zhi/HarborForge.Frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: zhi:feature/foundry-deck-ui
Branches Tags
zhi:main zhi:feat/knowledge-base zhi:feature/foundry-deck-ui
...
compare: zhi:8e52e2bf7444d181927e284839d0e949b900c2b7
Branches Tags
zhi:main zhi:feat/knowledge-base zhi:feature/foundry-deck-ui

8 Commits
feature/fo ... 8e52e2bf74

Author SHA1 Message Date
hzhang
8e52e2bf74 feat(ui): overridable favicon/logo with branded default 
Replace the  emoji with a real logo image used as the in-app brand
mark and the favicon. Default bundled public/logo.svg is the
HangmanLab mark recolored to the Foundry-Deck ember (#ff6a1a).
Override at deploy time via HARBORFORGE_LOGO_URL (injected into
runtime-config.js; getLogoUrl() + favicon swap), no rebuild needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 22:39:58 +01:00
h z
4d0575291d Merge pull request 'feature/oidc-login' (#12) from feature/oidc-login into main 
Reviewed-on: #12
 2026-05-17 21:27:55 +00:00
hzhang
73da3926e7 feat(auth): admin_role config; drop manual admin-subject from wizard 
OIDC settings page + setup wizard now configure the bootstrap admin
role instead of a hand-typed OIDC subject. The OIDC-only admin link is
handled automatically by the backend admin-role auto-connect on first
sign-in (explained inline in both the wizard and settings page).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 21:05:40 +01:00
hzhang
782e42ac64 feat(setup): OIDC step in setup wizard + runtime OIDC_ONLY flag 
Solves the OIDC-only bootstrap lockout (admin can't reach the in-app
OIDC settings page when password login is disabled and OIDC is unset).

- Frontend image entrypoint injects /runtime-config.js from the
  deploy-time HARBORFORGE_OIDC_ONLY env so the SPA knows the mode
  before the backend exists.
- Setup wizard gains an "OIDC" step (between Admin and Backend):
  required when OIDC-only (incl. admin's OIDC subject so the bootstrap
  admin can sign in), optional otherwise; written into harborforge.json.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 20:50:58 +01:00
hzhang
ba55fee9d5 fix(auth): register /settings/oidc route for admins only 
Non-admins fall through to the catch-all redirect instead of seeing
the OIDC settings page shell. Sidebar link, in-page guard and the
admin-only backend API remain as defense in depth.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 20:33:28 +01:00
hzhang
8cac6951d7 feat(auth): admin OIDC settings page 
New admin page /settings/oidc to configure the OIDC provider (issuer,
client id/secret, redirect/callback URL, scopes, post-login redirect).
Prominently shows the callback URL to register at the IdP, current
status/source, and the read-only deploy-level OIDC-only flag. Secret
is write-only (blank = keep). Sidebar entry for admins.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 20:29:22 +01:00
hzhang
8f8d6d5465 feat(auth): OIDC login UI + binding management + OIDC-only mode 
- useAuthConfig fetches public /auth/config; LoginPage hides the
  password form when oidc_only and shows an SSO button when enabled.
- /oidc/callback route applies the returned JWT (sign-in) or shows the
  link result; oidc_error surfaced on LoginPage.
- UsersPage: hides password fields in OIDC-only mode; admin OIDC
  bind/unbind UI per user. Sidebar self-service "Link OIDC account"
  (non-OIDC_ONLY).
- Dockerfile ARG/ENV HARBORFORGE_OIDC_ONLY.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 20:22:14 +01:00
hzhang
aaf36a4f5c Merge feature/foundry-deck-ui into main 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-16 17:56:00 +01:00
15 changed files with 687 additions and 48 deletions
Expand all files Collapse all files

16
Dockerfile
View File

@@ -12,5 +12,19 @@ RUN npm install -g serve@14
WORKDIR /app
COPY --from=build /app ./
ENV FRONTEND_DEV_MODE=0
# OIDC-only mode flag. Injected into the SPA at container start as
# /runtime-config.js so the setup wizard knows it before the backend
# exists; /auth/config remains authoritative once the backend is up.
ARG HARBORFORGE_OIDC_ONLY=false
ENV HARBORFORGE_OIDC_ONLY=${HARBORFORGE_OIDC_ONLY}
# Optional deploy-time branding override: a URL the SPA uses for the
# logo + favicon. Empty → bundled /logo.svg default.
ARG HARBORFORGE_LOGO_URL=
ENV HARBORFORGE_LOGO_URL=${HARBORFORGE_LOGO_URL}
EXPOSE 3000
CMD ["sh", "-c", "if [ \"$FRONTEND_DEV_MODE\" = \"1\" ]; then npm run dev -- --host 0.0.0.0 --port 3000 --strictPort; else serve -s dist -l 3000; fi"]
CMD ["sh", "-c", "\
if [ \"$HARBORFORGE_OIDC_ONLY\" = \"true\" ]; then OO=true; else OO=false; fi; \
CFG=\"window.__HF_RUNTIME__={\\\"oidc_only\\\":$OO,\\\"logo_url\\\":\\\"$HARBORFORGE_LOGO_URL\\\"};\"; \
mkdir -p public; printf '%s' \"$CFG\" > public/runtime-config.js; \
[ -d dist ] && printf '%s' \"$CFG\" > dist/runtime-config.js; \
if [ \"$FRONTEND_DEV_MODE\" = \"1\" ]; then npm run dev -- --host 0.0.0.0 --port 3000 --strictPort; else serve -s dist -l 3000; fi"]

