@eventcatalog/core 2.43.5 → 2.44.0

package/dist/analytics/analytics.cjs

@@ -37,7 +37,7 @@ var import_axios = __toESM(require("axios"), 1);
 var import_os = __toESM(require("os"), 1);
 
 // package.json
-var version = "2.43.5";
+var version = "2.44.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/analytics/analytics.js

@@ -1,7 +1,7 @@
 import {
   raiseEvent
-} from "../chunk-FLVILMI6.js";
-import "../chunk-JVRNO62X.js";
+} from "../chunk-NUHIER2H.js";
+import "../chunk-C4NENBPQ.js";
 export {
   raiseEvent
 };

package/dist/analytics/log-build.cjs

@@ -106,7 +106,7 @@ var import_axios = __toESM(require("axios"), 1);
 var import_os = __toESM(require("os"), 1);
 
 // package.json
-var version = "2.43.5";
+var version = "2.44.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/analytics/log-build.js

@@ -1,8 +1,8 @@
 import {
   log_build_default
-} from "../chunk-ROUO6U5X.js";
-import "../chunk-FLVILMI6.js";
-import "../chunk-JVRNO62X.js";
+} from "../chunk-MF3FQSRF.js";
+import "../chunk-NUHIER2H.js";
+import "../chunk-C4NENBPQ.js";
 import "../chunk-E7TXTI7G.js";
 export {
   log_build_default as default

package/dist/{chunk-JVRNO62X.js → chunk-C4NENBPQ.js}

@@ -1,5 +1,5 @@
 // package.json
-var version = "2.43.5";
+var version = "2.44.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/{chunk-ROUO6U5X.js → chunk-MF3FQSRF.js}

@@ -1,6 +1,6 @@
 import {
   raiseEvent
-} from "./chunk-FLVILMI6.js";
+} from "./chunk-NUHIER2H.js";
 import {
   getEventCatalogConfigFile,
   verifyRequiredFieldsAreInCatalogConfigFile

package/dist/{chunk-FLVILMI6.js → chunk-NUHIER2H.js}

@@ -1,6 +1,6 @@
 import {
   VERSION
-} from "./chunk-JVRNO62X.js";
+} from "./chunk-C4NENBPQ.js";
 
 // src/analytics/analytics.js
 import axios from "axios";

package/dist/constants.cjs

@@ -25,7 +25,7 @@ __export(constants_exports, {
 module.exports = __toCommonJS(constants_exports);
 
 // package.json
-var version = "2.43.5";
+var version = "2.44.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/constants.js

@@ -1,6 +1,6 @@
 import {
   VERSION
-} from "./chunk-JVRNO62X.js";
+} from "./chunk-C4NENBPQ.js";
 export {
   VERSION
 };

package/dist/eventcatalog.cjs

@@ -157,7 +157,7 @@ var import_axios = __toESM(require("axios"), 1);
 var import_os = __toESM(require("os"), 1);
 
 // package.json
-var version = "2.43.5";
+var version = "2.44.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/eventcatalog.js

@@ -6,8 +6,8 @@ import {
 } from "./chunk-DCLTVJDP.js";
 import {
   log_build_default
-} from "./chunk-ROUO6U5X.js";
-import "./chunk-FLVILMI6.js";
+} from "./chunk-MF3FQSRF.js";
+import "./chunk-NUHIER2H.js";
 import {
   catalogToAstro,
   checkAndConvertMdToMdx
@@ -15,7 +15,7 @@ import {
 import "./chunk-EXAALOQA.js";
 import {
   VERSION
-} from "./chunk-JVRNO62X.js";
+} from "./chunk-C4NENBPQ.js";
 import {
   isAuthEnabled,
   isBackstagePluginEnabled,

package/eventcatalog/auth.config.ts

@@ -7,6 +7,7 @@ import { isAuthEnabled, isSSR } from '@utils/feature';
 import Google from '@auth/core/providers/google';
 import Auth0 from '@auth/core/providers/auth0';
 import Entra from '@auth/core/providers/microsoft-entra-id';
+import jwt from 'jsonwebtoken';
 
