Microsoft Entra SSO replaces email login; system LLM keys make models available for all users

Two changes in one commit: email/password auth is out, Microsoft Entra OAuth is in, and a new `/system/llm-providers` endpoint lets users without personal API keys use whatever models the deployment has configured at the environment level.

securityintegration

Commit 97c30c2 deletes frontend/src/app/signup/page.tsx (281 lines) on the assumption users are provisioned via Entra, adds /auth/callback/page.tsx to handle the OAuth code exchange, and wires in a new backend/src/routes/system.ts router that exposes a single authenticated endpoint: GET /system/llm-providers. That endpoint returns { claude: bool, gemini: bool } based on whether ANTHROPIC_API_KEY and GEMINI_API_KEY are set in the server environment. UserProfileContext fetches it once on auth and threads systemProviders through isModelAvailable, so the model selectors in ChatInput, ModelToggle, TRChatPanel, TabularReviewView, and the account models page all light up correctly when a system key covers the gap.

Commit 37d9bbd is a one-liner: switching the Supabase client to PKCE flow in frontend/src/lib/supabase.ts. Supabase-js v2 defaults to implicit (token in URL fragment), which doesn't work with the new callback handler that expects a query-string code. PKCE is also the more secure choice regardless.

These two pieces pull apart cleanly. The system-provider fallback in routes/system.ts and the UserProfileContext / isModelAvailable plumbing are self-contained and don't depend on Entra. The SSO half is opinionated - it deletes the signup page and assumes an external directory manages user accounts.

So what Cherry-pick the system LLM key fallback if you want users to work without personal API keys when the deployment has keys configured. Pull the PKCE switch regardless if you're using Supabase OAuth callbacks. Skip the Entra SSO half unless you're specifically moving to Microsoft-managed auth - it deletes signup and rebuilds the auth flow around a single-tenant Entra configuration.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

2 commits from easterbrooka/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
97c30c22 Add Microsoft SSO + system-level LLM key fallback andrew 2026-05-05 ↗ GitHub
commit body
- Replace email/password login with Microsoft Entra OAuth (single-tenant).
  Adds /auth/callback page for the OAuth code exchange. Removes /signup
  since users are now provisioned via Entra.
- Add /system/llm-providers backend endpoint (auth-required) that reports
  whether ANTHROPIC_API_KEY / GEMINI_API_KEY are set in the env. Frontend
  reads it once on auth and threads through isModelAvailable() so users
  without personal keys can use any model the system has configured.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
37d9bbda Use PKCE flow for Supabase OAuth andrew 2026-05-05 ↗ GitHub
commit body
Default supabase-js v2 browser flow is implicit (token in URL fragment),
which doesn't match the /auth/callback handler that exchanges a query-string
code. Switching to PKCE makes the flow explicit and more secure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-60.md from inside the repo you want the changes in.

⬇ Download capture-thread-60.md