katieperry4
diff --git a/‎backend/src/__tests__/jwtUtils.spec.ts‎
Lines changed: 123 additions & 0 deletions b/‎backend/src/__tests__/jwtUtils.spec.ts‎
Lines changed: 123 additions & 0 deletions
diff --git a/‎backend/src/routes/api/notebooks/utils.ts‎
Lines changed: 1 addition & 7 deletions b/‎backend/src/routes/api/notebooks/utils.ts‎
Lines changed: 1 addition & 7 deletions
diff --git a/‎backend/src/routes/api/route/index.ts‎
Lines changed: 0 additions & 17 deletions b/‎backend/src/routes/api/route/index.ts‎
Lines changed: 0 additions & 17 deletions
diff --git a/‎backend/src/routes/api/status/adminAllowedUsers.ts‎
Lines changed: 42 additions & 86 deletions b/‎backend/src/routes/api/status/adminAllowedUsers.ts‎
Lines changed: 42 additions & 86 deletions
diff --git a/‎backend/src/routes/api/status/statusUtils.ts‎
Lines changed: 5 additions & 1 deletion b/‎backend/src/routes/api/status/statusUtils.ts‎
Lines changed: 5 additions & 1 deletion
@@ -0,0 +1,123 @@
+/* eslint-disable no-restricted-properties */
+// Disabling no-restricted-properties for this test file as we need Buffer.toString()
+// for base64url encoding to create test JWT tokens
+import { extractUsernameFromJWT, getUsernameFromToken } from '../utils/jwtUtils';
+import { FastifyRequest } from 'fastify';
+
+// Helper function to create base64url encoded JWT tokens for testing
+const createTestToken = (payload: object): string => {
+  const payloadString = JSON.stringify(payload);
+  const base64 = Buffer.from(payloadString).toString('base64');
+  const base64url = base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+  return `header.${base64url}.signature`;
+};
+
+describe('JWT Username Extraction', () => {
+  describe('extractUsernameFromJWT', () => {
+    it('should extract username from preferred_username claim', () => {
+      const token = createTestToken({
+        preferred_username: 'testuser',
+        sub: 'some-uuid',
+      });
+
+      const username = extractUsernameFromJWT(token);
+      expect(username).toBe('testuser');
+    });
+
+    it('should fallback to username claim', () => {
+      const token = createTestToken({
+        username: 'testuser',
+        sub: 'some-uuid',
+      });
+
+      const username = extractUsernameFromJWT(token);
+      expect(username).toBe('testuser');
+    });
+
+    it('should fallback to sub claim', () => {
+      const token = createTestToken({
+        sub: 'user@example.com',
+      });
+
+      const username = extractUsernameFromJWT(token);
+      expect(username).toBe('user@example.com');
+    });
+
+    it('should fallback to email claim (before @)', () => {
+      const token = createTestToken({
+        email: 'testuser@example.com',
+      });
+
+      const username = extractUsernameFromJWT(token);
+      expect(username).toBe('testuser');
+    });
+
+    it('should handle invalid tokens gracefully', () => {
+      const username = extractUsernameFromJWT('invalid-token');
+      expect(username).toBeNull();
+    });
+
+    it('should handle malformed tokens gracefully', () => {
+      const username = extractUsernameFromJWT('header.payload');
+      expect(username).toBeNull();
+    });
+
+    it('should handle invalid JSON in payload', () => {
+      // Manually create an invalid token with non-JSON payload
+      const invalidPayload = 'not-json';
+      const base64 = Buffer.from(invalidPayload).toString('base64');
+      const base64url = base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+      const token = `header.${base64url}.signature`;
+
+      const username = extractUsernameFromJWT(token);
+      expect(username).toBeNull();
+    });
+
+    it('should return null if no username claims present', () => {
+      const token = createTestToken({
+        iss: 'https://issuer.example.com',
+        aud: 'my-app',
+      });
+
+      const username = extractUsernameFromJWT(token);
+      expect(username).toBeNull();
+    });
+  });
+
+  describe('getUsernameFromToken', () => {
+    it('should extract username from request headers', () => {
+      const token = createTestToken({
+        preferred_username: 'testuser',
+      });
+
+      const mockRequest = {
+        headers: {
+          'x-forwarded-access-token': token,
+        },
+      } as unknown as FastifyRequest;
+
+      const username = getUsernameFromToken(mockRequest);
+      expect(username).toBe('testuser');
+    });
+
+    it('should return null if token header is missing', () => {
+      const mockRequest = {
+        headers: {},
+      } as FastifyRequest;
+
+      const username = getUsernameFromToken(mockRequest);
+      expect(username).toBeNull();
+    });
+
+    it('should return null if token is invalid', () => {
+      const mockRequest = {
+        headers: {
+          'x-forwarded-access-token': 'invalid-token',
+        },
+      } as unknown as FastifyRequest;
+
+      const username = getUsernameFromToken(mockRequest);
+      expect(username).toBeNull();
+    });
+  });
+});
@@ -8,29 +8,23 @@ import {
   generateNotebookNameFromUsername,
   getNamespaces,
   getNotebook,
-  getRoute,
   updateNotebook,
 } from '../../../utils/notebookUtils';
 
