重构认证流程，合并 GitHub 和 OIDC 登录路由，更新回调 URL，简化环境变量配置，移除旧的 Dex 相关代码，增强代码可读性和维护性。更新文档以反映新的认证流程和环境变量设置。

2026-06-03 22:02:57 +00:00 · 2025-08-18 20:51:45 +08:00
parent aa8e9ed4d0
commit 2e368455ab
10 changed files with 394 additions and 402 deletions
@@ -19,8 +19,8 @@ alwaysApply: true
 - [x] **1.1.1**: 在 `go.mod` 中添加 `golang.org/x/oauth2` 依赖。
 - [x] **1.1.2**: 创建新的 HTTP 处理器用于处理 OAuth2 流程。
 - [x] **1.1.3**: 在 `main.go` 中添加认证路由:
-    - [x] `GET /auth/github/login`
+    - [x] `GET /auth/login`
-    - [x] `GET /auth/github/callback`
+    - [x] `GET /auth/callback`
 - [x] **1.1.4**: 实现从 GitHub API 获取用户信息的逻辑。
 - [x] **1.1.5**: 引入 JWT 库 (e.g., `github.com/golang-jwt/jwt/v5`)。
 - [x] **1.1.6**: 实现用户登录成功后生成和颁发 JWT 的逻辑。
@@ -29,7 +29,7 @@ alwaysApply: true
 ### 前端 (React)
 - [x] **1.2.1**: 在 UI 中AppWelcomeScreen中添加"使用 GitHub 登录"按钮。在excalidraw\excalidraw-app\components\AppMainMenu.tsx中添加"登录"按钮。
- [x] **1.2.2**: 添加api层，实现点击按钮后跳转到后端 `/auth/github/login` 的逻辑。
+- [x] **1.2.2**: 添加api层，实现点击按钮后跳转到后端 `/auth/login` 的逻辑。
 - [x] **1.2.3**: 创建一个用于处理登录回调的组件/页面，能从 URL 中解析出 JWT。
 - [x] **1.2.4**: 将获取到的 JWT 安全地存储在 `localStorage` 或 `sessionStorage` 中。
 - [x] **1.2.5**: 创建一个全局 API 请求封装（如 Axios 拦截器），为所有请求自动附加 `Authorization` 头。
@@ -1,13 +1,13 @@
 # GitHub OAuth 配置
 GITHUB_CLIENT_ID="xxxxxxxxxxxxxxxxxxx"
 GITHUB_CLIENT_SECRET="xxxxxxxxxxxxxx"
-GITHUB_REDIRECT_URL="http://localhost:3002/auth/github/callback" # 或者你部署后的回调地址
+GITHUB_REDIRECT_URL="http://localhost:3002/auth/callback" # 或者你部署后的回调地址
 # OIDC 配置
 OIDC_ISSUER_URL="http://localhost:5556/.well-known/openid-configuration"  # OIDC 提供商地址
 OIDC_CLIENT_ID="excalidraw"
 OIDC_CLIENT_SECRET="excalidraw-secret"
-OIDC_REDIRECT_URL="http://localhost:3002/auth/oidc/callback"
+OIDC_REDIRECT_URL="http://localhost:3002/auth/callback"
 # JWT 配置
 JWT_SECRET="YOUR_SUPER_SECRET_RANDOM_STRING"
@@ -1,7 +1,7 @@
 OIDC_ISSUER_URL=http://localhost:5556
 OIDC_CLIENT_ID=excalidraw
 OIDC_CLIENT_SECRET=excalidraw-secret
-OIDC_REDIRECT_URL=http://localhost:3000/auth/oidc/callback
+OIDC_REDIRECT_URL=http://localhost:3000/auth/callback
 ADMIN_USERNAME=admin
 ADMIN_PASSWORD_HASH='$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W'
@@ -63,7 +63,7 @@ You must configure GitHub OAuth and a JWT secret for the application to function
 - `GITHUB_CLIENT_ID`: Your GitHub OAuth App's Client ID.
