feat: Role based Cadence-web

[ribaraka]

Motivation: cadence-workflow/cadence#6706
Plan&Findings: cadence-workflow/cadence#7508

This PR adds JWT-based auth plumbing to Cadence Web and introduces auth-aware workflow action gating.

• Auth strategy: JWT auth is resolved through config, with token validity/expiry, groups, admin flag, and gRPC metadata derived from the cadence-authorization cookie.
• Dynamic config: auth behavior is routed through dynamic config resolvers: CADENCE_WEB_AUTH_STRATEGY validates auth mode, DOMAIN_ACCESS defines how domain access is determined,
• Auth endpoints: POST /api/auth/token to set the HttpOnly cookie, DELETE /api/auth/token to clear it, GET /api/auth/me to expose public auth context.
• API middleware now provides auth context, user info, and gRPC metadata for all route handlers that use routeHandlersDefaultMiddlewares.
• Workflow/domain actions: start/signal/terminate/etc. are disabled with “Not authorized” when the token lacks write access;
• Login/logout UI: navbar shows JWT paste modal when unauthenticated.

[ribaraka]

start page

rbac off:

rbac on:

[ribaraka]

user menu (un-auth user):

input to enter a token:

added an admin token (domains are appeared + pop message):

user menu (after login):

added a reader user:

reader user inside a domain:

added a writer user:

writer user inside a domain:

user redirected to "start page" when token is expired:

[ribaraka]

Unauthorised error messages are shown when user access protected domain

[ribaraka]

@Assem-Hafez @demirkayaender, when you available, please review my initial version of the feature to ship with this PR.

[Assem-Uber]

@ribaraka Thanks for opening the PR. Is this aligned with the requirements shared here?

[ribaraka]

@Assem-Uber, yes it is 😃

[cjrolo]

Hello, is it possible to get a review on this PR? Thanks!

[Copilot]

Pull request overview

This PR adds comprehensive Role-Based Access Control (RBAC) support to the Cadence Web UI. The implementation aligns with Cadence backend JWT authentication by extracting tokens from cookies, forwarding them via gRPC metadata, and using JWT claims (Admin flag, groups) to control UI visibility and enable/disable actions.

Changes:

• Authentication infrastructure with JWT cookie handling (cadence-authorization), token validation, and expiration tracking
• Domain access control filtering domains by READ_GROUPS/WRITE_GROUPS metadata and disabling workflow actions based on write permissions
• Login/logout UI in the navigation bar with automatic session expiration handling and token refresh support

Reviewed changes

Copilot reviewed 33 out of 33 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
src/utils/auth/auth-context.ts	Server-side auth context resolution with JWT decoding and cookie reading
src/utils/auth/auth-shared.ts	Shared auth types and domain access logic based on group membership
src/utils/auth/tests/auth-context.test.ts	Comprehensive tests for auth utilities
src/app/api/auth/token/route.ts	POST/DELETE endpoints for setting/clearing auth cookie
src/app/api/auth/me/route.ts	GET endpoint exposing public auth context
src/utils/route-handlers-middleware/middlewares/user-info.ts	Middleware to populate gRPC metadata from auth token
src/utils/route-handlers-middleware/config/route-handlers-default-middlewares.config.ts	Reordered middlewares so userInfo runs before grpcClusterMethods
src/hooks/use-user-info/use-user-info.ts	Client hook for fetching current auth state
src/hooks/use-domain-access/use-domain-access.ts	Client hook combining user info and domain metadata to determine access
src/views/domains-page/helpers/get-all-domains.ts	Filters domains list by canRead permission
src/views/domains-page/domains-page.tsx	Passes auth context to domain loading
src/views/redirect-domain/redirect-domain.tsx	Uses auth context for domain access checks
src/views/workflow-actions/workflow-actions.tsx	Checks write permission and disables actions accordingly
src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.tsx	Shows "Not authorized" for actions when write access is false
src/views/domain-page/domain-page-start-workflow-button/domain-page-start-workflow-button.tsx	Disables start workflow button when write access is denied
src/views/domain-workflows/domain-workflows.tsx	Conditionally fetches cluster info based on auth state
src/components/app-nav-bar/app-nav-bar.tsx	Adds login/logout UI, token modal, and automatic expiration handling
src/components/auth-token-modal/auth-token-modal.tsx	Modal for pasting JWT tokens
src/components/snackbar-provider/snackbar-provider.tsx	Changed duration from infinite to medium
README.md	Documents RBAC configuration and JWT cookie mechanism
src/config/dynamic/dynamic.config.ts	Adds CADENCE_WEB_RBAC_ENABLED config

