@open-mercato/enterprise 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6

package/dist/modules/sso/backend/sso/config/[id]/page.js

@@ -0,0 +1,749 @@
+"use client";
+import { Fragment, jsx, jsxs } from "react/jsx-runtime";
+import React from "react";
+import { useParams, useRouter, useSearchParams } from "next/navigation";
+import { Page, PageBody } from "@open-mercato/ui/backend/Page";
+import { Button } from "@open-mercato/ui/primitives/button";
+import { FormHeader } from "@open-mercato/ui/backend/forms";
+import { LoadingMessage, ErrorMessage } from "@open-mercato/ui/backend/detail";
+import { apiCall, apiCallOrThrow } from "@open-mercato/ui/backend/utils/apiCall";
+import { flash } from "@open-mercato/ui/backend/FlashMessages";
+import { useConfirmDialog } from "@open-mercato/ui/backend/confirm-dialog";
+import { useT } from "@open-mercato/shared/lib/i18n/context";
+import { useGuardedMutation } from "@open-mercato/ui/backend/injection/useGuardedMutation";
+function SsoConfigDetailPage() {
+  const params = useParams();
+  const configId = params?.slug && Array.isArray(params.slug) ? params.slug[2] : Array.isArray(params?.id) ? params.id[0] : params?.id;
+  const router = useRouter();
+  const searchParams = useSearchParams();
+  const t = useT();
+  const { confirm, ConfirmDialogElement } = useConfirmDialog();
+  const [config, setConfig] = React.useState(null);
+  const [isLoading, setIsLoading] = React.useState(true);
+  const [error, setError] = React.useState(null);
+  const [activeTab, setActiveTab] = React.useState("general");
+  const [showActivationBanner, setShowActivationBanner] = React.useState(searchParams?.get("created") === "1");
+  const [activationError, setActivationError] = React.useState(null);
+  const [isActivating, setIsActivating] = React.useState(false);
+  const { runMutation, retryLastMutation } = useGuardedMutation({
+    contextId: `sso-config:${configId ?? "pending"}`
+  });
+  const runMutationWithContext = React.useCallback(
+    async (operation, mutationPayload) => {
+      return runMutation({
+        operation,
+        mutationPayload,
+        context: { configId, retryLastMutation }
+      });
+    },
+    [configId, retryLastMutation, runMutation]
+  );
+  const [name, setName] = React.useState("");
+  const [issuer, setIssuer] = React.useState("");
+  const [clientId, setClientId] = React.useState("");
+  const [newClientSecret, setNewClientSecret] = React.useState("");
+  const [showSecretField, setShowSecretField] = React.useState(false);
+  const [jitEnabled, setJitEnabled] = React.useState(true);
+  const [autoLinkByEmail, setAutoLinkByEmail] = React.useState(true);
+  const [isSaving, setIsSaving] = React.useState(false);
+  const [domainInput, setDomainInput] = React.useState("");
+  const [domainError, setDomainError] = React.useState("");
+  const fetchConfig = React.useCallback(async () => {
+    setIsLoading(true);
+    const call = await apiCall(`/api/sso/config/${configId}`);
+    if (call.ok && call.result) {
+      const c = call.result;
+      setConfig(c);
+      setName(c.name ?? "");
+      setIssuer(c.issuer ?? "");
+      setClientId(c.clientId ?? "");
+      setJitEnabled(c.jitEnabled);
+      setAutoLinkByEmail(c.autoLinkByEmail);
+      setError(null);
+    } else {
+      setError(t("sso.admin.error.loadFailed", "Failed to load SSO configuration"));
+    }
+    setIsLoading(false);
+  }, [configId, t]);
+  React.useEffect(() => {
+    fetchConfig();
+  }, [fetchConfig]);
+  const handleSave = async () => {
+    setIsSaving(true);
+    try {
+      const payload = { name, issuer, clientId, jitEnabled, autoLinkByEmail };
+      if (newClientSecret) payload.clientSecret = newClientSecret;
+      await runMutationWithContext(
+        () => apiCallOrThrow(
+          `/api/sso/config/${configId}`,
+          {
+            method: "PUT",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify(payload)
+          },
+          { errorMessage: t("sso.admin.error.saveFailed", "Failed to save SSO configuration") }
+        ),
+        payload
+      );
+      flash(t("sso.admin.saved", "SSO configuration saved"), "success");
+      setNewClientSecret("");
+      setShowSecretField(false);
+      fetchConfig();
+    } catch {
+    } finally {
+      setIsSaving(false);
+    }
+  };
+  const handleToggleActivation = async () => {
+    if (!config) return;
+    setActivationError(null);
+    setIsActivating(true);
+    try {
+      await runMutationWithContext(
+        () => apiCallOrThrow(
+          `/api/sso/config/${configId}/activate`,
+          {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ active: !config.isActive })
+          },
+          { errorMessage: t("sso.admin.error.activationFailed", "Failed to update activation status") }
+        ),
+        { active: !config.isActive }
+      );
+      flash(
+        config.isActive ? t("sso.admin.deactivated", "SSO configuration deactivated") : t("sso.admin.activated", "SSO configuration activated"),
+        "success"
+      );
+      setShowActivationBanner(false);
+      fetchConfig();
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      const isNoDomains = message.toLowerCase().includes("no allowed domains");