 - `GITHUB_CLIENT_SECRET`: Your GitHub OAuth App's Client Secret.
- `GITHUB_REDIRECT_URL`: The callback URL. For local testing, this is `http://localhost:3002/auth/github/callback`.
+- `GITHUB_REDIRECT_URL`: The callback URL. For local testing, this is `http://localhost:3002/auth/callback`.
 - `JWT_SECRET`: A strong, random string for signing session tokens. Generate one with `openssl rand -base64 32`.
 - `OPENAI_API_KEY`: Your secret key from OpenAI.
 - `OPENAI_BASE_URL`: (Optional) For using compatible APIs like Azure OpenAI.
@@ -97,7 +97,7 @@ Create a `.env` file in the project root and add the following, filling in your
 # Get from https://github.com/settings/developers
 GITHUB_CLIENT_ID=your_github_client_id
 GITHUB_CLIENT_SECRET=your_github_client_secret
-GITHUB_REDIRECT_URL=http://localhost:3002/auth/github/callback
+GITHUB_REDIRECT_URL=http://localhost:3002/auth/callback
 # Generate with: openssl rand -base64 32
 JWT_SECRET=your_super_secret_jwt_string
@@ -129,7 +129,7 @@ docker build -t excalidraw-complete -f excalidraw-complete.Dockerfile .
 docker run -p 3002:3002 \
  -e GITHUB_CLIENT_ID="your_id" \
  -e GITHUB_CLIENT_SECRET="your_secret" \
-  -e GITHUB_REDIRECT_URL="http://localhost:3002/auth/github/callback" \
+  -e GITHUB_REDIRECT_URL="http://localhost:3002/auth/callback" \
  -e JWT_SECRET="your_jwt_secret" \
  -e STORAGE_TYPE="sqlite" \
  -e DATA_SOURCE_NAME="excalidraw.db" \
@@ -63,7 +63,7 @@ docker compose up -d
 - `GITHUB_CLIENT_ID`: 您的 GitHub OAuth App 的 Client ID。
 - `GITHUB_CLIENT_SECRET`: 您的 GitHub OAuth App 的 Client Secret。
- `GITHUB_REDIRECT_URL`: 回调 URL。对于本地测试，这是 `http://localhost:3002/auth/github/callback`。
+- `GITHUB_REDIRECT_URL`: 回调 URL。对于本地测试，这是 `http://localhost:3002/auth/callback`。
 - `JWT_SECRET`: 用于签署会话令牌的强随机字符串。使用 `openssl rand -base64 32` 生成一个。
 - `OPENAI_API_KEY`: 您在 OpenAI 的秘密密钥。
 - `OPENAI_BASE_URL`: (可选) 用于使用兼容的 API，如 Azure OpenAI。
@@ -97,7 +97,7 @@ docker compose up -d
 # 从 https://github.com/settings/developers 获取
 GITHUB_CLIENT_ID=your_github_client_id
 GITHUB_CLIENT_SECRET=your_github_client_secret
-GITHUB_REDIRECT_URL=http://localhost:3002/auth/github/callback
+GITHUB_REDIRECT_URL=http://localhost:3002/auth/callback
 # 使用以下命令生成: openssl rand -base64 32
 JWT_SECRET=your_super_secret_jwt_string
@@ -129,7 +129,7 @@ docker build -t excalidraw-complete -f excalidraw-complete.Dockerfile .
