ZimengXiong
diff --git a/‎README.md‎
Lines changed: 58 additions & 15 deletions b/‎README.md‎
Lines changed: 58 additions & 15 deletions
diff --git a/‎backend/.env.example‎
Lines changed: 11 additions & 0 deletions b/‎backend/.env.example‎
Lines changed: 11 additions & 0 deletions
@@ -121,7 +121,7 @@ Notes:
 # Installation
 
 > [!CAUTION]
-> This is a pre-release feature and production-readiness depends on deployment controls:
+> This is a BETA deployment and production-readiness depends on deployment controls:
 > use TLS, trusted reverse proxy, fixed secrets, backups, and endpoint rate limits.
 
 > [!CAUTION]
@@ -182,11 +182,12 @@ docker compose up -d
 
 When running ExcaliDash behind Traefik, Nginx, or another reverse proxy, configure both containers so that API + WebSocket calls resolve correctly:
 
-| Variable       | Purpose                                                                                                                                                                   |
-| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `FRONTEND_URL` | Backend allowed origin(s). Must match the public URL users access (for example `https://excalidash.example.com`). Supports comma-separated values for multiple addresses. |
-| `TRUST_PROXY`  | Set to `1` when traffic passes through one trusted reverse-proxy hop (for example frontend nginx -> backend) and headers are sanitized.                                   |
-| `BACKEND_URL`  | Frontend container-to-backend target used by Nginx. Override when backend host differs from default service DNS/host.                                                     |
+| Variable                 | Purpose                                                                                                                                                                   |
+| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `FRONTEND_URL`           | Backend allowed origin(s). Must match the public URL users access (for example `https://excalidash.example.com`). Supports comma-separated values for multiple addresses. |
+| `TRUST_PROXY`            | Set to `1` when traffic passes through one trusted reverse-proxy hop (for example frontend nginx -> backend) and headers are sanitized.                                   |
+| `BACKEND_URL`            | Frontend container-to-backend target used by Nginx. Override when backend host differs from default service DNS/host.                                                     |
+| `ENFORCE_HTTPS_REDIRECT` | When `FRONTEND_URL` uses `https://`, the backend automatically redirects plain-HTTP requests to HTTPS. Set to `false` if your outer gateway already enforces HTTPS and you want to disable the built-in redirect (avoids redirect loops when `X-Forwarded-Proto` is not forwarded). Default: `true`. |
 
 ```yaml
 # docker-compose.yml example
@@ -198,6 +199,9 @@ backend:
     - TRUST_PROXY=1
     # Or multiple URLs (comma-separated) for local + network access
     # - FRONTEND_URL=http://localhost:6767,http://192.168.1.100:6767,http://nas.local:6767
+    # If your outer gateway enforces HTTPS and X-Forwarded-Proto is not forwarded,
+    # disable the built-in redirect to prevent redirect loops:
+    # - ENFORCE_HTTPS_REDIRECT=false
 frontend:
   environment:
     # For standard Docker Compose (default)
@@ -273,16 +277,39 @@ backend:
     - OIDC_CLIENT_ID=your-client-id
     # Optional for public clients; required for confidential clients
     # - OIDC_CLIENT_SECRET=your-client-secret
+    # Optional token endpoint auth override (useful for some IdPs/HS setups)
+    # - OIDC_TOKEN_ENDPOINT_AUTH_METHOD=client_secret_post
+    # Optional override when your IdP client is configured for a non-default ID token alg
+    # - OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=HS256
     - OIDC_REDIRECT_URI=https://excalidash.example.com/api/auth/oidc/callback
     - OIDC_SCOPES=openid profile email
 ```
 
+Quick preflight check (recommended before starting backend):
+
+```bash
+cd backend
+npm run oidc:doctor
+```
+
+Provider-specific env templates for existing IdPs:
+
+- `backend/.env.oidc.keycloak.example`
+- `backend/.env.oidc.authentik.example`
+
+Copy one to `backend/.env`, update issuer/client/redirect values, then run `npm run oidc:doctor`.
+
 Notes:
 
 | Topic                       | Notes                                                                                                                         |
 | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
 | OIDC-only (`oidc_enforced`) | You typically do not use local bootstrap admin registration; first admin can be created through your IdP depending on config. |
 | Reverse proxy               | Set `FRONTEND_URL` and `TRUST_PROXY` correctly or auth + websockets may fail.                                                 |
+| ID token algorithm          | ExcaliDash defaults to `RS256`. If your IdP client is explicitly configured for another signed ID-token algorithm such as `HS256`, set `OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG` to match that exact client setting. `none` is not allowed, and `HS*` requires `OIDC_CLIENT_SECRET`. |
+| Keycloak issuer format      | Use realm issuer URL: `https://<keycloak-host>/realms/<realm>`.                                                               |
+| Authentik issuer format     | Use provider issuer URL: `https://<authentik-host>/application/o/<provider-slug>/`.                                           |
+| Authentik `email_verified`  | If Authentik does not emit `email_verified=true`, either add the scope mapping or set `OIDC_REQUIRE_EMAIL_VERIFIED=false`.   |
+| Redirect URI                | Must be exact callback: `https://<excalidash-host>/api/auth/oidc/callback`.                                                   |
 
