@promptbook/cli 0.112.0-100 → 0.112.0-102

package/apps/agents-server/src/components/LoginForm/LoginForm.tsx

@@ -1,9 +1,9 @@
 'use client';
 
 import { loginAction } from '@/src/app/actions';
-import { KeyRound, Loader2, Lock, User } from 'lucide-react';
+import { Loader2, Lock, ShieldCheck, User } from 'lucide-react';
 import { SecretInput } from '@/src/components/SecretInput/SecretInput';
-import { usePathname, useRouter, useSearchParams } from 'next/navigation';
+import { useRouter } from 'next/navigation';
 import { useCallback, useEffect, useState } from 'react';
 import { ForgottenPasswordDialog } from '../ForgottenPasswordDialog/ForgottenPasswordDialog';
 import { RegisterUserDialog } from '../RegisterUserDialog/RegisterUserDialog';
@@ -36,43 +36,11 @@ type LoginFormProps = {
 };
 
 /**
- * Authentication-method payload returned by `/api/auth/methods`.
+ * Public Shibboleth status returned by the login status endpoint.
  */
-type AuthenticationMethodsResponse = {
-    /**
-     * Enabled authentication methods.
-     */
-    readonly methods?: ReadonlyArray<string>;
-    /**
-     * Shibboleth login metadata.
-     */
-    readonly shibboleth?: {
-        readonly isEnabled?: boolean;
-        readonly providerLabel?: string;
-        readonly loginUrl?: string;
-    };
-};
-
-/**
- * Client-side state describing visible login methods.
- */
-type LoginMethodState = {
-    /**
-     * Whether password login should be shown.
-     */
-    readonly isPasswordEnabled: boolean;
-    /**
-     * Whether Shibboleth login should be shown.
-     */
-    readonly isShibbolethEnabled: boolean;
-    /**
-     * User-facing Shibboleth provider label.
-     */
-    readonly shibbolethProviderLabel: string;
-    /**
-     * Route that starts Shibboleth authentication.
-     */
-    readonly shibbolethLoginUrl: string;
+type ShibbolethLoginStatus = {
+    readonly isActive: boolean;
+    readonly isConfigured: boolean;
 };
 
 /**
@@ -86,21 +54,11 @@ export function LoginForm(props: LoginFormProps) {
     const [adminEmail, setAdminEmail] = useState<string>('support@ptbk.io');
     const [isForgottenPasswordOpen, setIsForgottenPasswordOpen] = useState(false);
     const [isRegisterUserOpen, setIsRegisterUserOpen] = useState(false);
+    const [shibbolethLoginStatus, setShibbolethLoginStatus] = useState<ShibbolethLoginStatus | null>(null);
     const [username, setUsername] = useState('');
     const [password, setPassword] = useState('');
-    const [loginMethods, setLoginMethods] = useState<LoginMethodState>({
-        isPasswordEnabled: true,
-        isShibbolethEnabled: false,
-        shibbolethProviderLabel: 'Shibboleth',
-        shibbolethLoginUrl: '/api/auth/shibboleth/login',
-    });
     const hasUnsavedChanges = username.length > 0 || password.length > 0;
     const router = useRouter();
-    const pathname = usePathname();
-    const searchParams = useSearchParams();
-    const search = searchParams?.toString();
-    const redirectTo = `${pathname || '/'}${search ? `?${search}` : ''}`;
-    const shibbolethLoginHref = `${loginMethods.shibbolethLoginUrl}?redirectTo=${encodeURIComponent(redirectTo)}`;
 
     useEffect(() => {
         // Fetch admin email on component mount
@@ -118,20 +76,13 @@ export function LoginForm(props: LoginFormProps) {
     }, []);
 
     useEffect(() => {
-        fetch('/api/auth/methods')
+        fetch('/api/auth/shibboleth/status')
             .then((response) => response.json())
-            .then((data: AuthenticationMethodsResponse) => {
-                const methods = data.methods || ['PASSWORD'];
-
-                setLoginMethods({
-                    isPasswordEnabled: methods.includes('PASSWORD'),
-                    isShibbolethEnabled: Boolean(data.shibboleth?.isEnabled),
-                    shibbolethProviderLabel: data.shibboleth?.providerLabel || 'Shibboleth',
-                    shibbolethLoginUrl: data.shibboleth?.loginUrl || '/api/auth/shibboleth/login',
-                });
+            .then((data: ShibbolethLoginStatus) => {
+                setShibbolethLoginStatus(data);
             })
             .catch((error) => {
-                console.error('Failed to fetch authentication methods:', error);
+                console.error('Failed to fetch Shibboleth status:', error);
             });
     }, []);
 
