feat: add magic link authentication

- Now can activate OIDC and/or MagicLink for user authentication.
- Add page to choose authentication method (if only OIDC is enabled, auto redirecting to login screen)

Author: btouchard

.env.example

@@ -11,7 +11,20 @@ POSTGRES_USER=ackifyr
 POSTGRES_PASSWORD=your_secure_password
 POSTGRES_DB=ackify
 
-# OAuth2 Configuration - Generic Provider
+# ============================================================================
+# Authentication Configuration
+# ============================================================================
+# At least ONE authentication method must be enabled (OAuth or MagicLink)
+#
+# AUTO-DETECTION:
+# - OAuth is enabled if ACKIFY_OAUTH_CLIENT_ID and ACKIFY_OAUTH_CLIENT_SECRET are set
+# - MagicLink is enabled if ACKIFY_MAIL_HOST is configured
+#
+# You can override auto-detection with these variables:
+# ACKIFY_AUTH_OAUTH_ENABLED=true
+# ACKIFY_AUTH_MAGICLINK_ENABLED=true
+
+# OAuth2 Configuration (OPTIONAL - remove if using MagicLink only)
 ACKIFY_OAUTH_CLIENT_ID=your_oauth_client_id
 ACKIFY_OAUTH_CLIENT_SECRET=your_oauth_client_secret
 ACKIFY_OAUTH_ALLOWED_DOMAIN=your-organization.com
@@ -35,6 +48,17 @@ ACKIFY_OAUTH_PROVIDER=google
 # GitLab specific (if using gitlab as provider and self-hosted)
 # ACKIFY_OAUTH_GITLAB_URL=https://gitlab.your-company.com
 
+# Email Configuration for MagicLink Authentication (OPTIONAL - required for MagicLink)
+# If configured, enables passwordless authentication via email
+# ACKIFY_MAIL_HOST=smtp.example.com
+# ACKIFY_MAIL_PORT=587
+# ACKIFY_MAIL_USERNAME=your_smtp_username
+# ACKIFY_MAIL_PASSWORD=your_smtp_password
+# ACKIFY_MAIL_FROM=noreply@example.com
+# ACKIFY_MAIL_FROM_NAME=Ackify
+# ACKIFY_MAIL_TLS=true
+# ACKIFY_MAIL_STARTTLS=true
+
 # Security Configuration
 ACKIFY_OAUTH_COOKIE_SECRET=your_base64_encoded_secret_key
 ACKIFY_ED25519_PRIVATE_KEY=your_base64_encoded_ed25519_private_key