12
index.html
View File

@@ -2,12 +2,22 @@
<html lang="en">
<head>
<meta charset="UTF-8" />
<link rel="icon" type="image/svg+xml" href="/vite.svg" />
<link id="hf-favicon" rel="icon" type="image/svg+xml" href="/logo.svg" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>HarborForge</title>
</head>
<body>
<div id="root"></div>
<!-- Runtime config injected by the container entrypoint (deploy-time
HARBORFORGE_OIDC_ONLY). Absent in dev → app falls back to /auth/config. -->
<script src="/runtime-config.js"></script>
<script>
// Optional deploy-time branding override (HARBORFORGE_LOGO_URL).
try {
var u = window.__HF_RUNTIME__ && window.__HF_RUNTIME__.logo_url;
if (u) document.getElementById('hf-favicon').href = u;
} catch (e) {}
</script>
<script type="module" src="/src/main.tsx"></script>
</body>
</html>

44
public/logo.svg Normal file
View File

@@ -0,0 +1,44 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 733.000000 733.000000" role="img" aria-label="Hangman Lab">
<g transform="translate(0.000000,733.000000) scale(0.100000,-0.100000)"
fill="#ff6a1a" stroke="none">
<path d="M812 6860 c-66 -40 -73 -66 -70 -242 3 -141 5 -159 24 -185 43 -58
63 -63 262 -64 l182 -1 0 -2694 0 -2694 -290 0 c-314 0 -332 -3 -380 -54 -24
-27 -25 -32 -28 -199 -3 -195 4 -218 71 -250 32 -16 257 -17 3084 -17 2955 0
3049 1 3083 19 65 34 75 66 75 236 0 186 -16 224 -104 254 -25 8 -682 11
-2512 11 l-2479 0 0 1998 0 1997 698 697 697 697 670 -3 c369 -2 680 -4 693
-5 22 -1 22 -1 22 -269 l0 -268 84 -12 c47 -7 103 -19 125 -27 41 -14 41 -14
43 283 l3 297 631 1 c698 2 673 -1 714 67 18 28 20 51 20 187 0 173 -8 201
-72 240 -33 20 -56 20 -2623 20 -2567 0 -2590 0 -2623 -20z m1725 -500 c-1 -3
-183 -185 -404 -404 l-403 -399 0 405 0 406 405 -1 c223 -1 404 -4 402 -7z
M4283 5701 c-459 -125 -690 -624 -483 -1046 67 -138 196 -266 335 -335 281
-139 612 -93 837 118 235 219 297 575 152 870 -85 174 -235 306 -427 375 -111
40 -302 48 -414 18z m267 -211 c95 -15 201 -70 274 -144 273 -274 173 -723
-189 -851 -93 -33 -236 -35 -326 -5 -202 68 -340 249 -356 465 -18 242 153
471 394 529 71 18 119 19 203 6z M5945 4716 c-56 -25 -80 -61 -80 -122 0 -48
4 -57 36 -90 88 -88 219 -29 219 98 0 45 -34 96 -75 114 -42 17 -61 17 -100 0z
M5675 4466 c-60 -26 -73 -109 -26 -157 62 -61 161 -19 161 70 0 74 -68 118
-135 87z M3747 4397 c-10 -7 -226 -223 -479 -482 -307 -313 -467 -483 -479
-510 -35 -75 -17 -177 38 -227 39 -35 114 -61 160 -54 100 13 104 17 583 554
l145 162 3 -404 c3 -455 15 -342 -137 -1186 -76 -423 -101 -587 -101 -664 0
-190 182 -307 377 -242 62 21 136 95 152 152 6 22 29 188 52 369 57 466 109
839 118 848 4 4 52 6 106 5 l99 -3 67 -210 c38 -115 68 -220 69 -232 0 -12
-38 -152 -85 -311 -47 -159 -85 -302 -85 -317 0 -128 109 -225 255 -225 109 1
185 42 228 125 26 51 237 683 237 710 0 11 -54 182 -121 380 -121 360 -121
360 -134 605 -8 135 -14 292 -14 350 l0 105 152 -158 c84 -87 166 -167 182
-177 44 -29 98 -26 135 8 38 35 187 379 173 401 -5 8 -34 20 -64 26 -59 11
-38 -8 -393 362 -89 93 -100 97 -174 59 -59 -30 -161 -62 -229 -71 -52 -7 -53
-7 -53 -41 0 -44 -21 -84 -61 -118 -38 -32 -41 0 32 -455 l52 -325 -82 -78
c-45 -43 -85 -78 -89 -78 -4 0 -42 35 -84 78 l-77 77 34 215 c19 118 46 289
61 379 26 164 26 164 -5 188 -42 33 -54 58 -61 121 -5 54 -5 54 -92 87 -98 38
-184 89 -243 145 -76 70 -123 87 -168 57z M5504 4170 c-74 -30 -69 -170 6
-170 19 0 20 -7 20 -123 0 -122 0 -122 -54 -262 -30 -77 -97 -243 -150 -369
-106 -252 -113 -287 -73 -347 46 -70 38 -69 560 -69 327 0 475 3 490 11 69 35
107 109 88 172 -5 17 -62 142 -126 277 -225 470 -215 443 -215 586 0 114 2
124 18 124 57 0 72 101 23 151 -29 29 -29 29 -298 28 -147 0 -278 -4 -289 -9z
m376 -307 c1 -148 1 -148 81 -333 101 -231 98 -222 68 -216 -13 3 -116 22
-229 42 -112 19 -208 37 -212 40 -4 2 18 75 48 160 54 156 54 156 54 305 l0
149 95 0 95 0 0 -147z m-219 -593 c22 0 49 -42 49 -75 0 -46 -29 -75 -74 -75
-37 0 -76 36 -76 71 0 46 45 94 78 83 8 -2 18 -4 23 -4z m327 -126 c53 -59 -7
-144 -80 -113 -54 22 -65 83 -22 125 30 31 67 27 102 -12z"/>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 3.0 KiB