@@ -180,105 +131,105 @@ export function LoginForm(props: LoginFormProps) {
         [onSuccess, refreshAfterSuccess, router, t],
     );
 
+    /**
+     * Starts Shibboleth login while preserving the current page as RelayState.
+     */
+    const handleShibbolethLogin = useCallback(() => {
+        const returnTo =
+            typeof window === 'undefined'
+                ? '/'
+                : `${window.location.pathname}${window.location.search}${window.location.hash}`;
+        window.location.href = `/api/auth/shibboleth/login?returnTo=${encodeURIComponent(returnTo)}`;
+    }, []);
+
     return (
         <form onSubmit={handleSubmit} className={`space-y-4 ${className || ''}`}>
-            {loginMethods.isShibbolethEnabled && (
-                <a
-                    href={shibbolethLoginHref}
-                    className="w-full inline-flex items-center justify-center rounded-md text-sm font-medium h-10 px-4 py-2 border border-gray-300 bg-white text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-promptbook-blue focus:ring-offset-2 transition-colors"
-                >
-                    <KeyRound className="mr-2 w-4 h-4" />
-                    {t('login.shibbolethAction', { provider: loginMethods.shibbolethProviderLabel })}
-                </a>
-            )}
-
-            {loginMethods.isPasswordEnabled && loginMethods.isShibbolethEnabled && (
-                <div className="flex items-center gap-3 text-xs font-semibold uppercase text-gray-400">
-                    <span className="h-px flex-1 bg-gray-200" />
-                    <span>{t('login.methodDivider')}</span>
-                    <span className="h-px flex-1 bg-gray-200" />
+            <div className="space-y-2">
+                <label htmlFor="username" className="text-sm font-medium text-gray-700 block">
+                    {t('login.usernameLabel')}
+                </label>
+                <div className="relative">
+                    <div className="absolute inset-y-0 left-0 pl-3 flex items-center pointer-events-none text-gray-400">
+                        <User className="w-4 h-4" />
+                    </div>
+                    <input
+                        id="username"
+                        name="username"
+                        type="text"
+                        value={username}
+                        onChange={(event) => setUsername(event.target.value)}
+                        required
+                        className="block w-full pl-10 h-10 rounded-md border border-gray-300 bg-white px-3 py-2 text-sm placeholder-gray-400 focus:outline-none focus:ring-2 focus:ring-promptbook-blue focus:border-transparent disabled:opacity-50"
+                        placeholder={t('login.usernamePlaceholder')}
+                    />
                 </div>
+            </div>
+
+            <div className="space-y-2">
+                <SecretInput
+                    id="password"
+                    name="password"
+                    value={password}
+                    onChange={(event) => setPassword(event.target.value)}
+                    label={t('login.passwordLabel')}
+                    placeholder={t('login.passwordPlaceholder')}
+                    required
+                    startIcon={<Lock className="w-4 h-4" />}
+                />
+            </div>
+
+            {error && (
+                <div className="p-3 text-sm text-red-500 bg-red-50 border border-red-200 rounded-md">{error}</div>
             )}
 
