@lobehub/lobehub 2.1.1 → 2.1.3

package/docs/self-hosting/auth/providers/password.zh-CN.mdx

@@ -0,0 +1,103 @@
+---
+title: 配置 LobeHub 邮箱密码登录
+description: 了解如何配置 LobeHub 的邮箱密码登录，包括启用/禁用选项和仅 SSO 模式。
+tags:
+  - 邮箱
+  - 密码
+  - 身份验证
+  - LobeHub
+---
+
+# 配置邮箱密码登录
+
+LobeHub 默认支持传统的邮箱密码登录方式。本指南介绍可用的配置选项。
+
+## 默认行为
+
+默认情况下，邮箱密码登录已启用。用户可以使用邮箱地址注册并设置密码。
+
+## 配置选项
+
+### 禁用邮箱密码登录（仅 SSO 模式）
+
+如果你希望强制用户只能通过 SSO 提供商登录，请设置以下环境变量：
+
+| 环境变量                          | 类型 | 描述               |
+| ----------------------------- | -- | ---------------- |
+| `AUTH_DISABLE_EMAIL_PASSWORD` | 可选 | 设置为 `1` 禁用邮箱密码登录 |
+
+启用后：
+
+- 登录页面隐藏邮箱输入框
+- 仅显示 SSO 提供商登录按钮
+- 注册页面重定向到登录页面
+- 用户必须通过配置的 SSO 提供商进行身份验证
+
+<Callout type={'warning'}>
+  启用仅 SSO 模式前，请确保已通过 `AUTH_SSO_PROVIDERS` 配置了至少一个 SSO
+  提供商。否则用户将无法登录。
+</Callout>
+
+### 启用邮箱验证
+
+要求用户在登录前验证邮箱地址：
+
+| 环境变量                      | 类型 | 描述             |
+| ------------------------- | -- | -------------- |
+| `AUTH_EMAIL_VERIFICATION` | 可选 | 设置为 `1` 启用邮箱验证 |
+
+这需要配置邮件服务（SMTP）。详情请参阅[邮件服务配置](/zh/docs/self-hosting/auth/email)。
+
+### 启用魔法链接登录
+
+允许通过邮件魔法链接实现无密码登录：
+
+| 环境变量                     | 类型 | 描述               |
+| ------------------------ | -- | ---------------- |
+| `AUTH_ENABLE_MAGIC_LINK` | 可选 | 设置为 `1` 启用魔法链接登录 |
+
+这也需要配置邮件服务（SMTP）。
+
+## 修改密码
+
+用户可以通过以下两种方式修改密码：
+
+1. **个人设置**：前往 设置 > 个人资料 修改密码
+2. **忘记密码**：在登录页面输入邮箱后，进入密码输入步骤，点击密码框下方的「忘记密码」
+
+<Callout type={'info'}>
+  以上两种方式都需要配置邮件服务（SMTP）以发送密码重置邮件。
+</Callout>
+
+## 配置示例
+
+### 仅 SSO（禁用邮箱密码）
+
+```bash
+AUTH_DISABLE_EMAIL_PASSWORD=1
+AUTH_SSO_PROVIDERS=google,github
+```
+
+### 邮箱密码 + 邮箱验证
+
+```bash
+AUTH_EMAIL_VERIFICATION=1
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USER=noreply@example.com
+SMTP_PASS=your-password
+```
+
+### 邮箱密码 + 魔法链接
+
+```bash
+AUTH_ENABLE_MAGIC_LINK=1
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USER=noreply@example.com
+SMTP_PASS=your-password
+```
+
+<Callout type={'tip'}>
+  前往[环境变量](/zh/docs/self-hosting/environment-variables/auth)查看所有身份验证相关变量的详细信息。
+</Callout>

package/docs/self-hosting/{advanced/auth → auth}/providers/wechat.mdx

@@ -1,12 +1,12 @@
 ---
-title: Configuring WeChat Authentication for LobeChat
+title: Configuring WeChat Authentication for LobeHub
 description: >-
-  Learn how to configure WeChat SSO for LobeChat, including creating an
+  Learn how to configure WeChat SSO for LobeHub, including creating an
   application on WeChat Open Platform.
 tags:
   - WeChat
   - Authentication
-  - LobeChat
+  - LobeHub
   - Single Sign-On
 ---
 
@@ -47,12 +47,12 @@ tags:
 
