feat: add auth sso command for SSO provider configuration

[moranshe-max]

Note

Description

This PR adds the base44 auth sso command, enabling users to configure SSO (Single Sign-On) authentication for their Base44 apps from the CLI. It supports five providers — Google, Microsoft, GitHub, Okta, and custom OIDC — and handles secret management by pushing credentials securely to the backend. The implementation includes both the CLI presentation layer (auth/sso.ts) and the core SDK layer with provider-specific schemas, secret key definitions, and operations.

Related Issue

None

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional changes)
• Other (please describe):

Changes Made

• Added base44 auth sso enable and base44 auth sso disable subcommands under the existing auth command group
• Implemented core/resources/auth-config/sso/ module with provider schemas for Google, Microsoft, GitHub, Okta, and custom OIDC providers
• Added buildSSOSecrets, pushSSOSecrets, deleteSSOSecrets, and updateSSOConfig operations to manage secrets and local auth config
• Supports multiple secret input methods: --client-secret, --client-secret-stdin, --env-file, and environment variable (SSO_CLIENT_SECRET)
• Supports loading full SSO config from a JSON/JSONC file via --file, with CLI flags taking precedence
• Validates that --file and --env-file cannot be used together
• Enables SSO and automatically disables mutually exclusive social login providers in auth.jsonc
• Structured MissingSSOFieldsError maps missing API secret keys to user-facing flag names for clear error messages
• Added comprehensive CLI integration tests (tests/cli/auth_sso.spec.ts) and core unit tests (tests/core/auth-sso.spec.ts) covering validation, all providers, and all secret input methods

Testing

• I have tested these changes locally
• I have added/updated tests as needed
• All tests pass (npm test)

Checklist

• My code follows the project's style guidelines
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (if applicable)
• My changes generate no new warnings
• I have updated docs/ (AGENTS.md) if I made architectural changes

Additional Notes

SSO and social login (Google, Microsoft, Facebook, Apple) are mutually exclusive in the auth config. Enabling SSO via this command automatically disables any enabled social login providers in the local auth.jsonc. The sso_name secret key intentionally maps to --sso-name (not --name) to avoid future flag collisions.

---

_{🤖 Generated by Claude | 2026-04-30 00:00 UTC | 9abd5e2}

[github-actions]

🚀 Package Preview Available!

---

Install this PR's preview build with npm:

npm i @base44-preview/cli@0.0.51-pr.484.9abd5e2

Prefer not to change any import paths? Install using npm alias so your code still imports base44:

npm i "base44@npm:@base44-preview/cli@0.0.51-pr.484.9abd5e2"

Or add it to your package.json dependencies:

{
  "dependencies": {
    "base44": "npm:@base44-preview/cli@0.0.51-pr.484.9abd5e2"
  }
}

• 📦 Preview Package: @base44-preview/cli@0.0.51-pr.484.9abd5e2
• 🔗 View this commit on GitHub

---

_{Preview published to npm registry — try new features instantly!}

[Paveltarno]

SSO and social login are mutually exclusive — enabling SSO silently flips enableGoogleLogin / enableMicrosoftLogin / enableFacebookLogin / enableAppleLogin to false in auth/config.json (and vice versa for auth google enable etc.). This isn't surfaced anywhere user-facing. Consider mentioning it in the command description so it shows up in --help.

[Paveltarno]

nice work, this is shaping up well 👏
left some comments — main ones are around consistency with social-login (no lockout warning on disable, disable silently accepts enable flags) and using SchemaValidationError instead of hand-formatting zod issues. rest are mostly nits / wdyt

[Paveltarno]

all our other config-file loaders throw SchemaValidationError for zod parse failures — see agent/config.ts:25, function/config.ts:21, entity/config.ts:13, auth/config.ts:30. it formats the ZodError for us so we don't need to hand-roll the issues.map(...) block. wdyt about:

if (!result.success) {
  throw new SchemaValidationError(
    "Invalid SSO config file",
    result.error,
    filePath,
  );
}

(also called out in docs/error-handling.md)

[Paveltarno]

social-login.ts:150 warns the user via hasAnyLoginMethod when disabling leaves no login methods enabled, and hasAnyLoginMethod already factors in enableSSOLogin (schema.ts:74). does it make sense to do the same here? auth sso disable can lock users out the same way and right now it's silent.

[Paveltarno]

social-login.ts:73 errors out when enable-only options are passed alongside disable. here auth sso disable --provider google --client-id x --tenant-id y runs fine and silently drops everything. wdyt about doing the same check for parity?

[Paveltarno]

the provider list here is hardcoded as z.enum(["google", "microsoft", "github", "okta", "custom"]) but KNOWN_SSO_PROVIDERS is already the single source of truth (and Commander uses it on sso.ts:284 via Object.values(KNOWN_SSO_PROVIDERS)). wdyt about deriving it the same way here? something like:

provider: z.enum(Object.values(KNOWN_SSO_PROVIDERS) as [KnownSSOProvider, ...KnownSSOProvider[]]),

[Paveltarno]

the catch block here string-mangles sso_* substrings out of error.message to convert backend keys to flag names. similar to my comment on PR #445 — wdyt about returning structured info from buildSSOSecrets instead, so the CLI doesn't depend on the exact wording? e.g. attach missing: SSOSecretKey[] on the error, or split out a separate validateSSOSecrets() that returns missing keys without throwing. not blocking, just feels brittle.

[Paveltarno]

a few flows aren't covered — wdyt about adding:

• --file <path> happy path + invalid JSON / schema error
• --env-file resolving sso_client_secret (and key-missing case)
• --client-secret-stdin
• the flag-name translation in the error (asserting --tenant-id appears, not sso_tenant_id) — this is the entire point of the catch in ssoEnableAction and right now nothing locks it in
• flag override of provider defaults (e.g. passing --scope / --discovery-url to google and asserting it overrides)

the existing enables google SSO with valid flags test could also assert what got written to disk + what setSecrets was called with — auth_social_login.spec.ts does this for its command.

[Paveltarno]

small thing — when both --file and --env-file are passed, --env-file only kicks in if merged.clientSecret is empty (sso.ts:156), so a clientSecret in the JSON file silently outranks the env file. the precedence isn't documented and a user/agent could reasonably expect either to win. wdyt about either erroring on the combo, or stating the precedence explicitly in --env-file's help text?

[moranshe-max]

good point, I went with failing when both are passed.

[Paveltarno]

hit a small bug while looking through the changes — left a comment.

[Paveltarno]

secretKeyToFlag("sso_name") returns "--name" because the regex strips sso_ and then maps underscores to dashes, but the actual CLI flag declared on sso.ts:349 is --sso-name. so a user missing only --sso-name for the custom provider sees Missing required fields for custom: --name, then Commander rejects --name as an unknown option.

the existing flag-translation tests at test:86 / test:108 only cover --tenant-id and --okta-domain, both of which happen to derive correctly via the regex. sso_name is the lone secret key whose flag intentionally diverges from sso_* → --*, and there's no test for the custom missing---sso-name case so it slipped through.

[Paveltarno]

🔥 nice work, all comments addressed cleanly