OIDC/SSO Authentication, General Improvements, Security & Dependency Patches
✨ Features
- server: Added optional OIDC/SSO authentication via a plugin adapter system. Supports Generic, PocketID, Authentik, and Keycloak providers via the
OIDC_PROVIDERenv var. File uploads and note creation can each be independently protected usingOIDC_PROTECT_FILESandOIDC_PROTECT_NOTES. Both HTTP and WebSocket upload transports are guarded. Sessions are stateless JWT cookies - no database changes required. - web: Added inline auth blocks on the upload page when OIDC is enabled and the user is not logged in. A user indicator with logout button is shown in the navigation header when authenticated.
- client: Added OIDC authentication support for the CLI. When a server has
OIDC_PROTECT_FILESorOIDC_PROTECT_NOTESenabled, the CLI automatically opens a browser for login before uploading or creating notes. Session tokens are stored per-server in~/.config/skysend/tokens.jsonand reused until they expire. Newauthsubcommands (login,logout,status) allow explicit session management.
🔒 Security
- infra: Added pnpm overrides for
@esbuild-kit/core-utils>esbuild(>=0.25.0) andvitepress>vite(~6.4.2) to address GHSA-67mh-4wv8-2f99 (esbuild dev server CORS bypass) and GHSA-4w7w-66w2-5vf9 (Vite path traversal in optimized deps.maphandling). - infra: Updated all dependencies to latest versions -
vite8.0.13,tailwindcss+@tailwindcss/vite4.3.0,better-sqlite312.10.0,@aws-sdk/*3.1046.0,i18next26.1.0,lucide-react1.16.0,tailwind-merge3.6.0,vitest+@vitest/coverage-v84.1.6,tsx4.22.0, and others.
🎨 Improvements
- web: The password input placeholder no longer says "(optional)" when
FORCE_FILE_PASSWORDorFORCE_NOTE_PASSWORDis enabled - it now correctly says "(required)". - web: The navigation header title now truncates with an ellipsis when a custom title is very long, preventing layout overflow on all screen sizes.
- web: Added a hamburger menu for mobile screens. All navigation links, the language switcher, theme toggle, and OIDC login/logout are now accessible in a collapsible dropdown on small viewports.
- web: The language selector dropdown now has a fixed max height with a scrollable list (using shadcn ScrollArea) and a search input at the top, so all languages are accessible on small screens without getting cut off.
- web: The logout button tooltip in the navigation header now uses the shadcn Tooltip component instead of a native browser
titleattribute.
🧪 Tests
- server: Added unit tests for the OIDC auth layer, all four provider adapters, the guard middleware, and auth routes, plus expanded coverage across multiple server modules - overall line coverage improved from 84.44% to 90%.
- client: Added unit tests for the OIDC login flow and progress/password prompt utilities, bringing both modules to near-100% coverage.
- web: Added unit tests for the auth hook, session API, and all remaining hooks that previously had 0% coverage.
- server: Increased patch coverage for OIDC-related modules - added tests for
verifySessionJwt/verifyPkceJwtreturning null on malformed payloads, theString(err)branch in the discovery warm-up handler, and empty-claims fallback paths in all four provider adapters, bringingauth/session.ts,routes/auth.ts, and allauth/adapters/*.tsto 100% branch coverage. - client: Added tests for the
getFreePorterror path and theperformOidcLogincatch block, bringinglib/oidc.tsto 100% line coverage.
📝 Documentation
- docs: Added OIDC Authentication page to the Developer Guide API Reference, covering the full PKCE login flow, auth/callback/logout/session endpoints, the OIDC guard middleware, protected vs. always-public endpoints, provider adapters, session JWT format, and the CLI device-browser login flow.
- docs: Added OIDC/SSO to the features list on the landing page.
- docs: Extended the API Overview with the
/auth/*endpoint table and a link to the new OIDC page. - docs: Added
auth login,auth logout, andauth statusto the client CLI command reference, including the OIDC login flow explanation and token storage details.
🐳 Docker
- Image:
skyfay/skysend:v2.8.0 - Also tagged as:
latest,v2 - Platforms: linux/amd64, linux/arm64