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The modal's internal state (token, error) is not reset when the modal is closed or when it's reopened. If a user encounters an error, closes the modal, and reopens it, the previous error message will still be displayed. Consider adding a useEffect to reset the state when isOpen changes to false, or call an onClose callback that resets the state.

[ribaraka]

added reset effect to prevent stale state on reopen.

[Assem-Uber]

@ribaraka Sorry for the delay in getting back to you! I had some time off that kept me from looking into this sooner.

I’ve shared some feedback on the approach above, but please note that this feature will require a design document and discussion for broader review. Let me know today if you would like to continue that process; otherwise, I can pick it up and kick off the design documentation."

The design document should cover the following:

• High level design for UI auth life cycle.
• Behavior in different setups.
• Integration with backend and responsibilities of each.
• Security (Security measures that was taken in account)
• Usage (How users are going to get started with different setups)

[ribaraka]

Thank you for your review, @Assem-Uber!
I'd like to proceed further! I'll prepare a design doc soon.

[ribaraka]

@Assem-Uber, I have added the design doc, please reveiew

[ribaraka]

[Copilot]

Pull request overview

Copilot reviewed 40 out of 40 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

src/views/domains-page/helpers/get-all-domains.ts:69

• The failedClusters logic is incorrect. At line 68, it tries to find ANY rejected result in the results array, not the specific rejection for the current cluster. This means all clusters in failedClusters will have the same rejection (the first one found by find()), rather than their own specific rejection. The logic should match each cluster config with its corresponding result by index or cluster name. For example: rejection: results[CLUSTERS_CONFIGS.indexOf(config)] (if results are in the same order) or find by matching some cluster identifier.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Assem-Uber]

TODO: move this to separate file, we follow single component per file pattern.

[Assem-Uber]

TODO: move this type in a types file

[Assem-Uber]

TODO: overrides should be in styles file

[Assem-Uber]

nit: logout trigger is better naming

[Assem-Uber]

TODO: this type should be replaced and imported from the endpoint types

[Assem-Uber]

TODO: move this to fixtures and reuse it in different tests in other files

[ribaraka]

I am going to handle the TODOs and nits in another PR

[gitar-bot]

Code Review ⚠️ Changes requested 7 resolved / 11 findings

Role-based access control implementation for Cadence-web with 7 commits addressing auth and domain workflows. Three critical issues remain: x-forwarded-proto header trusted without proxy validation (appears twice), useUserInfo staleTime set to 0 causing excessive refetches, and POST /api/auth/token accepting already-expired JWTs without exp claim verification.

⚠️ Security: x-forwarded-proto trusted without proxy validation

📄 src/app/api/auth/token/route.ts:22-27 📄 src/components/app-nav-bar/app-nav-bar.tsx:157 📄 src/components/app-nav-bar/app-nav-bar.tsx:164 📄 src/utils/auth/schemas/cadence-jwt-claims-schema.ts:6 📄 src/route-handlers/auth-token/helpers/get-cookie-secure-attribute.ts:3-7 📄 src/route-handlers/auth-token/set-auth-token.ts:34 📄 src/route-handlers/auth-token/clear-auth-token.ts:19

In getCookieSecureAttribute, the x-forwarded-proto header is unconditionally trusted to determine the cookie's Secure flag. If the app is deployed without a reverse proxy that strips or overwrites this header, a client can send x-forwarded-proto: http over an HTTPS connection to force secure: false, causing the auth cookie to be sent over plaintext connections. Conversely, x-forwarded-proto: https over HTTP would set Secure but the cookie would never be sent back.