 // Need to try and read the eventcatalog.auth.js file and get the auth providers from there
 const catalogDirectory = process.env.PROJECT_DIR || process.cwd();
@@ -23,8 +24,7 @@ const getAuthProviders = async () => {
       const githubConfig = authConfig.providers.github;
       providers.push(
         GitHub({
-          clientId: githubConfig.clientId,
-          clientSecret: githubConfig.clientSecret,
+          ...githubConfig,
         })
       );
       console.log('✅ GitHub provider configured');
@@ -35,8 +35,7 @@ const getAuthProviders = async () => {
       const googleConfig = authConfig.providers.google;
       providers.push(
         Google({
-          clientId: googleConfig.clientId,
-          clientSecret: googleConfig.clientSecret,
+          ...googleConfig,
         })
       );
       console.log('✅ Google provider configured');
@@ -47,9 +46,12 @@ const getAuthProviders = async () => {
       const oktaConfig = authConfig.providers.okta;
       providers.push(
         Okta({
-          clientId: oktaConfig.clientId,
-          clientSecret: oktaConfig.clientSecret,
-          issuer: oktaConfig.issuer,
+          authorization: {
+            params: {
+              scope: 'openid email profile groups',
+            },
+          },
+          ...oktaConfig,
         })
       );
       console.log('✅ Okta provider configured');
@@ -60,22 +62,27 @@ const getAuthProviders = async () => {
       const auth0Config = authConfig.providers.auth0;
       providers.push(
         Auth0({
-          clientId: auth0Config.clientId,
-          clientSecret: auth0Config.clientSecret,
-          issuer: auth0Config.issuer,
+          authorization: {
+            params: {
+              scope: 'openid email profile groups',
+            },
+          },
+          ...auth0Config,
         })
       );
       console.log('✅ Auth0 provider configured');
     }
 
-    // Microsoft Entra ID provider
     if (authConfig.providers?.entra) {
       const entraConfig = authConfig.providers.entra;
       providers.push(
         Entra({
-          clientId: entraConfig.clientId,
-          clientSecret: entraConfig.clientSecret,
-          issuer: entraConfig.issuer,
+          authorization: {
+            params: {
+              scope: 'openid profile email',
+            },
+          },
+          ...entraConfig,
         })
       );
       console.log('✅ Microsoft Entra ID provider configured');
@@ -87,7 +94,6 @@ const getAuthProviders = async () => {
 
     return providers;
   } catch (error) {
-    console.log('No eventcatalog.auth.js found or error loading config:', (error as Error).message);
     return [];
   }
 };
@@ -105,7 +111,6 @@ const getAuthConfig = async () => {
 