+      if (isNoDomains) {
+        setActivationError(t("sso.admin.error.noDomainsForActivation", "Add at least one allowed email domain before activating"));
+        setActiveTab("domains");
+      } else {
+        setActivationError(message);
+      }
+    } finally {
+      setIsActivating(false);
+    }
+  };
+  const handleTestConnection = async () => {
+    try {
+      const call = await runMutationWithContext(
+        () => apiCallOrThrow(
+          `/api/sso/config/${configId}/test`,
+          { method: "POST" },
+          { errorMessage: t("sso.admin.error.testFailed", "Connection test failed") }
+        )
+      );
+      if (call.result?.ok) {
+        flash(t("sso.admin.test.success", "Discovery successful \u2014 issuer is reachable"), "success");
+      } else {
+        flash(call.result?.error || t("sso.admin.test.failed", "Discovery failed"), "error");
+      }
+    } catch {
+    }
+  };
+  const handleDelete = async () => {
+    if (!config) return;
+    if (config.isActive) {
+      flash(t("sso.admin.error.deleteActive", "Cannot delete an active SSO configuration \u2014 deactivate it first"), "error");
+      return;
+    }
+    const confirmed = await confirm({
+      title: t("sso.admin.delete.title", "Delete SSO Configuration"),
+      text: t("sso.admin.delete.confirm", "Are you sure? This will remove the SSO configuration."),
+      confirmText: t("common.delete", "Delete"),
+      variant: "destructive"
+    });
+    if (!confirmed) return;
+    await runMutationWithContext(
+      () => apiCallOrThrow(`/api/sso/config/${configId}`, { method: "DELETE" }, {
+        errorMessage: t("sso.admin.error.deleteFailed", "Failed to delete SSO configuration")
+      }),
+      { id: configId }
+    );
+    flash(t("sso.admin.delete.success", "SSO configuration deleted"), "success");
+    router.push("/backend/sso");
+  };
+  const handleAddDomain = async () => {
+    const normalized = domainInput.trim().toLowerCase();
+    if (!normalized) return;
+    const domainRegex = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/;
+    if (!domainRegex.test(normalized) || !normalized.includes(".")) {
+      setDomainError(t("sso.admin.wizard.domain.invalid", "Invalid domain format"));
+      return;
+    }
+    try {
+      await runMutationWithContext(
+        () => apiCallOrThrow(
+          `/api/sso/config/${configId}/domains`,
+          {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ domain: normalized })
+          },
+          { errorMessage: t("sso.admin.error.domainAddFailed", "Failed to add domain") }
+        ),
+        { domain: normalized }
+      );
+      setDomainInput("");
+      setDomainError("");
+      fetchConfig();
+    } catch {
+    }
+  };
+  const handleRemoveDomain = async (domain) => {
+    try {
+      await runMutationWithContext(
+        () => apiCallOrThrow(
+          `/api/sso/config/${configId}/domains?domain=${encodeURIComponent(domain)}`,
+          { method: "DELETE" },
+          { errorMessage: t("sso.admin.error.domainRemoveFailed", "Failed to remove domain") }
+        ),
+        { domain }
+      );
+      fetchConfig();
+    } catch {
+    }
+  };
+  if (isLoading) return /* @__PURE__ */ jsx(Page, { children: /* @__PURE__ */ jsx(PageBody, { children: /* @__PURE__ */ jsx(LoadingMessage, { label: t("common.loading", "Loading...") }) }) });
+  if (error || !config) return /* @__PURE__ */ jsx(Page, { children: /* @__PURE__ */ jsx(PageBody, { children: /* @__PURE__ */ jsx(ErrorMessage, { label: error || t("common.notFound", "Not found") }) }) });
+  const tabs = [
+    { id: "general", label: t("sso.admin.tab.general", "General") },
+    { id: "domains", label: t("sso.admin.tab.domains", "Domains") },
+    { id: "roles", label: t("sso.admin.tab.roles", "Role Mappings") },
+    { id: "scim", label: t("sso.admin.tab.scim", "Provisioning") },
+    { id: "activity", label: t("sso.admin.tab.activity", "Activity") }
+  ];
+  const statusBadge = /* @__PURE__ */ jsx("span", { className: `inline-flex items-center rounded-full px-2 py-1 text-xs font-medium ${config.isActive ? "bg-green-50 text-green-700" : "bg-gray-100 text-gray-600"}`, children: config.isActive ? t("sso.admin.status.active", "Active") : t("sso.admin.status.inactive", "Inactive") });
+  return /* @__PURE__ */ jsx(Page, { children: /* @__PURE__ */ jsxs(PageBody, { children: [
+    /* @__PURE__ */ jsxs("div", { className: "flex flex-col gap-6 max-w-3xl", children: [
+      showActivationBanner && !config.isActive && /* @__PURE__ */ jsxs("div", { className: "rounded-lg border border-blue-200 bg-blue-50 p-4", children: [
+        /* @__PURE__ */ jsx("p", { className: "text-sm font-medium text-blue-900 mb-3", children: t("sso.admin.banner.created", "Your SSO configuration has been created. Would you like to activate it now?") }),
+        activationError && /* @__PURE__ */ jsx("p", { className: "text-sm text-destructive mb-3", children: activationError }),
+        /* @__PURE__ */ jsxs("div", { className: "flex items-center gap-2", children: [
