From 4635fd4daa31cc5eb893970044d903b4d8db5d9d Mon Sep 17 00:00:00 2001
From: Lynton Infra <infra@lynton.ai>
Date: Sun, 24 May 2026 14:49:52 +0000
Subject: [PATCH 1/7] feat(auth): add Authentik OIDC provider for self-hosted
 SSO

NextAuth ships next-auth/providers/authentik but Cap does not currently
wire it up, so Authentik users have no clean way to sign in to a self-
hosted Cap. The provider is gated on AUTHENTIK_ISSUER being set, so
Cap Cloud builds (and any deployment that has not configured Authentik)
remain unchanged.

Closes #914 (CAP-453)
---
 packages/database/auth/auth-options.ts | 10 ++++++++++
 packages/env/server.ts                 |  8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/packages/database/auth/auth-options.ts b/packages/database/auth/auth-options.ts
index 1e3a886b2b1..e2a3e0fb460 100644
--- a/packages/database/auth/auth-options.ts
+++ b/packages/database/auth/auth-options.ts
@@ -6,6 +6,7 @@ import type { NextAuthOptions } from "next-auth";
 import { getServerSession as _getServerSession } from "next-auth";
 import type { Adapter } from "next-auth/adapters";
 import { decode, type JWT, type JWTDecodeParams } from "next-auth/jwt";
+import AuthentikProvider from "next-auth/providers/authentik";
 import EmailProvider from "next-auth/providers/email";
 import GoogleProvider from "next-auth/providers/google";
 import type { Provider } from "next-auth/providers/index";
@@ -69,6 +70,15 @@ export const authOptions = (): NextAuthOptions => {
 		get providers() {
 			if (_providers) return _providers;
 			_providers = [
+				...(serverEnv().AUTHENTIK_ISSUER
+					? [
+							AuthentikProvider({
+								clientId: serverEnv().AUTHENTIK_CLIENT_ID as string,
+								clientSecret: serverEnv().AUTHENTIK_CLIENT_SECRET as string,
+								issuer: serverEnv().AUTHENTIK_ISSUER as string,
+							}),
+						]
+					: []),
 				GoogleProvider({
 					clientId: serverEnv().GOOGLE_CLIENT_ID as string,
 					clientSecret: serverEnv().GOOGLE_CLIENT_SECRET as string,
diff --git a/packages/env/server.ts b/packages/env/server.ts
index febc9e3e873..0e952321dd0 100644
--- a/packages/env/server.ts
+++ b/packages/env/server.ts
@@ -72,6 +72,14 @@ function createServerEnv() {
 			WORKOS_CLIENT_ID: z.string().optional(),
 			WORKOS_API_KEY: z.string().optional(),
 
+			/// Authentik OIDC (self-hosted SSO)
+			// Provide these to enable a "Sign in with Authentik" provider.
+			// AUTHENTIK_ISSUER must include the application slug; no trailing slash:
+			//   https://auth.example.com/application/o/<slug>
+			AUTHENTIK_CLIENT_ID: z.string().optional(),
+			AUTHENTIK_CLIENT_SECRET: z.string().optional(),
+			AUTHENTIK_ISSUER: z.string().optional(),
+
 			/// Settings
 			CAP_VIDEOS_DEFAULT_PUBLIC: boolString(true).describe(
 				"Should videos be public or private by default",

From 3d0a31bdff5297f99167f99c0488e1b233b12855 Mon Sep 17 00:00:00 2001
From: Lynton Infra <infra@lynton.ai>
Date: Sun, 24 May 2026 15:13:06 +0000
Subject: [PATCH 2/7] feat(auth): render Authentik sign-in button on
 login/signup/share pages

Adds an authentikAuthAvailable boolean to publicEnv (gated on AUTHENTIK_ISSUER)
and renders a Login/Sign-up with Authentik button alongside the existing
Google and WorkOS options in apps/web/app/(org)/login/form.tsx,
apps/web/app/(org)/signup/form.tsx, and apps/web/app/s/[videoId]/_components/
AuthOverlay.tsx. Mirrors the existing pattern; deployments without Authentik
configured see no UI change.

Refs #914 (CAP-453)
---
 apps/web/app/(org)/login/form.tsx             | 31 ++++++++++++-
 apps/web/app/(org)/signup/form.tsx            | 33 +++++++++++++-
 apps/web/app/layout.tsx                       |  1 +
 .../s/[videoId]/_components/AuthOverlay.tsx   | 43 +++++++++++++------
 apps/web/utils/public-env.tsx                 |  1 +
 5 files changed, 94 insertions(+), 15 deletions(-)

diff --git a/apps/web/app/(org)/login/form.tsx b/apps/web/app/(org)/login/form.tsx
index 50ffff2733f..f64df0df7ac 100644
--- a/apps/web/app/(org)/login/form.tsx
+++ b/apps/web/app/(org)/login/form.tsx
@@ -6,6 +6,7 @@ import {
 	faArrowLeft,
 	faEnvelope,
 	faExclamationCircle,
+	faRightToBracket,
 } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { AnimatePresence, motion } from "framer-motion";
@@ -115,6 +116,17 @@ export function LoginForm() {
 		});
 	};
 