 </details>
 
@@ -336,19 +363,35 @@ docker compose -f docker-compose.oidc.yml down
 
 Base values are documented in `backend/.env.example`. Common ones to care about:
 
-| Variable       | Default / Example         | Description                                                                         |
-| -------------- | ------------------------- | ----------------------------------------------------------------------------------- |
-| `DATABASE_URL` | `file:/app/prisma/dev.db` | SQLite file or external DB URL.                                                     |
-| `FRONTEND_URL` | `http://localhost:6767`   | Allowed frontend origin(s), comma-separated for multiple entries.                   |
-| `TRUST_PROXY`  | `false`                   | `false`, `true`, or hop count (for example `1`).                                    |
-| `JWT_SECRET`   | `change-this-secret...`   | Recommended in production so sessions remain stable across restarts and migrations. |
-| `CSRF_SECRET`  | `change-this-secret`      | Recommended in production so CSRF validation remains stable across restarts.        |
-| `AUTH_MODE`    | `local`                   | `local`, `hybrid`, `oidc_enforced`.                                                 |
+| Variable                 | Default / Example         | Description                                                                         |
+| ------------------------ | ------------------------- | ----------------------------------------------------------------------------------- |
+| `DATABASE_URL`           | `file:/app/prisma/dev.db` | SQLite file or external DB URL.                                                     |
+| `FRONTEND_URL`           | `http://localhost:6767`   | Allowed frontend origin(s), comma-separated for multiple entries.                   |
+| `TRUST_PROXY`            | `false`                   | `false`, `true`, or hop count (for example `1`).                                    |
+| `JWT_SECRET`             | `change-this-secret...`   | Recommended in production so sessions remain stable across restarts and migrations. |
+| `CSRF_SECRET`            | `change-this-secret`      | Recommended in production so CSRF validation remains stable across restarts.        |
+| `AUTH_MODE`              | `local`                   | `local`, `hybrid`, `oidc_enforced`.                                                 |
+| `ENFORCE_HTTPS_REDIRECT` | `true`                    | Set to `false` to disable the built-in HTTP→HTTPS redirect when your outer gateway handles it. |
+| `ENABLE_S3_IMAGE_STORAGE` | `false`                  | Opt-in: externalize embedded drawing image payloads to S3-compatible object storage. |
+| `S3_ENDPOINT`            | `http://localhost:8333`   | S3-compatible endpoint URL (for example SeaweedFS, MinIO, or cloud S3 endpoint).    |
+| `S3_BUCKET`              | `excalidash-images-test`  | Bucket used for externalized drawing image blobs.                                    |
+| `S3_ACCESS_KEY_ID` / `S3_SECRET_ACCESS_KEY` | _required when enabled_ | Credentials for object storage access.                                 |
+| `S3_FORCE_PATH_STYLE`    | `true`                    | Keep `true` for most self-hosted S3-compatible services (including local SeaweedFS). |
+| `S3_KEY_PREFIX`          | `excalidash-images`       | Prefix for object keys inside the configured bucket.                                 |
+
+When enabling external image storage on an existing instance, run:
+
+```bash
+cd backend
+npm run storage:migrate-images
+```
 
 </details>
 
 # Development
 
+For contributor workflow, `make dev` starts the app in local single-user mode so you can reproduce editor bugs without going through login/onboarding. Use `make dev-auth` if you need to test local auth or OIDC flows from your `backend/.env`.
+
 <details>
 <summary>Clone the Repository</summary>
 
@@ -460,7 +503,7 @@ Common flags:
 </details>
 
 # Credits
-
+If you find ExcaliDash useful, please consider [sponsoring](https://github.com/sponsors/ZimengXiong)
 - Example designs from:
   - https://github.com/Prakash-sa/system-design-ultimatum/tree/main
   - https://github.com/kitsteam/excalidraw-examples/tree/main
 
@@ -32,6 +32,17 @@ CSRF_SECRET=change-this-secret-in-production
 # Optional GitHub token to increase API rate limits (public repo scopes are fine).
 # UPDATE_CHECK_GITHUB_TOKEN=
 
+# Optional: externalize drawing image payloads to S3-compatible object storage.
+# This is opt-in and disabled by default.
+# ENABLE_S3_IMAGE_STORAGE=false
+# S3_ENDPOINT=http://localhost:8333
+# S3_REGION=us-east-1
+# S3_BUCKET=excalidash-images-test
+# S3_ACCESS_KEY_ID=change-me
+# S3_SECRET_ACCESS_KEY=change-me
+# S3_FORCE_PATH_STYLE=true
+# S3_KEY_PREFIX=excalidash-images
+
 # One-time bootstrap setup code (first admin registration)
 # BOOTSTRAP_SETUP_CODE_TTL_MS=900000
 # BOOTSTRAP_SETUP_CODE_MAX_ATTEMPTS=10