+          /* @__PURE__ */ jsx(Button, { size: "sm", onClick: handleToggleActivation, disabled: isActivating, children: isActivating ? t("common.activating", "Activating...") : t("sso.admin.banner.activateNow", "Activate Now") }),
+          /* @__PURE__ */ jsx(Button, { variant: "outline", size: "sm", onClick: () => setShowActivationBanner(false), children: t("sso.admin.banner.notYet", "Not Yet") })
+        ] })
+      ] }),
+      /* @__PURE__ */ jsx(
+        FormHeader,
+        {
+          mode: "detail",
+          backHref: "/backend/sso",
+          backLabel: t("sso.admin.detail.backToList", "Back to SSO"),
+          title: config.name || config.issuer || t("sso.admin.detail.title", "SSO Configuration"),
+          statusBadge,
+          actionsContent: /* @__PURE__ */ jsxs("div", { className: "flex items-center gap-2", children: [
+            /* @__PURE__ */ jsx(Button, { type: "button", variant: "outline", size: "sm", onClick: handleTestConnection, children: t("sso.admin.action.test", "Verify Discovery") }),
+            /* @__PURE__ */ jsx(
+              Button,
+              {
+                type: "button",
+                variant: config.isActive ? "outline" : "default",
+                size: "sm",
+                onClick: handleToggleActivation,
+                children: config.isActive ? t("sso.admin.action.deactivate", "Deactivate") : t("sso.admin.action.activate", "Activate")
+              }
+            ),
+            /* @__PURE__ */ jsx(Button, { type: "button", variant: "outline", size: "sm", onClick: handleDelete, className: "text-destructive", children: t("common.delete", "Delete") })
+          ] })
+        }
+      ),
+      /* @__PURE__ */ jsx("div", { className: "flex gap-1 border-b", children: tabs.map((tab) => /* @__PURE__ */ jsx(
+        Button,
+        {
+          type: "button",
+          variant: "ghost",
+          size: "sm",
+          className: `h-auto rounded-none border-b-2 px-4 py-2 hover:bg-transparent ${activeTab === tab.id ? "border-primary text-foreground" : "border-transparent text-muted-foreground"}`,
+          onClick: () => setActiveTab(tab.id),
+          children: tab.label
+        },
+        tab.id
+      )) }),
+      activeTab === "general" && /* @__PURE__ */ jsxs("div", { className: "rounded-lg border bg-card p-4", children: [
+        /* @__PURE__ */ jsx("h2", { className: "mb-4 text-sm font-semibold uppercase text-muted-foreground", children: t("sso.admin.section.oidcSettings", "OIDC Settings") }),
+        /* @__PURE__ */ jsxs("div", { className: "space-y-4", children: [
+          /* @__PURE__ */ jsxs("div", { children: [
+            /* @__PURE__ */ jsx("label", { className: "block text-sm font-medium mb-1", children: t("sso.admin.field.name", "Configuration Name") }),
+            /* @__PURE__ */ jsx(
+              "input",
+              {
+                type: "text",
+                className: "w-full rounded-md border px-3 py-2 text-sm",
+                value: name,
+                onChange: (e) => setName(e.target.value)
+              }
+            )
+          ] }),
+          /* @__PURE__ */ jsxs("div", { children: [
+            /* @__PURE__ */ jsx("label", { className: "block text-sm font-medium mb-1", children: t("sso.admin.field.protocol", "Protocol") }),
+            /* @__PURE__ */ jsx("input", { type: "text", className: "w-full rounded-md border px-3 py-2 text-sm bg-muted", value: config.protocol.toUpperCase(), disabled: true })
+          ] }),
+          /* @__PURE__ */ jsxs("div", { children: [
+            /* @__PURE__ */ jsx("label", { className: "block text-sm font-medium mb-1", children: t("sso.admin.field.issuer", "Issuer URL") }),
+            /* @__PURE__ */ jsx(
+              "input",
+              {
+                type: "url",
+                className: "w-full rounded-md border px-3 py-2 text-sm",
+                value: issuer,
+                onChange: (e) => setIssuer(e.target.value)
+              }
+            )
+          ] }),
+          /* @__PURE__ */ jsxs("div", { children: [
+            /* @__PURE__ */ jsx("label", { className: "block text-sm font-medium mb-1", children: t("sso.admin.field.clientId", "Client ID") }),
+            /* @__PURE__ */ jsx(
+              "input",
+              {
+                type: "text",
+                className: "w-full rounded-md border px-3 py-2 text-sm",
+                value: clientId,
+                onChange: (e) => setClientId(e.target.value)
+              }
+            )
+          ] }),
+          /* @__PURE__ */ jsxs("div", { children: [
+            /* @__PURE__ */ jsx("label", { className: "block text-sm font-medium mb-1", children: t("sso.admin.field.clientSecret", "Client Secret") }),
+            config.hasClientSecret && !showSecretField ? /* @__PURE__ */ jsxs("div", { className: "flex items-center gap-2", children: [
+              /* @__PURE__ */ jsx("span", { className: "text-sm text-muted-foreground", children: t("sso.admin.field.secretSet", "Client secret is configured") }),
+              /* @__PURE__ */ jsx(Button, { type: "button", variant: "outline", size: "sm", onClick: () => setShowSecretField(true), children: t("sso.admin.field.changeSecret", "Change") })
+            ] }) : /* @__PURE__ */ jsx(
+              "input",