+	const handleAuthentikSignIn = () => {
+		trackEvent("auth_started", {
+			method: "authentik",
+			is_signup: false,
+			auth_surface: "login",
+		});
+		signIn("authentik", {
+			...(next && next.length > 0 ? { callbackUrl: next } : {}),
+		});
+	};
+
 	const handleOrganizationLookup = async (e: React.FormEvent) => {
 		e.preventDefault();
 		if (!organizationId) {
@@ -326,6 +338,7 @@ export function LoginForm() {
 											loading={loading}
 											oauthError={oauthError}
 											handleGoogleSignIn={handleGoogleSignIn}
+											handleAuthentikSignIn={handleAuthentikSignIn}
 										/>
 									</motion.form>
 								)}
@@ -405,6 +418,7 @@ const NormalLogin = ({
 	loading,
 	oauthError,
 	handleGoogleSignIn,
+	handleAuthentikSignIn,
 }: {
 	setShowOrgInput: (show: boolean) => void;
 	email: string;
@@ -413,6 +427,7 @@ const NormalLogin = ({
 	loading: boolean;
 	oauthError: boolean;
 	handleGoogleSignIn: () => void;
+	handleAuthentikSignIn: () => void;
 }) => {
 	const publicEnv = usePublicEnv();
 
@@ -465,7 +480,9 @@ const NormalLogin = ({
 				</Link>
 			</motion.p>
 
-			{(publicEnv.googleAuthAvailable || publicEnv.workosAuthAvailable) && (
+			{(publicEnv.googleAuthAvailable ||
+				publicEnv.workosAuthAvailable ||
+				publicEnv.authentikAuthAvailable) && (
 				<>
 					<div className="flex gap-4 items-center mt-4 mb-4">
 						<span className="flex-1 h-px bg-gray-5" />
@@ -476,6 +493,18 @@ const NormalLogin = ({
 						layout
 						className="flex flex-col gap-3 justify-center items-center"
 					>
+						{publicEnv.authentikAuthAvailable && !oauthError && (
+							<MotionButton
+								variant="gray"
+								type="button"
+								className="flex gap-2 justify-center items-center w-full text-sm"
+								onClick={handleAuthentikSignIn}
+								disabled={loading || emailSent}
+							>
+								<FontAwesomeIcon className="size-4" icon={faRightToBracket} />
+								Login with Authentik
+							</MotionButton>
+						)}
 						{publicEnv.googleAuthAvailable && !oauthError && (
 							<MotionButton
 								variant="gray"
diff --git a/apps/web/app/(org)/signup/form.tsx b/apps/web/app/(org)/signup/form.tsx
index c35635d4172..df6de6e67d3 100644
--- a/apps/web/app/(org)/signup/form.tsx
+++ b/apps/web/app/(org)/signup/form.tsx
@@ -6,6 +6,7 @@ import {
 	faArrowLeft,
 	faEnvelope,
 	faExclamationCircle,
+	faRightToBracket,
 } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { AnimatePresence, motion } from "framer-motion";
@@ -115,6 +116,17 @@ export function SignupForm() {
 		});
 	};
 
+	const handleAuthentikSignIn = () => {
+		trackEvent("auth_started", {
+			method: "authentik",
+			is_signup: true,
+			auth_surface: "signup",
+		});
+		signIn("authentik", {
+			...(next && next.length > 0 ? { callbackUrl: next } : {}),
+		});
+	};
+
 	const handleOrganizationLookup = async (e: React.FormEvent) => {
 		e.preventDefault();
 		if (!organizationId) {
@@ -326,6 +338,7 @@ export function SignupForm() {
 											loading={loading}
 											oauthError={oauthError}
 											handleGoogleSignIn={handleGoogleSignIn}
+											handleAuthentikSignIn={handleAuthentikSignIn}
 										/>
 									</motion.form>
 								)}
@@ -419,6 +432,7 @@ const NormalSignup = ({
 	loading,
 	oauthError,
 	handleGoogleSignIn,
+	handleAuthentikSignIn,
 }: {
 	setShowOrgInput: (show: boolean) => void;
 	email: string;
@@ -427,6 +441,7 @@ const NormalSignup = ({
 	loading: boolean;
 	oauthError: boolean;
 	handleGoogleSignIn: () => void;
+	handleAuthentikSignIn: () => void;
 }) => {
 	const publicEnv = usePublicEnv();
 
