revamp auth docs

Author: msukkari

docs/docs.json

@@ -72,7 +72,10 @@
                                 "group": "Authentication",
                                 "pages": [
                                     "docs/configuration/auth/overview",
-                                    "docs/configuration/auth/roles-and-permissions"
+                                    "docs/configuration/auth/providers",
+                                    "docs/configuration/auth/inviting-members",
+                                    "docs/configuration/auth/roles-and-permissions",
+                                    "docs/configuration/auth/faq"
                                 ]
                             },
                             "docs/configuration/transactional-emails",

docs/docs/configuration/auth/faq.mdx

@@ -0,0 +1,46 @@
+---
+title: FAQ
+---
+
+This page covers a range of frequently asked questions about Sourcebot's built-in authentication system.
+
+<AccordionGroup>
+<Accordion title="Can I disable the authentication system?">
+    No, at this time it's not possible to disable the authentication system. If this is preventing you from deploying Sourcebot
+    within your organization please [reach out](https://www.sourcebot.dev/contact)
+</Accordion>
+
+<Accordion title="I don't want to restrict access to my Sourcebot deployment, what should I do?">
+    Every user must register an account within your Sourcebot deployment. However, this dosn't mean their access
+    is restricted.
+
+    Unless member approval is required, anyone can sign up for an account on your deployment and immediately be granted access.
+</Accordion>
+
+<Accordion title="Does any data related to authentication (emails, passwords, etc) leave my deployment?">
+    **No data related to authentication (or your code) leaves your deployment**. Authentication is handled
+    purely by your deployment and the authentication providers you configure. 
+
+    This data does not leave your device and is stored within in the database managed by your deployment. If you're
+    using credential login, passwords are encrypted at rest and in transit.
+</Accordion>
+
+<Accordion title="I'm deploying Sourcebot behind an identity proxy, do I still need to create an account in Sourcebot?">
+    <Note>Please note that IAP bridges are an enterprise feature</Note>
+    Sourcebot supports connecting your identity proxy directly into the built-in auth system using an IAP bridge. This allows Sourcebot to
+    register and authenticate automatically on a successful identity proxy log in.
+
+    Sourcebot currently supports [GCP IAP](/docs/configuration/auth/providers#gcp-iap). If you're using a different IAP
+    and require support, please [reach out](https://www.sourcebot.dev/contact)
+</Accordion>
+
+<Accordion title="How does Sourcebot implement authentication?">
+    Sourcebot uses [Auth.js](https://authjs.dev/) as its underlying authentication framework. Auth.js provides authentication providers
+    (credientials, Google, GitHub, etc) and an interface to enable user registration and log in. Internally, Auth.js uses JWT to provide
+    Sourcebot secure and reliable information about user authentication.
+</Accordion>
+</AccordionGroup>
+
+
+Have a question that's not answered here? Submit it on our [GitHub discussions](https://github.com/sourcebot-dev/sourcebot/discussions)
+page and we'll get back to you as soon as we can!

docs/docs/configuration/auth/inviting-members.mdx

@@ -0,0 +1,21 @@
+---
+title: Inviting Members
+sidebarTitle: Inviting members
+---
+
+There are various ways to configure how members can join a Sourcebot deployment. 
+
+**By default, Sourcebot doesn't
+require new members to be approved**. This means that new sign ups on your deployment are automatically added to 
+the organization.
+
+Member approval can be configured by an owner of the deployment by navigating to **Settings -> Members**:
+
+![Member Approval Toggle](/images/member_approval_toggle.png)
+
+## Invite link
+
+If member approval is required, an owner of the deployment can enable an invite link. When enabled, users
+can use this invite link to register and be automatically added to the organization without approval:
+
+![Invite Link Toggle](/images/invite_link_toggle.png)

docs/docs/configuration/auth/overview.mdx

@@ -4,118 +4,23 @@ title: Overview
 
 <Warning>If you're deploying Sourcebot behind a domain, you must set the [AUTH_URL](/docs/configuration/environment-variables) environment variable.</Warning>
 
-Sourcebot has built-in authentication that gates access to your organization. OAuth, email codes, and email / password are supported. 
+Sourcebot's built-in authentication system gates your deployment, and allows administrators to manage users and their permissions. 
+
+<CardGroup cols={2}>
+    <Card horizontal title="Authentication providers" icon="lock" href="/docs/configuration/auth/providers">
+        Configure additional authentication providers for your deployment.
+    </Card>
+    <Card horizontal title="Inviting members" icon="user" href="/docs/configuration/auth/providers">
+        Learn how to configure how members join your deployment.
+    </Card>
+    <Card horizontal title="Roles and permissions" icon="shield" href="/docs/configuration/auth/roles-and-permissions">
+        Learn more about the different roles and permissions in Sourcebot.
+    </Card>
+    <Card horizontal title="FAQ" icon="question" href="/docs/configuration/auth/faq">
+        Have a question about Sourcebot's auth system? We might have the answers here.
+    </Card>
+</CardGroup>
 