+              {
+                type: "password",
+                className: "w-full rounded-md border px-3 py-2 text-sm",
+                value: newClientSecret,
+                onChange: (e) => setNewClientSecret(e.target.value),
+                placeholder: config.hasClientSecret ? t("sso.admin.field.secretPlaceholder", "Enter new secret to replace existing") : t("sso.admin.field.secretRequired", "Enter client secret")
+              }
+            )
+          ] }),
+          /* @__PURE__ */ jsxs("div", { className: "space-y-3 pt-2", children: [
+            /* @__PURE__ */ jsxs("label", { className: "flex items-center gap-3", children: [
+              /* @__PURE__ */ jsx(
+                "input",
+                {
+                  type: "checkbox",
+                  checked: jitEnabled,
+                  onChange: (e) => setJitEnabled(e.target.checked),
+                  disabled: config.hasActiveScimTokens,
+                  className: "accent-primary"
+                }
+              ),
+              /* @__PURE__ */ jsxs("div", { children: [
+                /* @__PURE__ */ jsx("span", { className: "text-sm font-medium", children: t("sso.admin.field.jitEnabled", "Just-in-Time Provisioning") }),
+                /* @__PURE__ */ jsx("span", { className: "text-xs text-muted-foreground ml-2", children: config.hasActiveScimTokens ? t("sso.admin.field.jitDisabledByScim", "Unavailable \u2014 SCIM directory sync is active. Revoke SCIM tokens to enable JIT.") : t("sso.admin.field.jitEnabledDesc", "Automatically create user accounts on first SSO login") })
+              ] })
+            ] }),
+            /* @__PURE__ */ jsxs("label", { className: "flex items-center gap-3", children: [
+              /* @__PURE__ */ jsx(
+                "input",
+                {
+                  type: "checkbox",
+                  checked: autoLinkByEmail,
+                  onChange: (e) => setAutoLinkByEmail(e.target.checked),
+                  className: "accent-primary"
+                }
+              ),
+              /* @__PURE__ */ jsxs("div", { children: [
+                /* @__PURE__ */ jsx("span", { className: "text-sm font-medium", children: t("sso.admin.field.autoLinkByEmail", "Auto-link by Email") }),
+                /* @__PURE__ */ jsx("span", { className: "text-xs text-muted-foreground ml-2", children: t("sso.admin.field.autoLinkByEmailDesc", "Automatically link existing users by matching email address") })
+              ] })
+            ] })
+          ] }),
+          /* @__PURE__ */ jsx("div", { className: "pt-4", children: /* @__PURE__ */ jsx(Button, { onClick: handleSave, disabled: isSaving, children: isSaving ? t("common.saving", "Saving...") : t("common.save", "Save") }) })
+        ] })
+      ] }),
+      activeTab === "domains" && /* @__PURE__ */ jsxs("div", { className: "rounded-lg border bg-card p-4", children: [
+        /* @__PURE__ */ jsx("h2", { className: "mb-4 text-sm font-semibold uppercase text-muted-foreground", children: t("sso.admin.section.allowedDomains", "Allowed Domains") }),
+        /* @__PURE__ */ jsx("p", { className: "text-sm text-muted-foreground mb-4", children: t("sso.admin.wizard.domains.description", "Users with email addresses matching these domains will be redirected to your SSO provider.") }),
+        /* @__PURE__ */ jsxs("div", { className: "flex items-center gap-2 mb-4", children: [
+          /* @__PURE__ */ jsx(
+            "input",
+            {
+              type: "text",
+              className: "flex-1 rounded-md border px-3 py-2 text-sm",
+              placeholder: t("sso.admin.wizard.domains.placeholder", "example.com"),
+              value: domainInput,
+              onChange: (e) => {
+                setDomainInput(e.target.value);
+                setDomainError("");
+              },
+              onKeyDown: (e) => {
+                if (e.key === "Enter") {
+                  e.preventDefault();
+                  handleAddDomain();
+                }
+              }
+            }
+          ),
+          /* @__PURE__ */ jsx(Button, { type: "button", variant: "outline", onClick: handleAddDomain, children: t("common.add", "Add") })
+        ] }),
+        domainError && /* @__PURE__ */ jsx("p", { className: "text-sm text-destructive mb-2", children: domainError }),
+        config.allowedDomains.length > 0 ? /* @__PURE__ */ jsx("div", { className: "space-y-2", children: config.allowedDomains.map((domain) => /* @__PURE__ */ jsxs("div", { className: "flex items-center justify-between p-3 border rounded-md", children: [
+          /* @__PURE__ */ jsx("code", { className: "text-sm font-mono", children: domain }),
+          /* @__PURE__ */ jsx(Button, { type: "button", variant: "ghost", size: "sm", onClick: () => handleRemoveDomain(domain), children: t("common.remove", "Remove") })
+        ] }, domain)) }) : /* @__PURE__ */ jsx("p", { className: "text-sm text-muted-foreground py-4 text-center", children: t("sso.admin.domains.empty", "No domains configured. Add at least one domain before activating SSO.") })
+      ] }),
+      activeTab === "roles" && config && /* @__PURE__ */ jsx("div", { className: "rounded-lg border bg-card p-4", children: /* @__PURE__ */ jsx(