@@ -456,7 +471,9 @@ const NormalSignup = ({
 					Sign up with email
 				</MotionButton>
 			</motion.div>
-			{(publicEnv.googleAuthAvailable || publicEnv.workosAuthAvailable) && (
+			{(publicEnv.googleAuthAvailable ||
+				publicEnv.workosAuthAvailable ||
+				publicEnv.authentikAuthAvailable) && (
 				<>
 					<div className="flex gap-4 items-center my-4">
 						<span className="flex-1 h-px bg-gray-5" />
@@ -467,7 +484,19 @@ const NormalSignup = ({
 						layout
 						className="flex flex-col gap-3 justify-center items-center"
 					>
-						{!oauthError && (
+						{publicEnv.authentikAuthAvailable && !oauthError && (
+							<MotionButton
+								variant="gray"
+								type="button"
+								className="flex gap-2 justify-center items-center w-full text-sm"
+								onClick={handleAuthentikSignIn}
+								disabled={loading}
+							>
+								<FontAwesomeIcon className="size-4" icon={faRightToBracket} />
+								Sign up with Authentik
+							</MotionButton>
+						)}
+						{publicEnv.googleAuthAvailable && !oauthError && (
 							<MotionButton
 								variant="gray"
 								type="button"
diff --git a/apps/web/app/layout.tsx b/apps/web/app/layout.tsx
index 1b595989d99..0522cb3f793 100644
--- a/apps/web/app/layout.tsx
+++ b/apps/web/app/layout.tsx
@@ -126,6 +126,7 @@ export default ({ children }: PropsWithChildren) =>
 												webUrl: buildEnv.NEXT_PUBLIC_WEB_URL,
 												workosAuthAvailable: !!serverEnv().WORKOS_CLIENT_ID,
 												googleAuthAvailable: !!serverEnv().GOOGLE_CLIENT_ID,
+												authentikAuthAvailable: !!serverEnv().AUTHENTIK_ISSUER,
 											}}
 										>
 											<ReactQueryProvider>
diff --git a/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx b/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx
index 75a3c834089..8f00da12bea 100644
--- a/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx
+++ b/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx
@@ -1,6 +1,10 @@
 import { NODE_ENV } from "@cap/env";
 import { Button, Dialog, DialogContent, Input, LogoBadge } from "@cap/ui";
-import { faArrowLeft, faEnvelope } from "@fortawesome/free-solid-svg-icons";
+import {
+	faArrowLeft,
+	faEnvelope,
+	faRightToBracket,
+} from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import Image from "next/image";
 import Link from "next/link";
@@ -224,23 +228,38 @@ const StepOne = ({
 						: "Email sent to your inbox"
 					: "Continue with Email"}
 			</Button>
-			{publicEnv.googleAuthAvailable && (
+			{(publicEnv.googleAuthAvailable ||
+				publicEnv.authentikAuthAvailable) && (
 				<>
 					<div className="flex gap-4 items-center">
 						<span className="flex-1 h-px bg-gray-5" />
 						<p className="text-sm text-center text-gray-10">OR</p>
 						<span className="flex-1 h-px bg-gray-5" />
 					</div>
-					<Button
-						variant="gray"
-						type="button"
-						className="flex gap-2 justify-center items-center my-1 w-full text-sm"
-						onClick={handleGoogleSignIn}
-						disabled={loading}
-					>
-						<Image src="/google.svg" alt="Google" width={16} height={16} />
-						Login with Google
-					</Button>
+					{publicEnv.authentikAuthAvailable && (
+						<Button
+							variant="gray"
+							type="button"
+							className="flex gap-2 justify-center items-center my-1 w-full text-sm"
+							onClick={() => signIn("authentik")}
+							disabled={loading}
+						>
+							<FontAwesomeIcon className="size-4" icon={faRightToBracket} />
+							Login with Authentik
+						</Button>
+					)}
+					{publicEnv.googleAuthAvailable && (
+						<Button
+							variant="gray"
+							type="button"
+							className="flex gap-2 justify-center items-center my-1 w-full text-sm"
+							onClick={handleGoogleSignIn}
+							disabled={loading}
+						>
+							<Image src="/google.svg" alt="Google" width={16} height={16} />
+							Login with Google
+						</Button>
+					)}
 				</>
 			)}
 		</form>
diff --git a/apps/web/utils/public-env.tsx b/apps/web/utils/public-env.tsx
index 94999923909..119ec507639 100644
--- a/apps/web/utils/public-env.tsx
+++ b/apps/web/utils/public-env.tsx
@@ -6,6 +6,7 @@ type PublicEnvContext = {
 	webUrl: string;
 	googleAuthAvailable: boolean;
 	workosAuthAvailable: boolean;
+	authentikAuthAvailable: boolean;
 };
 
 const Context = createContext<PublicEnvContext | null>(null);

From e3aaea343b1734817d9d432f0973f181955d28dc Mon Sep 17 00:00:00 2001
From: Lynton Infra <infra@lynton.ai>
Date: Sun, 24 May 2026 15:21:10 +0000
Subject: [PATCH 3/7] feat(auth): CAP_DISABLE_EMAIL_AUTH env to hide magic-link
 UI

Adds an opt-in CAP_DISABLE_EMAIL_AUTH flag (boolean, default false) that
hides the email input + Login/Sign up with email button on /login,
/signup, and the share-page sign-in modal, plus the "Sign up here" link
on /login. The EmailProvider stays wired server-side so the magic-link
flow remains available as break-glass via direct API call. Useful for
OIDC-only deployments.