     // If custom auth config is specified (Enterprise feature)
     if (authConfig?.customAuthConfig) {
-      console.log('🚀 Loading custom auth configuration:', authConfig.customAuthConfig);
       try {
         const customConfig = await import(/* @vite-ignore */ join(catalogDirectory, authConfig.customAuthConfig));
         return customConfig.default;
@@ -125,6 +130,45 @@ const getAuthConfig = async () => {
           // Just allow everyone who can authenticate with the provider
           return true;
         },
+        async jwt({ token, account, profile }: { token: any; account: Account | null; profile?: Profile }) {
+          // Persist provider info in JWT
+          if (account && profile) {
+            token.provider = account.provider;
+            token.login = (profile as any).login || (profile as any).preferred_username;
+
+            // Handle groups from different providers
+            if (account.provider === 'microsoft-entra-id') {
+              token.groups = (profile as any).roles || (profile as any).groups || [];
+            } else if (account.provider === 'okta') {
+              // For Okta, try profile first, then decode access token
+              token.groups = (profile as any).groups || [];
+              token.roles = (profile as any).roles || [];
+
+              // If no groups in profile, decode the access token
+              if ((!token.groups || token.groups.length === 0) && account.access_token) {
+                try {
+                  // Import jwt at the top of your file if not already imported
+                  const decodedAccessToken = jwt.decode(account.access_token);
+
+                  if (decodedAccessToken && typeof decodedAccessToken === 'object') {
+                    token.groups = (decodedAccessToken as any).groups || [];
+                    token.roles = (decodedAccessToken as any).roles || [];
+                  }
+                } catch (error) {
+                  console.error('🔍 Error decoding Okta access token:', error);
+                }
+              }
+            } else if (account.provider === 'auth0') {
+              token.groups = (profile as any)['https://eventcatalog.dev/groups'] || [];
+              token.roles = (profile as any)['https://eventcatalog.dev/roles'] || [];
+            }
+
+            // Store access token for potential API calls
+            token.accessToken = account.access_token;
+          }
+
+          return token;
+        },
         async session({ session, token }: { session: Session; token: any }) {
           // Add provider info to session
           if (token?.provider) {
@@ -133,15 +177,23 @@ const getAuthConfig = async () => {
           if (token?.login) {
             (session.user as any).username = token.login;
           }
-          return session;
-        },
-        async jwt({ token, account, profile }: { token: any; account: Account | null; profile?: Profile }) {
-          // Persist provider info in JWT
-          if (account && profile) {
-            token.provider = account.provider;
-            token.login = (profile as any).login || (profile as any).preferred_username;
+
+          // Add groups to session
+          if (token?.groups) {
+            (session.user as any).groups = token.groups;
           }
-          return token;
+
+          // Add roles if available
+          if (token?.roles) {
+            (session.user as any).roles = token.roles;
+          }
+
+          // Add access token to session
+          if (token?.accessToken) {
+            (session as any).accessToken = token.accessToken;
+          }
+
+          return session;
         },
       },
       pages: {