7
src/App.tsx
View File

@@ -20,6 +20,8 @@ import UsersPage from '@/pages/UsersPage'
import CalendarPage from '@/pages/CalendarPage'
import SupportDetailPage from '@/pages/SupportDetailPage'
import MeetingDetailPage from '@/pages/MeetingDetailPage'
import OidcCallbackPage from '@/pages/OidcCallbackPage'
import OidcSettingsPage from '@/pages/OidcSettingsPage'
import axios from 'axios'
const getStoredWizardPort = (): number | null => {
@@ -35,7 +37,7 @@ type AppState = 'checking' | 'setup' | 'ready'
export default function App() {
const [appState, setAppState] = useState<AppState>('checking')
const { user, loading, login, logout } = useAuth()
const { user, loading, login, loginWithToken, logout } = useAuth()
useEffect(() => {
checkInitialized()
@@ -100,6 +102,7 @@ export default function App() {
<Route path="/users" element={<UsersPage />} />
<Route path="/monitor" element={<MonitorPage />} />
<Route path="/login" element={<LoginPage onLogin={login} />} />
<Route path="/oidc/callback" element={<OidcCallbackPage onToken={loginWithToken} />} />
<Route path="*" element={<Navigate to="/monitor" />} />
</Routes>
</main>
@@ -133,6 +136,8 @@ export default function App() {
<Route path="/roles" element={<RoleEditorPage />} />
<Route path="/users" element={<UsersPage />} />
<Route path="/monitor" element={<MonitorPage />} />
{user?.is_admin && <Route path="/settings/oidc" element={<OidcSettingsPage />} />}
<Route path="/oidc/callback" element={<OidcCallbackPage onToken={loginWithToken} />} />
<Route path="*" element={<Navigate to="/" />} />
</Routes>
</main>

11
src/components/Sidebar.tsx
View File

@@ -1,6 +1,8 @@
import { useState, useEffect } from 'react'
import { Link, useLocation, useNavigate } from 'react-router-dom'
import api from '@/services/api'
import { useAuthConfig, oidcLinkHref } from '@/hooks/useAuthConfig'
import { getLogoUrl } from '@/runtime'
import type { User } from '@/types'
interface Props {
@@ -11,6 +13,7 @@ interface Props {
export default function Sidebar({ user, onLogout }: Props) {
const { pathname } = useLocation()
const navigate = useNavigate()
const { config: authCfg } = useAuthConfig()
const [unreadCount, setUnreadCount] = useState(0)
useEffect(() => {
@@ -39,6 +42,7 @@ export default function Sidebar({ user, onLogout }: Props) {
...(user.is_admin ? [
{ to: '/users', icon: '👥', label: 'Users' },
{ to: '/roles', icon: '🔐', label: 'Roles' },
{ to: '/settings/oidc', icon: '🪪', label: 'OIDC' },
] : []),
] : [
{ to: '/monitor', icon: '📡', label: 'Monitor' },
@@ -47,7 +51,7 @@ export default function Sidebar({ user, onLogout }: Props) {
return (
<nav className="sidebar">
<div className="sidebar-header">
<h1> HarborForge</h1>
<h1><img src={getLogoUrl()} className="brand-logo" alt="" /> HarborForge</h1>
</div>
<ul className="nav-links">
{links.map((l) => (
@@ -64,6 +68,11 @@ export default function Sidebar({ user, onLogout }: Props) {
<button onClick={() => navigate('/login')}>Log in</button>
)}
</div>
{user && authCfg.oidcEnabled && !authCfg.oidcOnly && (
<div className="sidebar-footer" style={{ borderTop: 'none', paddingTop: 0 }}>
<a href={oidcLinkHref()} title="Link your account to an OIDC identity">🔗 Link OIDC account</a>
</div>
)}
</nav>
)
}

8
src/hooks/useAuth.ts
View File

@@ -44,10 +44,16 @@ export function useAuth() {
await fetchUser()
}
const loginWithToken = async (token: string) => {
localStorage.setItem('token', token)
setState((s) => ({ ...s, token }))
await fetchUser()
}
const logout = () => {
localStorage.removeItem('token')
setState({ user: null, token: null, loading: false })
}
return { ...state, login, logout }
return { ...state, login, loginWithToken, logout }
}

76
src/hooks/useAuthConfig.ts Normal file
View File

@@ -0,0 +1,76 @@
import { useState, useEffect } from 'react'
import api from '@/services/api'
export interface AuthConfig {
oidcEnabled: boolean
oidcOnly: boolean
passwordLogin: boolean
oidcLoginUrl: string
}
const DEFAULT: AuthConfig = {
oidcEnabled: false,
oidcOnly: false,
passwordLogin: true,
oidcLoginUrl: '/auth/oidc/login',
}
let cache: AuthConfig | null = null
let inflight: Promise<AuthConfig> | null = null
async function load(): Promise<AuthConfig> {
if (cache) return cache
if (inflight) return inflight
inflight = api
.get('/auth/config')
.then(({ data }) => {
cache = {
oidcEnabled: !!data.oidc_enabled,
oidcOnly: !!data.oidc_only,
passwordLogin: data.password_login !== false,
oidcLoginUrl: data.oidc_login_url || '/auth/oidc/login',
}
return cache
})
.catch(() => {
// Backend unreachable / old backend without /auth/config:
// fall back to password-only so login is never fully blocked.
cache = { ...DEFAULT }
return cache
})
.finally(() => {
inflight = null
})
return inflight
}
/** Absolute backend URL for full-page OIDC redirects. */
export function oidcLoginHref(cfg: AuthConfig): string {
const base = localStorage.getItem('HF_BACKEND_BASE_URL') ?? ''
return `${base}${cfg.oidcLoginUrl}`
}
export function oidcLinkHref(): string {
const base = localStorage.getItem('HF_BACKEND_BASE_URL') ?? ''
return `${base}/auth/oidc/link`
}
export function useAuthConfig() {
const [config, setConfig] = useState<AuthConfig | null>(cache)
const [loading, setLoading] = useState(!cache)
useEffect(() => {
let alive = true
load().then((c) => {
if (alive) {
setConfig(c)
setLoading(false)
}
})
return () => {
alive = false
}
}, [])
return { config: config ?? DEFAULT, loading }
}