Refs #914 (CAP-453)
---
 apps/web/app/(org)/login/form.tsx             | 74 ++++++++++---------
 apps/web/app/(org)/signup/form.tsx            | 50 +++++++------
 apps/web/app/layout.tsx                       |  1 +
 .../s/[videoId]/_components/AuthOverlay.tsx   | 60 ++++++++-------
 apps/web/utils/public-env.tsx                 |  1 +
 packages/env/server.ts                        |  4 +
 6 files changed, 103 insertions(+), 87 deletions(-)

diff --git a/apps/web/app/(org)/login/form.tsx b/apps/web/app/(org)/login/form.tsx
index f64df0df7ac..24f284c0f4c 100644
--- a/apps/web/app/(org)/login/form.tsx
+++ b/apps/web/app/(org)/login/form.tsx
@@ -433,29 +433,30 @@ const NormalLogin = ({
 
 	return (
 		<motion.div>
-			<motion.div layout className="flex flex-col space-y-3">
-				<MotionInput
-					id="email"
-					name="email"
-					autoFocus
-					type="email"
-					placeholder={emailSent ? "" : "tim@apple.com"}
-					autoComplete="email"
-					required
-					value={email}
-					disabled={emailSent || loading}
-					onChange={(e) => {
-						setEmail(e.target.value.toLowerCase());
-					}}
-				/>
-				<MotionButton
-					variant="dark"
-					type="submit"
-					disabled={loading || emailSent}
-					icon={<FontAwesomeIcon className="mr-1 size-4" icon={faEnvelope} />}
-				>
-					Login with email
-				</MotionButton>
+			{!publicEnv.disableEmailAuth && (
+				<motion.div layout className="flex flex-col space-y-3">
+					<MotionInput
+						id="email"
+						name="email"
+						autoFocus
+						type="email"
+						placeholder={emailSent ? "" : "tim@apple.com"}
+						autoComplete="email"
+						required
+						value={email}
+						disabled={emailSent || loading}
+						onChange={(e) => {
+							setEmail(e.target.value.toLowerCase());
+						}}
+					/>
+					<MotionButton
+						variant="dark"
+						type="submit"
+						disabled={loading || emailSent}
+						icon={<FontAwesomeIcon className="mr-1 size-4" icon={faEnvelope} />}
+					>
+						Login with email
+					</MotionButton>
 				{/* {NODE_ENV === "development" && (
                   <div className="flex justify-center items-center px-6 py-3 mt-3 bg-red-600 rounded-xl">
                     <p className="text-lg text-white">
@@ -466,19 +467,22 @@ const NormalLogin = ({
                     </p>
                   </div>
                 )} */}
-			</motion.div>
-			<motion.p
-				layout="position"
-				className="mt-3 mb-2 text-xs text-center text-gray-9"
-			>
-				Don't have an account?{" "}
-				<Link
-					href="/signup"
-					className="text-xs font-semibold text-blue-9 hover:text-blue-8"
+				</motion.div>
+			)}
+			{!publicEnv.disableEmailAuth && (
+				<motion.p
+					layout="position"
+					className="mt-3 mb-2 text-xs text-center text-gray-9"
 				>
-					Sign up here
-				</Link>
-			</motion.p>
+					Don't have an account?{" "}
+					<Link
+						href="/signup"
+						className="text-xs font-semibold text-blue-9 hover:text-blue-8"
+					>
+						Sign up here
+					</Link>
+				</motion.p>
+			)}
 
 			{(publicEnv.googleAuthAvailable ||
 				publicEnv.workosAuthAvailable ||
diff --git a/apps/web/app/(org)/signup/form.tsx b/apps/web/app/(org)/signup/form.tsx
index df6de6e67d3..b27cee2fcb5 100644
--- a/apps/web/app/(org)/signup/form.tsx
+++ b/apps/web/app/(org)/signup/form.tsx
@@ -447,30 +447,32 @@ const NormalSignup = ({
 
