Add comprehensive login page customization options

[strickvl]

This PR adds comprehensive customization options for the login page, allowing users to customize all text elements through CLI arguments, environment variables, or config files.

🎯 Key Features

• Complete login customization - Every text element can be customized
• Multiple configuration methods - CLI args, environment variables, YAML config
• Docker-friendly - Perfect for containerized deployments with env vars
• Corporate branding - Customize titles, messages, and error text
• Security-first - All user input is HTML-escaped to prevent XSS
• Backwards compatible - Existing --app-name/--welcome-text unchanged

📋 New CLI Options

--login-title                      # Custom login page title
--login-below                      # Custom text below login title  
--password-placeholder             # Custom password field placeholder
--submit-text                      # Custom submit button text
--login-password-msg               # Custom config file password message
--login-env-password-msg           # Custom env password message
--login-hashed-password-msg        # Custom hashed password message
--login-rate-limit-msg             # Custom rate limiting message
--missing-password-msg             # Custom missing password error
--incorrect-password-msg           # Custom incorrect password error

🐳 Environment Variables

All CLI options have corresponding CS_* environment variables:

CS_LOGIN_TITLE, CS_LOGIN_BELOW, CS_PASSWORD_PLACEHOLDER, CS_SUBMIT_TEXT
CS_LOGIN_PASSWORD_MSG, CS_LOGIN_ENV_PASSWORD_MSG, CS_LOGIN_HASHED_PASSWORD_MSG  
CS_LOGIN_RATE_LIMIT_MSG, CS_MISSING_PASSWORD_MSG, CS_INCORRECT_PASSWORD_MSG

💼 Use Cases

Docker deployment with branding:

docker run -e CS_LOGIN_TITLE="ACME Corp Portal" \
           -e CS_LOGIN_ENV_PASSWORD_MSG="Contact IT for access" \
           -e CS_PASSWORD_PLACEHOLDER="Corporate ID" \
           codercom/code-server:latest

Corporate error messages:

code-server --missing-password-msg="Please enter your employee ID" \
           --incorrect-password-msg="Invalid credentials. Contact support."

🔧 Implementation Details

• Priority order: CLI args → env vars → config file → i18n defaults
• HTML escaping: All custom messages are automatically escaped for security
• Internationalization: Non-customized messages still use locale files
• Config file support: All options work in YAML config files
• Testing: Comprehensive unit and integration tests added

🧪 Test Plan

• CLI argument parsing for all new options
• Environment variable processing
• Config file YAML support
• HTML output correctness (titles, placeholders, buttons)
• HTML escaping security (XSS prevention)
• Error message customization
• Backwards compatibility with existing options
• Internationalization preservation
• Priority order (CLI > env > config > defaults)

📚 Documentation

• Updated docs/install.md with Docker customization examples
• Enhanced docs/FAQ.md with login customization section
• Added comprehensive docs/customization.md guide
• Updated main docs/README.md with link to customization guide

This enables powerful branding and customization for enterprise deployments while maintaining full backwards compatibility.

[code-asher]

Thank you for the contribution!

Thinking out loud, my first impression is that the flags are not scaling well. Since we have this concept of language files that we can use for strings in the app, I wonder if we can re-use this for user-provided strings as well? Maybe we have a flag that accepts a json file (or accepts raw json itself) and then we can pass that to the i18n library (merged with the default language file).

Then, all strings, including future ones, will automatically be available for configuration. What do you think?

We could then also deprecate --welcome-msg and --app-name.

[strickvl]

Sounds good. I'll work on that change.

[strickvl]

@code-asher is this in line with what you were thinking?

[code-asher]

Yes this is exactly along the line I was thinking! Thank you, this is really great.

[code-asher]

IMO this flag is too niche to earn a callout in the FAQ, so we should delete this.

[code-asher]

I am thinking we append an entry to guide.md instead of the main readme. Something like:

## Internationalization and customization

You can customize some of code-server's strings for either internationalization or customization purposes. See our [customization guide](./customization.md).

[code-asher]

What do you think about making this more generic rather than login-specific? I also think there is a fair bit of repetition here we could consolidate and I worry that this will get out of sync with the language file. We can also keep the legacy flags around, no need to say we might remove them eventually.

I also think it would be reasonable to keep this text in guide.md rather than linking out to a new file. We have so many markdown files sometimes I get lost. 😅

Maybe something like:

Internationalization and customization

code-server allows you to provide a language file or JSON to configure certain strings. This can be used for both internationalization and customization.

For example:

code-server --i18n /custom-strings.json
code-server --i18n `{"WELCOME": "{{app}} ログイン"}`

Or this can be done in the config file:

i18n: |
  {
    "WELCOME": "Welcome to the {{app}} Development Portal",
  }

You can combine this with the --locale flag to configure language support for both code-server and VS Code in cases where code-server has no support but VS Code does. If you are using this for internationalization, please consider sending us a pull request to contribute it to i18n/locales.

Available keys and placeholders

Refer to ../src/node/i18n/locales/en.json for a full list of the available keys for translations. Note that the only placeholders supported for each key are the ones used in the default string.

The --app-name flag controls the {{app}} placeholder in templates. If you want to change the name, you can either:

1. Set --app-name (potentially alongside --i18n)
2. Use --i18n and hardcode the name in your strings

Legacy flag

The --welcome-text flag is now deprecated. Use the WELCOME key instead.

[code-asher]

This guide is just for installing code-server, I think we should omit this. Also the customization can be applied to any install method, not just Docker, so we would want to generalize it anyway.

[code-asher]

What do you think about calling it i18n?

[code-asher]

We already check the arg before passing it in, so we can make this non-optional.

Suggested change

	export async function loadCustomStrings(customStringsArg?: string): Promise<void> {
	if (!customStringsArg) {
	return
	}
	export async function loadCustomStrings(customStringsArg: string): Promise<void> {

[code-asher]

We already add Failed to load custom strings to the error, and any errors thrown here will already be logged (I think?), so I am thinking we remove the catch to avoid logging the error twice.

Suggested change

	if (args["custom-strings"]) {
	try {
	await loadCustomStrings(args["custom-strings"])
	logger.info("Loaded custom strings")
	} catch (error) {
	logger.error("Failed to load custom strings", field("error", error))
	throw error
	}
	}
	if (args["custom-strings"]) {
	await loadCustomStrings(args["custom-strings"])
	logger.info("Loaded custom strings")
	}

[code-asher]

These env vars do not exist anymore, do they?

[code-asher]

This automatic JSON/filename handling is really convenient but I worry about overloading the flag like this, especially with error handling since we might return a "file not found" error but really the user just mistyped their JSON and forgot the leading {, as one example.

I am not familiar with any precedent we can draw on for inspiration, but I have a few ideas:

1. We make --i18n take a file always, with no way to provide raw JSON (for now).
2. We make separate --i18n and --i18n-json flags.
3. We make --i18n take a file always, and use an environment variable if you want to pass raw JSON.
4. We make --i18n take a file always, and a new repeatable i18n-var flag. Usage would be code-server i18n-var "WELCOME=my welcome text" i18n-var "LOGIN_TITLE=my title". Something like that. This is kinda nice because there is no need to write JSON on the command line, but it feels a bit clunky.

Thoughts? I think maybe we skip the raw JSON input for now and figure it out later if folks ask for it, unless you feel strongly about including it!

[code-asher]

Looks like these tests are outdated.