7
src/index.css
View File

@@ -144,7 +144,12 @@ input, textarea, select, button { font-family: inherit; }
font-size: 1.3rem; letter-spacing: .12em;
display: flex; align-items: center; gap: 8px;
}
.sidebar-header h1::first-letter { color: var(--accent); }
/* Brand logo (overridable via HARBORFORGE_LOGO_URL / public/logo.svg) */
.brand-logo {
height: 1.15em; width: auto; vertical-align: -0.18em;
display: inline-block; flex: 0 0 auto;
}
.login-card h1 .brand-logo, .setup-header h1 .brand-logo { height: 1.4em; }
.nav-links { list-style: none; flex: 1; padding: 14px 12px; display: flex; flex-direction: column; gap: 2px; }
.nav-links li a {
display: flex; align-items: center; gap: 10px;

45
src/pages/LoginPage.tsx
View File

@@ -1,15 +1,31 @@
import React, { useState } from 'react'
import { useAuthConfig, oidcLoginHref } from '@/hooks/useAuthConfig'
import { getLogoUrl } from '@/runtime'
interface Props {
onLogin: (username: string, password: string) => Promise<void>
}
const OIDC_ERRORS: Record<string, string> = {
not_linked: 'This OIDC account is not linked to any HarborForge user. Ask an administrator to bind it first.',
exchange_failed: 'OIDC sign-in failed during token exchange. Please try again.',
no_subject: 'The identity provider did not return a subject. Sign-in aborted.',
token_rejected: 'The issued session token was rejected. Please try again.',
missing_token: 'No session token was returned. Please try again.',
link_not_allowed: 'Account linking is not allowed in this mode.',
already_bound: 'That OIDC identity is already bound to another user.',
}
export default function LoginPage({ onLogin }: Props) {
const { config, loading: cfgLoading } = useAuthConfig()
const [username, setUsername] = useState('')
const [password, setPassword] = useState('')
const [error, setError] = useState('')
const [loading, setLoading] = useState(false)
const urlError = new URLSearchParams(window.location.search).get('oidc_error')
const oidcError = urlError ? (OIDC_ERRORS[urlError] || `OIDC error: ${urlError}`) : ''
const handleSubmit = async (e: React.FormEvent) => {
e.preventDefault()
setError('')
@@ -23,11 +39,18 @@ export default function LoginPage({ onLogin }: Props) {
}
}
const showPassword = !cfgLoading && config.passwordLogin && !config.oidcOnly
const showOidc = !cfgLoading && config.oidcEnabled
return (
<div className="login-page">
<div className="login-card">
<h1> HarborForge</h1>
<h1><img src={getLogoUrl()} className="brand-logo" alt="" /> HarborForge</h1>
<p className="subtitle">Agent/Human collaborative task management platform</p>
{oidcError && <p className="error" style={{ marginBottom: 14 }}>{oidcError}</p>}
{showPassword && (
<form onSubmit={handleSubmit}>
<input
type="text"
@@ -48,6 +71,26 @@ export default function LoginPage({ onLogin }: Props) {
{loading ? 'Signing in...' : 'Sign in'}
</button>
</form>
)}
{showPassword && showOidc && (
<p className="text-dim" style={{ textAlign: 'center', margin: '14px 0' }}> or </p>
)}
{showOidc && (
<a
className="btn-primary"
style={{ display: 'block', textAlign: 'center', textDecoration: 'none' }}
href={oidcLoginHref(config)}
>
Sign in with SSO
</a>
)}
{cfgLoading && <p className="subtitle">Loading sign-in options</p>}
{!cfgLoading && !showPassword && !showOidc && (
<p className="error">No sign-in method is available. Check server configuration.</p>
)}
</div>
</div>
)

56
src/pages/OidcCallbackPage.tsx Normal file
View File

@@ -0,0 +1,56 @@
import { useEffect, useRef, useState } from 'react'
import { useNavigate } from 'react-router-dom'
import { getLogoUrl } from '@/runtime'
interface Props {
onToken: (token: string) => Promise<void>
}
/**
* Lands here after the backend OIDC callback redirect.
* - sign-in: URL fragment `#token=<jwt>` → apply token, go to dashboard
* - self-link: query `?oidc_linked=1` → success notice, go to /users
* - failure: query `?oidc_error=<code>` → back to /login with the code
*/
export default function OidcCallbackPage({ onToken }: Props) {
const navigate = useNavigate()
const [msg, setMsg] = useState('Completing sign-in…')
const ran = useRef(false)
useEffect(() => {
if (ran.current) return
ran.current = true
const hash = new URLSearchParams(window.location.hash.replace(/^#/, ''))
const query = new URLSearchParams(window.location.search)
const token = hash.get('token')
const oidcError = query.get('oidc_error')
const linked = query.get('oidc_linked')
if (oidcError) {
navigate(`/login?oidc_error=${encodeURIComponent(oidcError)}`, { replace: true })
return
}
if (linked) {
setMsg('OIDC account linked. Redirecting…')
const t = setTimeout(() => navigate('/users', { replace: true }), 1200)
return () => clearTimeout(t)
}
if (token) {
onToken(token)
.then(() => navigate('/', { replace: true }))
.catch(() => navigate('/login?oidc_error=token_rejected', { replace: true }))
return
}
navigate('/login?oidc_error=missing_token', { replace: true })
}, [navigate, onToken])
return (
<div className="login-page">
<div className="login-card">
<h1><img src={getLogoUrl()} className="brand-logo" alt="" /> HarborForge</h1>
<p className="subtitle">{msg}</p>
</div>
</div>
)
}