 docker run -p 3002:3002 \
  -e GITHUB_CLIENT_ID="your_id" \
  -e GITHUB_CLIENT_SECRET="your_secret" \
-  -e GITHUB_REDIRECT_URL="http://localhost:3002/auth/github/callback" \
+  -e GITHUB_REDIRECT_URL="http://localhost:3002/auth/callback" \
  -e JWT_SECRET="your_jwt_secret" \
  -e STORAGE_TYPE="sqlite" \
  -e DATA_SOURCE_NAME="excalidraw.db" \
@@ -5,7 +5,7 @@ services:
    image: busybox:latest
    ports:
      - "5556:5556"  # Dex
-      - "3002:3002"  # Excalidraw
+      - "3004:3002"  # Excalidraw
    command: ["sleep", "infinity"]
    networks:
      - excalidraw-network
@@ -17,7 +17,7 @@ services:
    volumes:
      - ./config/dex.config.yaml:/etc/dex/config.yaml
    environment:
-      - OIDC_REDIRECT_URL=${OIDC_REDIRECT_URL:-http://localhost:3002/auth/oidc/callback}
+      - OIDC_REDIRECT_URL=${OIDC_REDIRECT_URL:-http://localhost:3002/auth/callback}
      - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-excalidraw-secret}
      - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-excalidraw}
      - OIDC_ISSUER=${OIDC_ISSUER:-http://localhost:5556}
@@ -0,0 +1,376 @@
 package auth
 import (
 	"context"
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
 	"excalidraw-complete/core"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"time"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/github"
 	"encoding/hex"
 	"github.com/coreos/go-oidc/v3/oidc"
 )
 var (
 	loginHandler    http.HandlerFunc
 	callbackHandler http.HandlerFunc
 )
 var (
 	githubOauthConfig *oauth2.Config
 	jwtSecret         []byte
 	oidcOauthConfig *oauth2.Config
 	oidcProvider    *oidc.Provider
 	verifier        *oidc.IDTokenVerifier
 )
 // AppClaims represents the custom claims for the JWT.
 type AppClaims struct {
 	jwt.RegisteredClaims
 	Login     string `json:"login"`
 	AvatarURL string `json:"avatarUrl"`
 	Name      string `json:"name"`
 }
 // OIDCClaims represents the claims from OIDC token
 type OIDCClaims struct {
 	Email             string `json:"email"`
 	Name              string `json:"name"`
 	PreferredUsername string `json:"preferred_username"`
 	Picture           string `json:"picture"`
 	Sub               string `json:"sub"`
 }
 func InitAuth() {
 	oidcConfigured := os.Getenv("OIDC_ISSUER_URL") != "" && os.Getenv("OIDC_CLIENT_ID") != ""
 	githubConfigured := os.Getenv("GITHUB_CLIENT_ID") != "" && os.Getenv("GITHUB_CLIENT_SECRET") != ""
 	if oidcConfigured {
 		logrus.Info("Initializing OIDC authentication provider.")
 		initOIDC()
 		loginHandler = HandleOIDCLogin
 		callbackHandler = HandleOIDCCallback
 	} else if githubConfigured {
 		logrus.Info("Initializing GitHub authentication provider.")
 		initGitHub()
 		loginHandler = HandleGitHubLogin
 		callbackHandler = HandleGitHubCallback
 	} else {
 		logrus.Warn("No authentication provider configured.")
 		dummyHandler := func(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, "Authentication not configured", http.StatusInternalServerError)
 		}
 		loginHandler = dummyHandler
 		callbackHandler = dummyHandler
 	}
 	jwtSecret = []byte(os.Getenv("JWT_SECRET"))
 	if len(jwtSecret) == 0 {
 		logrus.Warn("JWT_SECRET is not set. Authentication will not work.")
