Authentication Methods

DeployStack supports multiple authentication methods to provide flexibility for different user preferences and organizational requirements. This document outlines the available authentication options and how to configure them.

Available Authentication Methods

Email-based authentication is the primary authentication method in DeployStack. Users can register with their email address and password, and subsequently log in using these credentials.

Features:

Secure password hashing using Argon2
Email verification (when email sending is enabled)
Password reset functionality
Profile management

User Experience:

Users register with email, password, and optional personal information
Email verification may be required (depending on configuration)
Users can log in using email or username
Password reset available via email (when email sending is enabled)

GitHub OAuth

GitHub OAuth provides a convenient way for users to authenticate using their existing GitHub accounts. This method is particularly useful for development teams and organizations already using GitHub.

Features:

Single sign-on with GitHub
Automatic email verification (GitHub emails are considered verified)
Profile information imported from GitHub
Secure OAuth 2.0 flow

User Experience:

Users click "Login with GitHub" button
Redirected to GitHub for authorization
Upon approval, automatically logged into DeployStack
Profile information (name, email) imported from GitHub

Authentication Configuration

Global Authentication Settings

Administrators can control authentication behavior through global settings:

Setting	Description	Default
Enable Login	Master switch for all authentication methods	`true`
Enable Email Registration	Allow new users to register via email	`true`
GitHub OAuth Enabled	Enable GitHub OAuth authentication	`false`

Email Authentication Configuration

Email authentication is always available but requires SMTP configuration for full functionality:

Required for Full Functionality:

SMTP server configuration (for email verification and password reset)
Email sending enabled in global settings

Configuration Steps:

Navigate to Global Settings → SMTP Mail Settings
Configure SMTP server details:
- Host (e.g., smtp.gmail.com)
- Port (e.g., 587)
- Username and Password
- Security settings
Enable email sending in Global Settings → Global Configuration

GitHub OAuth Configuration

GitHub OAuth requires setup both in GitHub and DeployStack:

GitHub Setup:

Go to GitHub → Settings → Developer settings → OAuth Apps
Create a new OAuth App with:
- Application name: Your DeployStack instance name
- Homepage URL: Your DeployStack frontend URL
- Authorization callback URL: https://your-domain.com/api/auth/github/callback
Note the Client ID and Client Secret

DeployStack Configuration:

Navigate to Global Settings → GitHub OAuth Configuration
Configure the following settings:
- Client ID: From your GitHub OAuth App
- Client Secret: From your GitHub OAuth App (encrypted)
- Enabled: Set to true to activate GitHub OAuth
- Callback URL: Must match the URL configured in GitHub
- Scope: OAuth permissions (default: user:email)

Configuration Example:

Client ID: abc123def456
Client Secret: [encrypted]
Enabled: true
Callback URL: https://your-deploystack.com/api/auth/github/callback
Scope: user:email

User Roles and First User

First User (Global Administrator)

The first user registered in DeployStack automatically becomes the Global Administrator with full system access. This ensures there's always at least one administrator who can manage the system.

Important Notes:

The first user must be created via email registration
GitHub OAuth cannot be used to create the first user
This prevents accidental creation of admin accounts via OAuth

Subsequent Users

All users registered after the first user receive the Global User role by default, regardless of authentication method used.

Role Assignment:

Email Registration: global_user role
GitHub OAuth: global_user role
Role Changes: Only global administrators can modify user roles

Security Considerations

Email Authentication Security

Passwords are hashed using Argon2 with secure parameters
Email verification prevents unauthorized account creation
Password reset tokens are time-limited and single-use
Session management handled by Lucia v3

GitHub OAuth Security

OAuth 2.0 standard with state parameter for CSRF protection
GitHub emails are considered verified
Secure token exchange and validation
No GitHub credentials stored in DeployStack

Account Linking

When a user with an existing email account uses GitHub OAuth with the same email address:

The GitHub account is automatically linked to the existing account
User can subsequently use either authentication method
No duplicate accounts are created

Troubleshooting

Email Authentication Issues

Email verification not working:

Check SMTP configuration in Global Settings
Verify email sending is enabled
Check server logs for email delivery errors

Password reset not working:

Ensure SMTP is configured and email sending is enabled
Verify the reset link hasn't expired (tokens are time-limited)

GitHub OAuth Issues

"GitHub OAuth is not enabled" error:

Check that GitHub OAuth is enabled in Global Settings
Verify Client ID and Client Secret are configured
Ensure callback URL matches GitHub OAuth App configuration

"GitHub email not available" error:

User's GitHub email must be public and verified
Check GitHub account email settings
Ensure OAuth scope includes user:email

First user creation blocked:

This is expected behavior - first user must use email registration
Use email registration to create the initial administrator account

General Authentication Issues

Login disabled:

Check that "Enable Login" is set to true in Global Settings
Verify database is properly configured and accessible

Registration disabled:

Check that "Enable Email Registration" is set to true for email signup
Verify GitHub OAuth is enabled and configured for GitHub login

API Endpoints

For developers and integrations, DeployStack provides REST API endpoints for authentication:

Email Authentication

POST /api/auth/email/register - User registration
POST /api/auth/email/login - User login
POST /api/auth/email/forgot-password - Password reset request
POST /api/auth/email/reset-password - Password reset confirmation

GitHub OAuth

GET /api/auth/github/login - Initiate GitHub OAuth flow
GET /api/auth/github/callback - OAuth callback handler
GET /api/auth/github/status - Check if GitHub OAuth is enabled

General Authentication

POST /api/auth/logout - User logout
GET /api/users/me - Get current user profile
PUT /api/auth/profile/update - Update user profile

Best Practices

For Administrators

Always configure the first user via email to ensure proper admin access
Set up SMTP early to enable email verification and password reset
Use strong OAuth secrets and keep them secure
Regularly review user accounts and roles
Monitor authentication logs for security issues

For Users

Use strong passwords for email authentication
Verify your email address when using email registration
Keep GitHub account secure when using OAuth
Use the same email address across authentication methods for account linking

For Organizations

Choose authentication methods that align with your security policies
Consider GitHub OAuth for development teams already using GitHub
Implement proper access controls through user roles
Document authentication procedures for your team
Plan for account recovery scenarios

For technical implementation details, see the Backend Authentication Documentation and Global Settings Management.

On this page