- Add unique id (/?app=lotes), launch_handler, handle_links and url_handlers
- Merge the workflow from 2 jobs (build + deploy) into a single job
- Workaround for a Gitea bug that only runs the first job
- Add capture_links to the manifest to improve the PWA experience
- Create .well-known file for association with inicio.nucleoriofrio.com
- Add public router in Traefik for PWA resources and .well-known
Document missing OAuth2 features and security improvements:
- State parameter for CSRF protection
- PKCE implementation
- Refresh tokens and expiration handling
- SSO logout with Authentik
- Redirect after login
- RBAC middleware
- Session timeout warnings
- Auto-refresh mechanisms
Organized by priority with code examples and references.
This fixes ETIMEDOUT errors when exchanging OAuth tokens. The container
now uses the Docker internal service name (authentiknucleo-server-1:9000)
for server-to-server API calls while keeping the public URL for browser
redirects.
Changes:
- Add NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL env var
- Use internal URL for token exchange and userinfo endpoints
- Update docker-compose.yml and Gitea workflow
BREAKING CHANGE: Auth routes moved from /auth/* to /api/auth/*
- Move server/routes/auth/ to server/api/auth/
- Update login.vue to use /api/auth/authentik
- Update UserMenu.vue to use /api/auth/logout
- Remove old server/routes/ structure
- server/api/ is better supported in Nuxt 4
IMPORTANT: Update these in Gitea:
- Variable NUXT_OAUTH_AUTHENTIK_REDIRECT_URL to: https://seguidordelotes.nucleoriofrio.com/api/auth/authentik
- Update Authentik redirect URI to: https://seguidordelotes.nucleoriofrio.com/api/auth/authentik
- Integrated Authentik OAuth/OIDC authentication
- Added PWA functionality with offline support
- Created protected and public API endpoints
- Configured Docker deployment with Traefik
- Added Gitea Actions CI/CD workflow
- Included comprehensive setup documentation