171
src/pages/OidcSettingsPage.tsx Normal file
View File

@@ -0,0 +1,171 @@
import { useEffect, useState } from 'react'
import api from '@/services/api'
import { useAuth } from '@/hooks/useAuth'
interface Settings {
enabled: boolean
issuer: string | null
client_id: string | null
has_client_secret: boolean
redirect_uri: string | null
scopes: string | null
post_login_redirect: string | null
admin_role: string
oidc_only: boolean
effective_enabled: boolean
source: string
}
export default function OidcSettingsPage() {
const { user } = useAuth()
const isAdmin = user?.is_admin === true
const [loaded, setLoaded] = useState<Settings | null>(null)
const [loading, setLoading] = useState(true)
const [saving, setSaving] = useState(false)
const [message, setMessage] = useState('')
const [form, setForm] = useState({
enabled: false,
issuer: '',
client_id: '',
client_secret: '',
redirect_uri: '',
scopes: 'openid email profile',
post_login_redirect: '',
admin_role: 'admin',
})
useEffect(() => {
if (!isAdmin) { setLoading(false); return }
api.get<Settings>('/auth/oidc/settings')
.then(({ data }) => {
setLoaded(data)
setForm({
enabled: data.enabled,
issuer: data.issuer || '',
client_id: data.client_id || '',
client_secret: '',
redirect_uri: data.redirect_uri || '',
scopes: data.scopes || 'openid email profile',
post_login_redirect: data.post_login_redirect || '',
admin_role: data.admin_role || 'admin',
})
})
.catch((e) => setMessage(e.response?.data?.detail || 'Failed to load OIDC settings'))
.finally(() => setLoading(false))
}, [isAdmin])
const save = async () => {
setSaving(true)
setMessage('')
try {
const payload: Record<string, any> = {
enabled: form.enabled,
issuer: form.issuer.trim(),
client_id: form.client_id.trim(),
redirect_uri: form.redirect_uri.trim(),
scopes: form.scopes.trim(),
post_login_redirect: form.post_login_redirect.trim(),
admin_role: form.admin_role.trim() || 'admin',
}
if (form.client_secret) payload.client_secret = form.client_secret
const { data } = await api.put<Settings>('/auth/oidc/settings', payload)
setLoaded(data)
setForm((f) => ({ ...f, client_secret: '' }))
setMessage('OIDC settings saved successfully')
} catch (e: any) {
setMessage(e.response?.data?.detail || 'Failed to save OIDC settings')
} finally {
setSaving(false)
}
}
if (loading) return <div className="loading">Loading OIDC settings...</div>
if (!isAdmin) {
return (
<div className="section">
<h2>🔐 OIDC Settings</h2>
<p className="empty">Admin access required.</p>
</div>
)
}
const callbackHint = form.redirect_uri.trim() || loaded?.redirect_uri || '(set the Redirect / Callback URL below)'
return (
<div className="section">
<div className="page-header">
<div>
<h2>🔐 OIDC Settings</h2>
<div className="text-dim">Configure the OpenID Connect provider. Saved values override environment defaults.</div>
</div>
</div>
{message && (
<div style={{
padding: '10px 12px', marginBottom: 16, borderRadius: 8,
background: message.includes('success') ? 'rgba(70,180,135,.14)' : 'rgba(226,85,60,.14)',
border: `1px solid ${message.includes('success') ? 'rgba(70,180,135,.4)' : 'rgba(226,85,60,.4)'}`,
}}>{message}</div>
)}
<div className="monitor-card" style={{ marginBottom: 16 }}>
<div className="monitor-card-header">
<div style={{ fontWeight: 600 }}>Status</div>
<span className={'badge ' + (loaded?.effective_enabled ? 'status-online' : 'status-offline')}>
{loaded?.effective_enabled ? 'OIDC active' : 'OIDC inactive'}
</span>
</div>
<div className="monitor-metrics">
config source: <b>{loaded?.source}</b> · OIDC-only mode (deploy env): <b>{loaded?.oidc_only ? 'on' : 'off'}</b>
</div>
<div style={{ marginTop: 8 }}>
<div className="text-dim">Register this Redirect / Callback URL at your identity provider:</div>
<code style={{ display: 'block', marginTop: 6, wordBreak: 'break-all' }}>{callbackHint}</code>
</div>
</div>
<div className="task-create-form" style={{ maxWidth: 640 }}>
<label className="filter-check">
<input type="checkbox" checked={form.enabled} onChange={(e) => setForm({ ...form, enabled: e.target.checked })} />
Enable OIDC sign-in
</label>
<label>
Issuer (OIDC source)
<input placeholder="https://idp.example.com" value={form.issuer} onChange={(e) => setForm({ ...form, issuer: e.target.value })} />
</label>
<label>
Client ID
<input value={form.client_id} onChange={(e) => setForm({ ...form, client_id: e.target.value })} />
</label>
<label>
Client Secret
<input type="password" placeholder={loaded?.has_client_secret ? '•••••• (leave blank to keep current)' : 'client secret'} value={form.client_secret} onChange={(e) => setForm({ ...form, client_secret: e.target.value })} />
</label>
<label>
Redirect / Callback URL
<input placeholder="https://hf-api.example.com/auth/oidc/callback" value={form.redirect_uri} onChange={(e) => setForm({ ...form, redirect_uri: e.target.value })} />
</label>
<label>
Scopes
<input value={form.scopes} onChange={(e) => setForm({ ...form, scopes: e.target.value })} />
</label>
<label>
Post-login redirect (frontend)
<input placeholder="https://hf.example.com/oidc/callback" value={form.post_login_redirect} onChange={(e) => setForm({ ...form, post_login_redirect: e.target.value })} />
</label>
<label>
Admin role (bootstrap)
<input placeholder="admin" value={form.admin_role} onChange={(e) => setForm({ ...form, admin_role: e.target.value })} />
</label>
<p className="text-dim">
OIDC-only bootstrap: before any admin is linked, an IdP user whose token carries this role
auto-connects to the HarborForge admin account on first sign-in. Disables itself once an admin is bound.
</p>
<button className="btn-primary" disabled={saving} onClick={save}>
{saving ? 'Saving...' : 'Save OIDC Settings'}
</button>
</div>
</div>
)
}