Consider either: (a) documenting this as a deployment requirement, (b) adding a config option to trust/ignore the header, or (c) defaulting to secure: true in production and only relaxing for development.

⚠️ Performance: staleTime: 0 on useUserInfo causes excessive refetches

📄 src/views/shared/hooks/use-user-info/use-user-info.ts:15 📄 src/components/app-nav-bar/hooks/use-auth-lifecycle.ts:10 📄 src/views/domain-workflows/domain-workflows.tsx:23 📄 src/views/shared/hooks/use-user-info/use-user-info.ts:9

The useUserInfo hook sets staleTime: 0, which overrides the project-wide default of staleTime: Infinity (set in react-query-provider.tsx specifically to prevent immediate client-side refetches in Next.js). Because refetchOnWindowFocus defaults to true in React Query, every tab focus event triggers a new /api/auth/me request. Additionally, every component mount treats cached data as stale and refetches. Since AppNavBar (always mounted at layout level) and DomainWorkflows both consume this hook, this creates unnecessary duplicate requests on page loads.

Consider using a reasonable staleTime (e.g., 30-60 seconds) or Infinity to align with the project default. The expiry-based logout timer in AppNavBar already handles token expiration, and the explicit refetch() calls in saveToken/logout ensure freshness after mutations.

Suggested fix

// use-user-info.ts
export default function useUserInfo() {
  return useQuery<PublicAuthContext, RequestError>({
    queryKey: ['auth-me'],
    queryFn: async () => {
      const res = await request('/api/auth/me', { method: 'GET' });
      return res.json();
    },
    staleTime: 60_000, // 1 minute; mutations call refetch() explicitly
  });
}

💡 Edge Case: POST /api/auth/token sets cookie for expired JWTs

📄 src/route-handlers/auth-token/set-auth-token.ts:21 📄 src/route-handlers/auth-token/schemas/token-request-body-schema.ts:3 📄 src/route-handlers/auth-token/set-auth-token.ts:19-33 📄 src/route-handlers/auth-token/schemas/token-request-body-schema.ts:1-15

The setAuthToken handler validates the JWT format (three dot-delimited base64url segments) but does not decode or check the exp claim. An already-expired token is accepted and persisted as an HttpOnly cookie. The user gets correct feedback (the subsequent /api/auth/me call returns isValidToken: false), but the round-trip is wasted and leaves a useless cookie on the client.

Consider decoding and checking exp server-side before setting the cookie to provide immediate 400 feedback.

💡 Quality: Deprecated act import from react-dom/test-utils

📄 src/views/domain-workflows/tests/domain-workflows.test.tsx:4 📄 src/views/domain-workflows/tests/domain-workflows.test.tsx:33-46

act imported from react-dom/test-utils is deprecated in React 18 and removed in React 19. The recommended import is import { act } from '@testing-library/react' (which your test file already imports render and screen from @/test-utils/rtl, likely re-exporting @testing-library/react).

Additionally, the try/catch-around-act pattern for asserting render errors is fragile — whether the error escapes act depends on React internals and can break across versions. The previous ErrorBoundary approach was more reliable and idiomatic for testing components that throw.

