feat: Add Dashboard functionality and integrate Forum Notification Widget

- Implemented Dashboard access policies and authorization handlers.
- Created DashboardController to manage dashboard data retrieval and rendering.
- Added DashboardViewModel to aggregate data from multiple sources for the dashboard.
- Developed Index view for the dashboard with summary cards, server health, and moderation trends.
- Introduced a Forum Notification Widget for Invision Community integration, including HMAC token generation and API interaction.
- Enhanced navigation to include access to the Dashboard.
- Updated map rotation views to improve user experience and error handling.
- Added CSS and JavaScript for the notification widget to ensure proper styling and functionality.

Author: frasermolyneux

docs/forum-notification-widget.md

@@ -0,0 +1,163 @@
+# Forum Notification Widget — Invision Community Integration
+
+## Overview
+
+This document describes how to embed the XtremeIdiots Portal notification widget on the xtremeidiots.com Invision Community forum. The widget shows personalised notifications for logged-in forum users and a public activity feed for guests.
+
+## Prerequisites
+
+1. The HMAC shared secret must be configured in both:
+   - **Portal**: via Azure App Configuration key `XtremeIdiots:ExternalWidget:HmacSecret` (auto-provisioned by portal-environments Terraform)
+   - **Forum**: as a custom Invision Community setting (see step 2 below)
+
+2. The portal must be deployed with the external notifications API (`/api/external/notifications`)
+
+## Step 1: Add the HMAC Secret to Invision Community
+
+1. Go to **ACP → System → Settings** (or use a custom plugin settings page)
+2. Add a custom setting:
+   - **Key**: `portal_hmac_secret`
+   - **Value**: Copy the HMAC secret from Azure Key Vault (`external-widget-hmac-secret` in the shared Key Vault)
+
+> **Important**: The secret value must match exactly between the portal and forum. After the initial Terraform apply, retrieve the value from Azure Key Vault and paste it into the forum setting.
+
+## Step 2: Add the Widget to the Forum Template
+
+Edit the Invision Community theme template where you want the widget to appear (e.g., sidebar, footer, or a custom page block).
+
+### Option A: Global Template (sidebar on all pages)
+
+Edit the **globalTemplate** or **sidebar** template in your theme:
+
+```html
+{{if member.member_id}}
+    <?php
+        $secret = \IPS\Settings::i()->portal_hmac_secret;
+        $memberId = \IPS\Member::loggedIn()->member_id;
+        $timestamp = time();
+        $hmac = hash_hmac('sha256', "{$memberId}:{$timestamp}", $secret);
+        $token = base64_encode("{$memberId}:{$timestamp}:{$hmac}");
+    ?>
+    <div id="portal-notifications-widget"
+         data-token="<?php echo $token; ?>"
+         data-portal-url="https://portal.xtremeidiots.com">
+    </div>
+{{else}}
+    <div id="portal-notifications-widget"
+         data-token=""
+         data-portal-url="https://portal.xtremeidiots.com">
+    </div>
+{{endif}}
+<script src="https://portal.xtremeidiots.com/js/forum-widget.js" defer></script>
+```
+
+### Option B: Using an Invision Community Plugin Hook
+
+If you prefer not to mix PHP into templates, create a simple plugin:
+
+**File: `hooks/portalWidget.php`**
+```php
+class portalWidget
+{
+    public function globalTemplate($html)
+    {
+        $member = \IPS\Member::loggedIn();
+        $token = '';
+
+        if ($member->member_id) {
+            $secret = \IPS\Settings::i()->portal_hmac_secret;
+            $memberId = $member->member_id;
+            $timestamp = time();
+            $hmac = hash_hmac('sha256', "{$memberId}:{$timestamp}", $secret);
+            $token = base64_encode("{$memberId}:{$timestamp}:{$hmac}");
+        }
+
+        $widget = <<<HTML
+<div id="portal-notifications-widget"
+     data-token="{$token}"