 	return (
 		<motion.div>
-			<motion.div layout className="flex flex-col space-y-3">
-				<MotionInput
-					id="email"
-					name="email"
-					autoFocus
-					type="email"
-					placeholder={emailSent ? "" : "tim@apple.com"}
-					autoComplete="email"
-					required
-					value={email}
-					disabled={emailSent || loading}
-					onChange={(e) => {
-						setEmail(e.target.value.toLowerCase());
-					}}
-				/>
-				<MotionButton
-					variant="dark"
-					type="submit"
-					disabled={loading || emailSent}
-					icon={<FontAwesomeIcon className="mr-1 size-4" icon={faEnvelope} />}
-				>
-					Sign up with email
-				</MotionButton>
-			</motion.div>
+			{!publicEnv.disableEmailAuth && (
+				<motion.div layout className="flex flex-col space-y-3">
+					<MotionInput
+						id="email"
+						name="email"
+						autoFocus
+						type="email"
+						placeholder={emailSent ? "" : "tim@apple.com"}
+						autoComplete="email"
+						required
+						value={email}
+						disabled={emailSent || loading}
+						onChange={(e) => {
+							setEmail(e.target.value.toLowerCase());
+						}}
+					/>
+					<MotionButton
+						variant="dark"
+						type="submit"
+						disabled={loading || emailSent}
+						icon={<FontAwesomeIcon className="mr-1 size-4" icon={faEnvelope} />}
+					>
+						Sign up with email
+					</MotionButton>
+				</motion.div>
+			)}
 			{(publicEnv.googleAuthAvailable ||
 				publicEnv.workosAuthAvailable ||
 				publicEnv.authentikAuthAvailable) && (
diff --git a/apps/web/app/layout.tsx b/apps/web/app/layout.tsx
index 0522cb3f793..ae3eb785bd4 100644
--- a/apps/web/app/layout.tsx
+++ b/apps/web/app/layout.tsx
@@ -127,6 +127,7 @@ export default ({ children }: PropsWithChildren) =>
 												workosAuthAvailable: !!serverEnv().WORKOS_CLIENT_ID,
 												googleAuthAvailable: !!serverEnv().GOOGLE_CLIENT_ID,
 												authentikAuthAvailable: !!serverEnv().AUTHENTIK_ISSUER,
+												disableEmailAuth: serverEnv().CAP_DISABLE_EMAIL_AUTH,
 											}}
 										>
 											<ReactQueryProvider>
diff --git a/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx b/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx
index 8f00da12bea..261a239e942 100644
--- a/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx
+++ b/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx
@@ -200,34 +200,38 @@ const StepOne = ({
 			}}
 			className="flex flex-col gap-3"
 		>
-			<div>
-				<Input
-					id={emailId}
-					name="email"
-					autoFocus
-					type="email"
-					placeholder={emailSent ? "" : "tim@apple.com"}
-					autoComplete="email"
-					required
-					value={email}
-					disabled={emailSent || loading}
-					onChange={(e) => {
-						setEmail(e.target.value.toLowerCase());
-					}}
-				/>
-			</div>
-			<Button
-				variant="dark"
-				type="submit"
-				icon={<FontAwesomeIcon className="mr-1 size-4" icon={faEnvelope} />}
-				disabled={loading || emailSent}
-			>
-				{emailSent
-					? NODE_ENV === "development"
-						? "Email sent to your terminal"
-						: "Email sent to your inbox"
-					: "Continue with Email"}
-			</Button>
+			{!publicEnv.disableEmailAuth && (
+				<>
+					<div>
+						<Input
+							id={emailId}
+							name="email"
+							autoFocus
+							type="email"
+							placeholder={emailSent ? "" : "tim@apple.com"}
+							autoComplete="email"
+							required
+							value={email}
+							disabled={emailSent || loading}
+							onChange={(e) => {
+								setEmail(e.target.value.toLowerCase());
+							}}
+						/>
+					</div>
+					<Button
+						variant="dark"
+						type="submit"
+						icon={<FontAwesomeIcon className="mr-1 size-4" icon={faEnvelope} />}
+						disabled={loading || emailSent}
+					>
+						{emailSent
+							? NODE_ENV === "development"
+								? "Email sent to your terminal"
+								: "Email sent to your inbox"
+							: "Continue with Email"}
+					</Button>
+				</>
+			)}
 			{(publicEnv.googleAuthAvailable ||
 				publicEnv.authentikAuthAvailable) && (
 				<>
diff --git a/apps/web/utils/public-env.tsx b/apps/web/utils/public-env.tsx
index 119ec507639..2d4a8e83cb4 100644
--- a/apps/web/utils/public-env.tsx
+++ b/apps/web/utils/public-env.tsx
@@ -7,6 +7,7 @@ type PublicEnvContext = {
 	googleAuthAvailable: boolean;
 	workosAuthAvailable: boolean;
 	authentikAuthAvailable: boolean;
+	disableEmailAuth: boolean;
 };
 
 const Context = createContext<PublicEnvContext | null>(null);
diff --git a/packages/env/server.ts b/packages/env/server.ts
index 0e952321dd0..a36f9939885 100644
--- a/packages/env/server.ts
+++ b/packages/env/server.ts
@@ -88,6 +88,10 @@ function createServerEnv() {
 				.string()
 				.optional()
 				.describe("Comma-separated list of permitted signup domains"),
+			CAP_DISABLE_EMAIL_AUTH: boolString(false).describe(
+				"Hide the email magic-link UI on login/signup/share pages. "
+				+ "The provider stays wired server-side as break-glass.",
+			),
 
 			/// AI providers
 			DEEPGRAM_API_KEY: z.string().optional().describe("Audio transcription"),

From cc23f58f3858c8ea41f2abcf0adaca80cc082190 Mon Sep 17 00:00:00 2001
From: Lynton Infra <infra@lynton.ai>
Date: Sun, 24 May 2026 15:31:17 +0000
Subject: [PATCH 4/7] feat(auth): hide OR divider when
 CAP_DISABLE_EMAIL_AUTH=true

The OR separator between email and OAuth buttons is meaningless when
the email block above it is hidden. Wrap the divider in the same
!publicEnv.disableEmailAuth gate so an OIDC-only deployment renders a
clean Authentik-only login form.

