working on arm64 native

crates/api/src/auth/ldap.rs

@@ -139,7 +139,8 @@ fn conn_settings(config: &LdapConfig) -> LdapConnSettings {
 /// Open a new LDAP connection.
 async fn connect(config: &LdapConfig) -> Result<Ldap, ApiError> {
     let settings = conn_settings(config);
-    let (conn, ldap) = LdapConnAsync::with_settings(settings, &config.url)
+    let url = config.url.as_deref().unwrap_or_default();
+    let (conn, ldap) = LdapConnAsync::with_settings(settings, url)
         .await
         .map_err(|err| {
             ApiError::InternalServerError(format!("Failed to connect to LDAP server: {err}"))
@@ -333,7 +334,7 @@ fn extract_claims(config: &LdapConfig, entry: &SearchEntry) -> LdapUserClaims {
         .unwrap_or_default();
 
     LdapUserClaims {
-        server_url: config.url.clone(),
+        server_url: config.url.clone().unwrap_or_default(),
         dn: entry.dn.clone(),
         login: first_attr(&config.login_attr),
         email: first_attr(&config.email_attr),

crates/api/src/auth/oidc.rs

@@ -126,15 +126,17 @@ pub async fn build_login_redirect(
         .map_err(|err| {
             ApiError::InternalServerError(format!("Failed to build OIDC HTTP client: {err}"))
         })?;
-    let redirect_uri = RedirectUrl::new(oidc.redirect_uri.clone()).map_err(|err| {
+    let redirect_uri_str = oidc.redirect_uri.clone().unwrap_or_default();
+    let redirect_uri = RedirectUrl::new(redirect_uri_str).map_err(|err| {
         ApiError::InternalServerError(format!("Invalid OIDC redirect URI: {err}"))
     })?;
     let client_secret = oidc.client_secret.clone().ok_or_else(|| {
         ApiError::InternalServerError("OIDC client secret is missing".to_string())
     })?;
+    let client_id = oidc.client_id.clone().unwrap_or_default();
     let client = CoreClient::from_provider_metadata(
         discovery.metadata.clone(),
-        ClientId::new(oidc.client_id.clone()),
+        ClientId::new(client_id),
         Some(ClientSecret::new(client_secret)),
     )
     .set_redirect_uri(redirect_uri);
@@ -238,15 +240,17 @@ pub async fn handle_callback(
         .map_err(|err| {
             ApiError::InternalServerError(format!("Failed to build OIDC HTTP client: {err}"))
         })?;
-    let redirect_uri = RedirectUrl::new(oidc.redirect_uri.clone()).map_err(|err| {
+    let redirect_uri_str = oidc.redirect_uri.clone().unwrap_or_default();
+    let redirect_uri = RedirectUrl::new(redirect_uri_str).map_err(|err| {
         ApiError::InternalServerError(format!("Invalid OIDC redirect URI: {err}"))
     })?;
     let client_secret = oidc.client_secret.clone().ok_or_else(|| {
         ApiError::InternalServerError("OIDC client secret is missing".to_string())
     })?;
+    let client_id = oidc.client_id.clone().unwrap_or_default();
     let client = CoreClient::from_provider_metadata(
         discovery.metadata.clone(),
-        ClientId::new(oidc.client_id.clone()),
+        ClientId::new(client_id),
         Some(ClientSecret::new(client_secret)),
     )
     .set_redirect_uri(redirect_uri);
@@ -336,7 +340,7 @@ pub async fn build_logout_redirect(
                 pairs.append_pair("id_token_hint", &id_token_hint);
             }
             pairs.append_pair("post_logout_redirect_uri", &post_logout_redirect_uri);
-            pairs.append_pair("client_id", &oidc.client_id);
+            pairs.append_pair("client_id", oidc.client_id.as_deref().unwrap_or_default());
         }
         String::from(url)
     } else {
@@ -481,7 +485,8 @@ fn oidc_config(state: &SharedState) -> Result<OidcConfig, ApiError> {
 }
 
 async fn fetch_discovery_document(oidc: &OidcConfig) -> Result<OidcDiscoveryDocument, ApiError> {
-    let discovery = reqwest::get(&oidc.discovery_url).await.map_err(|err| {
+    let discovery_url = oidc.discovery_url.as_deref().unwrap_or_default();
+    let discovery = reqwest::get(discovery_url).await.map_err(|err| {
         ApiError::InternalServerError(format!("Failed to fetch OIDC discovery document: {err}"))
     })?;
 
@@ -621,7 +626,7 @@ async fn verify_id_token(
     let issuer = discovery.metadata.issuer().to_string();
     let mut validation = Validation::new(algorithm);
     validation.set_issuer(&[issuer.as_str()]);
-    validation.set_audience(&[oidc.client_id.as_str()]);
+    validation.set_audience(&[oidc.client_id.as_deref().unwrap_or_default()]);
     validation.set_required_spec_claims(&["exp", "iat", "iss", "sub", "aud"]);
     validation.validate_nbf = false;
 
@@ -740,7 +745,8 @@ fn should_use_secure_cookies(state: &SharedState) -> bool {
             .security
             .oidc
             .as_ref()
-            .map(|oidc| oidc.redirect_uri.starts_with("https://"))
+            .and_then(|oidc| oidc.redirect_uri.as_deref())
+            .map(|uri| uri.starts_with("https://"))
             .unwrap_or(false)
 }
 

crates/common/src/config.rs

@@ -355,10 +355,14 @@ pub struct OidcConfig {
     pub enabled: bool,
 
     /// OpenID Provider discovery document URL.
-    pub discovery_url: String,
+    /// Required when `enabled` is true; ignored otherwise.
+    #[serde(default)]
+    pub discovery_url: Option<String>,
 