+        RoleMappingsTab,
+        {
+          configId,
+          appRoleMappings: config.appRoleMappings ?? {},
+          onSaved: fetchConfig,
+          runMutationWithContext
+        }
+      ) }),
+      activeTab === "scim" && /* @__PURE__ */ jsx("div", { className: "rounded-lg border bg-card p-4", children: /* @__PURE__ */ jsx(ScimProvisioningTab, { configId, jitEnabled: config.jitEnabled, issuer: config.issuer ?? void 0, onProvisioningChange: fetchConfig, runMutationWithContext }) }),
+      activeTab === "activity" && /* @__PURE__ */ jsx("div", { className: "rounded-lg border bg-card p-4", children: /* @__PURE__ */ jsx(SsoActivityTab, { configId }) })
+    ] }),
+    ConfirmDialogElement
+  ] }) });
+}
+function RoleMappingsTab({
+  configId,
+  appRoleMappings,
+  onSaved,
+  runMutationWithContext
+}) {
+  const t = useT();
+  const [mappings, setMappings] = React.useState(appRoleMappings);
+  const [idpRoleInput, setIdpRoleInput] = React.useState("");
+  const [localRoleInput, setLocalRoleInput] = React.useState("");
+  const [roleOptions, setRoleOptions] = React.useState([]);
+  const [isSaving, setIsSaving] = React.useState(false);
+  const [inputError, setInputError] = React.useState("");
+  React.useEffect(() => {
+    setMappings(appRoleMappings);
+  }, [appRoleMappings]);
+  React.useEffect(() => {
+    const loadRoles = async () => {
+      const call = await apiCall(
+        "/api/auth/roles?page=1&pageSize=50",
+        void 0,
+        { fallback: { items: [] } }
+      );
+      if (call.ok && Array.isArray(call.result?.items)) {
+        const options = call.result.items.map((item) => {
+          const name = typeof item?.name === "string" ? item.name.trim() : "";
+          if (!name || name === "superadmin") return null;
+          return { value: name, label: name };
+        }).filter((opt) => !!opt);
+        setRoleOptions(options);
+        if (options.length > 0 && !localRoleInput) {
+          setLocalRoleInput(options[0].value);
+        }
+      }
+    };
+    loadRoles();
+  }, []);
+  const handleAdd = () => {
+    const trimmed = idpRoleInput.trim();
+    if (!trimmed) {
+      setInputError(t("sso.admin.roles.error.emptyIdpRole", "IdP role name is required"));
+      return;
+    }
+    if (!localRoleInput) {
+      setInputError(t("sso.admin.roles.error.emptyLocalRole", "Select a local role"));
+      return;
+    }
+    if (mappings[trimmed]) {
+      setInputError(t("sso.admin.roles.error.duplicate", "This IdP role is already mapped"));
+      return;
+    }
+    setMappings({ ...mappings, [trimmed]: localRoleInput });
+    setIdpRoleInput("");
+    setInputError("");
+  };
+  const handleRemove = (idpRole) => {
+    const updated = { ...mappings };
+    delete updated[idpRole];
+    setMappings(updated);
+  };
+  const handleSave = async () => {
+    setIsSaving(true);
+    try {
+      await runMutationWithContext(
+        () => apiCallOrThrow(
+          `/api/sso/config/${configId}`,
+          {
+            method: "PUT",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ appRoleMappings: mappings })
+          },
+          { errorMessage: t("sso.admin.roles.error.saveFailed", "Failed to save role mappings") }
+        ),
+        { appRoleMappings: mappings }
+      );
+      flash(t("sso.admin.roles.saved", "Role mappings saved"), "success");
+      onSaved();
+    } catch {
+    } finally {
+      setIsSaving(false);
+    }
+  };
+  const mappingEntries = Object.entries(mappings);
+  return /* @__PURE__ */ jsxs("div", { children: [
+    /* @__PURE__ */ jsx("p", { className: "text-sm text-muted-foreground mb-4", children: t("sso.admin.roles.description", "Map IdP app role names to local roles. On each SSO login, SSO-sourced roles are synced \u2014 roles no longer sent by the IdP are removed, while manually-assigned roles are preserved.") }),
+    /* @__PURE__ */ jsxs("div", { className: "flex items-end gap-2 mb-4", children: [
+      /* @__PURE__ */ jsxs("div", { className: "flex-1", children: [
+        /* @__PURE__ */ jsx("label", { className: "block text-xs font-medium mb-1", children: t("sso.admin.roles.idpRole", "IdP Role Name") }),
+        /* @__PURE__ */ jsx(
+          "input",
+          {
+            type: "text",
+            className: "w-full rounded-md border px-3 py-2 text-sm",
+            placeholder: t("sso.admin.roles.idpRolePlaceholder", "e.g. OpenMercato.Admin"),
+            value: idpRoleInput,
+            onChange: (e) => {
+              setIdpRoleInput(e.target.value);
+              setInputError("");
+            },
+            onKeyDown: (e) => {
+              if (e.key === "Enter") {
+                e.preventDefault();
+                handleAdd();
+              }
+            }
+          }
+        )
+      ] }),
+      /* @__PURE__ */ jsxs("div", { className: "flex-1", children: [
+        /* @__PURE__ */ jsx("label", { className: "block text-xs font-medium mb-1", children: t("sso.admin.roles.localRole", "Local Role") }),
+        /* @__PURE__ */ jsx(
+          "select",
+          {
+            className: "w-full rounded-md border px-3 py-2 text-sm bg-background",
