Simplify auth to SSO with optional demo mode (#69)

### Motivation
- Remove the passkey / one‑time login complexity and legacy scripts to
simplify startup and deployments.
- Make it easy for developers to trial the system without passkeys by
exposing an optional demo admin sign‑in.
- Reduce surface area and legacy dependencies related to passkeys/login
links and keep the auth story SSO‑first.

### Description
- Replaced passkey / login‑link flows with an optional demo credentials
provider gated by `ENABLE_DEMO_MODE`, and removed the one‑time login
link code and helper (`src/server/auth/login-link.ts` and related
constants and script).
- Added `ENABLE_DEMO_MODE` to the env schema and wiring (`src/env.ts`,
`.env.example`, `deploy/docker/.env.example`, and
`deploy/docker/docker-compose.yml`) and made UI sign‑in pages honor the
toggle (`src/app/(public-routes)/auth/signin/page.tsx`,
`src/features/shared/auth/sign-in-page.tsx`).
- Simplified user/profile shapes and surfaces to remove passkey
metadata, updated router/service shapes to return core profile fields
only, and trimmed UI that referenced passkey flows
(`src/server/api/routers/users.ts`,
`src/server/services/userService.ts`,
`src/features/settings/components/users-tab.tsx`,
`src/app/(protected-routes)/account/page.tsx`, and
`src/features/shared/users/user-validators.ts`).
- Updated NextAuth config to register a `demo` credentials provider when
enabled, removed passkey experimental enablement and login‑link
provider, and adjusted sign‑in callback logic to enforce provider rules
(`src/server/auth/config.ts`).
- Cleaned up tooling/docs: removed the admin login generation script and
tests targeting login links, removed simplewebauthn package references,
and updated README / docs / AGENTS.md to reflect the SSO‑first + demo
mode approach.

### Testing
- No automated test suites were executed in this rollout;
unit/integration tests were adjusted to the new user/profile shapes but
`npm run test` and `npm run check` were not run here.
- Manual local dependency operations (`npm uninstall`/`npm install`)
were performed to align package.json changes; no test failures were
observed because tests were not executed.
- Recommend running `npm run check` and `npm run test` after pulling
these changes and before merging to validate type/lint/test coverage in
CI.

------
[Codex
Task](https://chatgpt.com/codex/tasks/task_e_6968d0695ea48323a8df1ca927593204)

Author: initstring

.env.example

@@ -20,9 +20,9 @@ AUTH_TRUST_HOST=true
 #GOOGLE_CLIENT_ID=
 #GOOGLE_CLIENT_SECRET=
 
-# Optional: enable passkey auth (default: enabled)
-# Set to "true" to allow passkey login and enrollment.
-AUTH_PASSKEYS_ENABLED=true
+# Optional: enable demo login (default: disabled)
+# Set to "true" to expose a demo admin login button on the sign-in screen.
+ENABLE_DEMO_MODE=false
 
 # Optional: logging level (default: debug in dev, info in prod)
 #LOG_LEVEL=info

AGENTS.md

@@ -72,7 +72,7 @@ Use `eslint-plugin-boundaries` and `no-restricted-imports` to discourage cross
   - Do not duplicate auth checks in child layouts/pages under the group. Rely on the group layout for auth.
   - Keep `src/app/(protected-routes)/settings/layout.tsx` for the admin-only rule; it should only enforce `session.user.role === ADMIN` (assumes auth already passed).
   - Keep public auth at `src/app/(public-routes)/auth/signin/**`.
-  - Passkey enrollment happens from the account page after first login via a one-time link.
+  - Demo mode login is optional; when enabled it should expose a single button for the initial admin on the sign-in page.
   - The homepage `/` is under the protected group and does not need page-level `auth()`.
 
