coryHawkvelt/gatehouse-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Feat: RBAC, Keys Extension, Invites

Browse Source 
feat: org members page — invite users, cancel invites, change roles
feat: show pending invitations banner on profile page
feat: invite accept flow for existing users (no password needed)
feat: departments page updates
feat: SSH keys page — dept cert policy UI (expiry + extensions)
feat: wire up auth pages to real API (register, verify, reset, OIDC)
feat: CLI auth bridge — login page handles CLI token flow
feat: admin users — suspend/unsuspend, role badges, role filter
feat: add admin OAuth providers management page
feat: activity page — org-wide audit log view for admins
feat: add my memberships page
chore: add isOrgAdmin/isOrgMember to AuthContext, restrict sidebar
chore: update app routing and shared layout
This commit is contained in:
James Bhattarai
2026-03-01 16:50:19 +05:45
parent 62f767474b
commit 4c01fd0107
22 changed files with 2457 additions and 496 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/contexts/AuthContext.tsx
+57 -69
View File
@@ -12,10 +12,12 @@ interface AuthContextType {
user: User | null;
isLoading: boolean;
isAuthenticated: boolean;
isOrgAdmin: boolean;
isOrgMember: boolean;
mfaCompliance: MfaComplianceSummary | null;
requiresMfaEnrollment: boolean;
login: (email: string, password: string, rememberMe?: boolean) => Promise<LoginResult>;
verifyTotp: (code: string, isBackupCode?: boolean) => Promise<void>;
login: (email: string, password: string, rememberMe?: boolean, skipNavigate?: boolean) => Promise<LoginResult>;
verifyTotp: (code: string, isBackupCode?: boolean, skipNavigate?: boolean) => Promise<void>;
verifyWebAuthn: () => Promise<void>;
logout: () => Promise<void>;
refreshUser: () => Promise<void>;
@@ -40,66 +42,61 @@ function persistMfaCompliance(compliance: MfaComplianceSummary | null): void {
function loadMfaCompliance(): MfaComplianceSummary | null {
try {
const stored = localStorage.getItem(MFA_COMPLIANCE_KEY);
if (!stored) {
console.log('[AuthContext] loadMfaCompliance: no stored data');
return null;
}
if (!stored) return null;
const parsed = JSON.parse(stored);
console.log('[AuthContext] loadMfaCompliance: raw parsed:', parsed);
// Handle both direct format and legacy double-nested format
// Legacy format: { mfa_compliance: { ... } }
// Current format: { ... }
let compliance: Record<string, unknown>;
if (parsed.mfa_compliance && typeof parsed.mfa_compliance === 'object') {
console.log('[AuthContext] loadMfaCompliance: detected legacy double-nested format, unwrapping');
compliance = parsed.mfa_compliance as Record<string, unknown>;
} else {
compliance = parsed;
}
// Validate that the stored data has the required fields
if (!compliance || typeof compliance !== 'object') {
console.log('[AuthContext] loadMfaCompliance: invalid compliance object');
return null;
}
if (!Array.isArray(compliance.orgs)) {
console.log('[AuthContext] loadMfaCompliance: orgs is not an array');
return null;
}
// Validate missing_methods exists and is an array
if (!Array.isArray(compliance.missing_methods)) {
console.log('[AuthContext] loadMfaCompliance: missing_methods is not an array or missing');
}
if (!compliance || typeof compliance !== 'object') return null;
if (!Array.isArray(compliance.orgs)) return null;
// Check if at least one org has effective_mode (new field from API)
// If not, treat as stale data and return null to fetch fresh data
const hasEffectiveMode = compliance.orgs.some((org: Record<string, unknown>) =>
typeof org.effective_mode === 'string'
);
if (!hasEffectiveMode) {
console.log('[AuthContext] loadMfaCompliance: no effective_mode found, treating as stale');
return null;
}
console.log('[AuthContext] loadMfaCompliance: loaded successfully');
if (!hasEffectiveMode) return null;
return compliance as unknown as MfaComplianceSummary;
} catch (error) {
console.log('[AuthContext] loadMfaCompliance: error loading:', error);
} catch {
return null;
}
}
export function AuthProvider({ children }: { children: ReactNode }) {
const [user, setUser] = useState<User | null>(null);
const [isOrgAdmin, setIsOrgAdmin] = useState(false);
const [isOrgMember, setIsOrgMember] = useState(false);
const [mfaCompliance, setMfaCompliance] = useState<MfaComplianceSummary | null>(loadMfaCompliance);
const [requiresMfaEnrollment, setRequiresMfaEnrollment] = useState(false);
const [isLoading, setIsLoading] = useState(true);
const navigate = useNavigate();
// Helper to check if user is admin/owner in any org
const checkOrgAdmin = useCallback(async () => {
try {
const data = await api.users.organizations();
const admin = data.organizations.some(
(org) => org.role === 'owner' || org.role === 'admin'
);
setIsOrgAdmin(admin);
setIsOrgMember(data.organizations.length > 0);
} catch {
setIsOrgAdmin(false);
setIsOrgMember(false);
}
}, []);
const refreshCompliance = useCallback(async () => {
try {