Suggested fix

import { act, render, screen } from '@/test-utils/rtl';
// or restore the ErrorBoundary pattern for error assertion

✅ 7 resolved

✅ Bug: doLogout finally-block redirects even when DELETE fails

📄 src/components/app-nav-bar/use-auth-lifecycle.ts:100-111
In doLogout, the finally block unconditionally calls refetch(), router.refresh(), router.replace('/domains'), and resets logoutInFlightRef. If the DELETE request fails (catch branch), logoutReasonRef is set to null, but the redirect still fires. This means:

1. A failed logout still redirects the user to /domains and refreshes the page, even though they're still authenticated.
2. If refetch() itself throws inside finally, logoutInFlightRef.current = false is never reached, permanently locking out all future logout attempts.

The finally block should only execute redirect/refresh logic on success, and the logoutInFlightRef reset should be guaranteed (e.g. in its own try/finally).

✅ Edge Case: Authenticated users get NO_ACCESS on domains with no groups

📄 src/utils/auth/auth-shared.ts:60-62
In getDomainAccessForUser, when a domain has neither READ_GROUPS nor WRITE_GROUPS configured (both empty), any authenticated non-admin user gets NO_ACCESS. This is a deny-by-default posture which may be surprising: domains that haven't been set up for RBAC become invisible to all non-admin users when auth is enabled. If the intent is that unconfigured domains should be readable by all authenticated users, this needs a change. If it's intentional, consider adding a test case to document this contract (the existing test at auth-context.test.ts:404 covers unauthenticated users but not authenticated non-admins with empty groups).

✅ Edge Case: POST /api/auth/token accepts already-expired JWTs

📄 src/app/api/auth/token/route.ts:49-61 📄 src/utils/auth/auth-context.ts:74-76 📄 src/components/app-nav-bar/app-nav-bar.tsx:164 📄 src/components/app-nav-bar/app-nav-bar.tsx:171
The POST handler validates JWT structure (3 base64url segments) but does not decode or check the exp claim. An expired JWT is stored in the cookie, and the user only discovers it's invalid on the next page load when resolveAuthContext silently drops the token. This could be confusing UX — the user sees { ok: true } but is immediately treated as unauthenticated.

Note: The client-side saveToken in use-auth-lifecycle.ts does refetch and check isAuthenticated after saving, showing an error snackbar. So the UX impact is limited to the API contract being misleading (returns 200 for expired tokens).

✅ Quality: Redundant try/catch that only re-throws in handleSaveToken

📄 src/components/app-nav-bar/app-nav-bar.tsx:95 📄 src/components/app-nav-bar/app-nav-bar.tsx:106
The handleSaveToken callback wraps its body in try { ... } catch (e) { throw e; }, which has no effect — the exception propagates identically without the try/catch. This adds visual noise and may confuse readers into thinking error handling was intended but left incomplete.

✅ Quality: Grammar issue in doc heading

📄 docs/auth-strategy-design.md:223
The heading was changed to ### One of possible Authorization Model which is grammatically incorrect. It should read ### One Possible Authorization Model or ### Example Authorization Model.

...and 2 more resolved from earlier reviews

🤖 Prompt for agents

Code Review: Role-based access control implementation for Cadence-web with 7 commits addressing auth and domain workflows. Three critical issues remain: x-forwarded-proto header trusted without proxy validation (appears twice), useUserInfo staleTime set to 0 causing excessive refetches, and POST /api/auth/token accepting already-expired JWTs without exp claim verification.

1. ⚠️ Security: x-forwarded-proto trusted without proxy validation
   Files: src/app/api/auth/token/route.ts:22-27, src/components/app-nav-bar/app-nav-bar.tsx:157, src/components/app-nav-bar/app-nav-bar.tsx:164, src/utils/auth/schemas/cadence-jwt-claims-schema.ts:6, src/route-handlers/auth-token/helpers/get-cookie-secure-attribute.ts:3-7, src/route-handlers/auth-token/set-auth-token.ts:34, src/route-handlers/auth-token/clear-auth-token.ts:19

   In `getCookieSecureAttribute`, the `x-forwarded-proto` header is unconditionally trusted to determine the cookie's `Secure` flag. If the app is deployed without a reverse proxy that strips or overwrites this header, a client can send `x-forwarded-proto: http` over an HTTPS connection to force `secure: false`, causing the auth cookie to be sent over plaintext connections. Conversely, `x-forwarded-proto: https` over HTTP would set `Secure` but the cookie would never be sent back.
   