-The first account that's registered on a Sourcebot deployment is made the owner. All other users who register must be [approved](/docs/configuration/auth/overview#approving-new-members) by the owner.
-
-![Login Page](/images/login.png)
-
-
-# Approving New Members
-
-All account registrations after the first account must be approved by the owner. The owner can see all join requests by going into **Settings -> Members**.
-
-You can setup emails to be sent when new join requests are created/approved by configurating [transactional emails](/docs/configuration/transactional-emails)
-# Authentication Providers
-
-To enable an authentication provider in Sourcebot, configure the required environment variables for the provider. Under the hood, Sourcebot uses Auth.js which supports [many providers](https://authjs.dev/getting-started/authentication/oauth). Submit a [feature request on GitHub](https://github.com/sourcebot-dev/sourcebot/discussions/categories/ideas) if you want us to add support for a specific provider.
-
-## Core Authentication Providers
-
-### Email / Password
----
-Email / password authentication is enabled by default. It can be **disabled** by setting `AUTH_CREDENTIALS_LOGIN_ENABLED` to `false`.
-
-### Email codes
----
-Email codes are 6 digit codes sent to a provided email. Email codes are enabled when transactional emails are configured using the following environment variables:
-
-- `AUTH_EMAIL_CODE_LOGIN_ENABLED`
-- `SMTP_CONNECTION_URL`
-- `EMAIL_FROM_ADDRESS`
-
-
-See [transactional emails](/docs/configuration/transactional-emails) for more details.
-
-## Enterprise Authentication Providers
-
-The following authentication providers require an [enterprise license](/docs/license-key) to be enabled.
-
-### GitHub
----
-
-[Auth.js GitHub Provider Docs](https://authjs.dev/getting-started/providers/github)
-
-**Required environment variables:**
-- `AUTH_EE_GITHUB_CLIENT_ID`
-- `AUTH_EE_GITHUB_CLIENT_SECRET`
-
-Optional environment variables:
-- `AUTH_EE_GITHUB_BASE_URL` - Base URL for GitHub Enterprise (defaults to https://github.com)
-
-### GitLab
----
-
-[Auth.js GitLab Provider Docs](https://authjs.dev/getting-started/providers/gitlab)
-
-**Required environment variables:**
-- `AUTH_EE_GITLAB_CLIENT_ID`
-- `AUTH_EE_GITLAB_CLIENT_SECRET`
-
-Optional environment variables:
-- `AUTH_EE_GITLAB_BASE_URL` - Base URL for GitLab instance (defaults to https://gitlab.com)
-
-### Google
----
-
-[Auth.js Google Provider Docs](https://authjs.dev/getting-started/providers/google)
-
-**Required environment variables:**
-- `AUTH_EE_GOOGLE_CLIENT_ID`
-- `AUTH_EE_GOOGLE_CLIENT_SECRET`
-
-### GCP IAP
----
-
-<Note>If you're running Sourcebot in an environment that blocks egress, make sure you allow the [IAP IP ranges](https://www.gstatic.com/ipranges/goog.json)</Note>
-
-Custom provider built to enable automatic Sourcebot account registration/login when using GCP IAP.
-
-**Required environment variables**
-- `AUTH_EE_GCP_IAP_ENABLED`
-- `AUTH_EE_GCP_IAP_AUDIENCE`
-    - This can be found by selecting the ⋮ icon next to the IAP-enabled backend service and pressing `Get JWT audience code`
-
-### Okta
----
-
-[Auth.js Okta Provider Docs](https://authjs.dev/getting-started/providers/okta)
-
-**Required environment variables:**
-- `AUTH_EE_OKTA_CLIENT_ID`
-- `AUTH_EE_OKTA_CLIENT_SECRET`
-- `AUTH_EE_OKTA_ISSUER`
-
-### Keycloak
----
-
-[Auth.js Keycloak Provider Docs](https://authjs.dev/getting-started/providers/keycloak)
-
-**Required environment variables:**
-- `AUTH_EE_KEYCLOAK_CLIENT_ID`
-- `AUTH_EE_KEYCLOAK_CLIENT_SECRET`
-- `AUTH_EE_KEYCLOAK_ISSUER`
-
-### Microsoft Entra ID
-
-[Auth.js Microsoft Entra ID Provider Docs](https://authjs.dev/getting-started/providers/microsoft-entra-id)
-
-**Required environment variables:**
-- `AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID`
-- `AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET`
-- `AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER`
-
----
 