 export const getNotebookStatus = async (
   fastify: KubeFastifyInstance,
   namespace: string,
   name: string,
-): Promise<{ notebook: Notebook; isRunning: boolean; podUID: string; notebookLink: string }> => {
+): Promise<{ notebook: Notebook; isRunning: boolean; podUID: string }> => {
   const notebook = await getNotebook(fastify, namespace, name);
   const hasStopAnnotation = !!notebook.metadata.annotations?.['kubeflow-resource-stopped'];
   const [isRunning, podUID] = hasStopAnnotation
     ? [false, '']
     : await listNotebookStatus(fastify, namespace, name);
-  const route = await getRoute(fastify, namespace, name).catch((e) => {
-    fastify.log.warn(`Failed getting route ${notebook.metadata.name}: ${e.message}`);
-    return undefined;
-  });
   return {
     notebook,
     isRunning,
     podUID,
-    notebookLink: route ? `https://${route.spec.host}/notebook/${namespace}/${name}` : '',
   };
 };
 
 
@@ -1,68 +1,21 @@
 import { FastifyRequest } from 'fastify';
 import { KubeFastifyInstance } from '../../../types';
 import { getUserInfo } from '../../../utils/userUtils';
-import {
-  getAdminUserList,
-  getAllowedUserList,
-  getClusterAdminUserList,
-  isUserAdmin,
-  KUBE_SAFE_PREFIX,
-} from '../../../utils/adminUtils';
+import { isUserAdmin, KUBE_SAFE_PREFIX } from '../../../utils/adminUtils';
 import { getNotebooks } from '../../../utils/notebookUtils';
 
 type AllowedUser = {
   username: string;
   privilege: 'Admin' | 'User';
   lastActivity: string;
 };
-type AllowedUserMap = { [username: string]: AllowedUser };
-type UserActivityMap = { [username: string]: string };
 
-const convertUserListToMap = (
-  userList: string[],
-  privilege: 'Admin' | 'User',
-  activityMap: UserActivityMap,
-): AllowedUserMap =>
-  userList.reduce<AllowedUserMap>((acc, rawUsername) => {
-    let username = rawUsername;
-    if (username.startsWith(KUBE_SAFE_PREFIX)) {
-      // Users who start with this designation are non-k8s names
-      username = username.slice(KUBE_SAFE_PREFIX.length);
-    }
-
-    return {
-      ...acc,
-      [username]: { username, privilege, lastActivity: activityMap[username] ?? null },
-    };
-  }, {});
-
-const getUserActivityFromNotebook = async (
-  fastify: KubeFastifyInstance,
-  namespace: string,
-): Promise<UserActivityMap> => {
-  const notebooks = await getNotebooks(fastify, namespace);
-
-  return notebooks.items
-    .map<[string | undefined, string | undefined]>((notebook) => [
-      notebook.metadata.annotations?.['opendatahub.io/username'],
-      notebook.metadata.annotations?.['notebooks.kubeflow.org/last-activity'] ||
-        notebook.metadata.annotations?.['kubeflow-resource-stopped'] ||
-        'Now',
-    ])
-    .filter(
-      (arr): arr is [string, string] =>
-        Array.isArray(arr) && typeof arr[0] === 'string' && typeof arr[1] === 'string',
-    )
-    .reduce<UserActivityMap>(
-      (acc, [username, lastActivity]) => ({
-        ...acc,
-        [username]: lastActivity,
-      }),
-      {},
-    );
-};
-
-/** @deprecated -- Jupyter Tile reliance; group and user fetching is incompatible with OpenShift Console growth */
+/**
+ * Get list of users with active notebooks (Group API independent).
+ * This works in both traditional OpenShift and BYO OIDC environments.
+ *
+ * @deprecated -- Jupyter Tile reliance; limited functionality in BYO OIDC
+ */
 export const getAllowedUsers = async (
   fastify: KubeFastifyInstance,
   request: FastifyRequest<{ Params: { namespace: string } }>,
@@ -71,43 +24,46 @@ export const getAllowedUsers = async (
   const userInfo = await getUserInfo(fastify, request);
   const currentUser = userInfo.userName;
   const isAdmin = await isUserAdmin(fastify, request);
+
   if (!isAdmin) {
-    // Privileged call -- return nothing
-    fastify.log.warn(
-      `A request for all allowed users & their status was made as a non Admin (by ${currentUser})`,
-    );
+    fastify.log.warn(`A request for all allowed users was made as a non Admin (by ${currentUser})`);
     return [];
   }
 