 	}
 }
 func HandleLogin(w http.ResponseWriter, r *http.Request) {
 	if loginHandler != nil {
 		loginHandler(w, r)
 	} else {
 		http.Error(w, "Authentication not configured", http.StatusInternalServerError)
 	}
 }
 func HandleCallback(w http.ResponseWriter, r *http.Request) {
 	if callbackHandler != nil {
 		callbackHandler(w, r)
 	} else {
 		http.Error(w, "Authentication not configured", http.StatusInternalServerError)
 	}
 }
 func initGitHub() {
 	githubOauthConfig = &oauth2.Config{
 		ClientID:     os.Getenv("GITHUB_CLIENT_ID"),
 		ClientSecret: os.Getenv("GITHUB_CLIENT_SECRET"),
 		RedirectURL:  os.Getenv("GITHUB_REDIRECT_URL"),
 		Scopes:       []string{"read:user", "user:email"},
 		Endpoint:     github.Endpoint,
 	}
 	if githubOauthConfig.ClientID == "" || githubOauthConfig.ClientSecret == "" {
 		logrus.Warn("GitHub OAuth credentials are not set. Authentication routes will not work.")
 	}
 }
 func initOIDC() {
 	providerURL := os.Getenv("OIDC_ISSUER_URL")
 	clientID := os.Getenv("OIDC_CLIENT_ID")
 	clientSecret := os.Getenv("OIDC_CLIENT_SECRET")
 	redirectURL := os.Getenv("OIDC_REDIRECT_URL")
 	if providerURL == "" || clientID == "" || clientSecret == "" {
 		logrus.Warn("OIDC credentials are not set. OIDC authentication routes will not work.")
 		return
 	}
 	var err error
 	oidcProvider, err = oidc.NewProvider(context.Background(), providerURL)
 	if err != nil {
 		logrus.Errorf("Failed to create OIDC provider: %s", err.Error())
 		return
 	}
 	oidcOauthConfig = &oauth2.Config{
 		ClientID:     clientID,
 		ClientSecret: clientSecret,
 		RedirectURL:  redirectURL,
 		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
 		Endpoint:     oidcProvider.Endpoint(),
 	}
 	logrus.Info("OIDC provider initialized")
 	verifier = oidcProvider.Verifier(&oidc.Config{
 		ClientID: clientID,
 	})
 }
 // Init function is deprecated, use InitAuth instead
 func Init() {
 	initGitHub()
 	jwtSecret = []byte(os.Getenv("JWT_SECRET"))
 	if githubOauthConfig.ClientID == "" || githubOauthConfig.ClientSecret == "" {
 		logrus.Warn("GitHub OAuth credentials are not set. Authentication routes will not work.")
 	}
 	if len(jwtSecret) == 0 {
 		logrus.Warn("JWT_SECRET is not set. Authentication routes will not work.")
 	}
 }
 func generateStateOauthCookie(w http.ResponseWriter) string {
 	b := make([]byte, 16)
 	rand.Read(b)
 	state := base64.URLEncoding.EncodeToString(b)
 	cookie := &http.Cookie{
 		Name:     "oauthstate",
 		Value:    state,
 		Expires:  time.Now().Add(10 * time.Minute),
 		HttpOnly: true,
 	}
 	http.SetCookie(w, cookie)
 	return state
 }
 func HandleGitHubLogin(w http.ResponseWriter, r *http.Request) {
 	if githubOauthConfig.ClientID == "" {
 		http.Error(w, "GitHub OAuth is not configured", http.StatusInternalServerError)
 		return
 	}
 	state := generateStateOauthCookie(w)
 	url := githubOauthConfig.AuthCodeURL(state)
 	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
 }
 func HandleGitHubCallback(w http.ResponseWriter, r *http.Request) {
 	if githubOauthConfig.ClientID == "" {
 		http.Error(w, "GitHub OAuth is not configured", http.StatusInternalServerError)
 		return
 	}
 	token, err := githubOauthConfig.Exchange(context.Background(), r.FormValue("code"))
 	if err != nil {
 		logrus.Errorf("failed to exchange token: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	client := githubOauthConfig.Client(context.Background(), token)
 	resp, err := client.Get("https://api.github.com/user")
 	if err != nil {
 		logrus.Errorf("failed to get user from github: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	defer resp.Body.Close()
