feat(auth): Add external authentication (OAuth/OIDC & LDAP) with admin management, UI, and encryption support

changelog.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## 2025-12-03 - 1.3.0 - feat(auth)
+Add external authentication (OAuth/OIDC & LDAP) with admin management, UI, and encryption support
+
+- Introduce external authentication models: AuthProvider, ExternalIdentity, PlatformSettings to store provider configs, links, and platform auth settings
+- Add AuthProvider admin API (AdminAuthApi) to create/update/delete/test providers and manage platform auth settings
+- Add public OAuth endpoints (OAuthApi) for listing providers, initiating OAuth flows, handling callbacks, and LDAP login
+- Implement ExternalAuthService to orchestrate OAuth and LDAP flows, user provisioning, linking, session/token generation, and provider testing
+- Add pluggable auth strategy pattern with OAuthStrategy and LdapStrategy plus AuthStrategyFactory to select appropriate strategy
+- Add CryptoService for AES-256-GCM encryption/decryption of provider secrets and helper for key generation
+- Extend AuthService and session/user handling to support tokens/sessions created by external auth flows and user provisioning flags
+- Add UI: admin pages for managing auth providers (list, provider form, connection test) and login enhancements (SSO buttons, LDAP form, oauth-callback handler)
+- Add client-side AdminAuthService for communicating with new admin auth endpoints and an adminGuard for route protection
+- Register new API routes in ApiRouter and wire server-side handlers into the router
+- Implement safeguards: mask secrets in admin responses, validate provider configs, and track connection test results and audit logs
+
 ## 2025-11-28 - 1.2.0 - feat(tokens)
 Add support for organization-owned API tokens and org-level token management