Add GitHub + Google OAuth login with encrypted API key storage

Implement NextAuth.js v5 authentication with GitHub and Google OAuth
providers, backed by Drizzle ORM adapter storing users/accounts in the
existing PostgreSQL database. Logged-in users can save their Anthropic
API key and GitHub PAT encrypted (AES-256-GCM) in the database instead
of localStorage, so keys persist across devices and sessions. Non-logged-in
users retain the existing localStorage flow unchanged.

- Add users, accounts, sessions, verification_tokens tables to schema
- Create auth config with JWT session strategy and Drizzle adapter
- Add AES-256-GCM encryption utilities for API key storage
- Add server actions for saving/loading/clearing encrypted keys
- Add Sign In button with avatar dropdown in header
- Update API key and Private Repos dialogs for dual-mode storage
- Update useDiagram hook to prefer DB-stored keys when logged in
- Add identity rewrite in next.config.js to prevent /api/auth/* proxying
- Add SessionProvider to app providers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: 2 people

diagrams/.env.example

@@ -11,3 +11,19 @@ NEXT_PUBLIC_API_DEV_URL=http://localhost:8000
 
 # Skip env validation during build (useful for Docker/CI)
 # SKIP_ENV_VALIDATION=1
+
+# ── Authentication (NextAuth.js v5) ──
+
+# Required: Random secret for JWT signing (openssl rand -base64 32)
+# AUTH_SECRET=your-secret-here
+
+# GitHub OAuth App credentials (github.com/settings/developers)
+# AUTH_GITHUB_ID=your-github-client-id
+# AUTH_GITHUB_SECRET=your-github-client-secret
+
+# Google OAuth credentials (console.cloud.google.com > APIs & Services > Credentials)
+# AUTH_GOOGLE_ID=your-google-client-id
+# AUTH_GOOGLE_SECRET=your-google-client-secret
+
+# Encryption key for API keys stored in DB (openssl rand -hex 32)
+# ENCRYPTION_KEY=64-hex-characters-here

diagrams/next.config.js

@@ -25,8 +25,12 @@ const config = {
           destination: "https://us.i.posthog.com/decide",
         },
       ],
-      // Proxy /api/* to GitUnderstand backend
+      // Proxy /api/* to GitUnderstand backend (excluding /api/auth/* which is handled by NextAuth)
       afterFiles: [
+        {
+          source: "/api/auth/:path*",
+          destination: "/api/auth/:path*",
+        },
         {
           source: "/api/:path*",
           destination: `${process.env.GITUNDERSTAND_API_URL ?? "http://localhost:8080"}/api/:path*`,

diagrams/package.json

@@ -23,8 +23,10 @@
     "test:smoke": "python -m pytest tests/ -v -m smoke"
   },
   "dependencies": {
+    "@auth/drizzle-adapter": "^1.11.1",
     "@neondatabase/serverless": "^0.10.4",
     "@radix-ui/react-dialog": "^1.1.4",
+    "@radix-ui/react-dropdown-menu": "^2.1.16",
     "@radix-ui/react-progress": "^1.1.1",
     "@radix-ui/react-slot": "^1.1.1",
     "@radix-ui/react-switch": "^1.1.3",
@@ -39,6 +41,7 @@
     "lucide-react": "^0.468.0",
     "mermaid": "^11.4.1",
     "next": "^15.0.1",
+    "next-auth": "5.0.0-beta.30",
     "next-themes": "^0.4.6",
     "postgres": "^3.4.4",
     "posthog-js": "^1.203.1",