Auth & Quota
Luker has a built-in multi-user authentication and quota management system, suitable for team-shared instances or publicly deployed scenarios. Administrators can comprehensively manage user access and resource consumption through OAuth login, storage quotas, and the logging system.
Authentication System
Self-Service Registration
The login page can show a "Create account" form so visitors register themselves directly. This is disabled by default and is toggled from the admin panel (stored in the accountRegistration section of admin-settings.json):
```json
{
  "accountRegistration": {
    "enabled": false
  }
}
```

Accounts created this way are always non-admin, are enabled immediately, and inherit the default storage quota. When disabled, the registration endpoint rejects requests with HTTP 403 regardless of payload, so the setting is enforced by the server and not merely by hiding the form.
GitHub OAuth Login
Luker supports user authentication via GitHub OAuth. When users click login, they are redirected to the GitHub authorization page. After authorization is complete, a local user account is automatically created or associated.
Configuration: Configure the GitHub OAuth App credentials in the frontend admin panel (stored in the oauth section of admin-settings.json):
```json
{
  "oauth": {
    "github": {
      "enabled": true,
      "clientId": "your-github-client-id",
      "clientSecret": "your-github-client-secret",
      "allowAutoCreate": false
    }
  }
}
```

Discord OAuth Login
Luker also supports Discord OAuth login, with more fine-grained access control — it can verify whether a user is a member of a specified Discord server and whether they have specific roles.
```json
{
  "oauth": {
    "discord": {
      "enabled": true,
      "clientId": "your-discord-client-id",
      "clientSecret": "your-discord-client-secret",
      "allowAutoCreate": false,
      "requireGuildMembership": false,
      "allowedGuildIds": [],
      "requiredRoleIds": []
    }
  }
}
```

The OAuth callback URL is automatically generated by the system based on the current request (format: {protocol}://{host}/api/users/oauth/callback/{provider}), requiring no manual configuration.
TIP
If you don't need OAuth login, there's no need to configure the oauth section. Luker still supports SillyTavern's original user authentication methods. When you do configure OAuth, doing so through the frontend admin panel is recommended.
User Quota Management
Storage Quota
Administrators can set storage space quotas for each user to control file storage resource consumption:
- Quota limit — Maximum storage space available to the user
Token Usage Statistics
The token usage tracked by the Request Inspector is an independent statistics feature, separate from the storage quota management system. See Request Inspector for details.
When a user's storage usage exceeds the quota limit, the system blocks further data writes (returning a 413 status code). Administrators can set and adjust quotas for users in the frontend admin panel.
Logging System
Luker implements a server-side log capture system for administrators to remotely view server operational status.
Luker's logging system covers both backend and frontend, helping administrators troubleshoot issues remotely. See Logging System for details.
Configuration Reference
The following are the registration and OAuth-related configuration items in admin-settings.json (set through the admin panel):
| Config Path | Type | Default | Purpose |
|---|---|---|---|
| accountRegistration.enabled | boolean | false | Whether to expose the self-service registration form on the login page |
| oauth.github.enabled | boolean | false | Whether to enable GitHub OAuth |
| oauth.github.clientId | string | — | GitHub OAuth client ID |
| oauth.github.clientSecret | string | — | GitHub OAuth client secret |
| oauth.github.allowAutoCreate | boolean | false | Whether to allow automatic user creation |
| oauth.discord.enabled | boolean | false | Whether to enable Discord OAuth |
| oauth.discord.clientId | string | — | Discord OAuth client ID |
| oauth.discord.clientSecret | string | — | Discord OAuth client secret |
| oauth.discord.allowAutoCreate | boolean | false | Whether to allow automatic user creation |
| oauth.discord.requireGuildMembership | boolean | false | Whether to require server membership |
| oauth.discord.allowedGuildIds | string[] | [] | List of allowed Discord server IDs |
| oauth.discord.requiredRoleIds | string[] | [] | List of required role IDs |
WARNING
OAuth secrets are sensitive information. admin-settings.json is stored in the server data directory, so make sure access to this directory is restricted. Configuration through the admin panel is recommended.
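
A pre-deployment check over these settings, as an added example (not Luker's own code): the key names come from the configuration reference above, while `auditSettings`, its findings, and the sample values are assumptions of this example. It flags setting combinations worth reviewing and permission bits that leave `clientSecret` readable beyond the file owner.

```javascript
// Added example: review heuristics over a parsed admin-settings.json object.
// The findings are this example's own checks, not a description of Luker's enforcement.
function auditSettings(settings, fileMode) {
  const findings = [];
  if (settings.accountRegistration?.enabled === true) {
    findings.push('accountRegistration.enabled: self-service registration is open');
  }
  for (const [name, p] of Object.entries(settings.oauth || {})) {
    if (!p || p.enabled !== true) continue;
    for (const key of ['clientId', 'clientSecret']) {
      const v = p[key];
      if (typeof v !== 'string' || v === '' || v.startsWith('your-')) {
        findings.push(`oauth.${name}.${key}: missing or still the documentation placeholder`);
      }
    }
    // Discord is the only provider in the reference table with a membership gate.
    const guilds = Array.isArray(p.allowedGuildIds) ? p.allowedGuildIds : [];
    const roles = Array.isArray(p.requiredRoleIds) ? p.requiredRoleIds : [];
    const gated = name === 'discord' && p.requireGuildMembership === true && guilds.length > 0;
    if (p.allowAutoCreate === true && !gated) {
      findings.push(`oauth.${name}.allowAutoCreate: accounts auto-created with no membership restriction set`);
    }
    if (name === 'discord' && p.requireGuildMembership === true && guilds.length === 0) {
      findings.push('oauth.discord.allowedGuildIds: membership required but no server listed');
    }
    if (name === 'discord' && roles.length > 0 && p.requireGuildMembership !== true) {
      findings.push('oauth.discord.requiredRoleIds: roles listed while requireGuildMembership is false');
    }
  }
  // POSIX permission bits: any group/other access exposes clientSecret to other local users.
  if (typeof fileMode === 'number' && (fileMode & 0o077) !== 0) {
    findings.push(`file mode ${(fileMode & 0o777).toString(8)}: accessible beyond the owner, prefer 600`);
  }
  return findings;
}

// Constructed sample settings (not taken from a real deployment).
const sample = {
  accountRegistration: { enabled: false },
  oauth: {
    github: { enabled: true, clientId: 'your-github-client-id', clientSecret: 'constructed-secret', allowAutoCreate: true },
    discord: { enabled: true, clientId: '1234', clientSecret: 'constructed-secret', allowAutoCreate: true,
      requireGuildMembership: true, allowedGuildIds: [], requiredRoleIds: [] },
  },
};
console.log(auditSettings(sample, 0o100644).join('\n'));
```

On a real instance, pass `JSON.parse(fs.readFileSync(path, 'utf8'))` and `fs.statSync(path).mode`; the mode check is only meaningful on POSIX filesystems.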