's choice: Manual re-registration on Logto (auto-selected)
Notes: Only one existing user — automation not worth the complexity.
Claude's Discretion
- Logto SDK choice
- Token storage mechanism
- Logto configuration and branding
- User ID mapping strategy
- E2E test auth approach
Deferred Ideas
None — discussion stayed within phase scope