Handle OIDC users during database import (#424)

* Update Docker image name for GitHub registry

* Fix image name casing in Docker workflow

* Remove untagged image cleanup step from workflow

Removed the step to delete untagged image versions from the workflow.

* Change Docker login to use GHCR credentials

Updated Docker login credentials for GitHub Container Registry.

* Remove cache moving step from Docker workflow

Removed the step to move the build cache in the Docker workflow.

* Refactor Docker image workflow for versioning and builds

* Update docker-image.yml

* Allow OIDC users to import database without password

* Skip import password prompt for OIDC users

* docs: clarify OIDC import unlocking flow

* docs: explain admin import password logic

---------

Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com>
Co-authored-by: Nikola Novoselec <nikolanovoselec@users.noreply.github.com>

src/backend/database/database.ts

@@ -901,17 +901,40 @@ app.post(
 
       const userId = (req as AuthenticatedRequest).userId;
       const { password } = req.body;
+      const mainDb = getDb();
 
-      if (!password) {
-        return res.status(400).json({
-          error: "Password required for import",
-          code: "PASSWORD_REQUIRED",
-        });
+      const userRecords = await mainDb
+        .select()
+        .from(users)
+        .where(eq(users.id, userId));
+
+      if (!userRecords || userRecords.length === 0) {
+        return res.status(404).json({ error: "User not found" });
       }
 
-      const unlocked = await authManager.authenticateUser(userId, password);
-      if (!unlocked) {
-        return res.status(401).json({ error: "Invalid password" });
+      const isOidcUser = !!userRecords[0].is_oidc;
+
+      if (!isOidcUser) {
+        // Local accounts still prove knowledge of the password so their DEK can be derived again.
+        if (!password) {
+          return res.status(400).json({
+            error: "Password required for import",
+            code: "PASSWORD_REQUIRED",
+          });
+        }
+
+        const unlocked = await authManager.authenticateUser(userId, password);
+        if (!unlocked) {
+          return res.status(401).json({ error: "Invalid password" });
+        }
+      } else if (!DataCrypto.getUserDataKey(userId)) {
+        // OIDC users skip the password prompt; make sure their DEK is unlocked via the OIDC session.
+        const oidcUnlocked = await authManager.authenticateOIDCUser(userId);
+        if (!oidcUnlocked) {
+          return res.status(403).json({
+            error: "Failed to unlock user data with SSO credentials",
+          });
+        }
       }
 
       apiLogger.info("Importing SQLite data", {
@@ -922,7 +945,14 @@ app.post(
         mimetype: req.file.mimetype,
       });
 
-      const userDataKey = DataCrypto.getUserDataKey(userId);
+      let userDataKey = DataCrypto.getUserDataKey(userId);
+      if (!userDataKey && isOidcUser) {
+        // authenticateOIDCUser lazily provisions the session key; retry the fetch when it succeeds.
+        const oidcUnlocked = await authManager.authenticateOIDCUser(userId);
+        if (oidcUnlocked) {
+          userDataKey = DataCrypto.getUserDataKey(userId);
+        }
+      }
       if (!userDataKey) {
         throw new Error("User data not unlocked");
       }
@@ -976,7 +1006,6 @@ app.post(
       };
 
       try {
-        const mainDb = getDb();
 
         try {
           const importedHosts = importDb