From 76489a53a6ab1dff64775eec92db2464a7626d12 Mon Sep 17 00:00:00 2001
From: Mikkel Georgsen <msgeorgsen@gmail.com>
Date: Sun, 8 Feb 2026 12:57:19 +0100
Subject: [PATCH] Add social login providers (Google, Apple, Facebook) to TODO

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 docs/TODO_SECURITY.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/TODO_SECURITY.md b/docs/TODO_SECURITY.md
index c48124f..b136578 100644
--- a/docs/TODO_SECURITY.md
+++ b/docs/TODO_SECURITY.md
@@ -14,6 +14,15 @@ When the cache expires, every concurrent request sees stale cache and calls `ref
 
 **Fix:** Add a "refresh-in-progress" flag or use double-checked locking so only one request triggers the refresh while others wait.
 
+### Social login providers (Zitadel IDP configuration)
+Configure external identity providers in Zitadel so users can sign in with social accounts. Each requires creating OAuth2 credentials with the respective provider and registering them in Zitadel Console → Settings → Identity Providers.
+
+1. **Google** — Google Cloud Console OAuth 2.0 Client ID
+2. **Apple** — Apple Developer Sign in with Apple service ID + key
+3. **Facebook** — Meta for Developers app with Facebook Login product
+
+No code changes needed in the SvelteKit app — Zitadel's login page shows social buttons automatically once IDPs are configured.
+
 ## Medium Priority
 
 ### `trustHost: true` in auth.ts