   ### Configure Environment Variables
 
-  | Environment Variable             | Type     | Description                                                     |
-  | -------------------------------- | -------- | --------------------------------------------------------------- |
-  | `AUTH_SECRET`                    | Required | Session encryption key, generate with `openssl rand -base64 32` |
-  | `AUTH_SSO_PROVIDERS`             | Required | Set to `wechat`                                                 |
-  | `AUTH_WECHAT_ID`                 | Required | AppID from WeChat Open Platform                                 |
-  | `AUTH_WECHAT_SECRET`             | Required | AppSecret from WeChat Open Platform                             |
+  | Environment Variable | Type     | Description                                                     |
+  | -------------------- | -------- | --------------------------------------------------------------- |
+  | `AUTH_SECRET`        | Required | Session encryption key, generate with `openssl rand -base64 32` |
+  | `AUTH_SSO_PROVIDERS` | Required | Set to `wechat`                                                 |
+  | `AUTH_WECHAT_ID`     | Required | AppID from WeChat Open Platform                                 |
+  | `AUTH_WECHAT_SECRET` | Required | AppSecret from WeChat Open Platform                             |
 
   <Callout type={'tip'}>
     Go to [📘 Environment Variables](/docs/self-hosting/environment-variables/auth#wechat)
@@ -62,7 +62,7 @@ tags:
 
 <Callout type={'info'}>
   After successful deployment, users will be able to authenticate with WeChat
-  and use LobeChat.
+  and use LobeHub.
 </Callout>
 
 ## Notes

package/docs/self-hosting/{advanced/auth → auth}/providers/wechat.zh-CN.mdx

@@ -1,10 +1,10 @@
 ---
-title: 在 LobeChat 中配置微信身份验证
-description: 学习如何在 LobeChat 中配置微信 SSO，包括在微信开放平台创建应用。
+title: 在 LobeHub 中配置微信身份验证
+description: 学习如何在 LobeHub 中配置微信 SSO，包括在微信开放平台创建应用。
 tags:
   - 微信
   - 身份验证
-  - LobeChat
+  - LobeHub
   - 单点登录
 ---
 
@@ -43,12 +43,12 @@ tags:
 
   ### 配置环境变量
 
-  | 环境变量                             | 类型 | 描述                                     |
-  | -------------------------------- | -- | -------------------------------------- |
-  | `AUTH_SECRET`                    | 必选 | 会话加密密钥，使用 `openssl rand -base64 32` 生成 |
-  | `AUTH_SSO_PROVIDERS`             | 必选 | 填写 `wechat`                            |
-  | `AUTH_WECHAT_ID`                 | 必选 | 微信开放平台的 AppID                          |
-  | `AUTH_WECHAT_SECRET`             | 必选 | 微信开放平台的 AppSecret                      |
+  | 环境变量                 | 类型 | 描述                                     |
+  | -------------------- | -- | -------------------------------------- |
+  | `AUTH_SECRET`        | 必选 | 会话加密密钥，使用 `openssl rand -base64 32` 生成 |
+  | `AUTH_SSO_PROVIDERS` | 必选 | 填写 `wechat`                            |
+  | `AUTH_WECHAT_ID`     | 必选 | 微信开放平台的 AppID                          |
+  | `AUTH_WECHAT_SECRET` | 必选 | 微信开放平台的 AppSecret                      |
 
   <Callout type={'tip'}>
     前往 [📘 环境变量](/zh/docs/self-hosting/environment-variables/auth#wechat)
@@ -57,7 +57,7 @@ tags:
 </Steps>
 
 <Callout type={'info'}>
-  部署成功后，用户将可以通过微信身份认证并使用 LobeChat。
+  部署成功后，用户将可以通过微信身份认证并使用 LobeHub。
 </Callout>
 
 ## 注意事项

package/docs/self-hosting/{advanced/auth → auth}/providers/zitadel.mdx

@@ -1,12 +1,12 @@
 ---
-title: Configuring ZITADEL Authentication for LobeChat
+title: Configuring ZITADEL Authentication for LobeHub
 description: >-
-  Learn how to configure ZITADEL SSO for LobeChat, including creating an
+  Learn how to configure ZITADEL SSO for LobeHub, including creating an
   application and setting up environment variables.
 tags:
   - ZITADEL
   - Authentication
-  - LobeChat
+  - LobeHub
   - Single Sign-On
   - OIDC
 ---
@@ -23,7 +23,7 @@ tags:
   3. Click **New** to create a new application
   4. Select **Web** as the application type
   5. Configure:
-     - Name: `LobeChat`
+     - Name: `LobeHub`
      - Authentication Method: `CODE` (for confidential clients)
   6. Add redirect URI:
 
