feat(console): OAuth client rotation/revoke UI + secret status [v1.10.0] #18
Consumes package v1.10.0. Application Details gains an "OAuth client" section: shows client_id + secret_status badge (ok/expiring/expired/revoked/public), secret_expires_at, and a grace-until badge during a rollover. Actions: Rotate secret (issues a new one shown once, old kept for the grace window — zero downtime) and Revoke client. IamRolesSeeder gains iam:clients.manage (drift-guard + super-admin role).
Green: SPA build (tsc) + oxlint, php artisan test 19/19 (drift-guard), pint, Playwright golden-path (now onboards an app AND rotates its client secret end to end).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 90bca0d4fc
| const res = await apiPost<Row>(`applications/${encodeURIComponent(appKey)}/rotate-secret`) | ||
| setNewSecret(asText(pick(res, ['client_secret']))) | ||
| toast.success('Secret rotated — the old one stays valid during the grace window.') | ||
| void load() |
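Review bot: toast.success(...) runs unconditionally right after setNewSecret(asText(pick(res, ['client_secret']))), and nothing in these lines checks that the response actually carried a client_secret. If that field is missing, the operator is told the rotation succeeded while there may be no secret on screen to copy. Check that the picked value is non-empty before setting state and showing the success toast, and show an error otherwise.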
Keep the rotated secret visible if refresh fails
When the rotate POST has already succeeded, this immediate load() can still fail independently (for example a transient network/server error or session redirect). load() sets loading and then failed, and the render path returns null, so the one-time newSecret from the successful response disappears before the operator can copy it. Because that secret cannot be fetched again, keep the rotate response visible and refresh the status without hiding the credentials on a refresh failure.
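The failure mode described in the review comment above, as an added example that is not code from this pull request or its repository: the panel is modelled as a pure state reducer in which the one-time secret has its own slot, so a failed status refresh flags a warning without clearing it. All type, event and function names (`PanelState`, `PanelEvent`, `step`, `view`, `replay`) and the `Status` shape are hypothetical.

```typescript
// Added example (hypothetical names throughout; not the PR's code).
// The one-time secret lives in its own slot that a failed refresh cannot clear.
type Status = { clientId: string; secretStatus: string }; // assumed shape

type PanelState = {
  status: Status | null;    // last successfully loaded client status
  refreshFailed: boolean;   // the most recent load() failed
  newSecret: string | null; // shown once after rotate; cannot be fetched again
};

type PanelEvent =
  | { type: 'loaded'; status: Status }
  | { type: 'loadFailed' }
  | { type: 'rotated'; clientSecret: string }
  | { type: 'secretAcknowledged' }; // operator confirms the secret was copied

const initialState: PanelState = { status: null, refreshFailed: false, newSecret: null };

function step(s: PanelState, e: PanelEvent): PanelState {
  switch (e.type) {
    case 'loaded':
      return { ...s, status: e.status, refreshFailed: false };
    case 'loadFailed':
      // Only flag the failure; stale status and newSecret both survive.
      return { ...s, refreshFailed: true };
    case 'rotated':
      return { ...s, newSecret: e.clientSecret };
    case 'secretAcknowledged':
      return { ...s, newSecret: null };
  }
}

// What the section renders; null only when there is nothing at all to show.
function view(s: PanelState): string[] | null {
  if (s.status === null && s.newSecret === null) return null;
  const out: string[] = [];
  if (s.newSecret !== null) out.push('secret:' + s.newSecret);
  if (s.status !== null) out.push('status:' + s.status.secretStatus);
  if (s.refreshFailed) out.push('warning:status refresh failed');
  return out;
}

function replay(events: PanelEvent[]): PanelState {
  return events.reduce(step, initialState);
}
```

The secret is cleared only by the explicit `secretAcknowledged` event, never as a side effect of a load outcome.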
Consumes v1.10.0: Applications Details shows OAuth client secret status + Rotate (zero-downtime) / Revoke actions. IamRolesSeeder gains iam:clients.manage. Green: build+lint, 19 tests, E2E (onboard + rotate).