 ## API Architecture

README.md

@@ -16,7 +16,7 @@ Red Team Assessment Platform (RTAP) is built for internal Red Teams to plan and
 
 User Docs:
 - [Installation](docs/installation.md)
-- [Getting Started Workflow](docs/getting-started.md)
+- [Getting Started Workflow](docs/getting-started.md) (look here for UI screenshots)
 
 Development Docs:
 - [Development](docs/development.md)
@@ -41,7 +41,7 @@ Initially based on the T3 Stack - Next.js, tRPC, Prisma, TypeScript. Type-safe A
 
 Local development runs the Next.js dev server against a local PostgreSQL container. Production workloads also use Docker (web + Postgres) behind your own reverse proxy.
 
-Authentication is all passwordless using NextAuth - with an option for passkeys and/or OAuth providers (initial support includes Google SSO).
+Authentication is passwordless and SSO-only using NextAuth. For development and trials you can enable a demo admin sign-in button via `ENABLE_DEMO_MODE=true`.
 
 ## Licensing
 

deploy/docker/.env.example

@@ -1,16 +1,15 @@
 # Full base URL where the app will be reachable (include http:// or https://).
 # Cookies are sent over HTTPS only when this starts with https://.
 # If you put a TLS-terminating proxy in front of rtap-web, use its public URL.
-# Important: Passkey auth works only over HTTPS or on localhost
 RTAP_AUTH_URL=http://localhost:3000
 
 # Secure values: generate with `openssl rand -base64 32`
 RTAP_AUTH_SECRET=REPLACE_WITH_A_SECURE_RANDOM_VALUE
 RTAP_INITIAL_ADMIN_EMAIL=admin@example.com
 
 # Optional SSO
-# Toggle passkey provider (default enabled)
-RTAP_AUTH_PASSKEYS_ENABLED=true
+# Demo mode (default disabled): expose a demo admin login button
+RTAP_ENABLE_DEMO_MODE=false
 # Register Google provider when present (optional)
 #RTAP_GOOGLE_CLIENT_ID=
 #RTAP_GOOGLE_CLIENT_SECRET=

deploy/docker/docker-compose.yml

@@ -22,7 +22,7 @@ services:
       AUTH_URL: ${RTAP_AUTH_URL}
       AUTH_SECRET: ${RTAP_AUTH_SECRET}
       INITIAL_ADMIN_EMAIL: ${RTAP_INITIAL_ADMIN_EMAIL}
-      AUTH_PASSKEYS_ENABLED: ${RTAP_AUTH_PASSKEYS_ENABLED}
+      ENABLE_DEMO_MODE: ${RTAP_ENABLE_DEMO_MODE}
       GOOGLE_CLIENT_ID: ${RTAP_GOOGLE_CLIENT_ID}
       GOOGLE_CLIENT_SECRET: ${RTAP_GOOGLE_CLIENT_SECRET}
     ports:

docs/dev/DESIGN.md

@@ -18,7 +18,7 @@ Plan and execute red‑team operations and measure defensive effectiveness (dete
 
 - Next.js 15 (App Router) + TypeScript
 - tRPC v11 (Zod validation); Prisma targeting PostgreSQL (local dev uses a Docker container, production uses managed Postgres)
-- NextAuth (passkey-first, with optional OAuth)
+- NextAuth (SSO-first, with optional demo admin login in development)
 - Access helpers enforce scoping and rights: `getAccessibleOperationFilter`, `checkOperationAccess`.
 
 ### Conventions (where things live)

docs/development.md

@@ -17,8 +17,7 @@ docker compose -f deploy/docker/docker-compose.dev.yml up -d
 # Apply migrations and seed first-run admin + MITRE content
 npm run init
 
-# If not using SSO, generate a one-time login URL to enroll your first passkey
-npm run generate-admin-login
+# Optional: enable demo admin login (set ENABLE_DEMO_MODE=true in .env)
 
 # Optionally seed demo taxonomy/operation data (FOR DEMO PURPOSES ONLY)
 npm run seed:demo
@@ -43,4 +42,4 @@ All PRs should pass the following:
 npm run check
 npm run test
 npm run build
-```
+```

docs/installation.md

@@ -1,6 +1,8 @@
 # Installation
 
-Follow these instructions to set up Red Team Assessment Platform (RTAP) in local development or production environments.
+Follow these instructions to set up Red Team Assessment Platform (RTAP) for production or local testing purposes. This uses pre-built Docker containers.
+
+For development environments, you'll probably instead want to run a local npm dev server - not a pre-built container. Additional information is available [here](./development.md).
 
