feat: option to disable password login [closes #478]

[CoolShades]

Summary

• Add a Password Login toggle to Settings > Authentication that hides the password form from the login page and returns 403 on /api/auth/login/password when disabled
• Show an amber lockout warning when the toggle is switched off, reminding admins to verify their OAuth/LDAP provider works first
• Add a Skip login page toggle to OAuth Provider Management (only visible when password login is disabled and exactly one OAuth provider is configured) that auto-redirects users straight to the OAuth provider
• Both settings are persisted in GeneralSetting and survive restarts

Changes

Backend:

• pkg/model/general_setting.go — add PasswordLoginDisabled and SkipLoginPage fields
• pkg/auth/login_handler.go — exclude password from providers when disabled, return 403 on password login, expose skipLoginPage in providers response
• pkg/ai/handler.go — include both fields in general settings GET/PUT

Frontend:

• authentication-management.tsx — Password Login toggle with warning, tied to existing Save button
• oauth-provider-management.tsx — Skip login page toggle (instant save)
• auth-context.tsx — thread skipLoginPage through context
• login.tsx — auto-redirect to OAuth when skip is enabled
• admin.ts / auth.ts — type updates

Test plan

• Default state: password login enabled, login page shows password form
• Disable password login → save → password form hidden, direct POST returns 403
• Re-enable password login → save → password form returns
• Disabling password login does not affect LDAP, OAuth, or API key auth
• Disabling password login does not reset other general settings (AI key, kubectl, analytics)
• Amber warning appears when toggle is off (before saving)
• "Skip login page" toggle only appears when password disabled + 1 OAuth provider
• With skip enabled, visiting /login auto-redirects to OAuth provider
• With skip enabled, OAuth callback error shows login page (no redirect loop)
• Setting persists across container restarts

Closes #478

[CoolShades]

This project is way better than headlamp.
I was more than happy to put in the hours for you to further improve your ODIC implementation.

Ran locally and tested with Pocket ID (OAuth Provider). Works perfectly.

[zxh326]

Thanks for the contribution

We do not want to introduce a skip login page feature here.

Please remove the skipLoginPage backend/frontend changes from this PR and keep it focused on disable password login only.

[CoolShades]

@zxh326 Done in 9c878e0 — skipLoginPage removed, PR now focused on disable password login only.

The rebuild has been deployed and verified to be working perfectly.

Login page skip (it's actually a redirect) is standard functionality in many similar applications, but I can understand the concern given it opens doors to redirect loops, etc. I've removed this now. If you ever want to implement this, you have the code in 7121ca3 to work off of.

Proposed docs addition for docs/config/user-management.md (please mirror in
docs/zh/config/user-management.md) [I dont speak/write chinese]

Disabling Password Login

Administrators can disable password login from Settings → Authentication.
When disabled, the password form is hidden from the login page and POST /api/auth/login/password returns 403. LDAP, OAuth, and API key authentication are unaffected.

::: warning
Verify that LDAP or OAuth is working before disabling password login. Without a working alternative, you will be locked out and can only recover by resetting the database.
:::

[zxh326]

LGTM, thx