package/eventcatalog/src/middleware-auth.ts

@@ -0,0 +1,283 @@
+// src/middleware/auth.ts
+import type { MiddlewareHandler } from 'astro';
+import { getSession } from 'auth-astro/server';
+import { isAuthEnabled } from '@utils/feature';
+import jwt from 'jsonwebtoken';
+
+// Define the types in this file
+export interface NormalizedUser {
+  id: string;
+  email: string;
+  name?: string;
+  picture?: string;
+  roles: string[];
+  permissions: string[];
+  groups: string[];
+  metadata: Record<string, any>;
+  provider: 'auth0' | 'okta' | 'microsoft' | 'google' | 'unknown';
+  raw: {
+    user: any;
+    token: any;
+  };
+}
+
+// Type the locals object with matching utilities
+interface TypedLocals {
+  session: any;
+  user: NormalizedUser;
+  hasRole: (role: string) => boolean;
+  hasPermission: (permission: string) => boolean;
+  hasGroup: (group: string) => boolean;
+  findMatchingRule: (rules: Record<string, () => boolean>, pathname: string) => (() => boolean) | null;
+  matchesPattern: (pattern: string, pathname: string) => boolean;
+}
+
+// Wildcard matching utilities
+export function matchesPattern(pattern: string, pathname: string): boolean {
+  const regexPattern = pattern
+    .replace(/\*/g, '[^/]+') // * matches any characters except /
+    .replace(/\*\*/g, '.*'); // ** matches any characters including /
+
+  const regex = new RegExp(`^${regexPattern}$`);
+  return regex.test(pathname);
+}
+
+function calculateSpecificity(pattern: string): number {
+  let score = 0;
+  score += (pattern.length - (pattern.match(/\*/g) || []).length) * 10;
+  score -= (pattern.match(/\*/g) || []).length * 5;
+  return score;
+}
+
+export function findMatchingRule(rules: Record<string, () => boolean>, pathname: string) {
+  const matches = [];
+
+  for (const [pattern, rule] of Object.entries(rules)) {
+    if (matchesPattern(pattern, pathname)) {
+      matches.push({ pattern, rule, specificity: calculateSpecificity(pattern) });
+    }
+  }
+
+  // Sort by specificity (most specific first)
+  matches.sort((a, b) => b.specificity - a.specificity);
+
+  return matches.length > 0 ? matches[0].rule : null;
+}
+
+export const authMiddleware: MiddlewareHandler = async (context, next) => {
+  const { request, redirect, locals } = context;
+  const url = new URL(request.url);
+  const pathname = url.pathname;
+
+  // If auth is disabled and we are on an auth route, redirect to home
+  if (!isAuthEnabled() && pathname.includes('/auth')) {
+    return redirect('/');
+  }
+
+  // Auth is disabled, skip auth check
+  if (!isAuthEnabled()) {
+    return next();
+  }
+
+  // Skip system/browser requests
+  const systemRoutes = ['/.well-known/', '/favicon.ico', '/robots.txt', '/sitemap.xml', '/_astro/', '/__astro'];
+  const publicRoutes = ['/auth/login', '/auth/signout', '/auth/error', '/api/auth'];
+
+  if (
+    pathname.startsWith('/_') ||
+    systemRoutes.some((route) => pathname.startsWith(route)) ||
+    pathname.startsWith('/.well-known/') ||
+    publicRoutes.some((route) => pathname.startsWith(route))
+  ) {
+    return next();
+  }
+
+  try {
+    const session = await getSession(request);
+
+    if (!session) {
+      const callbackUrl = encodeURIComponent(pathname + url.search);
+      return redirect(`/auth/login?callbackUrl=${callbackUrl}`);
+    }
+
+    // Normalize user data across providers
+    const normalizedUser = normalizeUserData(session);
+
+    // Type assertion for locals
+    const typedLocals = locals as TypedLocals;
+
+    // Add session and normalized user to locals
+    typedLocals.session = session;
+    typedLocals.user = normalizedUser;
+
+    // Add helper functions for customer middleware
+    typedLocals.hasRole = (role: string) => normalizedUser.roles.includes(role);
+    typedLocals.hasPermission = (permission: string) => normalizedUser.permissions.includes(permission);
+    typedLocals.hasGroup = (group: string) => {
+      return normalizedUser.groups.includes(group);
+    };
+
+    // Add wildcard matching utilities to locals
+    typedLocals.findMatchingRule = findMatchingRule;
+    typedLocals.matchesPattern = matchesPattern;
+  } catch (error) {
+    console.error('Session error:', error);
+    const callbackUrl = encodeURIComponent(pathname + url.search);
+    return redirect(`/auth/login?callbackUrl=${callbackUrl}`);
+  }
+
+  return next();
+};
+
+// Normalize user data from different providers
+function normalizeUserData(session: any): NormalizedUser {
+  const user = session.user;
+  const accessToken = session.accessToken;
+  let decodedToken = null;
+
+  if (accessToken) {
+    try {
+      decodedToken = jwt.decode(accessToken);
+    } catch (e) {
+      console.warn('Could not decode access token');
+    }
+  }
+
+  const provider = detectProvider(session);
+
+  switch (provider) {
+    case 'auth0':
+      return normalizeAuth0User(user, decodedToken);
+    case 'okta':
+      return normalizeOktaUser(user, decodedToken);
+    case 'microsoft':
+      return normalizeMicrosoftUser(user, decodedToken);
+    case 'google':
+      return normalizeGoogleUser(user, decodedToken);
+    default:
+      return normalizeGenericUser(user, decodedToken);
+  }
+}
+
+function detectProvider(session: any): string {
+  const account = session.account;
+  if (account?.provider) return account.provider;
+
+  if (session.user?.sub?.startsWith('auth0|')) return 'auth0';
+  if (session.user?.iss?.includes('okta.com') || session.user?.provider?.includes('okta')) return 'okta';
+  if (session.user?.iss?.includes('microsoft')) return 'microsoft';
+  if (session.user?.iss?.includes('google')) return 'google';
+
+  return 'unknown';
+}
+
+function normalizeAuth0User(user: any, token: any): NormalizedUser {
+  return {
+    id: user.sub || user.id,
+    email: user.email,
+    name: user.name,
+    picture: user.picture,
+    roles: token?.['https://eventcatalog.dev/roles'] || [],
+    permissions: token?.permissions || [],
+    groups: token?.['https://eventcatalog.dev/groups'] || [],
+    metadata: token?.['https://eventcatalog.dev/app_metadata'] || {},
+    provider: 'auth0',
+    raw: { user, token },
+  };
+}
+
+function normalizeOktaUser(user: any, token: any): NormalizedUser {
+  // Try to get groups from multiple sources
+  let groups: string[] = [];
+  let roles: string[] = [];
+
+  // Source 1: User object (from session)
+  if (user.groups && Array.isArray(user.groups)) {
+    groups = user.groups;
+  }
+
+  // Source 2: Decoded token (from access token)
+  if ((!groups || groups.length === 0) && token?.groups && Array.isArray(token.groups)) {
+    groups = token.groups;
+  }
+
+  // Source 3: Roles
+  if (user.roles && Array.isArray(user.roles)) {
+    roles = user.roles;
+  } else if (token?.roles && Array.isArray(token.roles)) {
+    roles = token.roles;
+  }
+
+  return {
+    id: user.sub || user.id,
+    email: user.email,
+    name: user.name,
+    picture: user.picture,
+    roles: roles,
+    permissions: [],
+    groups: groups,
+    metadata: {
+      department: token?.department || user.department,
+      title: token?.title || user.title,
+      locale: token?.locale || user.locale,
+    },
+    provider: 'okta',
+    raw: { user, token },
+  };
+}
+
+function normalizeMicrosoftUser(user: any, token: any): NormalizedUser {
+  // Groups should now be available directly on the user object from the session callback
+  const groups = user.groups || token?.groups || [];
+  const roles = user.roles || token?.roles || [];
+
+  return {
+    id: user.sub || user.oid,
+    email: user.email || user.preferred_username,
+    name: user.name,
+    picture: user.picture,
+    roles: roles,
+    permissions: [],
+    groups: groups,
+    metadata: {
+      department: token?.extension_Department,
+      jobTitle: token?.jobTitle,
+      companyName: token?.companyName,
+    },
+    provider: 'microsoft',
+    raw: { user, token },
+  };
+}
+
+function normalizeGoogleUser(user: any, token: any): NormalizedUser {
+  return {
+    id: user.sub || user.id,
+    email: user.email,
+    name: user.name,
+    picture: user.picture,
+    roles: [],
+    permissions: [],
+    groups: [],
+    metadata: {
+      domain: token?.hd,
+      locale: token?.locale,
+    },
+    provider: 'google',
+    raw: { user, token },
+  };
+}
+
+function normalizeGenericUser(user: any, token: any): NormalizedUser {
+  return {
+    id: user.sub || user.id || user.email,
+    email: user.email,
+    name: user.name,
+    picture: user.picture,
+    roles: user.roles || token?.roles || [],
+    permissions: user.permissions || token?.permissions || [],
+    groups: user.groups || token?.groups || [],
+    metadata: {},
+    provider: 'unknown',
+    raw: { user, token },
+  };
+}

