Add frontend access control enhancements and JWT support

- Hide New Project button for unauthenticated users, show login link - Add lock icon for private projects on home page - Show access level badges on project cards (Owner, Admin, Write, Read) - Add permission expiration date field to AccessManagement component - Add query timeout configuration for database (ORCHARD_DATABASE_QUERY_TIMEOUT) - Add JWT token validation support for external identity providers - Configurable via ORCHARD_JWT_* environment variables - Supports HS256 with secret or RS256 with JWKS - Auto-provisions users from JWT claims
2026-01-08 18:52:57 -06:00
parent f7c91e94f6
commit 6b9f63a30e
10 changed files with 373 additions and 21 deletions
--- a/frontend/src/components/AccessManagement.tsx
+++ b/frontend/src/components/AccessManagement.tsx
@@ -22,11 +22,13 @@ export function AccessManagement({ projectName }: AccessManagementProps) {
  const [showAddForm, setShowAddForm] = useState(false);
  const [newUsername, setNewUsername] = useState('');
  const [newLevel, setNewLevel] = useState<AccessLevel>('read');
+  const [newExpiresAt, setNewExpiresAt] = useState('');
  const [submitting, setSubmitting] = useState(false);

  // Edit state
  const [editingUser, setEditingUser] = useState<string | null>(null);
  const [editLevel, setEditLevel] = useState<AccessLevel>('read');
+  const [editExpiresAt, setEditExpiresAt] = useState('');

  const loadPermissions = useCallback(async () => {
    try {
@@ -55,10 +57,12 @@ export function AccessManagement({ projectName }: AccessManagementProps) {
      await grantProjectAccess(projectName, {
        username: newUsername.trim(),
        level: newLevel,
+        expires_at: newExpiresAt || undefined,
      });
      setSuccess(`Access granted to ${newUsername}`);
      setNewUsername('');
      setNewLevel('read');
+      setNewExpiresAt('');
      setShowAddForm(false);
      await loadPermissions();
      setTimeout(() => setSuccess(null), 3000);
@@ -73,7 +77,10 @@ export function AccessManagement({ projectName }: AccessManagementProps) {
    try {
      setSubmitting(true);
      setError(null);
-      await updateProjectAccess(projectName, username, { level: editLevel });
+      await updateProjectAccess(projectName, username, {
+        level: editLevel,
+        expires_at: editExpiresAt || null,
+      });
      setSuccess(`Updated access for ${username}`);
      setEditingUser(null);
      await loadPermissions();
@@ -105,10 +112,26 @@ export function AccessManagement({ projectName }: AccessManagementProps) {
  const startEdit = (permission: AccessPermission) => {
    setEditingUser(permission.user_id);
    setEditLevel(permission.level as AccessLevel);
+    // Convert ISO date to local date format for date input
+    setEditExpiresAt(permission.expires_at ? permission.expires_at.split('T')[0] : '');
  };

  const cancelEdit = () => {
    setEditingUser(null);
+    setEditExpiresAt('');
+  };
+
+  const formatExpiration = (expiresAt: string | null) => {
+    if (!expiresAt) return 'Never';
+    const date = new Date(expiresAt);
+    const now = new Date();
+    const isExpired = date < now;
+    return (
+      <span className={isExpired ? 'expired' : ''}>
+        {date.toLocaleDateString()}
+        {isExpired && ' (Expired)'}
+      </span>
+    );
  };

  if (loading) {
@@ -158,6 +181,17 @@ export function AccessManagement({ projectName }: AccessManagementProps) {
                <option value="admin">Admin</option>
              </select>
            </div>
+            <div className="form-group">
+              <label htmlFor="expires_at">Expires (optional)</label>
+              <input
+                id="expires_at"
+                type="date"
+                value={newExpiresAt}
+                onChange={(e) => setNewExpiresAt(e.target.value)}
+                disabled={submitting}
+                min={new Date().toISOString().split('T')[0]}
+              />
+            </div>
            <button type="submit" className="btn btn-primary" disabled={submitting}>
              {submitting ? 'Granting...' : 'Grant Access'}
            </button>
@@ -175,6 +209,7 @@ export function AccessManagement({ projectName }: AccessManagementProps) {
                <th>User</th>
                <th>Access Level</th>
                <th>Granted</th>
+                <th>Expires</th>
                <th>Actions</th>
              </tr>
            </thead>
@@ -200,6 +235,19 @@ export function AccessManagement({ projectName }: AccessManagementProps) {
                    )}
                  </td>
                  <td>{new Date(p.created_at).toLocaleDateString()}</td>
+                  <td>
+                    {editingUser === p.user_id ? (
+                      <input
+                        type="date"
+                        value={editExpiresAt}
+                        onChange={(e) => setEditExpiresAt(e.target.value)}
+                        disabled={submitting}
+                        min={new Date().toISOString().split('T')[0]}
+                      />
+                    ) : (
+                      formatExpiration(p.expires_at)
+                    )}
+                  </td>
                  <td className="actions">
                    {editingUser === p.user_id ? (
                      <>