-            {loginMethods.isPasswordEnabled && (
-                <>
-                    <div className="space-y-2">
-                        <label htmlFor="username" className="text-sm font-medium text-gray-700 block">
-                            {t('login.usernameLabel')}
-                        </label>
-                        <div className="relative">
-                            <div className="absolute inset-y-0 left-0 pl-3 flex items-center pointer-events-none text-gray-400">
-                                <User className="w-4 h-4" />
-                            </div>
-                            <input
-                                id="username"
-                                name="username"
-                                type="text"
-                                value={username}
-                                onChange={(event) => setUsername(event.target.value)}
-                                required
-                                className="block w-full pl-10 h-10 rounded-md border border-gray-300 bg-white px-3 py-2 text-sm placeholder-gray-400 focus:outline-none focus:ring-2 focus:ring-promptbook-blue focus:border-transparent disabled:opacity-50"
-                                placeholder={t('login.usernamePlaceholder')}
-                            />
-                        </div>
-                    </div>
-
-                    <div className="space-y-2">
-                        <SecretInput
-                            id="password"
-                            name="password"
-                            value={password}
-                            onChange={(event) => setPassword(event.target.value)}
-                            label={t('login.passwordLabel')}
-                            placeholder={t('login.passwordPlaceholder')}
-                            required
-                            startIcon={<Lock className="w-4 h-4" />}
-                        />
-                    </div>
-
-                    {error && (
-                        <div className="p-3 text-sm text-red-500 bg-red-50 border border-red-200 rounded-md">
-                            {error}
-                        </div>
-                    )}
-
+            <button
+                type="submit"
+                disabled={isLoading}
+                className="w-full inline-flex items-center justify-center rounded-md text-sm font-medium h-10 px-4 py-2 bg-promptbook-blue-dark text-white hover:bg-promptbook-blue-dark/90 focus:outline-none focus:ring-2 focus:ring-promptbook-blue focus:ring-offset-2 disabled:opacity-50 disabled:pointer-events-none transition-colors"
+            >
+                {isLoading ? (
+                    <>
+                        <Loader2 className="mr-2 w-4 h-4 animate-spin" />
+                        {t('login.loggingIn')}
+                    </>
+                ) : (
+                    t('login.loginAction')
+                )}
+            </button>
+
+            {shibbolethLoginStatus?.isActive && (
+                <div className="space-y-3 border-t border-gray-200 pt-4">
                     <button
-                        type="submit"
-                        disabled={isLoading}
-                        className="w-full inline-flex items-center justify-center rounded-md text-sm font-medium h-10 px-4 py-2 bg-promptbook-blue-dark text-white hover:bg-promptbook-blue-dark/90 focus:outline-none focus:ring-2 focus:ring-promptbook-blue focus:ring-offset-2 disabled:opacity-50 disabled:pointer-events-none transition-colors"
+                        type="button"
+                        disabled={!shibbolethLoginStatus.isConfigured}
+                        onClick={handleShibbolethLogin}
+                        className="w-full inline-flex items-center justify-center rounded-md text-sm font-medium h-10 px-4 py-2 border border-gray-300 bg-white text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-promptbook-blue focus:ring-offset-2 disabled:opacity-50 disabled:pointer-events-none transition-colors"
                     >
-                        {isLoading ? (
-                            <>
-                                <Loader2 className="mr-2 w-4 h-4 animate-spin" />
-                                {t('login.loggingIn')}
-                            </>
-                        ) : (
-                            t('login.loginAction')
-                        )}
+                        <ShieldCheck className="mr-2 w-4 h-4" />
+                        {t('login.shibbolethLoginAction')}
                     </button>
-
-                    <div className="flex justify-between text-sm">
-                        <button
-                            type="button"
-                            onClick={() => setIsForgottenPasswordOpen(true)}
-                            className="text-promptbook-blue hover:text-promptbook-blue-dark underline focus:outline-none focus:ring-2 focus:ring-promptbook-blue focus:ring-offset-2 rounded-sm"
-                        >
-                            {t('login.forgottenPassword')}
-                        </button>
-                        <button
-                            type="button"
-                            onClick={() => setIsRegisterUserOpen(true)}
-                            className="text-promptbook-blue hover:text-promptbook-blue-dark underline focus:outline-none focus:ring-2 focus:ring-promptbook-blue focus:ring-offset-2 rounded-sm"
-                        >
-                            {t('login.registerNewUser')}
-                        </button>
-                    </div>
-                </>
+                    {!shibbolethLoginStatus.isConfigured && (
+                        <p className="text-xs text-amber-700">{t('login.shibbolethNotConfigured')}</p>
+                    )}
+                </div>
             )}
 