@@ -42,15 +42,15 @@ tags:
 
   ### Configure Environment Variables
 
-  When deploying LobeChat, you need to configure the following environment variables:
+  When deploying LobeHub, you need to configure the following environment variables:
 
-  | Environment Variable             | Type     | Description                                                                   |
-  | -------------------------------- | -------- | ----------------------------------------------------------------------------- |
-  | `AUTH_SECRET`                    | Required | Key used to encrypt session tokens. Generate using: `openssl rand -base64 32` |
-  | `AUTH_SSO_PROVIDERS`             | Required | SSO provider for LobeChat. Use `zitadel` for ZITADEL                          |
-  | `AUTH_ZITADEL_ID`                | Required | Client ID from ZITADEL application                                            |
-  | `AUTH_ZITADEL_SECRET`            | Required | Client Secret from ZITADEL application                                        |
-  | `AUTH_ZITADEL_ISSUER`            | Required | ZITADEL issuer URL (e.g., `https://your-instance.zitadel.cloud`)              |
+  | Environment Variable  | Type     | Description                                                                   |
+  | --------------------- | -------- | ----------------------------------------------------------------------------- |
+  | `AUTH_SECRET`         | Required | Key used to encrypt session tokens. Generate using: `openssl rand -base64 32` |
+  | `AUTH_SSO_PROVIDERS`  | Required | SSO provider for LobeHub. Use `zitadel` for ZITADEL                           |
+  | `AUTH_ZITADEL_ID`     | Required | Client ID from ZITADEL application                                            |
+  | `AUTH_ZITADEL_SECRET` | Required | Client Secret from ZITADEL application                                        |
+  | `AUTH_ZITADEL_ISSUER` | Required | ZITADEL issuer URL (e.g., `https://your-instance.zitadel.cloud`)              |
 
   <Callout type={'info'}>
     **Alternative Environment Variables**: For backward compatibility, the following aliases are also supported:
@@ -64,7 +64,7 @@ tags:
 </Steps>
 
 <Callout type={'info'}>
-  After successful deployment, users will be able to authenticate with ZITADEL and use LobeChat.
+  After successful deployment, users will be able to authenticate with ZITADEL and use LobeHub.
 </Callout>
 
 ## Related Resources

package/docs/self-hosting/{advanced/auth → auth}/providers/zitadel.zh-CN.mdx

@@ -1,10 +1,10 @@
 ---
-title: 在 LobeChat 中配置 ZITADEL 身份验证
-description: 学习如何在 LobeChat 中配置 ZITADEL SSO，包括创建应用和设置环境变量。
+title: 在 LobeHub 中配置 ZITADEL 身份验证
+description: 学习如何在 LobeHub 中配置 ZITADEL SSO，包括创建应用和设置环境变量。
 tags:
   - ZITADEL
   - 身份验证
-  - LobeChat
+  - LobeHub
   - 单点登录
   - OIDC
 ---
@@ -21,7 +21,7 @@ tags:
   3. 点击 **New** 创建新应用
   4. 选择 **Web** 作为应用类型
   5. 配置：
-     - Name: `LobeChat`
+     - Name: `LobeHub`
      - Authentication Method: `CODE`（用于机密客户端）
   6. 添加重定向 URI：
 
@@ -40,15 +40,15 @@ tags:
 
   ### 配置环境变量
 
-  在部署 LobeChat 时，你需要配置以下环境变量：
+  在部署 LobeHub 时，你需要配置以下环境变量：
 
-  | 环境变量                             | 类型 | 描述                                                           |
-  | -------------------------------- | -- | ------------------------------------------------------------ |
-  | `AUTH_SECRET`                    | 必选 | 用于加密会话令牌的密钥。使用以下命令生成：`openssl rand -base64 32`               |
-  | `AUTH_SSO_PROVIDERS`             | 必选 | SSO 提供商。使用 ZITADEL 请填写 `zitadel`                             |
-  | `AUTH_ZITADEL_ID`                | 必选 | ZITADEL 应用的 Client ID                                        |
-  | `AUTH_ZITADEL_SECRET`            | 必选 | ZITADEL 应用的 Client Secret                                    |
-  | `AUTH_ZITADEL_ISSUER`            | 必选 | ZITADEL Issuer URL（例如 `https://your-instance.zitadel.cloud`） |
+  | 环境变量                  | 类型 | 描述                                                           |
+  | --------------------- | -- | ------------------------------------------------------------ |
+  | `AUTH_SECRET`         | 必选 | 用于加密会话令牌的密钥。使用以下命令生成：`openssl rand -base64 32`               |
+  | `AUTH_SSO_PROVIDERS`  | 必选 | SSO 提供商。使用 ZITADEL 请填写 `zitadel`                             |
+  | `AUTH_ZITADEL_ID`     | 必选 | ZITADEL 应用的 Client ID                                        |
+  | `AUTH_ZITADEL_SECRET` | 必选 | ZITADEL 应用的 Client Secret                                    |
+  | `AUTH_ZITADEL_ISSUER` | 必选 | ZITADEL Issuer URL（例如 `https://your-instance.zitadel.cloud`） |
 