+     data-portal-url="https://portal.xtremeidiots.com">
+</div>
+<script src="https://portal.xtremeidiots.com/js/forum-widget.js" defer></script>
+HTML;
+
+        // Insert before </body>
+        return str_replace('</body>', $widget . '</body>', $html);
+    }
+}
+```
+
+### Option C: Custom HTML Block (simplest)
+
+If you just want a quick test, use the **Pages** app or a **Custom Block**:
+
+1. Go to **ACP → Pages → Blocks → Create New Block**
+2. Choose **Custom HTML**
+3. Paste:
+```html
+<?php
+$token = '';
+$member = \IPS\Member::loggedIn();
+if ($member->member_id) {
+    $secret = \IPS\Settings::i()->portal_hmac_secret;
+    $memberId = $member->member_id;
+    $timestamp = time();
+    $hmac = hash_hmac('sha256', "{$memberId}:{$timestamp}", $secret);
+    $token = base64_encode("{$memberId}:{$timestamp}:{$hmac}");
+}
+?>
+<div id="portal-notifications-widget"
+     data-token="<?php echo $token; ?>"
+     data-portal-url="https://portal.xtremeidiots.com">
+</div>
+<script src="https://portal.xtremeidiots.com/js/forum-widget.js" defer></script>
+```
+4. Place the block in your desired sidebar/widget area
+
+## How It Works
+
+1. **Token generation** (forum-side): When a logged-in forum user loads a page, the PHP template generates an HMAC-SHA256 signed token containing their forum member ID and a Unix timestamp, signed with the shared secret.
+
+2. **Token format**: `Base64({forumMemberId}:{timestampUnix}:{hmacHex})`
+
+3. **Widget load**: The JavaScript widget (`forum-widget.js`) reads the token from the `data-token` attribute and calls the portal API.
+
+4. **API response**:
+   - **No token / invalid token**: Returns a public feed (recent admin actions)
+   - **Valid token**: Portal maps the forum member ID to a UserProfile, returns personalised notifications scoped to the user's permissions
+
+5. **Polling**: For authenticated users, the widget polls every 60 seconds for new notifications.
+
+6. **Security**: Tokens expire after 5 minutes, preventing replay attacks. The HMAC signature prevents token forgery.
+
+## Widget Features
+
+- **Unread count badge** with notification bell
+- **Notification list** with title, message, and relative timestamps
+- **Mark as read** on click (individual) and "Read all" button
+- **Unclaimed actions banner** for admins with pending actions
+- **"View all in Portal"** link to the full notifications page
+- **Graceful degradation** — shows public feed if not authenticated
+- **Self-contained** — no jQuery or other dependencies required
+- **Responsive** — max-width 400px, fits sidebar widgets
+
+## Styling
+
+The widget injects its own CSS with `xi-pw-` prefixed class names to avoid conflicts with the forum theme. The default styling uses a neutral colour scheme that should work with most themes.
+
+To customise, override the styles in your forum theme CSS:
+```css
+/* Example: match dark theme */
+.xi-portal-widget { background: #1a1a2e; color: #eee; border-color: #333; }
+.xi-pw-header { background: #16213e; }
+.xi-pw-item { color: #ddd; border-bottom-color: #333; }
+.xi-pw-item:hover { background: #1a1a2e; color: #fff; }
+```
+
+## Troubleshooting
+
+| Issue | Cause | Fix |
+|-------|-------|-----|
+| Widget shows "Portal URL not configured" | Missing `data-portal-url` attribute | Ensure the attribute is set in the template |
+| Widget shows "Unable to load notifications" | CORS or network error | Check browser console; verify portal CORS allows the forum domain |
+| All users see public feed only | HMAC secret mismatch | Ensure the forum `portal_hmac_secret` matches the Azure Key Vault value |
+| Token always expired | Server clock drift | Ensure both servers have NTP synced clocks (±1 minute tolerance) |

src/XtremeIdiots.Portal.Web/Auth/Constants/AuthPolicies.cs

@@ -47,6 +47,9 @@ public static class AuthPolicies
     // Home policies
     public const string AccessHome = nameof(AccessHome);
 