Refs #914 (CAP-453)
---
 apps/web/app/(org)/login/form.tsx                    | 12 +++++++-----
 apps/web/app/(org)/signup/form.tsx                   | 12 +++++++-----
 apps/web/app/s/[videoId]/_components/AuthOverlay.tsx | 12 +++++++-----
 3 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/apps/web/app/(org)/login/form.tsx b/apps/web/app/(org)/login/form.tsx
index 24f284c0f4c..8009320bf30 100644
--- a/apps/web/app/(org)/login/form.tsx
+++ b/apps/web/app/(org)/login/form.tsx
@@ -488,11 +488,13 @@ const NormalLogin = ({
 				publicEnv.workosAuthAvailable ||
 				publicEnv.authentikAuthAvailable) && (
 				<>
-					<div className="flex gap-4 items-center mt-4 mb-4">
-						<span className="flex-1 h-px bg-gray-5" />
-						<p className="text-sm text-center text-gray-10">OR</p>
-						<span className="flex-1 h-px bg-gray-5" />
-					</div>
+					{!publicEnv.disableEmailAuth && (
+						<div className="flex gap-4 items-center mt-4 mb-4">
+							<span className="flex-1 h-px bg-gray-5" />
+							<p className="text-sm text-center text-gray-10">OR</p>
+							<span className="flex-1 h-px bg-gray-5" />
+						</div>
+					)}
 					<motion.div
 						layout
 						className="flex flex-col gap-3 justify-center items-center"
diff --git a/apps/web/app/(org)/signup/form.tsx b/apps/web/app/(org)/signup/form.tsx
index b27cee2fcb5..56674fd6cca 100644
--- a/apps/web/app/(org)/signup/form.tsx
+++ b/apps/web/app/(org)/signup/form.tsx
@@ -477,11 +477,13 @@ const NormalSignup = ({
 				publicEnv.workosAuthAvailable ||
 				publicEnv.authentikAuthAvailable) && (
 				<>
-					<div className="flex gap-4 items-center my-4">
-						<span className="flex-1 h-px bg-gray-5" />
-						<p className="text-sm text-center text-gray-10">OR</p>
-						<span className="flex-1 h-px bg-gray-5" />
-					</div>
+					{!publicEnv.disableEmailAuth && (
+						<div className="flex gap-4 items-center my-4">
+							<span className="flex-1 h-px bg-gray-5" />
+							<p className="text-sm text-center text-gray-10">OR</p>
+							<span className="flex-1 h-px bg-gray-5" />
+						</div>
+					)}
 					<motion.div
 						layout
 						className="flex flex-col gap-3 justify-center items-center"
diff --git a/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx b/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx
index 261a239e942..0e173106fd8 100644
--- a/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx
+++ b/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx
@@ -235,11 +235,13 @@ const StepOne = ({
 			{(publicEnv.googleAuthAvailable ||
 				publicEnv.authentikAuthAvailable) && (
 				<>
-					<div className="flex gap-4 items-center">
-						<span className="flex-1 h-px bg-gray-5" />
-						<p className="text-sm text-center text-gray-10">OR</p>
-						<span className="flex-1 h-px bg-gray-5" />
-					</div>
+					{!publicEnv.disableEmailAuth && (
+						<div className="flex gap-4 items-center">
+							<span className="flex-1 h-px bg-gray-5" />
+							<p className="text-sm text-center text-gray-10">OR</p>
+							<span className="flex-1 h-px bg-gray-5" />
+						</div>
+					)}
 					{publicEnv.authentikAuthAvailable && (
 						<Button
 							variant="gray"

From b944571c1d0ec458b987d25da720c24ae2125bd3 Mon Sep 17 00:00:00 2001
From: Lynton Infra <infra@lynton.ai>
Date: Sun, 24 May 2026 15:41:54 +0000
Subject: [PATCH 5/7] feat(auth): hide email-specific ToS line + redirect
 /signup when CAP_DISABLE_EMAIL_AUTH

Two cleanups for OIDC-only deployments:

1. The "By typing your email and clicking continue..." Terms-of-Service
   line on /login and /signup is orphan copy when the email block is
   hidden. Wrap it in the same !publicEnv.disableEmailAuth gate.

2. With email auth disabled, OAuth users sign up via first sign-in
   (NextAuth auto-provisions through the database adapter), so /signup
   has no separate flow. Add a server-side redirect /signup -> /login
   when CAP_DISABLE_EMAIL_AUTH=true.