package/eventcatalog/src/middleware.ts

@@ -1,62 +1,47 @@
-// src/middleware.ts
 import type { MiddlewareHandler } from 'astro';
-import { getSession } from 'auth-astro/server';
-import { isAuthEnabled } from '@utils/feature';
-
-export const onRequest: MiddlewareHandler = async (context, next) => {
-  const { request, redirect, locals } = context;
-  const url = new URL(request.url);
-  const pathname = url.pathname;
-
-  // If auth is disabled and we are on an auth route, redirect to home
-  if (!isAuthEnabled() && pathname.includes('/auth')) {
-    return redirect('/');
-  }
-
-  // Auth is disabled, skip auth check
-  if (!isAuthEnabled()) {
-    return next();
+import { authMiddleware } from './middleware-auth.ts';
+import { sequence } from 'astro:middleware';
+import { join } from 'node:path';
+import { isSSR } from '@utils/feature';
+
+// Try to load customer's custom RBAC middleware
+let customerRbacMiddleware: MiddlewareHandler | null = null;
+
+try {
+  const catalogDirectory = process.env.PROJECT_DIR || process.cwd();
+  const customerMiddleware = await import(/* @vite-ignore */ join(catalogDirectory, 'middleware.ts'));
+  customerRbacMiddleware = customerMiddleware.rbacMiddleware;
+
+  if (!isSSR()) {
+    // Tell user they need to build in SSR mode
+    console.log(
+      '🔴 Found custom middleware.ts file. To use RBAC, you need to build in SSR mode, by setting output: "server" in your eventcatalog.config.js file.'
+    );
+  } else {
+    console.log('✅ Loaded custom RBAC middleware');
   }
+} catch (error) {
+  console.log('Error loading custom RBAC middleware:', error);
+  // Just silently fail, we don't want to block the app
+}
 
