openreader/docs-site/docs/configure/auth.md
Richard R 1f4794a706 feat(auth): implement session gatekeeping and architectural reorganization
- Introduce `USE_ANONYMOUS_AUTH_SESSIONS` to make guest access an opt-in feature.
- Transition root-level pages into `(app)` and `(public)` route groups for improved access control.
- Adopt Figtree as the primary typeface and implement a pre-render theme initialization script.
- Decouple audiobook chapter processing into a standalone API route and harden resource ownership logic.
- Replace the legacy footer with a unified layout and add skeleton loading states for document lists.
- Update environment documentation and test suites to align with the revised routing and auth flows.

BREAKING CHANGE: The audiobook generation API has been restructured, moving specific chapter logic to `/api/audiobook/chapter`.
2026-02-15 11:12:42 -07:00

1.8 KiB

title
Auth

This page covers application-level configuration for provider access and authentication.

Auth behavior

  • Auth is enabled only when both BASE_URL and AUTH_SECRET are set.
  • Remove either value to disable auth.
  • Keep AUTH_TRUSTED_ORIGINS empty to trust only BASE_URL.
  • Anonymous auth sessions are disabled by default.
  • Set USE_ANONYMOUS_AUTH_SESSIONS=true to enable anonymous session flows.

Route behavior

  • / is a public landing/onboarding page and remains indexable.
  • /app is the protected app home (document list and uploader UI).
  • If auth is enabled and a valid session exists (including anonymous), visiting / redirects to /app.
  • Protected app routes continue to require auth; when anonymous sessions are disabled and no session exists, users are redirected to /signin.

Sync notes

Auth enabled

  • Settings and reading progress are saved to the server.
  • Updates are not instant push-based sync; they use normal client polling/refresh behavior.
  • If two devices change the same item around the same time, the newest update wins.

Auth disabled

  • Settings and reading progress stay local in the browser (Dexie/IndexedDB).
  • This avoids no-auth cross-browser conflicts, but there is no cross-device sync.

Claim modal note

  • You may still see old anonymous settings/progress available to claim from older deployments.