Reviewing files that changed from the base of the PR and between 2da0188 and 019e943.

• api/v2/api.gen.go
• api/v2/api.yaml
• internal/common/config/config.go
• internal/common/config/config_test.go
• internal/common/config/definition.go
• internal/common/config/loader.go
• internal/common/config/loader_test.go
• internal/service/auth/service.go
• internal/service/frontend/api/v2/users.go
• internal/service/frontend/auth/oidc.go
• internal/service/frontend/server.go
• internal/service/oidcprovision/service.go
• internal/service/oidcprovision/service_test.go
• ui/src/api/v2/schema.ts
• ui/src/pages/login.tsx
• ui/src/pages/users/ResetPasswordModal.tsx
• ui/src/pages/users/UserFormModal.tsx
• ui/src/pages/users/index.tsx

• GitHub Check: Test on ubuntu-latest
• GitHub Check: Build

internal/service/oidcprovision/service.go (1)

243-276: LGTM! Clear refactor that improves readability.

The introduction of hasWhitelist and hasAllowedDomains guard variables makes the access control logic more explicit and easier to follow. The logic correctly implements an OR relationship where either the whitelist or allowed domains can independently permit access, with explicit denial when restrictions exist but the email matches neither.

internal/service/oidcprovision/service_test.go (1)

483-494: LGTM! Good test coverage for whitelist-only scenarios.

These test cases properly validate the behavior when only a whitelist is configured (no allowed domains), covering both the allow and deny paths. The tests align with the refactored logic in the service code.

ui/src/pages/login.tsx (2)

3-3: Nice reuse of TOKEN_KEY instead of a duplicate constant.

---

84-84: Background tweak looks fine and keeps dark-mode compatibility.

api/v2/api.yaml (1)

4355-4369: UpdateUserRequest.isDisabled addition is consistent with PATCH semantics.
Minor: consider adjusting the description to explicitly say “If omitted, the disabled status is not changed.”

internal/service/auth/service.go (1)

286-291: IsDisabled plumbing in service is clean; consider a policy guard upstream.
This correctly applies the flag and existing auth checks already block disabled users. The remaining concern is policy (self-disable / last active admin) which likely belongs in the API layer (or a dedicated policy check).

Also applies to: 322-325

ui/src/api/v2/schema.ts (2)

1910-1916: Schema additions for isDisabled and authProvider are correctly sourced from the OpenAPI definition.

Verified that api/v2/api.yaml contains both UpdateUserRequest.isDisabled and User.authProvider (enum: builtin/oidc) and User.isDisabled definitions, which are properly reflected in the auto-generated schema.ts file. The file header confirms it is auto-generated by openapi-typescript and should not be manually edited.

---

5583-5586: UserAuthProvider enum is correctly configured with consistent string values across all layers.

The enum values (builtin, oidc) match in the OpenAPI spec (api/v2/api.yaml), backend constants (api/v2/api.gen.go), and the auto-generated frontend schema (ui/src/api/v2/schema.ts). No action required.

api/v2/api.gen.go (2)

1175-1183: IsDisabled *bool is the right PATCH shape; ensure semantics are documented/handled consistently.

Using *bool allows “no change” vs “explicitly enable/disable”. Just ensure callers understand: omit = unchanged, true = disable, false = enable.

---

11484-11622: Generated swaggerSpec blob regenerated correctly with pinned version v2.5.0.

Verification confirms api/v2/api.gen.go was regenerated using the pinned oapi-codegen v2.5.0. Both generated files (api/v1/api.gen.go and api/v2/api.gen.go) are in sync with the same version marker and show no staleness.

internal/common/config/loader.go (4)

437-447: LGTM! Clean parsing for flexible config formats.

The use of parseStringList enables both YAML lists and comma-separated environment variable strings, which improves configuration flexibility. The AutoSignup defaulting to true aligns with the expected OIDC user experience.

---

450-462: LGTM! Role mapping configuration properly loaded.

The RoleMapping configuration is cleanly loaded from the nested config structure, maintaining consistency with the new model where DefaultRole is part of RoleMapping.

---

511-513: LGTM! Sensible default for OIDC role.

Defaulting RoleMapping.DefaultRole to "viewer" follows the principle of least privilege for auto-provisioned OIDC users.

---

1125-1125: LGTM! Environment binding properly nested.

The environment binding AUTH_OIDC_DEFAULT_ROLE correctly maps to the nested auth.oidc.roleMapping.defaultRole config key.

internal/common/config/definition.go (2)

184-185: LGTM! DefaultRole field properly added to role mapping definition.

The field is correctly placed within OIDCRoleMappingDef with appropriate mapstructure tag, aligning with the PR's goal of moving default role handling into the RoleMapping structure.

---

228-230: LGTM! Documentation updated to reflect new behavior.

The docstrings correctly document that OIDC is automatically enabled when required fields are configured, and that AutoSignup defaults to true.

Also applies to: 240-240

ui/src/pages/users/index.tsx (4)

56-77: LGTM! Remote node support properly integrated.

