
Email and OAuth2

Login-related configuration has two parts:

  • static email configuration
  • runtime OAuth2 provider configuration

OAuth2 providers live in runtime settings under oauth2.providers.

Email settings remain static and are used for SMTP connectivity and sender identity.

```yaml
email:
  smtp_host: "smtp.example.com"
  smtp_port: 587
  smtp_username: "synctv@example.com"
  smtp_password_file: "/run/secrets/smtp_password"
  from_email: "synctv@example.com"
  from_name: "SyncTV"
  use_tls: true
```
| Field | Default | Meaning |
| --- | --- | --- |
| email.smtp_host | "" | SMTP server host. Empty means email sending is not configured |
| email.smtp_port | 587 | SMTP port |
| email.smtp_username | "" | SMTP login username |
| email.smtp_password | "" | SMTP login password; can also be supplied through smtp_password_file |
| email.from_email | "" | Sender email address. Required and validated when SMTP is configured |
| email.from_name | SyncTV | Sender display name |
| email.use_tls | true | Whether SMTP uses TLS |

Email verification codes, password reset, and email MFA depend on these SMTP settings. Standalone email login only serves existing accounts; the code request API intentionally returns a generic message to avoid account enumeration. Whether email signup is open or requires review is a runtime setting; see Runtime Settings.

oauth2.providers is an array of OAuth2ProviderSettings objects. Each element has an instanceName such as github, logto1, or corp_oidc. Instance names may contain only ASCII letters, digits, _, and -.

Every instance uses shared fields plus one provider oneof field:

```json
{
  "instanceName": "github",
  "enableSignup": true,
  "signupNeedReview": false,
  "github": {
    "clientId": "github-client-id",
    "clientSecret": "github-client-secret",
    "redirectUrl": "https://app.example.com/oauth2/callback"
  }
}
```

Fields:

| Field | Meaning |
| --- | --- |
| instanceName | Provider instance name |
| enableSignup | Whether first-time login through this provider can create a local account |
| signupNeedReview | Whether first-time signup should enter the review queue |
| provider oneof field | For example github, google, logto, oidc, or casdoor. Provider-private fields live inside that object |
A complete oauth2.providers value with a single github instance looks like this:

```json
[
  {
    "instanceName": "github",
    "enableSignup": true,
    "signupNeedReview": false,
    "github": {
      "clientId": "github-client-id",
      "clientSecret": "github-client-secret",
      "redirectUrl": "https://app.example.com/oauth2/callback"
    }
  }
]
```
  • When runtime settings change, the OAuth2 service rebuilds its provider map from the new value.
  • An instance name that is not present in the array has no login entry point; that login is unavailable until the instance is added.
  • enableSignup=false only blocks first-time account creation through that provider. Existing linked OAuth2 logins still work.
  • signupNeedReview=true sends first-time OAuth2 signup into the review flow.

Each provider instance owns its full callback URL through redirectUrl. Different providers can use their own callback path and scheme.
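To make the rules above concrete, here is an added Go example (not SyncTV's own OAuth2 service) that does what the "rebuilds its provider map" bullet describes: it parses an oauth2.providers array, checks the instance-name character set and the one-provider-field rule, and builds the map that a login entry point would be looked up in, so an absent instance name simply has no entry. The list of provider kinds, the struct layout, and the extra checks for duplicate names, non-empty credentials, and an absolute http(s) redirectUrl are this example's assumptions, not documented project behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
)

// Provider oneof fields named on the page; which ones a given build supports
// is the project's concern, so this list is the example's assumption.
var providerKinds = []string{"github", "google", "logto", "oidc", "casdoor"}

// Instance names: ASCII letters, digits, "_" and "-" only.
var instanceNameRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// Provider is one resolved oauth2.providers element.
type Provider struct {
	InstanceName     string `json:"instanceName"`
	EnableSignup     bool   `json:"enableSignup"`
	SignupNeedReview bool   `json:"signupNeedReview"`
	Kind             string `json:"-"` // which oneof field was present
	ClientID         string `json:"-"`
	ClientSecret     string `json:"-"` // never log this
	RedirectURL      string `json:"-"`
}

// providerBody holds the fields common to the provider objects shown on the page.
type providerBody struct {
	ClientID     string `json:"clientId"`
	ClientSecret string `json:"clientSecret"`
	RedirectURL  string `json:"redirectUrl"`
}

// BuildProviderMap parses an oauth2.providers array and rebuilds the map that
// login entry points are looked up in. Unique names, non-empty credentials and
// an absolute http(s) redirectUrl are checks this example adds on its own.
func BuildProviderMap(raw []byte) (map[string]Provider, error) {
	var elems []json.RawMessage
	if err := json.Unmarshal(raw, &elems); err != nil {
		return nil, fmt.Errorf("oauth2.providers: %w", err)
	}
	out := make(map[string]Provider, len(elems))
	for i, elem := range elems {
		var p Provider
		var keys map[string]json.RawMessage // same object, keyed for the oneof check
		if err := json.Unmarshal(elem, &p); err != nil || json.Unmarshal(elem, &keys) != nil {
			return nil, fmt.Errorf("element %d: not a provider object", i)
		}
		if !instanceNameRe.MatchString(p.InstanceName) {
			return nil, fmt.Errorf("element %d: instanceName missing or not [A-Za-z0-9_-]+", i)
		}
		if _, dup := out[p.InstanceName]; dup {
			return nil, fmt.Errorf("element %d: duplicate instanceName %q", i, p.InstanceName)
		}
		// Exactly one provider oneof field must be present.
		var body providerBody
		for _, kind := range providerKinds {
			v, ok := keys[kind]
			if !ok {
				continue
			}
			if p.Kind != "" {
				return nil, fmt.Errorf("%s: both %s and %s set; exactly one provider field is allowed", p.InstanceName, p.Kind, kind)
			}
			if err := json.Unmarshal(v, &body); err != nil {
				return nil, fmt.Errorf("%s: %s: %w", p.InstanceName, kind, err)
			}
			p.Kind = kind
		}
		if p.Kind == "" {
			return nil, fmt.Errorf("%s: no provider field set, expected one of %v", p.InstanceName, providerKinds)
		}
		if body.ClientID == "" || body.ClientSecret == "" {
			return nil, fmt.Errorf("%s: clientId and clientSecret are required", p.InstanceName)
		}
		// Each instance owns its full callback URL, so it must be absolute; the
		// scheme is the instance's choice (use https outside local testing).
		u, err := url.Parse(body.RedirectURL)
		if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" {
			return nil, fmt.Errorf("%s: redirectUrl must be an absolute http(s) URL", p.InstanceName)
		}
		p.ClientID, p.ClientSecret, p.RedirectURL = body.ClientID, body.ClientSecret, body.RedirectURL
		out[p.InstanceName] = p
	}
	return out, nil
}

func main() {
	// Constructed runtime value: the page's github instance plus a corp_oidc one.
	m, err := BuildProviderMap([]byte(`[
	 {"instanceName":"github","enableSignup":true,"github":{"clientId":"github-client-id","clientSecret":"github-client-secret","redirectUrl":"https://app.example.com/oauth2/callback"}},
	 {"instanceName":"corp_oidc","signupNeedReview":true,"oidc":{"clientId":"corp-client-id","clientSecret":"corp-client-secret","redirectUrl":"https://app.example.com/oauth2/oidc/callback"}}]`))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println(len(m), "provider instances loaded; github present:", m["github"].Kind == "github")
}
```

Note that ClientSecret is kept out of every error string: a rejected runtime settings value is the kind of thing that ends up in a log line or an admin-facing error, and the secret should not travel with it.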

Store the provider's client secret in that instance's clientSecret field and manage it through runtime settings like the rest of oauth2.providers. Anyone who can read or edit runtime settings can therefore read the secret, so restrict that access accordingly.