   <Callout type={'info'}>
     **兼容的环境变量**：为了向后兼容，以下别名也支持：
@@ -61,7 +61,7 @@ tags:
   </Callout>
 </Steps>
 
-<Callout type={'info'}>部署成功后，用户将可以通过 ZITADEL 身份认证并使用 LobeChat。</Callout>
+<Callout type={'info'}>部署成功后，用户将可以通过 ZITADEL 身份认证并使用 LobeHub。</Callout>
 
 ## 相关资源
 

package/docs/self-hosting/{advanced/auth.mdx → auth.mdx}

@@ -1,8 +1,8 @@
 ---
 title: LobeHub Authentication Service Configuration
 description: >-
-  Learn how to configure external authentication services using Better Auth,
-  Clerk, or Next Auth for centralized user authorization management. Supported
+  Learn how to configure external authentication services using Better Auth
+  for centralized user authorization management. Supported
   authentication services include Auth0, Azure ID, etc.
 tags:
   - Authentication Service
@@ -12,17 +12,7 @@ tags:
 
 # Authentication Service
 
-LobeHub supports the configuration of external authentication services using Better Auth, Clerk, or Next Auth for internal use within enterprises/organizations to centrally manage user authorization.
-
-<Callout type={'info'}>
-  Looking for legacy authentication methods? See [Legacy Authentication](/docs/self-hosting/advanced/auth/legacy) for NextAuth and Clerk documentation.
-</Callout>
-
-Clerk is a comprehensive identity verification solution that has recently gained popularity. It provides a simple yet powerful API and services to handle user authentication and session management. Clerk's design philosophy is to offer a concise and modern authentication solution that enables developers to easily integrate and use it.
-
-LobeHub has deeply integrated with Clerk to provide users with a more secure and convenient login and registration experience. It also relieves developers from the burden of managing authentication logic. Clerk's concise and modern design philosophy aligns perfectly with LobeHub's goals, making user management on the entire platform more efficient and reliable.
-
-By setting the environment variables `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` and `CLERK_SECRET_KEY` in LobeHub's environment, you can enable and use Clerk.
+LobeHub supports the configuration of external authentication services using Better Auth for internal use within enterprises/organizations to centrally manage user authorization.
 
 ## Better Auth
 
@@ -40,12 +30,11 @@ By setting the environment variables `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` and `CL
 
 To enable Better Auth in LobeHub, set the following environment variables:
 
-| Environment Variable             | Type     | Description                                                                                                                                                               |
-| -------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `NEXT_PUBLIC_ENABLE_BETTER_AUTH` | Required | Set to `1` to enable Better Auth service                                                                                                                                  |
-| `AUTH_SECRET`                    | Required | Key used to encrypt session tokens. Generate using: `openssl rand -base64 32`                                                                                             |
-| `NEXT_PUBLIC_AUTH_URL`           | Required | The browser-accessible base URL for Better Auth (e.g., `http://localhost:3010`, `https://LobeHub.com`). Optional for Vercel deployments (auto-detected from `VERCEL_URL`) |
-| `AUTH_SSO_PROVIDERS`             | Optional | Comma-separated list of enabled SSO providers, e.g., `google,github,microsoft`                                                                                            |
+| Environment Variable   | Type     | Description                                                                                                                                                               |
+| ---------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `AUTH_SECRET`          | Required | Key used to encrypt session tokens. Generate using: `openssl rand -base64 32`                                                                                             |
+| `NEXT_PUBLIC_AUTH_URL` | Required | The browser-accessible base URL for Better Auth (e.g., `http://localhost:3010`, `https://LobeHub.com`). Optional for Vercel deployments (auto-detected from `VERCEL_URL`) |
+| `AUTH_SSO_PROVIDERS`   | Optional | Comma-separated list of enabled SSO providers, e.g., `google,github,microsoft`                                                                                            |
 
