feat(oidc): implement OIDC authentication flow and user management

Daniel Volz
2025-12-28 01:13:03 +01:00
parent bd5c864e84
commit 3ffdb8a5fe
15 changed files with 578 additions and 53 deletions
@@ -0,0 +1,2 @@
-- Add OIDC subject column for SSO user identification
ALTER TABLE users ADD COLUMN oidc_subject TEXT;
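Review bot: The new `oidc_subject` column has no uniqueness guarantee, so nothing at the database level stops two user rows from carrying the same subject, and a login lookup by subject could then resolve to the wrong account. SQLite cannot attach a UNIQUE constraint through `ALTER TABLE ... ADD COLUMN`, but a follow-up statement in this migration such as `CREATE UNIQUE INDEX users_oidc_subject_idx ON users (auth_provider, oidc_subject);` (index name is only an example) would enforce it while leaving rows with a NULL subject unaffected. The `sub` claim is unique only per issuer, so if more than one provider can ever be configured the key needs to include the issuer; whether `auth_provider` holds that value is not visible on this page. The same point applies to the `oidcSubject` field in the Drizzle schema hunk, which would need a matching index declaration and whose comment would be more accurate as `// OIDC sub claim; unique only within one issuer`.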
+2 -1
@@ -12,6 +12,7 @@
{ "idx": 9, "version": 1, "when": 1735500000, "tag": "0009_add_taken_by", "breakpoint": false },
{ "idx": 10, "version": 1, "when": 1735600000, "tag": "0010_add_user_settings", "breakpoint": false },
{ "idx": 11, "version": 1, "when": 1735700000, "tag": "0011_add_dose_tracking", "breakpoint": false },
{ "idx": 12, "version": 1, "when": 1735800000, "tag": "0012_add_user_avatar", "breakpoint": false }
{ "idx": 12, "version": 1, "when": 1735800000, "tag": "0012_add_user_avatar", "breakpoint": false },
{ "idx": 13, "version": 1, "when": 1735900000, "tag": "0013_add_oidc_subject", "breakpoint": false }
]
}
+1
@@ -10,6 +10,7 @@ export const users = sqliteTable("users", {
passwordHash: text("password_hash", { length: 255 }),
avatarUrl: text("avatar_url", { length: 255 }),
authProvider: text("auth_provider", { length: 50 }).notNull().default("local"),
oidcSubject: text("oidc_subject", { length: 255 }), // OIDC provider's unique user ID (sub claim)
isActive: integer("is_active", { mode: "boolean" }).notNull().default(true),
lastLoginAt: integer("last_login_at", { mode: "timestamp" }),
createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),