111
src/pages/SetupWizardPage.tsx
View File

@@ -1,5 +1,6 @@
import { useState } from 'react'
import axios from 'axios'
import { getRuntimeOidcOnly, getLogoUrl } from '@/runtime'
interface Props {
initialWizardPort: number | null
@@ -14,9 +15,18 @@ interface SetupForm {
backend_base_url: string
project_name: string
project_description: string
oidc_enabled: boolean
oidc_issuer: string
oidc_client_id: string
oidc_client_secret: string
oidc_redirect_uri: string
oidc_scopes: string
oidc_post_login_redirect: string
oidc_admin_role: string
}
const STEPS = ['Wizard', 'Admin', 'Backend', 'Finish']
const oidcOnly = getRuntimeOidcOnly() === true
const STEPS = ['Wizard', 'Admin', 'OIDC', 'Backend', 'Finish']
export default function SetupWizardPage({ initialWizardPort, onComplete }: Props) {
const [step, setStep] = useState(0)
@@ -35,9 +45,17 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
backend_base_url: '',
project_name: '',
project_description: '',
oidc_enabled: oidcOnly,
oidc_issuer: '',
oidc_client_id: '',
oidc_client_secret: '',
oidc_redirect_uri: '',
oidc_scopes: 'openid email profile',
oidc_post_login_redirect: '',
oidc_admin_role: 'admin',
})
const set = (key: keyof SetupForm, value: string | number) =>
const set = (key: keyof SetupForm, value: string | number | boolean) =>
setForm((f) => ({ ...f, [key]: value }))
const checkWizard = async () => {
@@ -61,11 +79,24 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
}
}
const validateOidc = (): string => {
if (!oidcOnly && !form.oidc_enabled) return ''
if (!form.oidc_issuer.trim()) return 'OIDC issuer is required'
if (!form.oidc_client_id.trim()) return 'OIDC client ID is required'
if (!form.oidc_client_secret.trim()) return 'OIDC client secret is required'
if (!form.oidc_redirect_uri.trim()) return 'OIDC redirect/callback URL is required'
if (oidcOnly && !form.oidc_admin_role.trim()) {
return 'In OIDC-only mode the admin role is required so the admin can bootstrap'
}
return ''
}
const saveConfig = async () => {
setError('')
setSaving(true)
try {
const config = {
const includeOidc = oidcOnly || form.oidc_enabled
const config: Record<string, any> = {
initialized: true,
admin: {
username: form.admin_username,
@@ -75,6 +106,18 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
},
backend_url: form.backend_base_url || undefined,
}
if (includeOidc) {
config.oidc = {
enabled: true,
issuer: form.oidc_issuer.trim(),
client_id: form.oidc_client_id.trim(),
client_secret: form.oidc_client_secret,
redirect_uri: form.oidc_redirect_uri.trim(),
scopes: form.oidc_scopes.trim() || 'openid email profile',
post_login_redirect: form.oidc_post_login_redirect.trim() || undefined,
admin_role: form.oidc_admin_role.trim() || 'admin',
}
}
await axios.put(`${wizardBase}/api/v1/config/harborforge.json`, config, {
headers: { 'Content-Type': 'application/json' },
@@ -85,7 +128,7 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
localStorage.setItem('HF_BACKEND_BASE_URL', form.backend_base_url)
}
setStep(3)
setStep(4)
} catch (err: any) {
setError(`Failed to save configuration: ${err.message}`)
} finally {
@@ -97,7 +140,7 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
<div className="setup-wizard">
<div className="setup-container">
<div className="setup-header">
<h1> HarborForge Setup Wizard</h1>
<h1><img src={getLogoUrl()} className="brand-logo" alt="" /> HarborForge Setup Wizard</h1>
<div className="setup-steps">
{STEPS.map((s, i) => (
<span key={i} className={`setup-step ${i === step ? 'active' : i < step ? 'done' : ''}`}>
@@ -150,6 +193,9 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
<label>Email <input type="email" value={form.admin_email} onChange={(e) => set('admin_email', e.target.value)} placeholder="admin@example.com" /></label>
<label>Full name <input value={form.admin_full_name} onChange={(e) => set('admin_full_name', e.target.value)} /></label>