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		logrus.Errorf("failed to read github response body: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	var githubUser struct {
 		ID        int64  `json:"id"`
 		Login     string `json:"login"`
 		AvatarURL string `json:"avatar_url"`
 		Name      string `json:"name"`
 	}
 	if err := json.Unmarshal(body, &githubUser); err != nil {
 		logrus.Errorf("failed to unmarshal github user: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	// Create user object using Subject instead of GitHubID
 	user := &core.User{
 		Subject:   fmt.Sprintf("github:%d", githubUser.ID),
 		Login:     githubUser.Login,
 		AvatarURL: githubUser.AvatarURL,
 		Name:      githubUser.Name,
 	}
 	jwtToken, err := createJWT(user)
 	if err != nil {
 		logrus.Errorf("failed to create JWT: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	// Redirect to frontend with token
 	http.Redirect(w, r, fmt.Sprintf("/?token=%s", jwtToken), http.StatusTemporaryRedirect)
 }
 func HandleOIDCLogin(w http.ResponseWriter, r *http.Request) {
 	if oidcOauthConfig == nil {
 		http.Error(w, "OIDC is not configured", http.StatusInternalServerError)
 		return
 	}
 	// Generate random state
 	stateBytes := make([]byte, 16)
 	_, err := rand.Read(stateBytes)
 	if err != nil {
 		http.Error(w, "Failed to generate state for OIDC login", http.StatusInternalServerError)
 		return
 	}
 	state := hex.EncodeToString(stateBytes)
 	// Set state in a cookie
 	http.SetCookie(w, &http.Cookie{
 		Name:     "oidc_state",
 		Value:    state,
 		Path:     "/",
 		Expires:  time.Now().Add(10 * time.Minute), // 10 minutes expiry
 		HttpOnly: true,
 		Secure:   r.Header.Get("X-Forwarded-Proto") == "https",
 		SameSite: http.SameSiteLaxMode,
 	})
 	url := oidcOauthConfig.AuthCodeURL(state, oauth2.AccessTypeOffline)
 	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
 }
 func HandleOIDCCallback(w http.ResponseWriter, r *http.Request) {
 	if oidcOauthConfig == nil {
 		http.Error(w, "OIDC is not configured", http.StatusInternalServerError)
 		return
 	}
 	code := r.FormValue("code")
 	if code == "" {
 		logrus.Error("no code in callback")
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	token, err := oidcOauthConfig.Exchange(context.Background(), code)
 	if err != nil {
 		logrus.Errorf("failed to exchange token: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	rawIDToken, ok := token.Extra("id_token").(string)
 	if !ok {
 		logrus.Error("no id_token in token response")
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	idToken, err := verifier.Verify(context.Background(), rawIDToken)
 	if err != nil {
 		logrus.Errorf("failed to verify ID token: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	var claims OIDCClaims
 	if err := idToken.Claims(&claims); err != nil {
 		logrus.Errorf("failed to extract claims from ID token: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	// Create user from OIDC claims
 	user := &core.User{
 		Subject:   claims.Sub,
 		Login:     claims.PreferredUsername,
 		Email:     claims.Email,
 		AvatarURL: claims.Picture,
 		Name:      claims.Name,
 	}
 	// If preferred_username is not available, use email
 	if user.Login == "" && user.Email != "" {
 		user.Login = user.Email
 	}
 	jwtToken, err := createJWT(user)
 	if err != nil {
 		logrus.Errorf("failed to create JWT: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	// Redirect to frontend with token
 	http.Redirect(w, r, fmt.Sprintf("/?token=%s", jwtToken), http.StatusTemporaryRedirect)
 }