 ## Supported SSO Providers
 
@@ -72,6 +61,8 @@ To enable Better Auth in LobeHub, set the following environment variables:
 Click on a provider below for detailed configuration guides:
 
 <Cards>
+  <Card href={'/docs/self-hosting/advanced/auth/providers/password'} title={'Email/Password'} />
+
   <Card href={'/docs/self-hosting/advanced/auth/providers/github'} title={'GitHub'} />
 
   <Card href={'/docs/self-hosting/advanced/auth/providers/google'} title={'Google'} />
@@ -116,63 +107,7 @@ When configuring OAuth providers, use the following callback URL format:
 
 ## Email Service Configuration
 
-Used by email verification, password reset, and magic-link delivery. Two providers are supported:
-
-### Option 1: Nodemailer (SMTP)
-
-Send emails via SMTP protocol, suitable for users with existing email services. See [Nodemailer SMTP docs](https://nodemailer.com/smtp/).
-
-| Environment Variable     | Type     | Description                                                    | Example               |
-| ------------------------ | -------- | -------------------------------------------------------------- | --------------------- |
-| `EMAIL_SERVICE_PROVIDER` | Optional | Set to `nodemailer` (default)                                  | `nodemailer`          |
-| `SMTP_HOST`              | Required | SMTP server hostname                                           | `smtp.gmail.com`      |
-| `SMTP_PORT`              | Required | SMTP server port (`587` for TLS, `465` for SSL)                | `587`                 |
-| `SMTP_SECURE`            | Optional | `true` for SSL (port 465), `false` for TLS (port 587)          | `false`               |
-| `SMTP_USER`              | Required | SMTP auth username                                             | `user@gmail.com`      |
-| `SMTP_PASS`              | Required | SMTP auth password                                             | `your-app-password`   |
-| `SMTP_FROM`              | Optional | Sender address (required for AWS SES), defaults to `SMTP_USER` | `noreply@example.com` |
-
-<Callout type={'warning'}>
-  When using Gmail, you must use an App Password instead of your account password. Generate one at [Google App Passwords](https://myaccount.google.com/apppasswords).
-</Callout>
-
-### Option 2: Resend
-
-[Resend](https://resend.com/) is a modern email API service with simple setup, recommended for new users.
-
-| Environment Variable     | Type        | Description                               | Example                     |
-| ------------------------ | ----------- | ----------------------------------------- | --------------------------- |
-| `EMAIL_SERVICE_PROVIDER` | Required    | Set to `resend`                           | `resend`                    |
-| `RESEND_API_KEY`         | Required    | Resend API Key                            | `re_xxxxxxxxxxxxxxxxxxxxxx` |
-| `RESEND_FROM`            | Recommended | Sender address, must be a verified domain | `noreply@your-domain.com`   |
-
-<Callout type={'info'}>
-  Before using Resend, you need to [verify your sending domain](https://resend.com/docs/dashboard/domains/introduction), otherwise emails can only be sent to your own address.
-</Callout>
-
-### Common Configuration
-
-Before using Better Auth, please set the following variables in LobeHub's environment variables:
-
-## Email Verification
-
-Enable email verification to ensure users own the email addresses they register with (off by default):
-
-| Environment Variable      | Type     | Description                                                 |
-| ------------------------- | -------- | ----------------------------------------------------------- |
-| `AUTH_EMAIL_VERIFICATION` | Optional | Set to `1` to require email verification after registration |
-
-<Callout type={'info'}>
-  Email verification requires a working email service (SMTP or Resend) configured above. When enabled, users must verify their email address before they can sign in.
-</Callout>
-
-## Magic Link (Passwordless) Login
-
-Enable magic-link login (depends on a working email provider above, off by default):
-
-| Environment Variable     | Type     | Description                                                         |
-| ------------------------ | -------- | ------------------------------------------------------------------- |
-| `AUTH_ENABLE_MAGIC_LINK` | Optional | Set to `1` to enable passwordless magic-link login (off by default) |
+Email service is used for email verification, password reset, and magic link delivery. For detailed configuration, see [Email Service Configuration](/docs/self-hosting/auth/email).
 
 <Callout type={'tip'}>
   Go to [Environment Variables](/docs/self-hosting/environment-variables/auth#better-auth) for detailed information on all Better Auth variables.
@@ -216,6 +151,16 @@ The current authentication system requires email. Please configure a valid email
 
 This applies to all authentication methods, including SSO providers like Casdoor. Always ensure users have valid email addresses configured.
 