</div>
{oidcOnly && (
<p className="setup-hint">OIDC-only deployment: this admin will sign in via OIDC; the password is kept only as a fallback identity record.</p>
)}
<div className="setup-nav">
<button className="btn-back" onClick={() => setStep(0)}>Back</button>
<button className="btn-primary" onClick={() => {
@@ -161,8 +207,55 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
</div>
)}
{/* Step 2: Backend */}
{/* Step 2: OIDC */}
{step === 2 && (
<div className="setup-step-content">
<h2>OIDC {oidcOnly ? '(required)' : '(optional)'}</h2>
<p className="text-dim">
{oidcOnly
? 'This deployment runs in OIDC-only mode — configure the identity provider now (the admin cannot reach this page again without it).'
: 'Optionally configure single sign-on. You can also do this later from the admin OIDC settings page.'}
</p>
{!oidcOnly && (
<label className="filter-check" style={{ marginBottom: 12 }}>
<input type="checkbox" checked={form.oidc_enabled} onChange={(e) => set('oidc_enabled', e.target.checked)} />
Enable OIDC sign-in
</label>
)}
{(oidcOnly || form.oidc_enabled) && (
<div className="setup-form">
<label>Issuer (OIDC source) <input value={form.oidc_issuer} onChange={(e) => set('oidc_issuer', e.target.value)} placeholder="https://idp.example.com/realms/hf" /></label>
<label>Client ID <input value={form.oidc_client_id} onChange={(e) => set('oidc_client_id', e.target.value)} /></label>
<label>Client Secret <input type="password" value={form.oidc_client_secret} onChange={(e) => set('oidc_client_secret', e.target.value)} /></label>
<label>Redirect / Callback URL <input value={form.oidc_redirect_uri} onChange={(e) => set('oidc_redirect_uri', e.target.value)} placeholder="https://hf-api.example.com/auth/oidc/callback" /></label>
<label>Scopes <input value={form.oidc_scopes} onChange={(e) => set('oidc_scopes', e.target.value)} /></label>
<label>Post-login redirect (frontend) <input value={form.oidc_post_login_redirect} onChange={(e) => set('oidc_post_login_redirect', e.target.value)} placeholder="https://hf.example.com/oidc/callback" /></label>
<label>Admin role (bootstrap)
<input value={form.oidc_admin_role} onChange={(e) => set('oidc_admin_role', e.target.value)} placeholder="admin" />
</label>
<p className="setup-hint">Register the Redirect / Callback URL above at your identity provider.</p>
{oidcOnly && (
<p className="setup-hint">
OIDC-only: before any admin is linked, the first IdP user whose token carries the
role above auto-connects to the HarborForge admin account. It then disables itself.
</p>
)}
</div>
)}
<div className="setup-nav">
<button className="btn-back" onClick={() => setStep(1)}>Back</button>
<button className="btn-primary" onClick={() => {
const e = validateOidc()
if (e) { setError(e); return }
setError('')
setStep(3)
}}>Next</button>
</div>
</div>
)}
{/* Step 3: Backend */}
{step === 3 && (
<div className="setup-step-content">
<h2>Backend URL</h2>
<p className="text-dim">Configure the HarborForge backend API URL (leave blank to use the frontend default).</p>
@@ -170,7 +263,7 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
<label>Backend Base URL <input value={form.backend_base_url} onChange={(e) => set('backend_base_url', e.target.value)} placeholder="http://backend:8000" /></label>
</div>
<div className="setup-nav">
<button className="btn-back" onClick={() => setStep(1)}>Back</button>
<button className="btn-back" onClick={() => setStep(2)}>Back</button>
<button className="btn-primary" onClick={saveConfig} disabled={saving}>
{saving ? 'Saving...' : 'Finish setup'}
</button>
@@ -178,8 +271,8 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
</div>
)}
{/* Step 3: Done */}
{step === 3 && (
{/* Step 4: Done */}
{step === 4 && (
<div className="setup-step-content">
<div className="setup-done">
<h2> Setup complete!</h2>