-  // Skip system/browser requests
-  const systemRoutes = ['/.well-known/', '/favicon.ico', '/robots.txt', '/sitemap.xml', '/_astro/', '/__astro'];
+const errorHandlingMiddleware: MiddlewareHandler = async (context, next) => {
+  const response = await next();
 
-  // Skip auth check for these routes
-  const publicRoutes = ['/auth/login', '/auth/signout', '/auth/error', '/api/auth'];
+  if (response.status === 403) {
+    const params = new URLSearchParams({
+      path: context.url.pathname,
+      returnTo: context.url.pathname + context.url.search,
+    });
 
-  // Skip static files, system routes, and browser requests
-  if (
-    pathname.startsWith('/_') ||
-    systemRoutes.some((route) => pathname.startsWith(route)) ||
-    pathname.startsWith('/.well-known/')
-  ) {
-    return next();
+    return context.redirect(`/unauthorized?${params.toString()}`);
   }
 
-  // Skip public routes
-  if (publicRoutes.some((route) => pathname.startsWith(route))) {
-    return next();
-  }
+  return response;
+};
 
-  try {
-    // Check if user is logged in
-    const session = await getSession(request);
-
-    if (!session) {
-      const callbackUrl = encodeURIComponent(pathname + url.search);
-      return redirect(`/auth/login?callbackUrl=${callbackUrl}`);
-    }
-
-    // Add session to locals for pages to use
-    // @ts-ignore
-    locals.session = session;
-    // @ts-ignore
-    locals.user = session.user;
-  } catch (error) {
-    console.error('Session error:', error);
-    const callbackUrl = encodeURIComponent(pathname + url.search);
-    return redirect(`/auth/login?callbackUrl=${callbackUrl}`);
-  }
+const middlewareChain = customerRbacMiddleware
+  ? [errorHandlingMiddleware, authMiddleware, customerRbacMiddleware]
+  : [errorHandlingMiddleware, authMiddleware];
 
-  return next();
-};
+export const onRequest = isSSR() ? sequence(...middlewareChain) : undefined;

package/eventcatalog/src/pages/auth/login.astro

@@ -1,11 +1,9 @@
 ---
 import config from '@config';
 const { title, logo } = config;
-import { getSession } from 'auth-astro/server';
 import { join } from 'node:path';
 import { isAuthEnabled, isSSR } from '@utils/feature';
 
-const session = await getSession(Astro.request);
 const catalogDirectory = process.env.PROJECT_DIR || process.cwd();
 
 let hasAuthConfigurationFile = false;
@@ -25,10 +23,20 @@ const shouldShowLogin = hasAuthConfigurationFile && isSSR() && isAuthEnabled() &
 // Check if configuration exists but no providers are set up
 const hasConfigButNoProviders = hasAuthConfigurationFile && isSSR() && isAuthEnabled() && providers.length === 0;
 
-if (session) {
+// If we are not in SSR mode, redirect to home
+if (!isSSR() || !isAuthEnabled()) {
   return Astro.redirect('/');
 }
 
+// If we are in SSR mode, check if the user is already logged in
+if (isSSR() && isAuthEnabled()) {
+  const { getSession } = await import(/* @vite-ignore */ 'auth-astro/server');
+  const session = await getSession(Astro.request);
+  if (session) {
+    return Astro.redirect('/');
+  }
+}
+
 // Provider configurations
 const providerConfig = {
   github: {

