Access request workflow UI (still v0.13.0) #111
Merged
added 3 commits
April 23, 2026 13:30
When a user logs in successfully against the IDP but the Endpoint denies entry, the AuthGuard now holds the raw token in component state (never in localStorage) and offers a 'Request access' button below the 403 message.

Clicking it opens a small form with an optional justification; submitting calls POST /user/access-requests with the held token through a bare axios client and shows a success panel that tells the user an administrator will review the request.

Duplicate requests (409), feature-disabled deployments (503) and session-invalid errors (401/403) are translated into actionable messages inline rather than surfaced as generic failures.

The reciprocal token- and credentials-based login forms are hidden while the success panel is shown so the user is not invited to try again while a pending request already exists.

Both authAPI.setAndValidateToken and authAPI.login now attach a deniedToken property to the Error they raise on 403, letting the AuthGuard recover the token without asking the user to re-enter it.

Refs #110

Introduce a new admin-only page that lists access requests and lets the
administrator approve or reject each pending one from the browser.

- pages/AccessRequests.js: three-tab view (Pending, Approved, Rejected)
  backed by the backend list endpoint. For each pending row the admin
  can open an inline panel to either approve (choosing member or admin
  grant, with optional notes) or reject (with optional notes). Approved
  and rejected rows display decider, timestamp, grant and notes.
  Backend errors (403 non-admin, 503 disabled, AAI 4xx/502 on approve)
  are surfaced inline rather than swallowed.
- App.js: register the /access-requests route.
- components/Navigation.js: fetch /user/info on mount and show the new
  Access Requests link only when the user holds either ndp_admin or
  the endpoint-scoped {UUID}_admin role. A non-admin never sees the
  link in the top nav.

Refs #110

Summary

- localStorage, so an unauthorized user is never considered signed in. On success the screen replaces the error with a confirmation panel.
- `/access-requests`) lists pending, approved and rejected requests in three tabs. Administrators can approve a pending request with a `member` or `admin` grant (plus optional notes) or reject it (plus optional notes). Errors coming back from the AAI grant on approve (403 insufficient privileges, 404, 502) are surfaced inline.
- `/user/info` payload contains either `ndp_admin` or an endpoint-scoped admin role. Everyone else never sees the link.

Closes #110

Test plan

- `black --check --diff .` passes
- `flake8 api/ tests/ --max-line-length=88 --extend-ignore=E203,W503,E501,F401` passes
- member, user re-logs and enters the app) — to be done by the reviewer before releasing 0.13.0.

Notes

- `{AFFINITIES_EP_UUID}` must already exist in Keycloak before the first approve (same caveat documented in Access request workflow backend (v0.13.0) #109). Lazy group creation is still a candidate follow-up.
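
An added example (not code from this pull request) that models the denied-login flow described in the first commit as pure state transitions: the token recovered from a 403 lives only in an in-memory state object, and each outcome of POST /user/access-requests maps to a view and an inline message. The state shape, event names, the `status` field on the error, the `deniedError` helper and the message texts are assumptions.

```javascript
// Added example: hypothetical state model, not the project's AuthGuard.
const initial = { view: 'login', heldToken: null, message: null };

// Statuses the commit message names; the wording is an assumption.
const REQUEST_ERRORS = {
  409: 'An access request for this account is already pending.',
  503: 'Access requests are disabled on this deployment.',
  401: 'Your session is no longer valid. Please log in again.',
  403: 'Your session is no longer valid. Please log in again.',
};

// Stand-in for the Error authAPI raises on 403 (status field assumed).
const deniedError = (token) =>
  Object.assign(new Error('Access denied'), { status: 403, deniedToken: token });

function reduce(state, event) {
  switch (event.type) {
    case 'LOGIN_FAILED': {
      const { status, deniedToken } = event.error || {};
      // Only a 403 that carries a token opens the request form.
      if (status === 403 && typeof deniedToken === 'string' && deniedToken) {
        return { view: 'denied', heldToken: deniedToken, message: null };
      }
      return { ...initial, message: 'Login failed.' };
    }
    case 'REQUEST_DONE': {
      if (state.view !== 'denied') return state; // no held token to act on
      const { status } = event;
      if (status >= 200 && status < 300) {
        // Request recorded: the token is no longer needed, so drop it.
        return { view: 'submitted', heldToken: null, message: null };
      }
      if (status === 401 || status === 403) {
        // Stale token: discard it and send the user back to login.
        return { ...initial, message: REQUEST_ERRORS[status] };
      }
      // 409, 503 and anything else keep the form open with a message.
      const message = REQUEST_ERRORS[status] || 'Request failed. Try again later.';
      return { ...state, message };
    }
    default:
      return state;
  }
}

// Login forms stay hidden while the success panel is shown.
const showLoginForms = (state) => state.view !== 'submitted';
```

Because the token exists only inside the state object, a page reload discards it, and no transition here marks the user as signed in.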