refactor: update forward authentication handling in domain schema and tests

- Replaced `forwardAuthProviderId` with `forwardAuthEnabled` in the domain schema to simplify the configuration of forward authentication.
- Updated related tests to reflect this change, ensuring consistency across the application.
- Introduced a new SQL migration to create the `forward_auth_settings` table for managing authentication domains and their configurations.

This refactor enhances the clarity and maintainability of the forward authentication logic within the application.
Mauricio Siu
2026-06-06 03:53:45 -06:00
parent 35f452d25f
commit 1df6774ee8
12 changed files with 8483 additions and 29 deletions
+3 -11
@@ -16,7 +16,6 @@ import { applications } from "./application";
import { compose } from "./compose";
import { previewDeployments } from "./preview-deployments";
import { certificateType } from "./shared";
import { ssoProvider } from "./sso";
export const domainType = pgEnum("domainType", [
"compose",
@@ -56,10 +55,7 @@ export const domains = pgTable("domain", {
internalPath: text("internalPath").default("/"),
stripPath: boolean("stripPath").notNull().default(false),
middlewares: text("middlewares").array().default(sql`ARRAY[]::text[]`),
forwardAuthProviderId: text("forwardAuthProviderId").references(
() => ssoProvider.providerId,
{ onDelete: "set null" },
),
forwardAuthEnabled: boolean("forwardAuthEnabled").notNull().default(false),
});
export const domainsRelations = relations(domains, ({ one }) => ({
@@ -75,10 +71,6 @@ export const domainsRelations = relations(domains, ({ one }) => ({
fields: [domains.previewDeploymentId],
references: [previewDeployments.previewDeploymentId],
}),
forwardAuthProvider: one(ssoProvider, {
fields: [domains.forwardAuthProviderId],
references: [ssoProvider.providerId],
}),
}));
const createSchema = createInsertSchema(domains, {
@@ -103,7 +95,7 @@ export const apiCreateDomain = createSchema.pick({
internalPath: true,
stripPath: true,
middlewares: true,
forwardAuthProviderId: true,
forwardAuthEnabled: true,
});
export const apiFindDomain = z.object({
@@ -136,6 +128,6 @@ export const apiUpdateDomain = createSchema
internalPath: true,
stripPath: true,
middlewares: true,
forwardAuthProviderId: true,
forwardAuthEnabled: true,
})
.merge(createSchema.pick({ domainId: true }).required());
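Review bot: `forwardAuthEnabled: true` in the `apiCreateDomain` and `apiUpdateDomain` picks makes the flag writable through the generic domain create/update inputs, in parallel with `enableForwardAuthOnDomain`/`disableForwardAuthOnDomain`, which are the paths that also call `manageDomain` and `removeForwardAuthMiddleware`. Anyone who can update a domain can then turn authentication off, or on without configured settings, through an ordinary update; whether that path applies the same permission check and regenerates the middleware is not visible here. I would drop the field from both picks so only the enable/disable functions write it. Separately, the column is `notNull().default(false)`: unless the migration (not shown) backfills `true` for rows that had `forwardAuthProviderId` set, previously protected domains come up unauthenticated after the upgrade.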
@@ -108,10 +108,7 @@ export const getDomainSsoStatus = async (
domain: ["read"],
});
}
return {
enabled: !!domain.forwardAuthProviderId,
providerId: domain.forwardAuthProviderId ?? null,
};
return { enabled: !!domain.forwardAuthEnabled };
};
const settingsWhere = (serverId: string | null) =>
@@ -348,9 +345,7 @@ export const enableForwardAuthOnDomain = async (input: {
});
}
await updateDomainById(input.domainId, {
forwardAuthProviderId: settings.providerId,
});
await updateDomainById(input.domainId, { forwardAuthEnabled: true });
const domain = await findDomainById(input.domainId);
await manageDomain(application, domain);
@@ -365,7 +360,7 @@ export const disableForwardAuthOnDomain = async (input: {
);
const uniqueConfigKey = domain.uniqueConfigKey;
await updateDomainById(input.domainId, { forwardAuthProviderId: null });
await updateDomainById(input.domainId, { forwardAuthEnabled: false });
const updated = await findDomainById(input.domainId);
await manageDomain(application, updated);
await removeForwardAuthMiddleware(application, uniqueConfigKey);
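Review bot: In `enableForwardAuthOnDomain` the flag is persisted before `manageDomain` runs, so if `manageDomain` throws, the row keeps `forwardAuthEnabled: true` and `getDomainSsoStatus` reports `enabled: true` while the route may still be served without the auth middleware. Roll the flag back on failure, for example `try { await manageDomain(application, domain); } catch (e) { await updateDomainById(input.domainId, { forwardAuthEnabled: false }); throw e; }`, so the reported state never claims protection that was not applied. The disable path fails in the safe direction, since the existing config stays protected if `manageDomain` throws there. Both function bodies start and end outside the hunks, so the `settings` check that precedes the update is not visible.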
+1 -1
@@ -198,7 +198,7 @@ export const createRouterConfig = async (
// authentication runs first. No-op unless the domain links a provider.
// The -errors middleware must come first so a 401 from the auth check is
// rewritten to a 302 redirect to the login page.
if (domain.forwardAuthProviderId) {
if (domain.forwardAuthEnabled) {
const name = forwardAuthMiddlewareName(appName, uniqueConfigKey);
routerConfig.middlewares?.push(`${name}-errors`);
routerConfig.middlewares?.push(name);
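Review bot: The comment above the check still reads "No-op unless the domain links a provider", but the condition is now the boolean flag; it should say `// No-op unless forward auth is enabled on the domain.`. The difference matters: the removed column was a foreign key with `onDelete: "set null"`, so deleting the provider cleared the link, whereas nothing visible resets `forwardAuthEnabled` when the forward-auth settings are removed. In that state this branch still pushes `${name}-errors` and `name` onto the router while `createForwardAuthMiddleware` may have nothing to generate, so confirm that the settings-removal path clears the flag on affected domains. `createRouterConfig` continues outside the hunk.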
@@ -73,7 +73,7 @@ export const createForwardAuthMiddleware = async (
app: ApplicationNested,
domain: Domain,
) => {
if (!domain.forwardAuthProviderId) {
if (!domain.forwardAuthEnabled) {
return;
}