-            {!loginMethods.isPasswordEnabled && error && (
-                <div className="p-3 text-sm text-red-500 bg-red-50 border border-red-200 rounded-md">{error}</div>
-            )}
+            <div className="flex justify-between text-sm">
+                <button
+                    type="button"
+                    onClick={() => setIsForgottenPasswordOpen(true)}
+                    className="text-promptbook-blue hover:text-promptbook-blue-dark underline focus:outline-none focus:ring-2 focus:ring-promptbook-blue focus:ring-offset-2 rounded-sm"
+                >
+                    {t('login.forgottenPassword')}
+                </button>
+                <button
+                    type="button"
+                    onClick={() => setIsRegisterUserOpen(true)}
+                    className="text-promptbook-blue hover:text-promptbook-blue-dark underline focus:outline-none focus:ring-2 focus:ring-promptbook-blue focus:ring-offset-2 rounded-sm"
+                >
+                    {t('login.registerNewUser')}
+                </button>
+            </div>
 
             {isForgottenPasswordOpen && (
                 <ForgottenPasswordDialog onClose={() => setIsForgottenPasswordOpen(false)} adminEmail={adminEmail} />

package/apps/agents-server/src/components/Skeleton/ConsolePageLoadingSkeleton.tsx

@@ -44,7 +44,7 @@ export function ConsolePageLoadingSkeleton({
     const normalizedPanelHeights = panelHeights.length > 0 ? panelHeights : DEFAULT_PANEL_HEIGHTS;
 
     return (
-        <div className="min-h-screen bg-gradient-to-br from-slate-50 via-white to-blue-50">
+        <div className="min-h-screen bg-gradient-to-br from-slate-50 via-white to-blue-50 dark:from-slate-950 dark:via-slate-950 dark:to-slate-900">
             <div
                 className={`mx-auto w-full px-4 py-8 sm:px-6 sm:py-10 ${maxWidthClassName}`}
                 role="status"

package/apps/agents-server/src/components/Skeleton/DocumentationRouteLoadingSkeleton.tsx

@@ -32,7 +32,7 @@ export function DocumentationRouteLoadingSkeleton({
     showSidebar = false,
 }: DocumentationRouteLoadingSkeletonProps) {
     return (
-        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50">
+        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50 dark:from-slate-950 dark:via-slate-950 dark:to-slate-900">
             <div
                 className="container mx-auto px-4 py-16"
                 role="status"

package/apps/agents-server/src/components/Skeleton/HomepageLoadingSkeleton.tsx

@@ -17,7 +17,7 @@ type HomepageLoadingSkeletonProps = {
  */
 export function HomepageLoadingSkeleton({ showGraphPlaceholder = true }: HomepageLoadingSkeletonProps) {
     return (
-        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50">
+        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50 dark:from-slate-950 dark:via-slate-950 dark:to-slate-900">
             <div
                 className="container mx-auto px-4 py-16"
                 role="status"

package/apps/agents-server/src/components/UsersList/UsersList.tsx

@@ -1,5 +1,6 @@
 'use client';
 
+import Link from 'next/link';
 import { FormEvent, useState } from 'react';
 import { Card } from '../Homepage/Card';
 import { Section } from '../Homepage/Section';
@@ -69,10 +70,25 @@ export function UsersList({ allowCreate = true }: UsersListProps) {
                         <div className="flex justify-between items-start">
                             <div>
                                 <h3 className="text-xl font-semibold text-gray-900">{user.username}</h3>
-                                {user.isAdmin && (
-                                    <span className="inline-block bg-blue-100 text-blue-800 text-xs px-2 py-1 rounded mt-1">
-                                        {t('users.adminRole')}
-                                    </span>
+                                <div className="mt-1 flex flex-wrap gap-2">
+                                    {user.isAdmin && (
+                                        <span className="inline-block bg-blue-100 text-blue-800 text-xs px-2 py-1 rounded">
+                                            {t('users.adminRole')}
+                                        </span>
+                                    )}
+                                    {user.authenticationProvider?.includes('SHIBBOLETH') && (
+                                        <Link
+                                            href="/admin/login-methods/shibboleth"
+                                            className="inline-block bg-emerald-100 text-emerald-800 text-xs px-2 py-1 rounded hover:bg-emerald-200"
+                                        >
+                                            Shibboleth
+                                        </Link>
+                                    )}
+                                </div>
+                                {(user.displayName || user.email) && (
+                                    <p className="text-gray-600 text-sm mt-2">
+                                        {[user.displayName, user.email].filter(Boolean).join(' / ')}
+                                    </p>
                                 )}
                                 <p className="text-gray-500 text-sm mt-2">
                                     {t('users.createdLabel')}: {new Date(user.createdAt).toLocaleDateString()}