+### How do I enable SSO-only mode (disable email/password login)?
+
+Set `AUTH_DISABLE_EMAIL_PASSWORD=1` to disable email/password authentication. When enabled:
+
+- The email input will be hidden on the login page, only SSO buttons are displayed
+- The signup page will redirect to the login page
+- Users can only log in via configured SSO providers
+
+Make sure you have at least one SSO provider configured via `AUTH_SSO_PROVIDERS` before enabling this option.
+
 ### How do I restrict registration to specific emails or domains?
 
 Set the `AUTH_ALLOWED_EMAILS` environment variable with a comma-separated list of allowed emails or domains. For example:
@@ -233,10 +178,8 @@ Set the `AUTH_ALLOWED_EMAILS` environment variable with a comma-separated list o
 
 Allow LobeHub to receive notifications when user information is updated in the identity provider. Supported providers include Casdoor and Logto. Please refer to the specific provider documentation for configuration details.
 
-### Database Session
-
-Allow the session store in database, see also the [Auth.js Session Documentation](https://authjs.dev/concepts/session-strategies#database-session).
+### Other SSO Providers
 
-## Other SSO Providers
+If you need to use an SSO provider not included in the list above, you can use [Generic OIDC](/docs/self-hosting/auth/providers/generic-oidc) to configure any OpenID Connect or OAuth 2.0 compliant provider.
 
-Please refer to the [Auth.js](https://authjs.dev/getting-started/authentication/oauth) documentation and feel free to submit a Pull Request.
+Feel free to submit a Pull Request to add more built-in SSO provider support. For details, see the [Better Auth documentation](https://www.better-auth.com/docs/concepts/oauth).

package/docs/self-hosting/{advanced/auth.zh-CN.mdx → auth.zh-CN.mdx}

@@ -1,7 +1,7 @@
 ---
 title: LobeHub 身份验证服务配置
 description: >-
-  了解如何使用 Better Auth、Clerk 或 Next Auth 配置外部身份验证服务，以统一管理用户授权。支持的身份验证服务包括 Auth0、
+  了解如何使用 Better Auth 配置外部身份验证服务，以统一管理用户授权。支持的身份验证服务包括 Auth0、
   Azure ID 等。
 tags:
   - 身份验证服务
@@ -12,17 +12,7 @@ tags:
 
 # 身份验证服务
 
-LobeHub 支持使用 Better Auth、Clerk 或者 Next Auth 配置外部身份验证服务，供企业 / 组织内部使用，统一管理用户授权。
-
-<Callout type={'info'}>
-  需要使用旧版身份验证方案？请参阅 [旧版身份验证](/zh/docs/self-hosting/advanced/auth/legacy) 了解 NextAuth 和 Clerk 的文档。
-</Callout>
-
-Clerk 是一个近期流行起来的全面的身份验证解决方案，它提供了简单而强大的 API 和服务来处理用户认证和会话管理。Clerk 的设计哲学是提供一套简洁、现代的认证解决方案，使得开发者可以轻松集成和使用。
-
-LobeHub 与 Clerk 做了深度集成，能够为用户提供一个更加安全、便捷的登录和注册体验，同时也为开发者减轻了管理身份验证逻辑的负担。Clerk 的简洁和现代的设计理念与 LobeHub 的目标非常契合，使得整个平台的用户管理更加高效和可靠。
-
-在 LobeHub 的环境变量中设置 `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` 和 `CLERK_SECRET_KEY`，即可开启和使用 Clerk。
+LobeHub 支持使用 Better Auth 配置外部身份验证服务，供企业 / 组织内部使用，统一管理用户授权。
 