 func createJWT(user *core.User) (string, error) {
 	claims := AppClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			Subject:   user.Subject,
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24 * 7)), // 1 week
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 		},
 		Login:     user.Login,
 		AvatarURL: user.AvatarURL,
 		Name:      user.Name,
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	return token.SignedString(jwtSecret)
 }
 func ParseJWT(tokenString string) (*AppClaims, error) {
 	token, err := jwt.ParseWithClaims(tokenString, &AppClaims{}, func(token *jwt.Token) (interface{}, error) {
 		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 		}
 		return jwtSecret, nil
 	})
 	if err != nil {
 		return nil, err
 	}
 	if claims, ok := token.Claims.(*AppClaims); ok && token.Valid {
 		return claims, nil
 	}
 	return nil, fmt.Errorf("invalid token")
 }
@@ -1,200 +0,0 @@
 package auth
 import (
 	"context"
 	"crypto/rand"
 	"encoding/hex"
 	"excalidraw-complete/core"
 	"fmt"
 	"net/http"
 	"os"
 	"time"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 )
 var (
 	oidcOauthConfig *oauth2.Config
 	oidcProvider    *oidc.Provider
 	verifier        *oidc.IDTokenVerifier
 )
 // OIDCClaims represents the claims from OIDC token
 type OIDCClaims struct {
 	Email             string `json:"email"`
 	Name              string `json:"name"`
 	PreferredUsername string `json:"preferred_username"`
 	Picture           string `json:"picture"`
 	Sub               string `json:"sub"`
 }
 func InitDex() {
 	providerURL := os.Getenv("OIDC_ISSUER_URL")
 	clientID := os.Getenv("OIDC_CLIENT_ID")
 	clientSecret := os.Getenv("OIDC_CLIENT_SECRET")
 	redirectURL := os.Getenv("OIDC_REDIRECT_URL")
 	if providerURL == "" || clientID == "" || clientSecret == "" {
 		logrus.Warn("OIDC credentials are not set. OIDC authentication routes will not work.")
 		return
 	}
 	var err error
 	oidcProvider, err = oidc.NewProvider(context.Background(), providerURL)
 	if err != nil {
 		logrus.Errorf("Failed to create OIDC provider: %s", err.Error())
 		return
 	}
 	oidcOauthConfig = &oauth2.Config{
 		ClientID:     clientID,
 		ClientSecret: clientSecret,
 		RedirectURL:  redirectURL,
 		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
 		Endpoint:     oidcProvider.Endpoint(),
 	}
 	logrus.Info("OIDC provider initialized")
 	verifier = oidcProvider.Verifier(&oidc.Config{
 		ClientID: clientID,
 	})
 }
 func HandleOIDCLogin(w http.ResponseWriter, r *http.Request) {
 	if oidcOauthConfig == nil {
 		http.Error(w, "OIDC is not configured", http.StatusInternalServerError)
 		return
 	}
 	// Generate random state
 	stateBytes := make([]byte, 16)
 	_, err := rand.Read(stateBytes)
 	if err != nil {
 		http.Error(w, "Failed to generate state for OIDC login", http.StatusInternalServerError)
 		return
 	}
 	state := hex.EncodeToString(stateBytes)
 	// Set state in a cookie
 	http.SetCookie(w, &http.Cookie{
 		Name:     "oidc_state",
 		Value:    state,
 		Path:     "/",
 		Expires:  time.Now().Add(10 * time.Minute), // 10 minutes expiry
 		HttpOnly: true,
 		Secure:   r.Header.Get("X-Forwarded-Proto") == "https",
 		SameSite: http.SameSiteLaxMode,
 	})
 	url := oidcOauthConfig.AuthCodeURL(state, oauth2.AccessTypeOffline)
 	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
 }
 func HandleOIDCCallback(w http.ResponseWriter, r *http.Request) {
 	if oidcOauthConfig == nil {
 		http.Error(w, "OIDC is not configured", http.StatusInternalServerError)
 		return
 	}
 	// Verify state cookie
 	stateCookie, err := r.Cookie("oidc_state")
 	if err != nil {