.github/workflows/e2e-tests.yml

@@ -0,0 +1,139 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+name: E2E Tests
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+
+jobs:
+  cypress-run:
+    runs-on: ubuntu-latest
+
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_USER: ackify
+          POSTGRES_PASSWORD: testpassword
+          POSTGRES_DB: ackify_test
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+
+      mailhog:
+        image: mailhog/mailhog:latest
+        ports:
+          - 1025:1025
+          - 8025:8025
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.24.5'
+          cache: true
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: webapp/package-lock.json
+
+      - name: Install frontend dependencies
+        working-directory: webapp
+        run: npm ci
+
+      - name: Build frontend
+        working-directory: webapp
+        run: npm run build
+
+      - name: Install backend dependencies
+        run: go mod download
+
+      - name: Run database migrations
+        env:
+          ACKIFY_DB_DSN: "postgres://ackify:testpassword@localhost:5432/ackify_test?sslmode=disable"
+        run: |
+          go run ./backend/cmd/migrate/main.go up
+
+      - name: Generate Ed25519 keys
+        run: |
+          go run ./backend/cmd/community/keygen.go > /tmp/ed25519.key || true
+          if [ ! -f /tmp/ed25519.key ]; then
+            echo "Generating Ed25519 key for testing"
+            # Generate a test key if keygen doesn't exist
+            echo "test_private_key_base64_encoded_here" > /tmp/ed25519.key
+          fi
+
+      - name: Start Ackify server
+        env:
+          ACKIFY_DB_DSN: "postgres://ackify:testpassword@localhost:5432/ackify_test?sslmode=disable"
+          ACKIFY_BASE_URL: "http://localhost:8080"
+          ACKIFY_ORGANISATION: "Ackify Test"
+          ACKIFY_OAUTH_PROVIDER: "github"
+          ACKIFY_OAUTH_CLIENT_ID: "test_client_id"
+          ACKIFY_OAUTH_CLIENT_SECRET: "test_client_secret"
+          ACKIFY_OAUTH_COOKIE_SECRET: "dGVzdF9jb29raWVfc2VjcmV0X2Zvcl90ZXN0aW5nXzEyMzQ1Njc4OTA="
+          ACKIFY_ED25519_PRIVATE_KEY: "dGVzdF9wcml2YXRlX2tleV9mb3JfdGVzdGluZ19vbmx5XzEyMzQ1Njc4OTA="
+          ACKIFY_LISTEN_ADDR: ":8080"
+          ACKIFY_ADMIN_EMAILS: "admin@test.com"
+          ACKIFY_MAIL_HOST: "localhost"
+          ACKIFY_MAIL_PORT: "1025"
+          ACKIFY_MAIL_TLS: "false"
+          ACKIFY_MAIL_STARTTLS: "false"
+          ACKIFY_MAIL_FROM: "noreply@ackify.test"
+          ACKIFY_MAIL_FROM_NAME: "Ackify Test"
+          ACKIFY_LOG_LEVEL: "debug"
+        run: |
+          go build -o ackify ./backend/cmd/community
+          ./ackify &
+          echo $! > /tmp/ackify.pid
+
+          # Wait for server to be ready
+          timeout 30 bash -c 'until curl -s http://localhost:8080/api/v1/health > /dev/null; do sleep 1; done'
+
+      - name: Run Cypress tests
+        uses: cypress-io/github-action@v6
+        with:
+          working-directory: webapp
+          install: false
+          wait-on: 'http://localhost:8080/api/v1/health'
+          wait-on-timeout: 60
+          browser: chrome
+          headless: true
+        env:
+          CYPRESS_baseUrl: http://localhost:8080
+          CYPRESS_mailhogUrl: http://localhost:8025
+
+      - name: Upload Cypress screenshots
+        uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          name: cypress-screenshots
+          path: webapp/cypress/screenshots
+          retention-days: 7
+
+      - name: Upload Cypress videos
+        uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          name: cypress-videos
+          path: webapp/cypress/videos
+          retention-days: 7
+
+      - name: Stop Ackify server
+        if: always()
+        run: |
+          if [ -f /tmp/ackify.pid ]; then
+            kill $(cat /tmp/ackify.pid) || true
+          fi

README.md

@@ -29,7 +29,7 @@ Prove that collaborators have read and acknowledged important documents with **E
 
 **Key Features**:
 - ✅ Ed25519 cryptographic signatures
-- ✅ OAuth2 authentication (Google, GitHub, GitLab, custom)
+- ✅ **Flexible authentication**: OAuth2 (Google, GitHub, GitLab, custom) or MagicLink (passwordless email)
 - ✅ One signature per user/document (database enforced)
 - ✅ Immutable audit trail
 - ✅ Expected signers tracking with email reminders
@@ -45,7 +45,9 @@ Prove that collaborators have read and acknowledged important documents with **E
 ### Prerequisites
 
 - Docker & Docker Compose
-- OAuth2 credentials (Google, GitHub, or GitLab)
+- **At least ONE authentication method**:
+  - OAuth2 credentials (Google, GitHub, or GitLab), OR
+  - SMTP server for MagicLink (passwordless email authentication)
 
 ### Installation
 
@@ -111,15 +113,31 @@ POSTGRES_USER=ackifyr
 POSTGRES_PASSWORD=your_secure_password
 POSTGRES_DB=ackify
 
-# OAuth2 (example with Google)
+# Security (generate with: openssl rand -base64 32)
+ACKIFY_OAUTH_COOKIE_SECRET=your_base64_secret
+
+# ============================================================================
+# Authentication (choose AT LEAST ONE method)
+# ============================================================================
+
+# Option 1: OAuth2 (Google, GitHub, GitLab, custom)
 ACKIFY_OAUTH_PROVIDER=google
 ACKIFY_OAUTH_CLIENT_ID=your_client_id
 ACKIFY_OAUTH_CLIENT_SECRET=your_client_secret
 