The fetchUsers function correctly includes the remoteNode query parameter with a sensible default of 'local', and the dependency array properly includes appBarContext.selectedRemoteNode to trigger re-fetches when the selection changes.

---

109-132: LGTM! Toggle disabled implementation is clean.

The handleToggleDisabled function properly:

• Uses PATCH method for partial updates
• Toggles isDisabled based on current state
• Handles errors gracefully
• Refreshes the user list on success

---

159-166: LGTM! Table header properly expanded.

New columns for Auth, Status, Created, and Updated are appropriately sized and maintain consistency with the existing table design.

---

183-206: LGTM! User status and auth provider display is well implemented.

The implementation follows the coding guidelines:

• Uses appropriate opacity (opacity-60) for disabled users
• Applies proper dark mode support with text-red-600 dark:text-red-400
• Maintains compact table design with text-sm sizing

internal/common/config/loader_test.go (2)

177-180: LGTM! Test expectations correctly updated.

The test expectations properly reflect the new OIDC configuration structure:

• AutoSignup: true as the default
• RoleMapping with DefaultRole: "viewer"

This aligns with the implementation changes in loader.go.

---

397-400: LGTM! YAML loading test updated consistently.

The YAML configuration test expectations mirror the environment variable test, ensuring consistent behavior across configuration sources.

internal/common/config/config_test.go (3)

384-417: LGTM! Test correctly validates incomplete OIDC handling.

The test properly verifies that:

1. Incomplete OIDC configuration (missing clientId) does not cause validation errors
2. IsConfigured() returns false for incomplete configurations
3. The error message clarifies the expected behavior

This aligns with the design where OIDC is opt-in based on field presence rather than an explicit flag.

---

419-449: LGTM! Role validation test uses new structure.

The test correctly uses RoleMapping.DefaultRole and validates that invalid roles are rejected with an appropriate error message.

---

517-550: LGTM! Comprehensive role validation coverage.

The test validates all valid roles (admin, manager, operator, viewer) using the new RoleMapping.DefaultRole structure.

internal/common/config/config.go (4)

177-178: LGTM! DefaultRole properly moved into OIDCRoleMapping.

Moving DefaultRole into the OIDCRoleMapping struct provides a cleaner separation of concerns - role-related configuration is now consolidated in one place.

---

214-239: LGTM! Clean IsConfigured() implementation.

The IsConfigured() method provides a clear, single source of truth for determining if OIDC is properly configured. The check for all four required fields (ClientId, ClientSecret, ClientUrl, Issuer) ensures OIDC won't be enabled with partial configuration.

This is a good replacement for an explicit Enabled boolean flag as it derives the enabled state from the presence of required configuration.

---

416-421: LGTM! Validation gate uses IsConfigured().

Using IsConfigured() to gate OIDC validation ensures that incomplete configurations are silently ignored (OIDC just won't be available) rather than causing validation errors.

---

451-453: LGTM! Error message references correct config path.

The error message correctly references roleMapping.defaultRole which matches the YAML configuration path, making it easy for users to locate and fix the issue.

Reviewing files that changed from the base of the PR and between 019e943 and 7d529cb.

• internal/common/config/config.go
• internal/common/config/config_test.go
• internal/common/config/loader.go
• internal/service/frontend/api/v2/users.go
• internal/service/frontend/auth/oidc.go
• ui/src/pages/login.tsx
• ui/src/pages/users/ResetPasswordModal.tsx
• ui/src/pages/users/UserFormModal.tsx
• ui/src/pages/users/index.tsx

• GitHub Check: Test on ubuntu-latest
• GitHub Check: Build

internal/common/config/loader.go (5)

437-439: LGTM: Flexible configuration parsing.

The use of parseStringList for Scopes and Whitelist enables both YAML list and comma-separated string formats, improving configuration flexibility.

---

447-447: LGTM: Consistent domain parsing.

Using parseStringList for AllowedDomains maintains consistency with the other OIDC configuration fields.

---

450-462: LGTM: Role mapping configuration.

The role mapping configuration is correctly loaded from the definition, including the DefaultRole field. The nil checks ensure safe access.

---

511-513: LGTM: Secure default role.

Defaulting to "viewer" is a secure choice, providing read-only access by default for auto-signed-up users.

---

443-446: The AutoSignup default to true is intentional and already documented in the code comments (config.go line 230: "Auto-create users on first login (default: true)"). This is not a breaking change—it is the designed behavior for OIDC-based authentication in builtin mode. No additional documentation action is required.

internal/service/frontend/api/v2/users.go (1)

151-164: LGTM: Self-disable protection implemented correctly.

The self-disable protection is well-implemented:

• Checks only when attempting to disable (*request.Body.IsDisabled == true)
• Compares current user ID with target user ID
• Returns appropriate Forbidden error

The check gracefully handles missing user context (when ok is false), though this scenario is unlikely since requireAdmin already validates authentication.

ui/src/pages/users/ResetPasswordModal.tsx (3)

1-3: LGTM: Standard context usage.

The AppBarContext is correctly imported and consumed to access the selected remote node.

Also applies to: 38-38

---

77-79: LGTM: Defensive authentication check.