Refs #914 (CAP-453)
---
 apps/web/app/(org)/login/form.tsx  | 47 ++++++++++++++++--------------
 apps/web/app/(org)/signup/form.tsx | 47 ++++++++++++++++--------------
 apps/web/app/(org)/signup/page.tsx |  4 +++
 3 files changed, 54 insertions(+), 44 deletions(-)

diff --git a/apps/web/app/(org)/login/form.tsx b/apps/web/app/(org)/login/form.tsx
index 8009320bf30..cb41d0787ab 100644
--- a/apps/web/app/(org)/login/form.tsx
+++ b/apps/web/app/(org)/login/form.tsx
@@ -28,6 +28,7 @@ const MotionLink = motion(Link);
 const MotionButton = motion(Button);
 
 export function LoginForm() {
+	const publicEnv = usePublicEnv();
 	const searchParams = useSearchParams();
 	const router = useRouter();
 	const next = searchParams?.get("next");
@@ -344,29 +345,31 @@ export function LoginForm() {
 								)}
 							</motion.div>
 						</AnimatePresence>
-						<motion.p
-							layout="position"
-							className="pt-3 text-xs text-center text-gray-9"
-						>
-							By typing your email and clicking continue, you acknowledge that
-							you have both read and agree to Cap's{" "}
-							<Link
-								href="/terms"
-								target="_blank"
-								className="text-xs font-semibold text-gray-12 hover:text-blue-300"
-							>
-								Terms of Service
-							</Link>{" "}
-							and{" "}
-							<Link
-								href="/privacy"
-								target="_blank"
-								className="text-xs font-semibold text-gray-12 hover:text-blue-300"
+						{!publicEnv.disableEmailAuth && (
+							<motion.p
+								layout="position"
+								className="pt-3 text-xs text-center text-gray-9"
 							>
-								Privacy Policy
-							</Link>
-							.
-						</motion.p>
+								By typing your email and clicking continue, you acknowledge that
+								you have both read and agree to Cap's{" "}
+								<Link
+									href="/terms"
+									target="_blank"
+									className="text-xs font-semibold text-gray-12 hover:text-blue-300"
+								>
+									Terms of Service
+								</Link>{" "}
+								and{" "}
+								<Link
+									href="/privacy"
+									target="_blank"
+									className="text-xs font-semibold text-gray-12 hover:text-blue-300"
+								>
+									Privacy Policy
+								</Link>
+								.
+							</motion.p>
+						)}
 					</motion.div>
 				</Suspense>
 			</motion.div>
diff --git a/apps/web/app/(org)/signup/form.tsx b/apps/web/app/(org)/signup/form.tsx
index 56674fd6cca..788cc61f34d 100644
--- a/apps/web/app/(org)/signup/form.tsx
+++ b/apps/web/app/(org)/signup/form.tsx
@@ -28,6 +28,7 @@ const MotionLink = motion(Link);
 const MotionButton = motion(Button);
 
 export function SignupForm() {
+	const publicEnv = usePublicEnv();
 	const searchParams = useSearchParams();
 	const router = useRouter();
 	const next = searchParams?.get("next");
@@ -356,29 +357,31 @@ export function SignupForm() {
 								Log in here
 							</Link>
 						</motion.p>
-						<motion.p
-							layout="position"
-							className="text-xs text-center text-gray-9"
-						>
-							By typing your email and clicking continue, you acknowledge that
-							you have both read and agree to Cap's{" "}
-							<Link
-								href="/terms"
-								target="_blank"
-								className="text-xs font-semibold text-gray-12 hover:text-blue-300"
+						{!publicEnv.disableEmailAuth && (
+							<motion.p
+								layout="position"
+								className="text-xs text-center text-gray-9"
 							>
-								Terms of Service
-							</Link>{" "}
-							and{" "}
-							<Link
-								href="/privacy"
-								target="_blank"
-								className="text-xs font-semibold text-gray-12 hover:text-blue-300"
-							>
-								Privacy Policy
-							</Link>
-							.
-						</motion.p>
+								By typing your email and clicking continue, you acknowledge that
+								you have both read and agree to Cap's{" "}
+								<Link
+									href="/terms"
+									target="_blank"
+									className="text-xs font-semibold text-gray-12 hover:text-blue-300"
+								>
+									Terms of Service
+								</Link>{" "}
+								and{" "}
+								<Link
+									href="/privacy"
+									target="_blank"
+									className="text-xs font-semibold text-gray-12 hover:text-blue-300"
+								>
+									Privacy Policy
+								</Link>
+								.
+							</motion.p>
+						)}
 					</motion.div>
 				</Suspense>
 			</motion.div>
diff --git a/apps/web/app/(org)/signup/page.tsx b/apps/web/app/(org)/signup/page.tsx
index de68b63d08c..ccdb4af327d 100644
--- a/apps/web/app/(org)/signup/page.tsx
+++ b/apps/web/app/(org)/signup/page.tsx
@@ -1,3 +1,4 @@
+import { serverEnv } from "@cap/env";
 import { getCurrentUser } from "@cap/database/auth/session";
 import { faArrowLeft } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
@@ -8,6 +9,9 @@ import { SignupForm } from "./form";
 export const dynamic = "force-dynamic";
 
 export default async function SignupPage() {
+	if (serverEnv().CAP_DISABLE_EMAIL_AUTH) {
+		redirect("/login");
+	}
 	const session = await getCurrentUser();
 	if (session) {
 		redirect("/dashboard");

From 3132c2ed7458ecb0a2949be701b2df4128a5811d Mon Sep 17 00:00:00 2001
From: Lynton Infra <infra@lynton.ai>
Date: Sun, 24 May 2026 16:57:31 +0000
Subject: [PATCH 6/7] fix(auth): require AUTHENTIK_CLIENT_ID/SECRET when
 AUTHENTIK_ISSUER is set

Address greptile-apps[bot] P1 review on PR #1869: previously the
`AUTHENTIK_ISSUER` env gated provider registration, but
`AUTHENTIK_CLIENT_ID` and `AUTHENTIK_CLIENT_SECRET` were each
independently optional. A deployer who set the issuer but mistyped a
companion key would silently register `AuthentikProvider` with empty
credentials and only fail at the IdP token-exchange step with a
cryptic error.