 		http.Error(w, "State cookie not found", http.StatusBadRequest)
 		return
 	}
 	if r.URL.Query().Get("state") != stateCookie.Value {
 		http.Error(w, "Invalid state", http.StatusBadRequest)
 		return
 	}
 	// Clear state cookie
 	http.SetCookie(w, &http.Cookie{
 		Name:     "oidc_state",
 		Value:    "",
 		Path:     "/",
 		Expires:  time.Unix(0, 0),
 		HttpOnly: true,
 		Secure:   r.Header.Get("X-Forwarded-Proto") == "https",
 		SameSite: http.SameSiteLaxMode,
 	})
 	code := r.FormValue("code")
 	if code == "" {
 		logrus.Error("no code in callback")
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	token, err := oidcOauthConfig.Exchange(context.Background(), code)
 	if err != nil {
 		logrus.Errorf("failed to exchange token: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	rawIDToken, ok := token.Extra("id_token").(string)
 	if !ok {
 		logrus.Error("no id_token in token response")
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	idToken, err := verifier.Verify(context.Background(), rawIDToken)
 	if err != nil {
 		logrus.Errorf("failed to verify ID token: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	var claims OIDCClaims
 	if err := idToken.Claims(&claims); err != nil {
 		logrus.Errorf("failed to extract claims from ID token: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	// Create user from OIDC claims
 	user := &core.User{
 		Subject:   claims.Sub,
 		Login:     claims.PreferredUsername,
 		Email:     claims.Email,
 		AvatarURL: claims.Picture,
 		Name:      claims.Name,
 	}
 	// If preferred_username is not available, use email
 	if user.Login == "" && user.Email != "" {
 		user.Login = user.Email
 	}
 	jwtToken, err := createOIDCJWT(user)
 	if err != nil {
 		logrus.Errorf("failed to create JWT: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	// Redirect to frontend with token
 	http.Redirect(w, r, fmt.Sprintf("/?token=%s", jwtToken), http.StatusTemporaryRedirect)
 }
 func createOIDCJWT(user *core.User) (string, error) {
 	claims := AppClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			Subject:   user.Subject,
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24 * 7)), // 1 week
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 		},
 		Login:     user.Login,
 		AvatarURL: user.AvatarURL,
 		Name:      user.Name,
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	return token.SignedString(jwtSecret)
 }
@@ -1,178 +0,0 @@
 package auth
 import (
 	"context"
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
 	"excalidraw-complete/core"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"time"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/github"
 )
 var (
 	githubOauthConfig *oauth2.Config
 	jwtSecret         []byte
 )
 // AppClaims represents the custom claims for the JWT.
 type AppClaims struct {
 	jwt.RegisteredClaims
 	Login     string `json:"login"`
 	AvatarURL string `json:"avatarUrl"`
 	Name      string `json:"name"`
 }
 func Init() {
 	githubOauthConfig = &oauth2.Config{
 		ClientID:     os.Getenv("GITHUB_CLIENT_ID"),
 		ClientSecret: os.Getenv("GITHUB_CLIENT_SECRET"),
 		RedirectURL:  os.Getenv("GITHUB_REDIRECT_URL"),
 		Scopes:       []string{"read:user", "user:email"},
 		Endpoint:     github.Endpoint,
 	}
 	jwtSecret = []byte(os.Getenv("JWT_SECRET"))
 	if githubOauthConfig.ClientID == "" || githubOauthConfig.ClientSecret == "" {
 		logrus.Warn("GitHub OAuth credentials are not set. Authentication routes will not work.")
 	}
 	if len(jwtSecret) == 0 {
 		logrus.Warn("JWT_SECRET is not set. Authentication routes will not work.")
