Context
Surfaced during a usability/extensibility survey.
OAuth providers live in system_config as JSON (oauth_providers, seeded from OAUTH_PROVIDERS). Adding or updating a provider requires editing the DB row (or env + reseed); there is no REST admin surface for it, unlike other admin operations. Provider client secrets correctly stay in env vars referenced by clientSecretEnv.
Suggested work
- Add admin-scoped endpoints to list / add / update / disable OAuth providers, validated against
OAuthProviderConfigSchema (src/schemas/systemConfig.schema.ts).
- Invalidate the system-config cache after writes (see
getSystemConfig.ts).
- Keep client secrets out of the API surface (continue referencing
clientSecretEnv; never accept or return raw secrets).
Acceptance
- Admin can manage providers via the API without hand-editing
system_config, with tests and OpenAPI coverage.
Context
Surfaced during a usability/extensibility survey.
OAuth providers live in
system_configas JSON (oauth_providers, seeded fromOAUTH_PROVIDERS). Adding or updating a provider requires editing the DB row (or env + reseed); there is no REST admin surface for it, unlike other admin operations. Provider client secrets correctly stay in env vars referenced byclientSecretEnv.Suggested work
OAuthProviderConfigSchema(src/schemas/systemConfig.schema.ts).getSystemConfig.ts).clientSecretEnv; never accept or return raw secrets).Acceptance
system_config, with tests and OpenAPI coverage.