+            value: localRoleInput,
+            onChange: (e) => setLocalRoleInput(e.target.value),
+            children: roleOptions.map((opt) => /* @__PURE__ */ jsx("option", { value: opt.value, children: opt.label }, opt.value))
+          }
+        )
+      ] }),
+      /* @__PURE__ */ jsx(Button, { variant: "outline", onClick: handleAdd, children: t("common.add", "Add") })
+    ] }),
+    inputError && /* @__PURE__ */ jsx("p", { className: "text-sm text-destructive mb-2", children: inputError }),
+    mappingEntries.length > 0 ? /* @__PURE__ */ jsx("div", { className: "space-y-2 mb-4", children: mappingEntries.map(([idpRole, localRole]) => /* @__PURE__ */ jsxs("div", { className: "flex items-center justify-between p-3 border rounded-md", children: [
+      /* @__PURE__ */ jsxs("div", { className: "flex items-center gap-2", children: [
+        /* @__PURE__ */ jsx("code", { className: "text-sm font-mono", children: idpRole }),
+        /* @__PURE__ */ jsx("span", { className: "text-muted-foreground text-sm", children: "\u2192" }),
+        /* @__PURE__ */ jsx("span", { className: "text-sm font-medium", children: localRole })
+      ] }),
+      /* @__PURE__ */ jsx(Button, { variant: "ghost", size: "sm", onClick: () => handleRemove(idpRole), children: t("common.remove", "Remove") })
+    ] }, idpRole)) }) : /* @__PURE__ */ jsx("p", { className: "text-sm text-muted-foreground py-4 text-center mb-4", children: t("sso.admin.roles.empty", "No role mappings configured. IdP role names will be matched directly against local role names.") }),
+    /* @__PURE__ */ jsx(Button, { onClick: handleSave, disabled: isSaving, children: isSaving ? t("common.saving", "Saving...") : t("common.save", "Save") })
+  ] });
+}
+function ScimProvisioningTab({ configId, jitEnabled, issuer, onProvisioningChange, runMutationWithContext }) {
+  const isGoogleProvider = issuer?.includes("accounts.google.com") === true;
+  const t = useT();
+  const { confirm, ConfirmDialogElement } = useConfirmDialog();
+  const [tokens, setTokens] = React.useState([]);
+  const [logs, setLogs] = React.useState([]);
+  const [isLoading, setIsLoading] = React.useState(true);
+  const [showCreateForm, setShowCreateForm] = React.useState(false);
+  const [tokenName, setTokenName] = React.useState("");
+  const [isCreating, setIsCreating] = React.useState(false);
+  const [newlyCreatedToken, setNewlyCreatedToken] = React.useState(null);
+  const fetchData = React.useCallback(async () => {
+    setIsLoading(true);
+    const [tokensCall, logsCall] = await Promise.all([
+      apiCall(`/api/sso/scim/tokens?ssoConfigId=${configId}`),
+      apiCall(`/api/sso/scim/logs?ssoConfigId=${configId}`)
+    ]);
+    if (tokensCall.ok && tokensCall.result) setTokens(tokensCall.result.items);
+    if (logsCall.ok && logsCall.result) setLogs(logsCall.result.items);
+    setIsLoading(false);
+  }, [configId]);
+  React.useEffect(() => {
+    fetchData();
+  }, [fetchData]);
+  const handleCreateToken = async () => {
+    if (!tokenName.trim()) return;
+    setIsCreating(true);
+    try {
+      const result = await runMutationWithContext(
+        () => apiCallOrThrow(
+          "/api/sso/scim/tokens",
+          {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ ssoConfigId: configId, name: tokenName.trim() })
+          },
+          { errorMessage: t("sso.admin.scim.error.createFailed", "Failed to create SCIM token") }
+        ),
+        { ssoConfigId: configId, name: tokenName.trim() }
+      );
+      if (result.result) {
+        setNewlyCreatedToken(result.result.token);
+        setShowCreateForm(false);
+        setTokenName("");
+        fetchData();
+        onProvisioningChange();
+      }
+    } catch {
+    } finally {
+      setIsCreating(false);
+    }
+  };
+  const handleRevokeToken = async (tokenId) => {
+    const confirmed = await confirm({
+      title: t("sso.admin.scim.revoke.title", "Revoke Token"),
+      text: t("sso.admin.scim.revoke.confirm", "Are you sure? This token will no longer authenticate SCIM requests."),
+      confirmText: t("sso.admin.scim.revoke.action", "Revoke"),
+      variant: "destructive"
+    });
+    if (!confirmed) return;
+    try {
+      await runMutationWithContext(
+        () => apiCallOrThrow(`/api/sso/scim/tokens/${tokenId}`, { method: "DELETE" }, {
+          errorMessage: t("sso.admin.scim.error.revokeFailed", "Failed to revoke token")
+        }),
+        { tokenId }
+      );
+      flash(t("sso.admin.scim.revoked", "Token revoked"), "success");
+      fetchData();
+      onProvisioningChange();
+    } catch {
+    }
+  };
+  const handleCopyEndpoint = () => {
+    const url = `${window.location.origin}/api/sso/scim/v2`;
+    navigator.clipboard.writeText(url).then(() => {
+      flash(t("sso.admin.scim.endpointCopied", "SCIM endpoint URL copied"), "success");
+    });
+  };
+  const handleCopyToken = () => {
+    if (!newlyCreatedToken) return;
+    navigator.clipboard.writeText(newlyCreatedToken).then(() => {
+      flash(t("sso.admin.scim.tokenCopied", "Token copied to clipboard"), "success");
+    });
+  };
+  if (isLoading) return /* @__PURE__ */ jsx(LoadingMessage, { label: t("common.loading", "Loading...") });
