ndemarco · ndemarco · Apr 20, 2026 · Apr 20, 2026
diff --git a/web/app/login/page.tsx b/web/app/login/page.tsx
@@ -1,8 +1,8 @@
 import { signIn } from "@/lib/auth/config";
 
-// Minimal stub — Phase D will replace this with a proper UI.
-// Email+password hits the credentials provider; the dev-impersonate
-// form is only rendered in non-production and trusts any email.
+// Force dynamic rendering so process.env is read at request time,
+// not baked in at build time (needed for runtime-injected container env vars).
+export const dynamic = "force-dynamic";
 
 async function credentialsSignIn(formData: FormData) {
   "use server";
@@ -11,19 +11,43 @@ async function credentialsSignIn(formData: FormData) {
   await signIn("credentials", { email, password, redirectTo: "/" });
 }
 
+async function homelabSignIn() {
+  "use server";
+  await signIn("homelab", { redirectTo: "/" });
+}
+
 async function devImpersonate(formData: FormData) {
   "use server";
   const email = String(formData.get("email") ?? "");
   await signIn("dev-impersonate", { email, redirectTo: "/" });
 }
 
 export default function LoginPage() {
-  const isProd = process.env.NODE_ENV === "production";
+  const allowDevImpersonate =
+    process.env.NODE_ENV !== "production" ||
+    process.env.ALLOW_DEV_IMPERSONATE === "1";
+
+  const homelabConfigured = !!(
+    process.env.AUTH_HOMELAB_ISSUER &&
+    process.env.AUTH_HOMELAB_CLIENT_ID &&
+    process.env.AUTH_HOMELAB_CLIENT_SECRET
+  );
 
   return (
     <div className="max-w-md mx-auto mt-16 p-6">
       <h1 className="text-2xl font-bold mb-6">Sign in</h1>
 
+      {homelabConfigured && (
+        <form action={homelabSignIn} className="mb-6">
+          <button
+            type="submit"
+            className="w-full border border-accent text-accent rounded px-4 py-2 font-medium hover:bg-accent hover:text-white transition-colors"
+          >
+            Sign in with Homelab IdP
+          </button>
+        </form>
+      )}
+
       <form action={credentialsSignIn} className="space-y-3 mb-10">
         <input
           name="email"
@@ -49,7 +73,7 @@ export default function LoginPage() {
         </button>
       </form>
 
-      {!isProd && (
+      {allowDevImpersonate && (
         <form action={devImpersonate} className="space-y-3 pt-6 border-t">
           <p className="text-xs uppercase tracking-wide text-neutral-500">
             Dev impersonate (non-prod only)

diff --git a/web/lib/auth/config.ts b/web/lib/auth/config.ts
@@ -5,8 +5,14 @@ import { eq } from "drizzle-orm";
 import bcrypt from "bcryptjs";
 import { db } from "@/db/connection";
 import { users, accounts, sessions, verificationTokens } from "@/db/schema";
+import { orgs, userOrgs } from "@/db/schema/orgs";
 
 const isProd = process.env.NODE_ENV === "production";
+// Escape hatch so a production build can still expose the dev-impersonate
+// provider when explicitly opted in. Intended for the staging/preview
+// environments during early testing; must not be set in real production.
+const allowDevImpersonate =
+  !isProd || process.env.ALLOW_DEV_IMPERSONATE === "1";
 
 const homelabIssuer = process.env.AUTH_HOMELAB_ISSUER;
 const homelabClientId = process.env.AUTH_HOMELAB_CLIENT_ID;
@@ -44,7 +50,7 @@ if (homelabIssuer && homelabClientId && homelabClientSecret) {
   });
 }
 
-if (!isProd) {
+if (allowDevImpersonate) {
   providers.push(
     Credentials({
       id: "dev-impersonate",
@@ -79,6 +85,26 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
     signIn: "/login",
   },
   callbacks: {
+    async signIn({ user }) {
+      if (!user.id) return false;
+      const existing = await db
+        .select({ orgId: userOrgs.orgId })
+        .from(userOrgs)
+        .where(eq(userOrgs.userId, user.id))
+        .limit(1);
+      if (existing.length === 0) {
+        const displayName = user.name ?? user.email?.split("@")[0] ?? "workspace";
+        const slug = `org-${user.id.slice(0, 8)}`;
+        const [org] = await db
+          .insert(orgs)
+          .values({ name: `${displayName}'s workspace`, slug, plan: "free" })
+          .returning({ id: orgs.id });
+        await db
+          .insert(userOrgs)
+          .values({ userId: user.id, orgId: org.id, role: "owner" });
+      }
+      return true;
+    },
     async jwt({ token, user }) {
       if (user?.id) token.sub = user.id;
       return token;