easterbrooka swaps passwords for Microsoft sign-in

This fork drops email-and-password login in favour of Microsoft Entra, the identity system many firms already use to control who gets into what.

securityintegration

easterbrooka rebuilt the front door. Instead of users creating yet another username and password, they now sign in through Microsoft Entra - Microsoft's corporate identity and single-sign-on service - so access is governed by the same directory IT already manages. The old login forms are gone entirely, and the sign-in flow was set up with the more secure of the two standard handshakes, keeping access tokens out of the browser's address bar.

The second change is quieter but matters for teams: the operator running the instance can now supply the AI keys centrally, so individual users don't each need to paste in their own. A model simply shows as available when either the person or the host has a key configured.

So what Worth a look for any firm that wants a shared, IT-governed deployment where staff log in with their existing work accounts and don't manage their own AI credentials.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

2 commits from easterbrooka/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
97c30c22 Add Microsoft SSO + system-level LLM key fallback andrew 2026-05-05 ↗ GitHub
commit body
- Replace email/password login with Microsoft Entra OAuth (single-tenant).
  Adds /auth/callback page for the OAuth code exchange. Removes /signup
  since users are now provisioned via Entra.
- Add /system/llm-providers backend endpoint (auth-required) that reports
  whether ANTHROPIC_API_KEY / GEMINI_API_KEY are set in the env. Frontend
  reads it once on auth and threads through isModelAvailable() so users
  without personal keys can use any model the system has configured.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
37d9bbda Use PKCE flow for Supabase OAuth andrew 2026-05-05 ↗ GitHub
commit body
Default supabase-js v2 browser flow is implicit (token in URL fragment),
which doesn't match the /auth/callback handler that exchanges a query-string
code. Switching to PKCE makes the flow explicit and more secure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-60.md from inside the repo you want the changes in.

⬇ Download capture-thread-60.md