+  return /* @__PURE__ */ jsxs("div", { className: "space-y-6", children: [
+    isGoogleProvider && /* @__PURE__ */ jsx("div", { className: "rounded-lg border border-blue-200 bg-blue-50 p-4", children: /* @__PURE__ */ jsx("p", { className: "text-sm text-blue-900", children: t("sso.admin.scim.googleNotSupported", "Google Workspace does not support SCIM provisioning. Users are provisioned via Just-In-Time (JIT) on first login.") }) }),
+    !isGoogleProvider && jitEnabled && /* @__PURE__ */ jsx("div", { className: "rounded-lg border border-amber-200 bg-amber-50 p-4", children: /* @__PURE__ */ jsx("p", { className: "text-sm text-amber-900", children: t("sso.admin.scim.jitActiveWarning", "SCIM provisioning is unavailable while JIT provisioning is enabled. Disable JIT in the General tab to configure SCIM.") }) }),
+    isGoogleProvider ? null : /* @__PURE__ */ jsxs(Fragment, { children: [
+      /* @__PURE__ */ jsxs("div", { children: [
+        /* @__PURE__ */ jsx("h3", { className: "text-sm font-medium mb-2", children: t("sso.admin.scim.endpointUrl", "SCIM Endpoint URL") }),
+        /* @__PURE__ */ jsxs("div", { className: "flex items-center gap-2", children: [
+          /* @__PURE__ */ jsx("code", { className: "flex-1 rounded-md border bg-muted px-3 py-2 text-sm font-mono", children: typeof window !== "undefined" ? `${window.location.origin}/api/sso/scim/v2` : "/api/sso/scim/v2" }),
+          /* @__PURE__ */ jsx(Button, { variant: "outline", size: "sm", onClick: handleCopyEndpoint, children: t("common.copy", "Copy") })
+        ] })
+      ] }),
+      newlyCreatedToken && /* @__PURE__ */ jsxs("div", { className: "rounded-lg border border-amber-200 bg-amber-50 p-4", children: [
+        /* @__PURE__ */ jsx("p", { className: "text-sm font-medium text-amber-900 mb-2", children: t("sso.admin.scim.tokenCreated", "Your SCIM token has been created. Copy it now \u2014 it will not be shown again.") }),
+        /* @__PURE__ */ jsxs("div", { className: "flex items-center gap-2 mb-2", children: [
+          /* @__PURE__ */ jsx("code", { className: "flex-1 rounded-md border bg-white px-3 py-2 text-xs font-mono break-all", children: newlyCreatedToken }),
+          /* @__PURE__ */ jsx(Button, { variant: "outline", size: "sm", onClick: handleCopyToken, children: t("common.copy", "Copy") })
+        ] }),
+        /* @__PURE__ */ jsx(Button, { variant: "ghost", size: "sm", onClick: () => setNewlyCreatedToken(null), children: t("common.dismiss", "Dismiss") })
+      ] }),
+      /* @__PURE__ */ jsxs("div", { children: [
+        /* @__PURE__ */ jsxs("div", { className: "flex items-center justify-between mb-3", children: [
+          /* @__PURE__ */ jsx("h3", { className: "text-sm font-medium", children: t("sso.admin.scim.tokens", "Bearer Tokens") }),
+          !showCreateForm && /* @__PURE__ */ jsx(Button, { variant: "outline", size: "sm", onClick: () => setShowCreateForm(true), disabled: jitEnabled, children: t("sso.admin.scim.generateToken", "Generate Token") })
+        ] }),
+        showCreateForm && /* @__PURE__ */ jsxs("div", { className: "flex items-center gap-2 mb-4", children: [
+          /* @__PURE__ */ jsx(
+            "input",
+            {
+              type: "text",
+              className: "flex-1 rounded-md border px-3 py-2 text-sm",
+              placeholder: t("sso.admin.scim.tokenNamePlaceholder", "Token name (e.g., Entra ID Production)"),
+              value: tokenName,
+              onChange: (e) => setTokenName(e.target.value),
+              onKeyDown: (e) => {
+                if (e.key === "Enter") {
+                  e.preventDefault();
+                  handleCreateToken();
+                }
+              },
+              autoFocus: true
+            }
+          ),
+          /* @__PURE__ */ jsx(Button, { size: "sm", onClick: handleCreateToken, disabled: isCreating || !tokenName.trim(), children: isCreating ? t("common.creating", "Creating...") : t("common.create", "Create") }),
+          /* @__PURE__ */ jsx(Button, { variant: "ghost", size: "sm", onClick: () => {
+            setShowCreateForm(false);
+            setTokenName("");
+          }, children: t("common.cancel", "Cancel") })
+        ] }),
+        tokens.length === 0 ? /* @__PURE__ */ jsx("div", { className: "text-center py-8 border rounded-md", children: /* @__PURE__ */ jsx("p", { className: "text-sm text-muted-foreground", children: t("sso.admin.scim.noTokens", "SCIM provisioning is not configured. Generate a bearer token to enable your identity provider to sync users automatically.") }) }) : /* @__PURE__ */ jsx("div", { className: "space-y-2", children: tokens.map((token) => /* @__PURE__ */ jsxs("div", { className: "flex items-center justify-between p-3 border rounded-md", children: [
+          /* @__PURE__ */ jsxs("div", { className: "flex items-center gap-3", children: [
+            /* @__PURE__ */ jsxs("div", { children: [
+              /* @__PURE__ */ jsx("span", { className: "text-sm font-medium", children: token.name }),
+              /* @__PURE__ */ jsxs("span", { className: "text-xs text-muted-foreground ml-2 font-mono", children: [
+                token.tokenPrefix,
+                "..."