-  const activityMap = await getUserActivityFromNotebook(fastify, namespace);
+  // Get users from notebook resources only (no Group API required)
+  const notebooks = await getNotebooks(fastify, namespace);
+
+  const usersMap = new Map<string, AllowedUser>();
+
+  for (const notebook of notebooks.items) {
+    let username = notebook.metadata.annotations?.['opendatahub.io/username'];
+    if (!username) {
+      continue;
+    }
+
+    // Handle kube-safe prefix
+    if (username.startsWith(KUBE_SAFE_PREFIX)) {
+      const buffer = Buffer.from(username.slice(KUBE_SAFE_PREFIX.length), 'base64');
+      username = String(buffer);
+    }
 
-  const withNotebookUsers = Object.keys(activityMap);
-  // TODO: Move away from this group listing design...
-  const adminUsers = await getAdminUserList(fastify);
-  const allowedUsers = await getAllowedUserList(fastify);
-  // get cluster admins that have a notebook
-  const clusterAdminUsers = (await getClusterAdminUserList(fastify)).filter((user) =>
-    withNotebookUsers.includes(user),
-  );
+    const lastActivity =
+      notebook.metadata.annotations?.['notebooks.kubeflow.org/last-activity'] ||
+      notebook.metadata.annotations?.['kubeflow-resource-stopped'] ||
+      'Now';
 
-  const usersWithNotebooksMap: AllowedUserMap = convertUserListToMap(
-    withNotebookUsers,
-    'User',
-    activityMap,
-  );
-  const allowedUsersMap: AllowedUserMap = convertUserListToMap(allowedUsers, 'User', activityMap);
-  const adminUsersMap: AllowedUserMap = convertUserListToMap(adminUsers, 'Admin', activityMap);
-  const clusterAdminUsersMap: AllowedUserMap = convertUserListToMap(
-    clusterAdminUsers,
-    'Admin',
-    activityMap,
-  );
+    // In BYO OIDC, we can't determine admin status from Groups
+    // Default to 'User' unless explicitly marked
+    const isNotebookOwnerAdmin = notebook.metadata.labels?.['opendatahub.io/user-type'] === 'admin';
+
+    const existing = usersMap.get(username);
+    const privilege = existing?.privilege === 'Admin' || isNotebookOwnerAdmin ? 'Admin' : 'User';
+    usersMap.set(username, {
+      username,
+      privilege,
+      lastActivity,
+    });
+  }
 
-  const returnUsers: AllowedUserMap = {
-    ...usersWithNotebooksMap,
-    ...allowedUsersMap,
-    ...adminUsersMap,
-    ...clusterAdminUsersMap,
-  };
-  return Object.values(returnUsers);
+  return Array.from(usersMap.values());
 };
@@ -4,6 +4,7 @@ import { getUserInfo } from '../../../utils/userUtils';
 import { createCustomError } from '../../../utils/requestUtils';
 import { isUserAdmin, isUserAllowed } from '../../../utils/adminUtils';
 import { isImpersonating } from '../../../devFlags';
+import { getSegmentUserId } from '../../../utils/segmentUtils';
 
 export const status = async (
   fastify: KubeFastifyInstance,
@@ -19,10 +20,13 @@ export const status = async (
 
   const { server } = currentCluster;
 
-  const { userName, userID } = await getUserInfo(fastify, request);
+  const { userName, userID: devSandboxUserId } = await getUserInfo(fastify, request);
   const isAdmin = await isUserAdmin(fastify, request);
   const isAllowed = isAdmin ? true : await isUserAllowed(fastify, request);
 
+  // Get segment user ID with fallbacks
+  const userID = devSandboxUserId || (await getSegmentUserId(fastify, request, userName));
+
   if (!kubeContext && !kubeContext.trim()) {
     const error = createCustomError(
       'failed to get kube status',