Authentication

The dashboard supports two sign-in methods. Local credentials are the default so a fresh server on a raw IP works without DNS; Google SSO is available once you have a domain with HTTPS.

Two variables control auth, and they live in different files:

  • AUTH_PROVIDER (in dashboard/.env) — the runtime list of enabled methods: local, google, or local,google.
  • NEXT_PUBLIC_AUTH_PROVIDER (in the project .env) — which buttons the login page shows. This one is build-time (compiled into the dashboard bundle as a Docker build arg), so after changing it you must rebuild: docker compose up -d --build. Keep it equal to AUTH_PROVIDER.

Local email/password (default)

The first admin is created from the login page with an email, a password (8+ chars), and your LOMA_SETUP_TOKEN. In dashboard/.env:

AUTH_SECRET=<random-long-secret>
AUTH_PROVIDER=local
LOMA_SETUP_TOKEN=<same-as-backend>
OBSERVABILITY_MONGODB_URI=mongodb+srv://user:pass@cluster.example.com/
OBSERVABILITY_DB_NAME=loma_observability
AUTH_URL=http://<your-ip>

and in the project .env: NEXT_PUBLIC_AUTH_PROVIDER=local (the default).

Use the same MongoDB database as the backend so the admin you create is visible to the API. The first user created with the setup token becomes admin; later self-signups land in pending until an admin approves them in the Users page.

Google SSO (optional, requires HTTPS)

Google won’t redirect to a bare IP, so add a domain and HTTPS first.

  1. In Google Cloud Console, create an OAuth Web client. Authorized redirect URI:

    https://your-domain.com/api/auth/callback/google

    If your team is on Google Workspace, set the consent screen to Internal to limit sign-in to your organization.

  2. In dashboard/.env:

    AUTH_SECRET=<random-long-secret>
    AUTH_PROVIDER=google           # or local,google to keep a password fallback
    AUTH_GOOGLE_ID=...
    AUTH_GOOGLE_SECRET=...
    AUTH_URL=https://your-domain.com
    ALLOWED_EMAIL_DOMAINS=your-company.com

  3. In the project .env: NEXT_PUBLIC_AUTH_PROVIDER=google, then rebuild: docker compose up -d --build.

Who gets in

  • ALLOWED_EMAIL_DOMAINS restricts Google sign-in to those domains. When it’s set, a matching user is auto-provisioned active on first sign-in (the domain restriction is the gate), and the very first user becomes admin — so a Google-only deployment bootstraps without the local setup token. Manage everyone’s role afterward in the Users page.
  • Leave ALLOWED_EMAIL_DOMAINS unset to allow any Google account, in which case new users land in pending for admin approval instead.
  • An email outside the allowed domains sees an “address not allowed” message.
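The rules above as a decision function, added here as an illustration and not the dashboard's own code: it assumes ALLOWED_EMAIL_DOMAINS is a comma-separated list and that a domain matches only on an exact, case-insensitive comparison against the part after the last "@" (the page does not spell out the matching rule).

```javascript
// Added example (not the dashboard's own code): a model of the Google
// sign-in outcomes described above, given the ALLOWED_EMAIL_DOMAINS value
// and how many users already exist. Outcomes: "rejected" (address not
// allowed), "active-admin", "active", "pending".

function parseAllowedDomains(value) {
  // Unset or empty means "any Google account" (assumed comma-separated list).
  if (!value) return [];
  return value
    .split(",")
    .map((d) => d.trim().toLowerCase())
    .filter(Boolean);
}

function emailDomain(email) {
  // Take everything after the LAST "@", so "a@b@c.com" yields "c.com".
  const at = email.lastIndexOf("@");
  if (at < 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

function googleSignInDecision(email, allowedDomainsValue, existingUserCount) {
  const allowed = parseAllowedDomains(allowedDomainsValue);
  const domain = emailDomain(email);
  if (domain === null) return "rejected";

  if (allowed.length === 0) {
    // No domain gate: any Google account may sign in, but new users
    // wait in pending for admin approval, as documented.
    return "pending";
  }

  // Exact match only (assumption): a suffix or substring check would let
  // "evil-your-company.com" or "your-company.com.attacker.tld" through.
  if (!allowed.includes(domain)) return "rejected";

  // The domain restriction is the gate, so the user is provisioned active;
  // the very first user bootstraps as admin without the local setup token.
  return existingUserCount === 0 ? "active-admin" : "active";
}
```

Roles assigned by this bootstrap path are then managed in the Users page, so the count of existing users only matters for the very first sign-in.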

Break-glass

If Google sign-in ever breaks, set AUTH_PROVIDER=local,google (and NEXT_PUBLIC_AUTH_PROVIDER=local,google in the project .env), run docker compose up -d --build, and the email/password form returns alongside Google.