 ## Docker Installation
 
@@ -17,36 +19,27 @@ docker compose up -d
 # Optionally - seed demo taxonomy/operation data (FOR DEMO PURPOSES ONLY)
 docker exec rtap-web npm run seed:demo
 
-# If not using SSO, generate 1-time login URL to set up your first passkey
-docker exec rtap-web npm run generate-admin-login
+# Optional: enable demo admin login for trials (see Authentication below)
 ```
 
 ## Authentication
 
 ### How it Works
 
-Let's be the change we want to see in the world. There is no support for passwords! Currently supported options are:
-
-- Passkeys (required TLS or localhost)
-- Google OAuth (SSO)
+Authentication is SSO-only, with an optional demo-mode button for trials.
 
-The platform uses NextAuth, so adding additional SSO providers would be pretty easy.
+Currently, only Google SSO is enabled. However, [NextAuth supports tons of providers](https://next-auth.js.org/v3/configuration/providers#oauth-providers). Open an issue and I will add providers for you.
 
 **Admin bootstrap:**
 
 - On first run, the application creates an admin account using `INITIAL_ADMIN_EMAIL` from your `.env`.
-- If using Google SSO, just sign in with the matching Google account.
-- If using passkeys, you must generate a one-time login URL (`npm run generate-admin-login`) and register a passkey for that account.
+- If using SSO, sign in with the matching account and it will just work.
+- If using demo mode, click "Sign in as Demo Admin" (requires `ENABLE_DEMO_MODE=true`).
 
 **Ongoing user management:**
 
 - Once logged in as admin, you can create additional users.
-- Google SSO users: just log in with the matching Google email.
-- Passkey users: must receive a one-time login URL from the admin, then register a passkey.
-
-**Recovery:**
-
-- If locked out, re-run `npm run generate-admin-login` to obtain another single-use login URL for the initial admin account.
+- SSO users: log in with the matching email.
 
 Accounts must be created inside the platform; SSO logins for unknown emails will be rejected.
 
@@ -55,10 +48,10 @@ Accounts must be created inside the platform; SSO logins for unknown emails will
 Authentication options are configured in your `.env` file. The names are slightly different depending on whether you are doing local development or docker compose - the correct values are provided in the appropriate `.env-example` files.
 
 ```
-# Enable or disable passkey authentication
-AUTH_PASSKEYS_ENABLED=true
+# Demo mode: expose a demo admin login button on the sign-in page
+ENABLE_DEMO_MODE=false
 
-# Configuring the follow values will enable Google SSO
+# Configuring the following values will enable Google SSO
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 ```

package-lock.json

@@ -7,7 +7,6 @@
     "build": "next build",
     "check": "eslint . && tsc --project tsconfig.check.json --noEmit",
     "init": "tsx scripts/init.ts",
-    "generate-admin-login": "tsx scripts/generate-admin-login.ts",
     "db:migrate": "prisma migrate dev --schema prisma/schema.prisma",
     "db:deploy": "prisma migrate deploy --schema prisma/schema.prisma",
     "db:reset": "prisma migrate reset --force --skip-generate --skip-seed --schema prisma/schema.prisma && npm run init",
@@ -38,8 +37,6 @@
     "@hookform/resolvers": "^5.2.2",
     "@prisma/client": "^6.19.0",
     "@radix-ui/react-select": "^2.2.6",
-    "@simplewebauthn/browser": "^9.0.1",
-    "@simplewebauthn/server": "^9.0.3",
     "@t3-oss/env-nextjs": "^0.13.0",
     "@tanstack/react-query": "^5.90.11",
     "@trpc/client": "^11.7.2",