 # Troubleshooting
 

docs/docs/configuration/auth/providers.mdx

@@ -0,0 +1,105 @@
+---
+title: Providers
+---
+
+Sourcebot supports a wide range of different authentication providers through it's integration with [Auth.js](https://authjs.dev/). This page
+highlights how to configure the various supported providers.
+
+If theres an authentication provider you'd like us to support, please [reach out](https://www.sourcebot.dev/contact).
+
+# Core Authentication Providers
+
+### Email / Password
+---
+Email / password authentication is enabled by default. It can be **disabled** by setting `AUTH_CREDENTIALS_LOGIN_ENABLED` to `false`.
+
+### Email codes
+---
+Email codes are 6 digit codes sent to a provided email. Email codes are enabled when transactional emails are configured using the following environment variables:
+
+- `AUTH_EMAIL_CODE_LOGIN_ENABLED`
+- `SMTP_CONNECTION_URL`
+- `EMAIL_FROM_ADDRESS`
+
+
+See [transactional emails](/docs/configuration/transactional-emails) for more details.
+
+# Enterprise Authentication Providers
+
+The following authentication providers require an [enterprise license](/docs/license-key) to be enabled.
+
+### GitHub
+---
+
+[Auth.js GitHub Provider Docs](https://authjs.dev/getting-started/providers/github)
+
+**Required environment variables:**
+- `AUTH_EE_GITHUB_CLIENT_ID`
+- `AUTH_EE_GITHUB_CLIENT_SECRET`
+
+Optional environment variables:
+- `AUTH_EE_GITHUB_BASE_URL` - Base URL for GitHub Enterprise (defaults to https://github.com)
+
+### GitLab
+---
+
+[Auth.js GitLab Provider Docs](https://authjs.dev/getting-started/providers/gitlab)
+
+**Required environment variables:**
+- `AUTH_EE_GITLAB_CLIENT_ID`
+- `AUTH_EE_GITLAB_CLIENT_SECRET`
+
+Optional environment variables:
+- `AUTH_EE_GITLAB_BASE_URL` - Base URL for GitLab instance (defaults to https://gitlab.com)
+
+### Google
+---
+
+[Auth.js Google Provider Docs](https://authjs.dev/getting-started/providers/google)
+
+**Required environment variables:**
+- `AUTH_EE_GOOGLE_CLIENT_ID`
+- `AUTH_EE_GOOGLE_CLIENT_SECRET`
+
+### GCP IAP
+---
+
+<Note>If you're running Sourcebot in an environment that blocks egress, make sure you allow the [IAP IP ranges](https://www.gstatic.com/ipranges/goog.json)</Note>
+
+Custom provider built to enable automatic Sourcebot account registration/login when using GCP IAP.
+
+**Required environment variables**
+- `AUTH_EE_GCP_IAP_ENABLED`
+- `AUTH_EE_GCP_IAP_AUDIENCE`
+    - This can be found by selecting the ⋮ icon next to the IAP-enabled backend service and pressing `Get JWT audience code`
+
+### Okta
+---
+
+[Auth.js Okta Provider Docs](https://authjs.dev/getting-started/providers/okta)
+
+**Required environment variables:**
+- `AUTH_EE_OKTA_CLIENT_ID`
+- `AUTH_EE_OKTA_CLIENT_SECRET`
+- `AUTH_EE_OKTA_ISSUER`
+
+### Keycloak
+---
+
+[Auth.js Keycloak Provider Docs](https://authjs.dev/getting-started/providers/keycloak)
+
+**Required environment variables:**
+- `AUTH_EE_KEYCLOAK_CLIENT_ID`
+- `AUTH_EE_KEYCLOAK_CLIENT_SECRET`
+- `AUTH_EE_KEYCLOAK_ISSUER`
+
+### Microsoft Entra ID
+
+[Auth.js Microsoft Entra ID Provider Docs](https://authjs.dev/getting-started/providers/microsoft-entra-id)
+
+**Required environment variables:**
+- `AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID`
+- `AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET`
+- `AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER`
+
+---

docs/images/invite_link_toggle.png

@@ -82,7 +82,15 @@ export const AuthSecurityNotice = ({ closable = false }: AuthSecurityNoticeProps
                     <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
                 </svg>
                 <span>
-                    <strong>Security Notice:</strong> Authentication data is managed by your deployment and is encrypted at rest. Zero data leaves your deployment.
+                    <strong>Security Notice:</strong> Authentication data is managed by your deployment and is encrypted at rest. Zero data leaves your deployment.{' '}
+                    <a
+                        href="https://docs.sourcebot.dev/docs/configuration/auth/faq"
+                        target="_blank"
+                        rel="noopener"
+                        className="underline text-[var(--highlight)] hover:text-[var(--highlight)]/80 font-medium"
+                    >
+                        Learn more
+                    </a>
                 </span>
             </p>
         </div>

docs/images/member_approval_toggle.png

@@ -73,8 +73,8 @@ export default async function Onboarding({ searchParams }: OnboardingProps) {
             icon: <GitBranchIcon className="w-4 h-4" />,
         },
         {
-            title: "Setup additional authentication providers",
-            description: "Learn how to setup additional authentication providers for your organization",
+            title: "Authentication system",
+            description: "Learn how to setup additional auth providers, invite members, and more",
             href: "https://docs.sourcebot.dev/docs/configuration/auth/overview",
             icon: <LockIcon className="w-4 h-4" />,
         }