 ## Better Auth
 
@@ -40,12 +30,11 @@ LobeHub 与 Clerk 做了深度集成，能够为用户提供一个更加安全
 
 要在 LobeHub 中启用 Better Auth，请设置以下环境变量：
 
-| 环境变量                             | 类型 | 描述                                                                                                              |
-| -------------------------------- | -- | --------------------------------------------------------------------------------------------------------------- |
-| `NEXT_PUBLIC_ENABLE_BETTER_AUTH` | 必选 | 设置为 `1` 以启用 Better Auth 服务                                                                                      |
-| `AUTH_SECRET`                    | 必选 | 用于加密会话令牌的密钥。使用以下命令生成：`openssl rand -base64 32`                                                                  |
-| `NEXT_PUBLIC_AUTH_URL`           | 必选 | 浏览器可访问的 Better Auth 基础 URL（例如 `http://localhost:3010`、`https://LobeHub.com`）。Vercel 部署时可选（会自动从 `VERCEL_URL` 获取） |
-| `AUTH_SSO_PROVIDERS`             | 可选 | 启用的 SSO 提供商列表，以逗号分隔，例如 `google,github,microsoft`                                                                |
+| 环境变量                   | 类型 | 描述                                                                                                              |
+| ---------------------- | -- | --------------------------------------------------------------------------------------------------------------- |
+| `AUTH_SECRET`          | 必选 | 用于加密会话令牌的密钥。使用以下命令生成：`openssl rand -base64 32`                                                                  |
+| `NEXT_PUBLIC_AUTH_URL` | 必选 | 浏览器可访问的 Better Auth 基础 URL（例如 `http://localhost:3010`、`https://LobeHub.com`）。Vercel 部署时可选（会自动从 `VERCEL_URL` 获取） |
+| `AUTH_SSO_PROVIDERS`   | 可选 | 启用的 SSO 提供商列表，以逗号分隔，例如 `google,github,microsoft`                                                                |
 
 ## 支持的 SSO 提供商
 
@@ -72,6 +61,8 @@ LobeHub 与 Clerk 做了深度集成，能够为用户提供一个更加安全
 点击下方提供商查看详细配置指南：
 
 <Cards>
+  <Card href={'/zh/docs/self-hosting/advanced/auth/providers/password'} title={'邮箱密码'} />
+
   <Card href={'/zh/docs/self-hosting/advanced/auth/providers/github'} title={'GitHub'} />
 
   <Card href={'/zh/docs/self-hosting/advanced/auth/providers/google'} title={'Google'} />
@@ -116,63 +107,7 @@ LobeHub 与 Clerk 做了深度集成，能够为用户提供一个更加安全
 
 ## 邮件服务配置
 
-用于邮箱验证、密码重置和魔法链接发送。支持两种邮件服务：
-
-### 方式一：Nodemailer（SMTP）
-
-使用 SMTP 协议发送邮件，适合已有邮箱服务的用户。参考 [Nodemailer SMTP 文档](https://nodemailer.com/smtp/)。
-
-| 环境变量                     | 类型 | 描述                                             | 示例                    |
-| ------------------------ | -- | ---------------------------------------------- | --------------------- |
-| `EMAIL_SERVICE_PROVIDER` | 可选 | 设置为 `nodemailer`（默认值）                          | `nodemailer`          |
-| `SMTP_HOST`              | 必选 | SMTP 服务器主机名                                    | `smtp.gmail.com`      |
-| `SMTP_PORT`              | 必选 | SMTP 服务器端口（TLS 通常为 `587`，SSL 为 `465`）          | `587`                 |
-| `SMTP_SECURE`            | 可选 | SSL 设置为 `true`（端口 465），TLS 设置为 `false`（端口 587） | `false`               |
-| `SMTP_USER`              | 必选 | SMTP 认证用户名                                     | `user@gmail.com`      |
-| `SMTP_PASS`              | 必选 | SMTP 认证密码                                      | `your-app-password`   |
-| `SMTP_FROM`              | 可选 | 发件人地址（AWS SES 必填），默认为 `SMTP_USER`              | `noreply@example.com` |
-
-<Callout type={'warning'}>
-  使用 Gmail 时，需使用应用专用密码而非账户密码。前往 [Google 应用专用密码](https://myaccount.google.com/apppasswords) 生成。
-</Callout>
-
-### 方式二：Resend
-
-[Resend](https://resend.com/) 是一个现代邮件 API 服务，配置简单，推荐新用户使用。
-
-| 环境变量                     | 类型 | 描述                        | 示例                          |
-| ------------------------ | -- | ------------------------- | --------------------------- |
-| `EMAIL_SERVICE_PROVIDER` | 必选 | 设置为 `resend`              | `resend`                    |
-| `RESEND_API_KEY`         | 必选 | Resend API Key            | `re_xxxxxxxxxxxxxxxxxxxxxx` |
-| `RESEND_FROM`            | 推荐 | 发件人地址，需为 Resend 已验证域名下的邮箱 | `noreply@your-domain.com`   |
-
-<Callout type={'info'}>
-  使用 Resend 前需先 [验证发件域名](https://resend.com/docs/dashboard/domains/introduction)，否则只能发送到自己的邮箱。
-</Callout>
-
-### 通用配置
-
-在使用 Better Auth 之前，请先在 LobeHub 的环境变量中设置以下变量：
-
-## 邮箱验证
-
-启用邮箱验证以确保用户拥有其注册的邮箱地址（默认关闭）：
-
-| 环境变量                      | 类型 | 描述                   |
-| ------------------------- | -- | -------------------- |
-| `AUTH_EMAIL_VERIFICATION` | 可选 | 设置为 `1` 以要求注册后进行邮箱验证 |
-
-<Callout type={'info'}>
-  邮箱验证需要上方已配置好的邮件服务（SMTP 或 Resend）。启用后，用户必须验证其邮箱地址才能登录。
-</Callout>
-
-## 魔法链接（免密）登录
-
-启用魔法链接登录（依赖上方已配置好的邮件服务，默认关闭）：
-
-| 环境变量                     | 类型 | 描述                      |
-| ------------------------ | -- | ----------------------- |
-| `AUTH_ENABLE_MAGIC_LINK` | 可选 | 设置为 `1` 以启用魔法链接登录（默认关闭） |
+邮件服务用于邮箱验证、密码重置和魔法链接发送。详细配置请参阅 [邮件服务配置](/zh/docs/self-hosting/auth/email)。
 