+    // Dashboard policies
+    public const string AccessDashboard = nameof(AccessDashboard);
+
     // Profile policies
     public const string AccessProfile = nameof(AccessProfile);
 

src/XtremeIdiots.Portal.Web/Auth/Handlers/DashboardAuthHandler.cs

@@ -0,0 +1,25 @@
+using Microsoft.AspNetCore.Authorization;
+using XtremeIdiots.Portal.Web.Auth.Requirements;
+
+namespace XtremeIdiots.Portal.Web.Auth.Handlers;
+
+/// <summary>
+/// Handles authorization requirements for dashboard access.
+/// The dashboard is read-only overview data, accessible to any admin role.
+/// </summary>
+public class DashboardAuthHandler : IAuthorizationHandler
+{
+    public Task HandleAsync(AuthorizationHandlerContext context)
+    {
+        foreach (var requirement in context.PendingRequirements)
+        {
+            if (requirement is AccessDashboard)
+            {
+                BaseAuthorizationHelper.CheckClaimTypes(context, requirement,
+                    BaseAuthorizationHelper.ClaimGroups.ServerAdminAccessLevels);
+            }
+        }
+
+        return Task.CompletedTask;
+    }
+}

src/XtremeIdiots.Portal.Web/Auth/Requirements/DashboardAuthRequirements.cs

@@ -0,0 +1,10 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace XtremeIdiots.Portal.Web.Auth.Requirements;
+
+/// <summary>
+/// Authorization requirement for accessing the admin dashboard
+/// </summary>
+public class AccessDashboard : IAuthorizationRequirement
+{
+}

src/XtremeIdiots.Portal.Web/Controllers/DashboardController.cs

@@ -0,0 +1,88 @@
+using Microsoft.ApplicationInsights;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+using XtremeIdiots.Portal.Repository.Api.Client.V1;
+using XtremeIdiots.Portal.Web.Auth.Constants;
+using XtremeIdiots.Portal.Web.Extensions;
+using XtremeIdiots.Portal.Web.Services;
+using XtremeIdiots.Portal.Web.ViewModels;
+
+namespace XtremeIdiots.Portal.Web.Controllers;
+
+/// <summary>
+/// Controller for the admin dashboard, providing an at-a-glance operational overview.
+/// </summary>
+[Authorize(Policy = AuthPolicies.AccessDashboard)]
+public class DashboardController(
+    IRepositoryApiClient repositoryApiClient,
+    IAgentTelemetryService agentTelemetryService,
+    TelemetryClient telemetryClient,
+    ILogger<DashboardController> logger,
+    IConfiguration configuration) : BaseController(telemetryClient, logger, configuration)
+{
+    /// <summary>
+    /// Displays the admin dashboard with summary cards, server health, moderation trends, and admin leaderboard.
+    /// </summary>
+    [HttpGet]
+    public async Task<IActionResult> Index(CancellationToken cancellationToken = default)
+    {
+        return await ExecuteWithErrorHandlingAsync(async () =>
+        {
+            var viewModel = new DashboardViewModel();
+
+            // Fetch all data sources in parallel
+            var summaryTask = repositoryApiClient.Dashboard.V1.GetDashboardSummary(cancellationToken);
+            var leaderboardTask = repositoryApiClient.Dashboard.V1.GetAdminLeaderboard(30, cancellationToken);
+            var trendTask = repositoryApiClient.Dashboard.V1.GetModerationTrend(30, cancellationToken);
+            var utilizationTask = repositoryApiClient.Dashboard.V1.GetServerUtilization(cancellationToken);
+
+            await Task.WhenAll(summaryTask, leaderboardTask, trendTask, utilizationTask).ConfigureAwait(false);
+
+            // Summary
+            var summaryResponse = await summaryTask.ConfigureAwait(false);
+            if (summaryResponse.IsSuccess && summaryResponse.Result?.Data is not null)
+            {
+                viewModel.Summary = summaryResponse.Result.Data;
+            }
+
+            // Admin leaderboard
+            var leaderboardResponse = await leaderboardTask.ConfigureAwait(false);
+            if (leaderboardResponse.IsSuccess && leaderboardResponse.Result?.Data?.Items is not null)
+            {
+                viewModel.AdminLeaderboard = [.. leaderboardResponse.Result.Data.Items];
+            }
+
+            // Moderation trend
+            var trendResponse = await trendTask.ConfigureAwait(false);
+            if (trendResponse.IsSuccess && trendResponse.Result?.Data?.Items is not null)
+            {
+                viewModel.ModerationTrend = [.. trendResponse.Result.Data.Items];
+            }
+
+            // Server utilization
+            var utilizationResponse = await utilizationTask.ConfigureAwait(false);
+            if (utilizationResponse.IsSuccess && utilizationResponse.Result?.Data is not null)
+            {
+                viewModel.ServerUtilization = utilizationResponse.Result.Data;
+            }
+
+            // Agent telemetry (non-critical — dashboard renders without it)
+            try
+            {
+                viewModel.AgentStatuses = await agentTelemetryService.GetAllServersStatusAsync(cancellationToken).ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                Logger.LogWarning(ex, "Failed to retrieve agent telemetry for dashboard");
+                viewModel.AgentTelemetryUnavailable = true;
+            }
+
+            TrackSuccessTelemetry("DashboardLoaded", nameof(Index));
+
+            Logger.LogInformation("User {UserId} loaded admin dashboard", User.XtremeIdiotsId());
+
+            return View(viewModel);
+        }, nameof(Index)).ConfigureAwait(false);
+    }
+}