     /// Confidential client ID.
-    pub client_id: String,
+    /// Required when `enabled` is true; ignored otherwise.
+    #[serde(default)]
+    pub client_id: Option<String>,
 
     /// Provider name used in login-page overrides such as `?auth=<provider_name>`.
     #[serde(default = "default_oidc_provider_name")]
@@ -374,7 +378,9 @@ pub struct OidcConfig {
     pub client_secret: Option<String>,
 
     /// Redirect URI registered with the provider.
-    pub redirect_uri: String,
+    /// Required when `enabled` is true; ignored otherwise.
+    #[serde(default)]
+    pub redirect_uri: Option<String>,
 
     /// Optional post-logout redirect URI.
     pub post_logout_redirect_uri: Option<String>,
@@ -396,7 +402,9 @@ pub struct LdapConfig {
     pub enabled: bool,
 
     /// LDAP server URL (e.g., "ldap://ldap.example.com:389" or "ldaps://ldap.example.com:636").
-    pub url: String,
+    /// Required when `enabled` is true; ignored otherwise.
+    #[serde(default)]
+    pub url: Option<String>,
 
     /// Bind DN template. Use `{login}` as placeholder for the user-supplied login.
     /// Example: "uid={login},ou=users,dc=example,dc=com"
@@ -985,14 +993,20 @@ impl Config {
 
         if let Some(oidc) = &self.security.oidc {
             if oidc.enabled {
-                if oidc.discovery_url.trim().is_empty() {
+                if oidc
+                    .discovery_url
+                    .as_deref()
+                    .unwrap_or("")
+                    .trim()
+                    .is_empty()
+                {
                     return Err(crate::Error::validation(
-                        "OIDC discovery URL cannot be empty when OIDC is enabled",
+                        "OIDC discovery URL is required when OIDC is enabled",
                     ));
                 }
-                if oidc.client_id.trim().is_empty() {
+                if oidc.client_id.as_deref().unwrap_or("").trim().is_empty() {
                     return Err(crate::Error::validation(
-                        "OIDC client ID cannot be empty when OIDC is enabled",
+                        "OIDC client ID is required when OIDC is enabled",
                     ));
                 }
                 if oidc
@@ -1006,9 +1020,19 @@ impl Config {
                         "OIDC client secret is required when OIDC is enabled",
                     ));
                 }
-                if oidc.redirect_uri.trim().is_empty() {
+                if oidc.redirect_uri.as_deref().unwrap_or("").trim().is_empty() {
                     return Err(crate::Error::validation(
-                        "OIDC redirect URI cannot be empty when OIDC is enabled",
+                        "OIDC redirect URI is required when OIDC is enabled",
+                    ));
+                }
+            }
+        }
+
+        if let Some(ldap) = &self.security.ldap {
+            if ldap.enabled {
+                if ldap.url.as_deref().unwrap_or("").trim().is_empty() {
+                    return Err(crate::Error::validation(
+                        "LDAP server URL is required when LDAP is enabled",
                     ));
                 }
             }
@@ -1172,6 +1196,31 @@ mod tests {
         assert!(config.validate().is_err());
     }
 
+    #[test]
+    fn test_oidc_config_disabled_no_urls_required() {
+        let yaml = r#"
+enabled: false
+"#;
+        let cfg: OidcConfig = serde_yaml_ng::from_str(yaml).unwrap();
+        assert!(!cfg.enabled);
+        assert!(cfg.discovery_url.is_none());
+        assert!(cfg.client_id.is_none());
+        assert!(cfg.redirect_uri.is_none());
+        assert!(cfg.client_secret.is_none());
+        assert_eq!(cfg.provider_name, "oidc");
+    }
+
+    #[test]
+    fn test_ldap_config_disabled_no_url_required() {
+        let yaml = r#"
+enabled: false
+"#;
+        let cfg: LdapConfig = serde_yaml_ng::from_str(yaml).unwrap();
+        assert!(!cfg.enabled);
+        assert!(cfg.url.is_none());
+        assert_eq!(cfg.provider_name, "ldap");
+    }
+
     #[test]
     fn test_ldap_config_defaults() {
         let yaml = r#"
@@ -1182,7 +1231,7 @@ client_id: "test"
         let cfg: LdapConfig = serde_yaml_ng::from_str(yaml).unwrap();
 
         assert!(cfg.enabled);
-        assert_eq!(cfg.url, "ldap://localhost:389");
+        assert_eq!(cfg.url.as_deref(), Some("ldap://localhost:389"));
         assert_eq!(cfg.user_filter, "(uid={login})");
         assert_eq!(cfg.login_attr, "uid");
         assert_eq!(cfg.email_attr, "mail");
@@ -1222,7 +1271,7 @@ provider_icon_url: "https://corp.com/icon.svg"
         let cfg: LdapConfig = serde_yaml_ng::from_str(yaml).unwrap();
 
         assert!(cfg.enabled);
-        assert_eq!(cfg.url, "ldaps://ldap.corp.com:636");
+        assert_eq!(cfg.url.as_deref(), Some("ldaps://ldap.corp.com:636"));
         assert_eq!(
             cfg.bind_dn_template.as_deref(),
             Some("uid={login},ou=people,dc=corp,dc=com")