+              ] })
+            ] }),
+            /* @__PURE__ */ jsx("span", { className: `inline-flex items-center rounded-full px-2 py-0.5 text-xs font-medium ${token.isActive ? "bg-green-50 text-green-700" : "bg-gray-100 text-gray-500"}`, children: token.isActive ? t("sso.admin.scim.tokenActive", "Active") : t("sso.admin.scim.tokenRevoked", "Revoked") })
+          ] }),
+          /* @__PURE__ */ jsxs("div", { className: "flex items-center gap-2", children: [
+            /* @__PURE__ */ jsx("span", { className: "text-xs text-muted-foreground", children: new Date(token.createdAt).toLocaleDateString() }),
+            token.isActive && /* @__PURE__ */ jsx(Button, { variant: "ghost", size: "sm", onClick: () => handleRevokeToken(token.id), className: "text-destructive", children: t("sso.admin.scim.revoke.action", "Revoke") })
+          ] })
+        ] }, token.id)) })
+      ] }),
+      logs.length > 0 && /* @__PURE__ */ jsxs("div", { children: [
+        /* @__PURE__ */ jsx("h3", { className: "text-sm font-medium mb-3", children: t("sso.admin.scim.recentActivity", "Recent Provisioning Activity") }),
+        /* @__PURE__ */ jsx("div", { className: "border rounded-md overflow-hidden", children: /* @__PURE__ */ jsxs("table", { className: "w-full text-sm", children: [
+          /* @__PURE__ */ jsx("thead", { className: "bg-muted/50", children: /* @__PURE__ */ jsxs("tr", { children: [
+            /* @__PURE__ */ jsx("th", { className: "text-left px-3 py-2 font-medium", children: t("sso.admin.scim.log.time", "Time") }),
+            /* @__PURE__ */ jsx("th", { className: "text-left px-3 py-2 font-medium", children: t("sso.admin.scim.log.operation", "Operation") }),
+            /* @__PURE__ */ jsx("th", { className: "text-left px-3 py-2 font-medium", children: t("sso.admin.scim.log.resource", "Resource") }),
+            /* @__PURE__ */ jsx("th", { className: "text-left px-3 py-2 font-medium", children: t("sso.admin.scim.log.status", "Status") }),
+            /* @__PURE__ */ jsx("th", { className: "text-left px-3 py-2 font-medium", children: t("sso.admin.scim.log.error", "Error") })
+          ] }) }),
+          /* @__PURE__ */ jsx("tbody", { children: logs.map((log) => /* @__PURE__ */ jsxs("tr", { className: "border-t", children: [
+            /* @__PURE__ */ jsx("td", { className: "px-3 py-2 text-xs text-muted-foreground whitespace-nowrap", children: new Date(log.createdAt).toLocaleString() }),
+            /* @__PURE__ */ jsx("td", { className: "px-3 py-2", children: /* @__PURE__ */ jsx("span", { className: "inline-flex items-center rounded px-1.5 py-0.5 text-xs font-medium bg-muted", children: log.operation }) }),
+            /* @__PURE__ */ jsx("td", { className: "px-3 py-2 text-xs", children: log.resourceType }),
+            /* @__PURE__ */ jsx("td", { className: "px-3 py-2", children: /* @__PURE__ */ jsx("span", { className: `text-xs font-medium ${log.responseStatus < 300 ? "text-green-700" : "text-red-600"}`, children: log.responseStatus }) }),
+            /* @__PURE__ */ jsx("td", { className: "px-3 py-2 text-xs text-muted-foreground truncate max-w-[200px]", children: log.errorMessage || "\u2014" })
+          ] }, log.id)) })
+        ] }) })
+      ] })
+    ] }),
+    ConfirmDialogElement
+  ] });
+}
+function SsoActivityTab({ configId }) {
+  const t = useT();
+  const [identities, setIdentities] = React.useState([]);
+  const [isLoading, setIsLoading] = React.useState(true);
+  React.useEffect(() => {
+    const load = async () => {
+      setIsLoading(true);
+      setIdentities([]);
+      setIsLoading(false);
+    };
+    load();
+  }, [configId]);
+  if (isLoading) return /* @__PURE__ */ jsx(LoadingMessage, { label: t("common.loading", "Loading...") });
+  if (identities.length === 0) {
+    return /* @__PURE__ */ jsx("div", { className: "text-center py-8", children: /* @__PURE__ */ jsx("p", { className: "text-sm text-muted-foreground", children: t("sso.admin.activity.empty", "No SSO login activity yet. Activity will appear here once users start logging in via SSO.") }) });
+  }
+  return /* @__PURE__ */ jsx("div", { className: "space-y-2", children: identities.map((identity) => /* @__PURE__ */ jsxs("div", { className: "flex items-center justify-between p-3 border rounded-md", children: [
+    /* @__PURE__ */ jsxs("div", { children: [
+      /* @__PURE__ */ jsx("span", { className: "text-sm font-medium", children: identity.idpEmail }),
+      identity.idpName && /* @__PURE__ */ jsxs("span", { className: "text-sm text-muted-foreground ml-2", children: [
+        "(",
+        identity.idpName,
+        ")"
+      ] })
+    ] }),
+    /* @__PURE__ */ jsx("span", { className: "text-xs text-muted-foreground", children: identity.lastLoginAt ? new Date(identity.lastLoginAt).toLocaleString() : "\u2014" })
+  ] }, identity.id)) });
+}
+export {
+  SsoConfigDetailPage as default
+};
+//# sourceMappingURL=page.js.map