-# Security (generate with: openssl rand -base64 32)
-ACKIFY_OAUTH_COOKIE_SECRET=your_base64_secret
+# Option 2: MagicLink (passwordless email authentication)
+# ACKIFY_MAIL_HOST=smtp.example.com
+# ACKIFY_MAIL_PORT=587
+# ACKIFY_MAIL_USERNAME=your_smtp_username
+# ACKIFY_MAIL_PASSWORD=your_smtp_password
+# ACKIFY_MAIL_FROM=noreply@example.com
 ```
 
+**Auto-detection**:
+- OAuth is enabled automatically if `ACKIFY_OAUTH_CLIENT_ID` and `ACKIFY_OAUTH_CLIENT_SECRET` are set
+- MagicLink is enabled automatically if `ACKIFY_MAIL_HOST` is configured
+- You can use **both methods simultaneously** for maximum flexibility
+
 See [docs/en/configuration.md](docs/en/configuration.md) for all options.
 
 ---
@@ -175,7 +193,7 @@ See [docs/en/configuration.md](docs/en/configuration.md) for all options.
 https://your-domain.com/?doc=security_policy_2025
 ```
 
-User authenticates via OAuth2 and signs with one click.
+User authenticates (OAuth2 or MagicLink) and signs with one click.
 
 ### Embed in Your Tools
 

README_FR.md

@@ -29,7 +29,7 @@ Prouvez que vos collaborateurs ont lu et pris connaissance de documents importan
 
 **Fonctionnalités clés** :
 - ✅ Signatures cryptographiques Ed25519
-- ✅ Authentification OAuth2 (Google, GitHub, GitLab, custom)
+- ✅ **Authentification flexible** : OAuth2 (Google, GitHub, GitLab, custom) ou MagicLink (email sans mot de passe)
 - ✅ Une signature par utilisateur/document (contrainte base de données)
 - ✅ Piste d'audit immutable
 - ✅ Tracking signataires attendus avec rappels email
@@ -45,7 +45,9 @@ Prouvez que vos collaborateurs ont lu et pris connaissance de documents importan
 ### Prérequis
 
 - Docker & Docker Compose
-- Credentials OAuth2 (Google, GitHub, ou GitLab)
+- **Au moins UNE méthode d'authentification** :
+  - Credentials OAuth2 (Google, GitHub, ou GitLab), OU
+  - Serveur SMTP pour MagicLink (authentification email sans mot de passe)
 
 ### Installation
 
@@ -111,15 +113,31 @@ POSTGRES_USER=ackifyr
 POSTGRES_PASSWORD=votre_mot_de_passe_securise
 POSTGRES_DB=ackify
 
-# OAuth2 (exemple avec Google)
+# Sécurité (générer avec: openssl rand -base64 32)
+ACKIFY_OAUTH_COOKIE_SECRET=votre_secret_base64
+
+# ============================================================================
+# Authentification (choisir AU MOINS UNE méthode)
+# ============================================================================
+
+# Option 1 : OAuth2 (Google, GitHub, GitLab, custom)
 ACKIFY_OAUTH_PROVIDER=google
 ACKIFY_OAUTH_CLIENT_ID=votre_client_id
 ACKIFY_OAUTH_CLIENT_SECRET=votre_client_secret
 
-# Sécurité (générer avec: openssl rand -base64 32)
-ACKIFY_OAUTH_COOKIE_SECRET=votre_secret_base64
+# Option 2 : MagicLink (authentification email sans mot de passe)
+# ACKIFY_MAIL_HOST=smtp.example.com
+# ACKIFY_MAIL_PORT=587
+# ACKIFY_MAIL_USERNAME=votre_utilisateur_smtp
+# ACKIFY_MAIL_PASSWORD=votre_mot_de_passe_smtp
+# ACKIFY_MAIL_FROM=noreply@example.com
 ```
 
+**Auto-détection** :
+- OAuth activé automatiquement si `ACKIFY_OAUTH_CLIENT_ID` et `ACKIFY_OAUTH_CLIENT_SECRET` sont définis
+- MagicLink activé automatiquement si `ACKIFY_MAIL_HOST` est configuré
+- Vous pouvez utiliser **les deux méthodes simultanément** pour une flexibilité maximale
+
 Voir [docs/fr/configuration.md](docs/fr/configuration.md) pour toutes les options.
 
 ---
@@ -175,7 +193,7 @@ Voir [docs/fr/configuration.md](docs/fr/configuration.md) pour toutes les option
 https://votre-domaine.com/?doc=politique_securite_2025
 ```
 
-L'utilisateur s'authentifie via OAuth2 et signe en un clic.
+L'utilisateur s'authentifie (OAuth2 ou MagicLink) et signe en un clic.
 
 ### Intégrer dans vos Outils