   Consider either: (a) documenting this as a deployment requirement, (b) adding a config option to trust/ignore the header, or (c) defaulting to `secure: true` in production and only relaxing for development.

2. ⚠️ Performance: staleTime: 0 on useUserInfo causes excessive refetches
   Files: src/views/shared/hooks/use-user-info/use-user-info.ts:15, src/components/app-nav-bar/hooks/use-auth-lifecycle.ts:10, src/views/domain-workflows/domain-workflows.tsx:23, src/views/shared/hooks/use-user-info/use-user-info.ts:9

   The `useUserInfo` hook sets `staleTime: 0`, which overrides the project-wide default of `staleTime: Infinity` (set in `react-query-provider.tsx` specifically to prevent immediate client-side refetches in Next.js). Because `refetchOnWindowFocus` defaults to `true` in React Query, every tab focus event triggers a new `/api/auth/me` request. Additionally, every component mount treats cached data as stale and refetches. Since `AppNavBar` (always mounted at layout level) and `DomainWorkflows` both consume this hook, this creates unnecessary duplicate requests on page loads.
   
   Consider using a reasonable staleTime (e.g., 30-60 seconds) or `Infinity` to align with the project default. The expiry-based logout timer in `AppNavBar` already handles token expiration, and the explicit `refetch()` calls in `saveToken`/`logout` ensure freshness after mutations.

   Suggested fix:
   // use-user-info.ts
   export default function useUserInfo() {
     return useQuery<PublicAuthContext, RequestError>({
       queryKey: ['auth-me'],
       queryFn: async () => {
         const res = await request('/api/auth/me', { method: 'GET' });
         return res.json();
       },
       staleTime: 60_000, // 1 minute; mutations call refetch() explicitly
     });
   }

3. 💡 Edge Case: POST /api/auth/token sets cookie for expired JWTs
   Files: src/route-handlers/auth-token/set-auth-token.ts:21, src/route-handlers/auth-token/schemas/token-request-body-schema.ts:3, src/route-handlers/auth-token/set-auth-token.ts:19-33, src/route-handlers/auth-token/schemas/token-request-body-schema.ts:1-15

   The `setAuthToken` handler validates the JWT format (three dot-delimited base64url segments) but does not decode or check the `exp` claim. An already-expired token is accepted and persisted as an HttpOnly cookie. The user gets correct feedback (the subsequent `/api/auth/me` call returns `isValidToken: false`), but the round-trip is wasted and leaves a useless cookie on the client.
   
   Consider decoding and checking `exp` server-side before setting the cookie to provide immediate 400 feedback.

4. 💡 Quality: Deprecated `act` import from `react-dom/test-utils`
   Files: src/views/domain-workflows/__tests__/domain-workflows.test.tsx:4, src/views/domain-workflows/__tests__/domain-workflows.test.tsx:33-46

   `act` imported from `react-dom/test-utils` is deprecated in React 18 and removed in React 19. The recommended import is `import { act } from '@testing-library/react'` (which your test file already imports `render` and `screen` from `@/test-utils/rtl`, likely re-exporting `@testing-library/react`).
   
   Additionally, the try/catch-around-`act` pattern for asserting render errors is fragile — whether the error escapes `act` depends on React internals and can break across versions. The previous ErrorBoundary approach was more reliable and idiomatic for testing components that throw.

   Suggested fix:
   import { act, render, screen } from '@/test-utils/rtl';
   // or restore the ErrorBoundary pattern for error assertion

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change:

Auto-apply	Compact
gitar auto-apply:on	gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}

[Assem-Uber]

Guitar review comments are tracked in #1234