The early token validation prevents unnecessary API calls and provides clear error messaging when not authenticated.

---

80-81: LGTM: Proper remoteNode handling.

The remoteNode parameter is correctly:

• Retrieved from context with a sensible 'local' fallback
• URL-encoded to handle special characters
• Appended as a query parameter

ui/src/pages/users/UserFormModal.tsx (4)

1-3: LGTM: Consistent context usage.

The AppBarContext usage is consistent with other user management components.

Also applies to: 50-50

---

85-88: LGTM: Consistent authentication and remoteNode handling.

The token validation and remoteNode extraction match the pattern used in other user management modals.

---

92-93: LGTM: Correct HTTP method and remoteNode integration.

Using PATCH for partial updates is semantically correct, and the remoteNode query parameter is properly integrated.

---

107-107: LGTM: remoteNode added to create endpoint.

The remoteNode parameter is consistently added to the create user endpoint.

ui/src/pages/login.tsx (5)

3-3: LGTM: Centralized token key constant.

Using TOKEN_KEY from AuthContext ensures consistent token storage key usage across the application.

---

34-46: LGTM: Clean OIDC callback flow.

The token callback handling is well-implemented:

• Stores token in localStorage using the centralized key
• Navigates immediately with replace: true to prevent back-button issues
• Early return prevents interference with error/welcome message logic
• Clear comment explains the flow

---

49-50: LGTM: Fixed double-decoding bug.

Removing decodeURIComponent is correct since searchParams.get() already decodes URL parameters. The previous code would have double-decoded, potentially causing issues with certain error messages.

---

55-55: LGTM: Complete effect dependencies.

Adding navigate and from to the dependency array follows React best practices, even though these values are typically stable.

---

85-85: LGTM: Refined background styling.

The change to bg-muted/50 provides a softer, more visually refined login page appearance while maintaining light/dark mode compatibility.

internal/service/frontend/auth/oidc.go (2)

35-39: LGTM! Sensible retry configuration.

The retry constants (3 attempts with 500ms delays) provide reasonable resilience against transient network issues during OIDC provider initialization without excessive delays.

---

538-539: LGTM! Consistent URL path normalization.

The trailing slash trimming ensures clean URL construction and matches the pattern used in the callback handler (line 526).

ui/src/pages/users/index.tsx (4)

59-77: LGTM! Proper remoteNode parameter handling.

The implementation correctly:

• Defaults to 'local' when no remote node is selected
• URL-encodes the parameter value
• Updates the useCallback dependency array to include selectedRemoteNode

---

160-164: LGTM! Compact table column layout.

The updated header widths accommodate the new Auth and Status columns while maintaining the compact, high-information-density design specified in the coding guidelines.

---

171-183: LGTM! Correct colspan updates and disabled user styling.

The colspan values correctly reflect the new column count (7), and the opacity-60 class provides a subtle visual indicator for disabled users without cluttering the interface.

---

197-206: LGTM! Clear status indicators with dark mode support.

The Auth and Status columns provide clear visual indicators:

• Authentication provider (SSO vs Local) is immediately visible
• Disabled status uses red color coding with proper dark mode variants
• Text hierarchy maintains readability

Based on coding guidelines requiring dark mode support for all UI components.

internal/common/config/config.go (4)

178-190: LGTM! Improved configuration structure.

Moving DefaultRole into the OIDCRoleMapping struct improves logical grouping of role-related configuration. The documentation clearly indicates the default value.

---

418-454: LGTM! Validation correctly updated for new structure.

The validation logic properly uses IsConfigured() for gating and accesses the nested RoleMapping.DefaultRole field. The error message accurately reflects the configuration path.

---

456-467: LGTM! Improved email scope validation.

The refactored validation:

• Uses idiomatic slices.Contains for cleaner code
• Clearly errors when email scope is required but missing (whitelist/allowedDomains configured)
• Provides helpful warning for potential future issues

This improves the developer experience by catching configuration issues early.

---

217-240: LGTM! Clean auto-detection pattern.

The IsConfigured() method provides a clean API for determining OIDC availability based on required fields, eliminating the need for an explicit Enabled flag. This is more intuitive and reduces configuration errors.

The AutoSignup default is properly handled: the loader uses a nullable *bool input, applies a true default when not specified, then assigns it to the non-nullable bool field in the final config struct.

internal/common/config/config_test.go (4)

384-417: LGTM! Test correctly validates auto-detection behavior.

The renamed test clearly documents the new behavior: incomplete OIDC configuration doesn't error (OIDC simply isn't enabled). The assertion using IsConfigured() properly validates this.

---

419-449: LGTM! Test validates nested role mapping correctly.

The test properly uses the nested RoleMapping.DefaultRole structure and verifies the validation error message matches the implementation.

---

451-481: LGTM! Valid configuration test updated correctly.

The test uses the new nested RoleMapping structure and includes the email scope to ensure clean validation without warnings.

---

483-549: LGTM! Comprehensive email scope validation tests.

The tests correctly cover both scenarios:

1. Missing email scope without access control → warning
2. Missing email scope with whitelist configured → error

This validates the improved validation logic from config.go.