 <Callout type={'tip'}>
   前往 [环境变量](/zh/docs/self-hosting/environment-variables/auth#better-auth) 可查阅所有 Better Auth 相关变量详情。
@@ -217,6 +152,16 @@ Better Auth 支持内置提供商（Google、GitHub、Microsoft、Apple、AWS Co
 
 这适用于所有身份验证方式，包括 Casdoor 等 SSO 提供商。请确保用户配置了有效的邮箱地址。
 
+### 如何启用仅 SSO 模式（禁用邮箱密码登录）？
+
+设置 `AUTH_DISABLE_EMAIL_PASSWORD=1` 可禁用邮箱密码登录。启用后：
+
+- 登录页面将隐藏邮箱输入框，仅显示 SSO 登录按钮
+- 注册页面将重定向到登录页面
+- 用户只能通过配置的 SSO 提供商登录
+
+启用此选项前，请确保已通过 `AUTH_SSO_PROVIDERS` 配置了至少一个 SSO 提供商。
+
 ### 如何限制只允许特定邮箱或域名注册？
 
 设置 `AUTH_ALLOWED_EMAILS` 环境变量，支持完整邮箱地址或域名，以逗号分隔。例如：
@@ -232,10 +177,8 @@ Better Auth 支持内置提供商（Google、GitHub、Microsoft、Apple、AWS Co
 
 允许 LobeHub 在身份提供商中用户信息更新时接收通知。支持的提供商包括 Casdoor 和 Logto。请参考具体提供商文档进行配置。
 
-### 数据库会话
-
-允许会话存储在数据库中，详情请参阅 [Auth.js 会话文档](https://authjs.dev/concepts/session-strategies#database-session)。
+### 其他 SSO 提供商
 
-## 其他 SSO 提供商
+如果你需要使用上述列表中未包含的 SSO 提供商，可以使用 [Generic OIDC](/zh/docs/self-hosting/auth/providers/generic-oidc) 来配置任何符合 OpenID Connect 或 OAuth 2.0 标准的提供商。
 
-请参考 [Auth.js](https://authjs.dev/getting-started/authentication/oauth) 文档，欢迎提交 Pull Request。
+欢迎提交 Pull Request 来添加更多内置 SSO 提供商支持。详情请参考 [Better Auth 文档](https://www.better-auth.com/docs/concepts/oauth)。

package/docs/self-hosting/environment-variables/auth.mdx

@@ -46,6 +46,13 @@ LobeHub provides a complete authentication service capability when deployed. The
 - Default: `-`
 - Example: `example.com,admin@other.com`
 
+#### `AUTH_DISABLE_EMAIL_PASSWORD`
+
+- Type: Optional
+- Description: Set to `1` to disable email/password authentication, forcing users to use SSO login only. When enabled, the email input will be hidden on the login page and the signup page will redirect to login.
+- Default: `0`
+- Example: `1`
+
 #### `JWKS_KEY`
 
 - Type: Required

package/docs/self-hosting/environment-variables/auth.zh-CN.mdx

@@ -44,6 +44,13 @@ LobeHub 在部署时提供了完善的身份验证服务能力，以下是相关
 - 默认值：`-`
 - 示例：`example.com,admin@other.com`
 
+#### `AUTH_DISABLE_EMAIL_PASSWORD`
+
+- 类型：可选
+- 描述：设置为 `1` 以禁用邮箱密码登录，强制用户使用 SSO 登录。启用后，登录页面将隐藏邮箱输入框，注册页面将重定向到登录页。
+- 默认值：`0`
+- 示例：`1`
+
 #### `JWKS_KEY`
 
 - 类型：必选