package/eventcatalog/src/pages/unauthorized/index.astro

@@ -0,0 +1,84 @@
+---
+import VerticalSideBarLayout from '@layouts/VerticalSideBarLayout.astro';
+---
+
+<VerticalSideBarLayout title="Unauthorized - EventCatalog">
+  <div class="flex h-[calc(100vh-120px)] bg-white">
+    <main class="flex w-full items-center justify-center bg-white text-center sm:p-12">
+      <div class="w-full max-w-xl text-center">
+        <div class="mb-6 inline-flex h-16 w-16 items-center justify-center rounded-2xl bg-red-100">
+          <svg
+            class="h-9 w-9 text-red-600"
+            viewBox="0 0 24 24"
+            fill="none"
+            stroke="currentColor"
+            stroke-width="2"
+            stroke-linecap="round"
+            stroke-linejoin="round"
+          >
+            <rect x="3" y="11" width="18" height="11" rx="2" ry="2"></rect>
+            <path d="M7 11V7a5 5 0 0 1 10 0v4"></path>
+          </svg>
+        </div>
+
+        <h1 class="text-3xl font-bold text-gray-800 mb-4">Access Denied</h1>
+
+        <p class="max-w-md mx-auto text-base text-gray-500 mb-8">You don't have permission to access this resource.</p>
+
+        <!-- Client-side path display -->
+        <div
+          id="path-container"
+          class="hidden mb-8 w-full max-w-lg mx-auto rounded-lg border border-gray-200 bg-gray-100 p-4 text-left"
+        >
+          <p class="mb-2 text-sm font-medium text-gray-600">Requested path:</p>
+          <code id="requested-path" class="break-all font-mono text-sm text-gray-800"></code>
+        </div>
+
+        <div class="flex flex-col sm:flex-row gap-4 justify-center">
+          <button
+            onclick="history.back()"
+            class="inline-flex items-center justify-center px-4 py-2 text-sm font-medium text-gray-700 bg-white border border-gray-300 rounded-md shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500"
+          >
+            <svg class="w-4 h-4 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 19l-7-7m0 0l7-7m-7 7h18"></path>
+            </svg>
+            Go Back
+          </button>
+
+          <a
+            href="/dashboard"
+            class="inline-flex items-center justify-center px-4 py-2 text-sm font-medium text-white bg-blue-600 border border-transparent rounded-md shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500"
+          >
+            <svg class="w-4 h-4 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path
+                stroke-linecap="round"
+                stroke-linejoin="round"
+                stroke-width="2"
+                d="M3 7v10a2 2 0 002 2h14a2 2 0 002-2V9a2 2 0 00-2-2H5a2 2 0 00-2-2z"></path>
+            </svg>
+            Go to Dashboard
+          </a>
+        </div>
+      </div>
+    </main>
+  </div>
+
+  <!-- Client-side script -->
+  <script>
+    document.addEventListener('DOMContentLoaded', () => {
+      // Get query parameters on the client side
+      const url = new URL(window.location.href);
+      const path = url.searchParams.get('path');
+
+      if (path) {
+        const pathContainer = document.getElementById('path-container');
+        const requestedPath = document.getElementById('requested-path');
+
+        if (pathContainer && requestedPath) {
+          requestedPath.textContent = path;
+          pathContainer.classList.remove('hidden');
+        }
+      }
+    });
+  </script>
+</VerticalSideBarLayout>

package/package.json

@@ -6,7 +6,7 @@
     "url": "https://github.com/event-catalog/eventcatalog.git"
   },
   "type": "module",
-  "version": "2.43.5",
+  "version": "2.44.0",
   "publishConfig": {
     "access": "public"
   },
@@ -74,6 +74,7 @@
     "gray-matter": "^4.0.3",
     "html-to-image": "^1.11.11",
     "js-yaml": "^4.1.0",
+    "jsonwebtoken": "^9.0.2",
     "langchain": "^0.3.19",
     "lodash.debounce": "^4.0.8",
     "lodash.merge": "4.6.2",
@@ -104,6 +105,7 @@
     "@types/dagre": "^0.7.52",
     "@types/diff": "^5.2.2",
     "@types/js-yaml": "^4.0.9",
+    "@types/jsonwebtoken": "^9.0.10",
     "@types/lodash.debounce": "^4.0.9",
     "@types/lodash.merge": "4.6.9",
     "@types/node": "^20.14.2",