90
src/pages/UsersPage.tsx
View File

@@ -1,6 +1,7 @@
import { useEffect, useMemo, useState } from 'react'
import api from '@/services/api'
import { useAuth } from '@/hooks/useAuth'
import { useAuthConfig } from '@/hooks/useAuthConfig'
import type { User } from '@/types'
interface RoleOption {
@@ -16,8 +17,13 @@ interface ApiKeyPerms {
export default function UsersPage() {
const { user } = useAuth()
const { config: authCfg } = useAuthConfig()
const oidcOnly = authCfg.oidcOnly
const oidcEnabled = authCfg.oidcEnabled
const isAdmin = user?.is_admin === true
const [bindForm, setBindForm] = useState({ issuer: '', subject: '' })
const [users, setUsers] = useState<User[]>([])
const [roles, setRoles] = useState<RoleOption[]>([])
const [loading, setLoading] = useState(true)
@@ -105,17 +111,20 @@ export default function UsersPage() {
}
const handleCreateUser = async () => {
if (!createForm.username.trim() || !createForm.email.trim() || !createForm.password.trim()) return
if (!createForm.username.trim() || !createForm.email.trim()) return
if (!oidcOnly && !createForm.password.trim()) return
setSaving(true)
setMessage('')
try {
const payload = {
const payload: Record<string, any> = {
username: createForm.username.trim(),
email: createForm.email.trim(),
full_name: createForm.full_name.trim() || null,
password: createForm.password,
role_id: createForm.role_id ? Number(createForm.role_id) : undefined,
}
if (!oidcOnly) {
payload.password = createForm.password
}
const { data } = await api.post<User>('/users', payload)
const guestRole = roles.find((r) => r.name === 'guest') ?? roles[0]
setCreateForm({
@@ -201,6 +210,42 @@ export default function UsersPage() {
}
}
const handleBindOidc = async () => {
if (!selectedUser) return
if (!bindForm.issuer.trim() || !bindForm.subject.trim()) return
setSaving(true)
setMessage('')
try {
await api.put(`/users/${selectedUser.id}/oidc-binding`, {
issuer: bindForm.issuer.trim(),
subject: bindForm.subject.trim(),
})
setBindForm({ issuer: '', subject: '' })
setMessage('OIDC identity bound successfully')
await fetchData()
} catch (err: any) {
setMessage(err.response?.data?.detail || 'Failed to bind OIDC identity')
} finally {
setSaving(false)
}
}
const handleUnbindOidc = async () => {
if (!selectedUser) return
if (!confirm(`Remove the OIDC binding for ${selectedUser.username}?`)) return
setSaving(true)
setMessage('')
try {
await api.delete(`/users/${selectedUser.id}/oidc-binding`)
setMessage('OIDC binding removed')
await fetchData()
} catch (err: any) {
setMessage(err.response?.data?.detail || 'Failed to remove OIDC binding')
} finally {
setSaving(false)
}
}
if (loading) return <div className="loading">Loading users...</div>
if (!isAdmin) {
@@ -251,10 +296,15 @@ export default function UsersPage() {
Full Name
<input value={createForm.full_name} onChange={(e) => setCreateForm({ ...createForm, full_name: e.target.value })} />
</label>
{!oidcOnly && (
<label>
Password
<input type="password" value={createForm.password} onChange={(e) => setCreateForm({ ...createForm, password: e.target.value })} />
</label>
)}
{oidcOnly && (
<p className="text-dim">OIDC-only mode: users are created without a password and sign in via a bound OIDC identity.</p>
)}
<label>
Role
<select value={createForm.role_id} onChange={(e) => setCreateForm({ ...createForm, role_id: e.target.value })}>
@@ -264,7 +314,7 @@ export default function UsersPage() {
))}
</select>
</label>
<button className="btn-primary" disabled={saving || !createForm.username.trim() || !createForm.email.trim() || !createForm.password.trim() || !createForm.role_id} onClick={handleCreateUser}>
<button className="btn-primary" disabled={saving || !createForm.username.trim() || !createForm.email.trim() || (!oidcOnly && !createForm.password.trim()) || !createForm.role_id} onClick={handleCreateUser}>
{saving ? 'Saving...' : 'Create User'}
</button>
</div>
@@ -326,10 +376,12 @@ export default function UsersPage() {
Full Name
<input value={editForm.full_name} onChange={(e) => setEditForm({ ...editForm, full_name: e.target.value })} />
</label>
{!oidcOnly && (
<label>
Reset Password
<input type="password" placeholder="Leave blank to keep current password" value={editForm.password} onChange={(e) => setEditForm({ ...editForm, password: e.target.value })} />
</label>
)}
<div style={{ marginTop: '8px', padding: '12px', border: '1px solid var(--border)', borderRadius: '8px' }}>
<div style={{ fontWeight: 600, marginBottom: '10px' }}>Role</div>
@@ -381,6 +433,36 @@ export default function UsersPage() {
)}
</div>
)}
{oidcEnabled && (
<div style={{ marginTop: '8px', padding: '12px', border: '1px solid var(--border)', borderRadius: '8px' }}>
<div style={{ fontWeight: 600, marginBottom: '10px' }}>OIDC Binding</div>
{selectedUser.oidc_subject ? (
<div style={{ marginBottom: 10 }}>
<div className="text-dim" style={{ fontFamily: 'monospace', wordBreak: 'break-all' }}>
issuer: {selectedUser.oidc_issuer || '—'}<br />
subject: {selectedUser.oidc_subject}
</div>
<button className="btn-danger" style={{ marginTop: 10 }} disabled={saving} onClick={handleUnbindOidc}>
Unbind OIDC identity
</button>
</div>
) : (
<div className="text-dim" style={{ marginBottom: 10 }}>No OIDC identity bound.</div>
)}
<label>
Issuer
<input value={bindForm.issuer} placeholder="https://idp.example.com" onChange={(e) => setBindForm({ ...bindForm, issuer: e.target.value })} />
</label>
<label>
Subject (sub)
<input value={bindForm.subject} placeholder="OIDC subject claim" onChange={(e) => setBindForm({ ...bindForm, subject: e.target.value })} />
</label>
<button className="btn-secondary" style={{ marginTop: 10 }} disabled={saving || !bindForm.issuer.trim() || !bindForm.subject.trim()} onClick={handleBindOidc}>
{selectedUser.oidc_subject ? 'Rebind OIDC identity' : 'Bind OIDC identity'}
</button>
</div>
)}
</div>
</>
) : (

23
src/runtime.ts Normal file
View File

@@ -0,0 +1,23 @@
// Runtime config injected by the container entrypoint into
// /runtime-config.js (from the deploy-time HARBORFORGE_OIDC_ONLY env).
// Available before the backend exists — used by the setup wizard.
declare global {
interface Window {
__HF_RUNTIME__?: { oidc_only?: boolean; logo_url?: string }
}
}
/** true/false from the injected runtime config, or null when unknown. */
export function getRuntimeOidcOnly(): boolean | null {
const v = typeof window !== 'undefined' ? window.__HF_RUNTIME__?.oidc_only : undefined
return typeof v === 'boolean' ? v : null
}
/** Brand logo URL: deploy-time override (HARBORFORGE_LOGO_URL) or the
* bundled default at /logo.svg. */
export function getLogoUrl(): string {
const u = typeof window !== 'undefined' ? window.__HF_RUNTIME__?.logo_url : undefined
return (typeof u === 'string' && u) ? u : '/logo.svg'
}
export {}

2
src/types/index.ts
View File

@@ -7,6 +7,8 @@ export interface User {
is_active: boolean
role_id: number | null
role_name: string | null
oidc_issuer?: string | null
oidc_subject?: string | null
created_at: string
}