package/apps/agents-server/src/components/UsersList/useUsersAdmin.ts

@@ -8,6 +8,9 @@ import { useServerLanguage } from '../ServerLanguage/ServerLanguageProvider';
 export type AdminUser = {
     id: number;
     username: string;
+    email?: string | null;
+    displayName?: string | null;
+    authenticationProvider?: string | null;
     createdAt: string;
     updatedAt: string;
     isAdmin: boolean;

package/apps/agents-server/src/constants/shibbolethAuth.ts

@@ -0,0 +1,139 @@
+/**
+ * Metadata key that enables Shibboleth authentication in Agents Server.
+ *
+ * @private internal Shibboleth authentication metadata key
+ */
+export const IS_SHIBBOLETH_AUTH_ACTIVE_METADATA_KEY = 'IS_SHIBBOLETH_AUTH_ACTIVE' as const;
+
+/**
+ * Metadata key containing a URL with the Identity Provider SAML metadata XML.
+ *
+ * @private internal Shibboleth authentication metadata key
+ */
+export const SHIBBOLETH_IDENTITY_PROVIDER_METADATA_URL_METADATA_KEY = 'SHIBBOLETH_IDP_METADATA_URL' as const;
+
+/**
+ * Metadata key containing pasted Identity Provider SAML metadata XML.
+ *
+ * @private internal Shibboleth authentication metadata key
+ */
+export const SHIBBOLETH_IDENTITY_PROVIDER_METADATA_XML_METADATA_KEY = 'SHIBBOLETH_IDP_METADATA_XML' as const;
+
+/**
+ * Metadata key overriding the Service Provider entity ID sent to the Shibboleth Identity Provider.
+ *
+ * @private internal Shibboleth authentication metadata key
+ */
+export const SHIBBOLETH_SERVICE_PROVIDER_ENTITY_ID_METADATA_KEY = 'SHIBBOLETH_SP_ENTITY_ID' as const;
+
+/**
+ * Metadata key defining accepted email attribute names.
+ *
+ * @private internal Shibboleth authentication metadata key
+ */
+export const SHIBBOLETH_EMAIL_ATTRIBUTE_NAMES_METADATA_KEY = 'SHIBBOLETH_EMAIL_ATTRIBUTE_NAMES' as const;
+
+/**
+ * Metadata key defining accepted display-name attribute names.
+ *
+ * @private internal Shibboleth authentication metadata key
+ */
+export const SHIBBOLETH_DISPLAY_NAME_ATTRIBUTE_NAMES_METADATA_KEY = 'SHIBBOLETH_DISPLAY_NAME_ATTRIBUTE_NAMES' as const;
+
+/**
+ * Metadata key defining accepted institutional identifier attribute names.
+ *
+ * @private internal Shibboleth authentication metadata key
+ */
+export const SHIBBOLETH_UNSTRUCTURED_NAME_ATTRIBUTE_NAMES_METADATA_KEY =
+    'SHIBBOLETH_UNSTRUCTURED_NAME_ATTRIBUTE_NAMES' as const;
+
+/**
+ * Default Shibboleth email attribute names accepted from SAML assertions.
+ *
+ * @private internal Shibboleth authentication metadata default
+ */
+export const DEFAULT_SHIBBOLETH_EMAIL_ATTRIBUTE_NAMES = 'mail email urn:oid:0.9.2342.19200300.100.1.3' as const;
+
+/**
+ * Default Shibboleth display-name attribute names accepted from SAML assertions.
+ *
+ * @private internal Shibboleth authentication metadata default
+ */
+export const DEFAULT_SHIBBOLETH_DISPLAY_NAME_ATTRIBUTE_NAMES = 'displayName urn:oid:2.16.840.1.113730.3.1.241' as const;