 	}
 }
 func generateStateOauthCookie(w http.ResponseWriter) string {
 	b := make([]byte, 16)
 	rand.Read(b)
 	state := base64.URLEncoding.EncodeToString(b)
 	cookie := &http.Cookie{
 		Name:     "oauthstate",
 		Value:    state,
 		Expires:  time.Now().Add(10 * time.Minute),
 		HttpOnly: true,
 	}
 	http.SetCookie(w, cookie)
 	return state
 }
 func HandleGitHubLogin(w http.ResponseWriter, r *http.Request) {
 	if githubOauthConfig.ClientID == "" {
 		http.Error(w, "GitHub OAuth is not configured", http.StatusInternalServerError)
 		return
 	}
 	state := generateStateOauthCookie(w)
 	url := githubOauthConfig.AuthCodeURL(state)
 	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
 }
 func HandleGitHubCallback(w http.ResponseWriter, r *http.Request) {
 	if githubOauthConfig.ClientID == "" {
 		http.Error(w, "GitHub OAuth is not configured", http.StatusInternalServerError)
 		return
 	}
 	oauthState, _ := r.Cookie("oauthstate")
 	if r.FormValue("state") != oauthState.Value {
 		logrus.Error("invalid oauth github state")
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	token, err := githubOauthConfig.Exchange(context.Background(), r.FormValue("code"))
 	if err != nil {
 		logrus.Errorf("failed to exchange token: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	client := githubOauthConfig.Client(context.Background(), token)
 	resp, err := client.Get("https://api.github.com/user")
 	if err != nil {
 		logrus.Errorf("failed to get user from github: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	defer resp.Body.Close()
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		logrus.Errorf("failed to read github response body: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	var githubUser struct {
 		ID        int64  `json:"id"`
 		Login     string `json:"login"`
 		AvatarURL string `json:"avatar_url"`
 		Name      string `json:"name"`
 	}
 	if err := json.Unmarshal(body, &githubUser); err != nil {
 		logrus.Errorf("failed to unmarshal github user: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	// Create user object using Subject instead of GitHubID
 	user := &core.User{
 		Subject:   fmt.Sprintf("github:%d", githubUser.ID),
 		Login:     githubUser.Login,
 		AvatarURL: githubUser.AvatarURL,
 		Name:      githubUser.Name,
 	}
 	jwtToken, err := createJWT(user)
 	if err != nil {
 		logrus.Errorf("failed to create JWT: %s", err.Error())
 		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 		return
 	}
 	// Redirect to frontend with token
 	http.Redirect(w, r, fmt.Sprintf("/?token=%s", jwtToken), http.StatusTemporaryRedirect)
 }
 func createJWT(user *core.User) (string, error) {
 	claims := AppClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			Subject:   user.Subject,
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24 * 7)), // 1 week
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 		},
 		Login:     user.Login,
 		AvatarURL: user.AvatarURL,
 		Name:      user.Name,
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	return token.SignedString(jwtSecret)
 }
 func ParseJWT(tokenString string) (*AppClaims, error) {
 	token, err := jwt.ParseWithClaims(tokenString, &AppClaims{}, func(token *jwt.Token) (interface{}, error) {
 		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 		}
 		return jwtSecret, nil
 	})
 	if err != nil {
 		return nil, err
 	}
 	if claims, ok := token.Claims.(*AppClaims); ok && token.Valid {
 		return claims, nil
 	}
 	return nil, fmt.Errorf("invalid token")
 }
@@ -166,14 +166,9 @@ func setupRouter(store stores.Store) *chi.Mux {
 		})
 	})
-	r.Route("/auth/github", func(r chi.Router) {
+	r.Route("/auth", func(r chi.Router) {
-		r.Get("/login", auth.HandleGitHubLogin)
+		r.Get("/login", auth.HandleLogin)
-		r.Get("/callback", auth.HandleGitHubCallback)
+		r.Get("/callback", auth.HandleCallback)
 	})
 	r.Route("/auth/oidc", func(r chi.Router) {
 		r.Get("/login", auth.HandleOIDCLogin)
 		r.Get("/callback", auth.HandleOIDCCallback)
 	})
 	return r
@@ -311,8 +306,7 @@ func main() {
 		FullTimestamp: true,
 	})
-	auth.Init()
+	auth.InitAuth()
 	auth.InitDex()
 	openai.Init()
 	store := stores.GetStore()