src/XtremeIdiots.Portal.Web/Extensions/PolicyExtensions.cs

@@ -44,6 +44,8 @@ public static void AddXtremeIdiotsPolicies(this AuthorizationOptions options)
 
         options.AddPolicy(AuthPolicies.AccessHome, policy => policy.Requirements.Add(new AccessHome()));
 
+        options.AddPolicy(AuthPolicies.AccessDashboard, policy => policy.Requirements.Add(new AccessDashboard()));
+
         options.AddPolicy(AuthPolicies.AccessProfile, policy => policy.Requirements.Add(new AccessProfile()));
 
         options.AddPolicy(AuthPolicies.AccessMaps, policy => policy.Requirements.Add(new AccessMaps()));

src/XtremeIdiots.Portal.Web/Extensions/ServiceCollectionExtensions.cs

@@ -16,6 +16,7 @@ public static void AddXtremeIdiotsAuth(this IServiceCollection services)
         services.AddSingleton<IAuthorizationHandler, CredentialsAuthHandler>();
         services.AddSingleton<IAuthorizationHandler, DemosAuthHandler>();
         services.AddSingleton<IAuthorizationHandler, GameServersAuthHandler>();
+        services.AddSingleton<IAuthorizationHandler, DashboardAuthHandler>();
         services.AddSingleton<IAuthorizationHandler, HomeAuthHandler>();
         services.AddSingleton<IAuthorizationHandler, ProfileAuthHandler>();
         services.AddSingleton<IAuthorizationHandler, MapsAuthHandler>();

src/XtremeIdiots.Portal.Web/ViewModels/DashboardViewModel.cs

@@ -0,0 +1,40 @@
+using XtremeIdiots.Portal.Repository.Abstractions.Models.V1.Dashboard;
+using XtremeIdiots.Portal.Web.Services;
+
+namespace XtremeIdiots.Portal.Web.ViewModels;
+
+/// <summary>
+/// View model for the admin dashboard, aggregating data from multiple API sources.
+/// </summary>
+public class DashboardViewModel
+{
+    /// <summary>
+    /// Aggregated summary counts from the repository API (servers, players, bans, reports, actions).
+    /// </summary>
+    public DashboardSummaryDto? Summary { get; set; }
+
+    /// <summary>
+    /// Admin activity leaderboard entries.
+    /// </summary>
+    public List<AdminLeaderboardEntryDto> AdminLeaderboard { get; set; } = [];
+
+    /// <summary>
+    /// Daily moderation action counts for trend visualisation.
+    /// </summary>
+    public List<ModerationTrendDataPointDto> ModerationTrend { get; set; } = [];
+
+    /// <summary>
+    /// Per-server utilization data (avg/peak players).
+    /// </summary>
+    public ServerUtilizationCollectionDto? ServerUtilization { get; set; }
+
+    /// <summary>
+    /// Agent telemetry summaries for all servers (from Application Insights, not the repository API).
+    /// </summary>
+    public IReadOnlyList<AgentServerSummary> AgentStatuses { get; set; } = [];
+
+    /// <summary>
+    /// True if agent telemetry data failed to load.
+    /// </summary>
+    public bool AgentTelemetryUnavailable { get; set; }
+}