Add VK callback auth support and admin demotion

deploy/vk-auth-setup.md

@@ -0,0 +1,81 @@
+# VK OAuth callback setup
+
+The desktop app uses this redirect URI by default:
+
+```text
+https://vk.daemonlord.ru/vk/callback
+```
+
+The public HTTPS endpoint is expected to be handled by a reverse proxy. The
+backend callback host itself is plain HTTP on a non-standard local port:
+
+```text
+http://127.0.0.1:8787/vk/callback
+```
+
+## VK app settings
+
+1. Open the VK developer dashboard.
+2. Select the standalone app with ID `54454043`.
+3. Make sure the app type is `Standalone application`.
+4. Add the exact redirect URI:
+
+```text
+https://vk.daemonlord.ru/vk/callback
+```
+
+If the redirect URI in the OAuth request does not exactly match the app settings,
+VK can return:
+
+```json
+{"error":"invalid_request","error_description":"Security Error"}
+```
+
+## Backend callback host
+
+Run the local HTTP callback host:
+
+```bash
+python deploy/vk_callback_server.py --host 127.0.0.1 --port 8787
+```
+
+Health check:
+
+```text
+http://127.0.0.1:8787/health
+```
+
+Optional systemd unit:
+
+```text
+deploy/systemd/anabasis-vk-callback.service
+```
+
+Adjust `WorkingDirectory`, `ExecStart`, and `User` for the server path/user.
+
+The callback page does not process or store the token. With implicit OAuth, VK
+puts `access_token` in the URL fragment. The desktop webview reads that final URL
+directly from the embedded browser.
+
+## Reverse proxy
+
+Use the nginx example:
+
+```text
+deploy/nginx/vk.daemonlord.ru.conf
+```
+
+It proxies:
+
+```text
+https://vk.daemonlord.ru/vk/callback -> http://127.0.0.1:8787/vk/callback
+```
+
+## Desktop app override
+
+The app already defaults to `https://vk.daemonlord.ru/vk/callback`. To override it:
+
+```powershell
+$env:ANABASIS_VK_REDIRECT_URI = "https://vk.daemonlord.ru/vk/callback"
+python main.py
+```