fix(backend): support legacy OIDC callback path

Add a compatibility route for /oidc/callback so OIDC logins still complete when deployments omit the /api prefix in redirect_uri. Clarify the canonical callback URL in docs and env examples to prevent future misconfiguration.

.env.example

@@ -55,6 +55,8 @@ FUSION_LOG_FORMAT=auto
 # FUSION_OIDC_CLIENT_SECRET=
 
 # Callback URL (required when OIDC issuer is configured)
+# Must include the callback path: /api/oidc/callback
+# Example: FUSION_OIDC_REDIRECT_URI=https://fusion.example.com/api/oidc/callback
 # FUSION_OIDC_REDIRECT_URI=
 
 # Restrict login to a specific user identity (email or subject claim, optional)

README.md

@@ -101,6 +101,8 @@ Then configure based on your goal:
   - Guide: [`docs/fever-api.md`](./docs/fever-api.md)
 - Use SSO instead of password-only login
   - Configure: `FUSION_OIDC_*`
+  - Set `FUSION_OIDC_REDIRECT_URI` to `https://<host>/api/oidc/callback`
+  - `https://<host>/oidc/callback` is accepted for compatibility
 - Tune feed pull behavior
   - Configure: `FUSION_PULL_INTERVAL`, `FUSION_PULL_TIMEOUT`, `FUSION_PULL_CONCURRENCY`, `FUSION_PULL_MAX_BACKOFF`
   - Optional for private networks: `FUSION_ALLOW_PRIVATE_FEEDS`

backend/internal/handler/handler.go

@@ -101,6 +101,8 @@ func (h *Handler) SetupRouter() *gin.Engine {
 		if h.oidcAuth != nil {
 			api.GET("/oidc/login", h.oidcLogin)
 			api.GET("/oidc/callback", h.oidcCallback)
+			// Compatibility route for deployments that configured redirect_uri without /api.
+			r.GET("/oidc/callback", h.oidcCallback)
 		}
 
 		auth := api.Group("")