Now all three vars are read once, and we throw a clear startup error
if `AUTHENTIK_ISSUER` is set without the companions. Drops the unsafe
`as string` casts that had been masking the type mismatch.

Refs CapSoftware/Cap#1869
---
 packages/database/auth/auth-options.ts | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/packages/database/auth/auth-options.ts b/packages/database/auth/auth-options.ts
index e2a3e0fb460..70404c84182 100644
--- a/packages/database/auth/auth-options.ts
+++ b/packages/database/auth/auth-options.ts
@@ -69,13 +69,27 @@ export const authOptions = (): NextAuthOptions => {
 		},
 		get providers() {
 			if (_providers) return _providers;
+			const authentikIssuer = serverEnv().AUTHENTIK_ISSUER;
+			const authentikClientId = serverEnv().AUTHENTIK_CLIENT_ID;
+			const authentikClientSecret = serverEnv().AUTHENTIK_CLIENT_SECRET;
+			if (
+				authentikIssuer &&
+				(!authentikClientId || !authentikClientSecret)
+			) {
+				throw new Error(
+					"AUTHENTIK_ISSUER is set but AUTHENTIK_CLIENT_ID and/or " +
+						"AUTHENTIK_CLIENT_SECRET is missing. All three must be " +
+						"provided together to enable the Authentik OIDC provider.",
+				);
+			}
+
 			_providers = [
-				...(serverEnv().AUTHENTIK_ISSUER
+				...(authentikIssuer && authentikClientId && authentikClientSecret
 					? [
 							AuthentikProvider({
-								clientId: serverEnv().AUTHENTIK_CLIENT_ID as string,
-								clientSecret: serverEnv().AUTHENTIK_CLIENT_SECRET as string,
-								issuer: serverEnv().AUTHENTIK_ISSUER as string,
+								clientId: authentikClientId,
+								clientSecret: authentikClientSecret,
+								issuer: authentikIssuer,
 							}),
 						]
 					: []),

From ba2388742fdb5f48d698e8324085b30b68924bf8 Mon Sep 17 00:00:00 2001
From: Lynton Infra <infra@lynton.ai>
Date: Sun, 24 May 2026 16:57:31 +0000
Subject: [PATCH 7/7] fix(auth): preserve callbackUrl + analytics on Authentik
 signin in AuthOverlay

Address greptile-apps[bot] P1+P2 review on PR #1869: the share-page
`AuthOverlay` Authentik button called `signIn("authentik")` with no
options, so a user clicking it from a video share page would land on
`/dashboard` instead of returning to the video. It also skipped the
`trackEvent("auth_started", ...)` analytics call and the `setLoading`
state setup that the Google handler in the same component performs.

Replaces the inline onClick with a `handleAuthentikSignIn` handler
that mirrors `handleGoogleSignIn`: tracks the auth_started event with
`auth_surface: "share_overlay"` and `video_id`, sets loading, and
passes `callbackUrl: \`${window.location.origin}/s/${videoId}\`` so the
user returns to the share page after sign-in.

Refs CapSoftware/Cap#1869
---
 .../app/s/[videoId]/_components/AuthOverlay.tsx   | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx b/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx
index 0e173106fd8..325d189f3fb 100644
--- a/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx
+++ b/apps/web/app/s/[videoId]/_components/AuthOverlay.tsx
@@ -154,6 +154,19 @@ const StepOne = ({
 			callbackUrl: `${window.location.origin}/s/${videoId}`,
 		});
 	};
+	const handleAuthentikSignIn = () => {
+		trackEvent("auth_started", {
+			method: "authentik",
+			is_signup: false,
+			auth_surface: "share_overlay",
+			video_id: videoId,
+		});
+		setLoading(true);
+		signIn("authentik", {
+			redirect: false,
+			callbackUrl: `${window.location.origin}/s/${videoId}`,
+		});
+	};
 	const publicEnv = usePublicEnv();
 
 	return (
@@ -247,7 +260,7 @@ const StepOne = ({
 							variant="gray"
 							type="button"
 							className="flex gap-2 justify-center items-center my-1 w-full text-sm"
-							onClick={() => signIn("authentik")}
+							onClick={handleAuthentikSignIn}
 							disabled={loading}
 						>
 							<FontAwesomeIcon className="size-4" icon={faRightToBracket} />