feat(auth): add option to disable authentication for external OAuth integration

[thenilayagarwal]

Summary

This PR adds a configuration option to disable the built-in JWT authentication in risingwave-console. This addresses the need for integrating with external OAuth/OIDC providers.

The Problem: Dual Authentication Friction

When deploying risingwave-console behind an external authentication proxy (such as OAuth2 Proxy, Pomerium, Traefik ForwardAuth, or cloud IAP), users face a dual-authentication problem:

1. External auth layer - The OAuth proxy authenticates users against an identity provider (Google, GitHub, Okta, etc.)
2. Internal auth layer - risingwave-console still requires its own JWT-based authentication

This creates several issues:

• Users must authenticate twice (once with OAuth, once with risingwave-console login)
• Session management becomes complex (two separate session lifecycles)
• Token refresh mechanisms may conflict
• No SSO experience despite having an SSO proxy in place

The Solution

Add an auth.disable configuration option that:

• Skips JWT token validation on all protected endpoints
• Sets a default OrgID (1) in the request context so downstream handlers continue to work
• Allows the external proxy to handle all authentication concerns

Configuration

YAML config:

auth:
  disable: true

Environment variable:

RCONSOLE_AUTH_DISABLE=true

Example: Using with OAuth2 Proxy

# docker-compose.yml
services:
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy
    environment:
      - OAUTH2_PROXY_PROVIDER=google
      - OAUTH2_PROXY_CLIENT_ID=...
      - OAUTH2_PROXY_CLIENT_SECRET=...
      - OAUTH2_PROXY_UPSTREAMS=http://risingwave-console:8020
    ports:
      - "4180:4180"

  risingwave-console:
    image: risingwavelabs/risingwave-console:v0.5.0
    environment:
      - RCONSOLE_AUTH_DISABLE=true
      - RCONSOLE_SERVER_PG_DSN=postgres://...

Security Considerations

⚠️ WARNING: When authentication is disabled, all API endpoints are accessible without credentials. This option should only be used:

• Behind a properly configured authentication proxy
• In trusted internal networks
• For development/testing purposes

Changes

• Added AuthConfig struct with Disable field to pkg/config/config.go
• Updated Validator in pkg/controller/validator.go to check disable flag and skip auth
• Regenerated wire dependency injection
• Updated documentation in docs/config.md

Test Plan

• Code compiles successfully (go build ./...)
• Existing tests pass (go test ./pkg/...)
• Manual testing with RCONSOLE_AUTH_DISABLE=true
• Verify API endpoints accessible without JWT when disabled
• Verify API endpoints still require JWT when not disabled (default behavior)

[wibus-wee]

Thanks for the PR! I’m trying to understand the intended usage here.

Even with backend auth disabled, the frontend still redirects to /login when there’s no refresh token in local storage, so access would still be blocked.

Could you describe how you’re using this in your setup?