+
+/**
+ * Default Shibboleth institutional identifier attribute names accepted from SAML assertions.
+ *
+ * @private internal Shibboleth authentication metadata default
+ */
+export const DEFAULT_SHIBBOLETH_UNSTRUCTURED_NAME_ATTRIBUTE_NAMES =
+    'unstructuredName eduPersonPrincipalName urn:oid:1.3.6.1.4.1.5923.1.1.1.6 uid' as const;
+
+/**
+ * Metadata keys required by the Shibboleth authentication integration.
+ *
+ * @private internal Shibboleth authentication metadata key list
+ */
+export const SHIBBOLETH_AUTHENTICATION_METADATA_KEYS = [
+    IS_SHIBBOLETH_AUTH_ACTIVE_METADATA_KEY,
+    SHIBBOLETH_IDENTITY_PROVIDER_METADATA_URL_METADATA_KEY,
+    SHIBBOLETH_IDENTITY_PROVIDER_METADATA_XML_METADATA_KEY,
+    SHIBBOLETH_SERVICE_PROVIDER_ENTITY_ID_METADATA_KEY,
+    SHIBBOLETH_EMAIL_ATTRIBUTE_NAMES_METADATA_KEY,
+    SHIBBOLETH_DISPLAY_NAME_ATTRIBUTE_NAMES_METADATA_KEY,
+    SHIBBOLETH_UNSTRUCTURED_NAME_ATTRIBUTE_NAMES_METADATA_KEY,
+] as const;
+
+/**
+ * Shape used by the header/menu layer to decide whether the Shibboleth menu item should appear.
+ *
+ * @private internal Shibboleth menu state
+ */
+export type ShibbolethAuthenticationMenuStatus = {
+    /**
+     * True when Shibboleth login is enabled by metadata.
+     */
+    readonly isActive: boolean;
+    /**
+     * True when the minimum metadata required to contact the Identity Provider is present.
+     */
+    readonly isConfigured: boolean;
+};
+
+/**
+ * Parses a metadata boolean value.
+ *
+ * @param value - Raw metadata value.
+ * @returns Boolean interpretation of the metadata value.
+ *
+ * @private internal Shibboleth metadata parser
+ */
+export function parseShibbolethBooleanMetadata(value: string | null | undefined): boolean {
+    return (value || '').trim().toLowerCase() === 'true';
+}
+
+/**
+ * Resolves the Shibboleth menu status from a metadata map.
+ *
+ * @param metadata - Metadata values keyed by metadata name.
+ * @returns Shibboleth activation/configuration status.
+ *
+ * @private internal Shibboleth menu helper
+ */
+export function resolveShibbolethAuthenticationMenuStatus(
+    metadata: Readonly<Record<string, string | null | undefined>>,
+): ShibbolethAuthenticationMenuStatus {
+    const isActive = parseShibbolethBooleanMetadata(metadata[IS_SHIBBOLETH_AUTH_ACTIVE_METADATA_KEY]);
+    const isIdentityProviderMetadataUrlConfigured = Boolean(
+        (metadata[SHIBBOLETH_IDENTITY_PROVIDER_METADATA_URL_METADATA_KEY] || '').trim(),
+    );
+    const isIdentityProviderMetadataXmlConfigured = Boolean(
+        (metadata[SHIBBOLETH_IDENTITY_PROVIDER_METADATA_XML_METADATA_KEY] || '').trim(),
+    );
+
+    return {
+        isActive,
+        isConfigured: isActive && (isIdentityProviderMetadataUrlConfigured || isIdentityProviderMetadataXmlConfigured),
+    };
+}