const compliance = await api.policies.getMyCompliance();
@@ -148,7 +145,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
const response = await api.users.me();
setUser(response.user);
// Also fetch compliance status
// Also fetch compliance status and org role
try {
const compliance = await api.policies.getMyCompliance();
setMfaCompliance(compliance);
@@ -159,8 +156,12 @@ export function AuthProvider({ children }: { children: ReactNode }) {
setMfaCompliance(null);
persistMfaCompliance(null);
}
// Check org admin status
await checkOrgAdmin();
} catch {
setUser(null);
setIsOrgAdmin(false);
setIsOrgMember(false);
setMfaCompliance(null);
persistMfaCompliance(null);
setRequiresMfaEnrollment(false);
@@ -172,32 +173,21 @@ export function AuthProvider({ children }: { children: ReactNode }) {
checkAuth();
}, []);
const login = useCallback(async (email: string, password: string, rememberMe = false): Promise<LoginResult> => {
console.log('[AuthContext] login() called');
const login = useCallback(async (email: string, password: string, rememberMe = false, skipNavigate = false): Promise<LoginResult> => {
const response = await api.auth.login(email, password, rememberMe);
console.log('[AuthContext] login response:', {
requires_totp: response.requires_totp,
requires_webauthn: response.requires_webauthn,
requires_mfa_enrollment: response.requires_mfa_enrollment,
hasToken: !!response.token,
hasUser: !!response.user
});
// If WebAuthn is required, don't set user yet - wait for WebAuthn verification
if (response.requires_webauthn) {
console.log('[AuthContext] WebAuthn required, returning early');
return { requiresTotp: false, requiresWebAuthn: true };
}
// If TOTP is required, don't set user yet - wait for TOTP verification
if (response.requires_totp) {
console.log('[AuthContext] TOTP required, returning early');
return { requiresTotp: true, requiresWebAuthn: false };
}
// If MFA enrollment is required (past deadline), set compliance state
if (response.requires_mfa_enrollment) {
console.log('[AuthContext] MFA enrollment required, setting compliance state');
if (response.token) {
tokenManager.setToken(response.token, response.expires_at ?? null);
}
@@ -211,48 +201,39 @@ export function AuthProvider({ children }: { children: ReactNode }) {
setRequiresMfaEnrollment(true);
return { requiresTotp: false, requiresWebAuthn: false, requiresMfaEnrollment: true };
}
// Login complete: store token explicitly before setting user state
// This ensures the token is available for any subsequent API calls
// (e.g., when navigate('/profile') triggers refreshUser())
if (response.token) {
console.log('[AuthContext] Storing token in localStorage');
tokenManager.setToken(response.token, response.expires_at ?? null);
console.log('[AuthContext] Token stored, verifying:', tokenManager.getToken()?.substring(0, 20) + '...');
}
// Set user and navigate
if (response.user) {
console.log('[AuthContext] Setting user state and navigating to /profile');
setUser(response.user);
if (response.mfa_compliance) {
setMfaCompliance(response.mfa_compliance);
persistMfaCompliance(response.mfa_compliance);
}
setRequiresMfaEnrollment(false);
navigate('/profile');
await checkOrgAdmin();
if (!skipNavigate) {
navigate('/profile');
}
}
return { requiresTotp: false, requiresWebAuthn: false };
}, [navigate]);
}, [navigate, checkOrgAdmin]);
const verifyWebAuthn = useCallback(async () => {
// WebAuthn verification is handled directly in the LoginPage component
// This is a placeholder for consistency with the interface
console.log('[AuthContext] verifyWebAuthn called - verification handled in LoginPage');
}, []);
const verifyTotp = useCallback(async (code: string, isBackupCode = false) => {
const verifyTotp = useCallback(async (code: string, isBackupCode = false, skipNavigate = false) => {
const response = await api.totp.verify(code, isBackupCode);
// Store token explicitly before setting user state
// This ensures the token is available for any subsequent API calls
if (response.token) {
tokenManager.setToken(response.token, response.expires_at ?? null);
}
setUser(response.user);
// Check for MFA compliance in response
try {
const compliance = await api.policies.getMyCompliance();
setMfaCompliance(compliance);
@@ -263,14 +244,19 @@ export function AuthProvider({ children }: { children: ReactNode }) {
persistMfaCompliance(null);
}
navigate('/profile');
}, [navigate]);
await checkOrgAdmin();
if (!skipNavigate) {
navigate('/profile');
}
}, [navigate, checkOrgAdmin]);
const logout = useCallback(async () => {
try {
await api.auth.logout();
} finally {
setUser(null);
setIsOrgAdmin(false);
setIsOrgMember(false);
setMfaCompliance(null);
persistMfaCompliance(null);
setRequiresMfaEnrollment(false);
@@ -284,6 +270,8 @@ export function AuthProvider({ children }: { children: ReactNode }) {
user,
isLoading,
isAuthenticated: !!user,
isOrgAdmin,
isOrgMember,
mfaCompliance,
requiresMfaEnrollment,
login,