feat: extract Keycloak roles + role-based post-login routing #102

Closed
opened 2026-04-12 18:04:22 +00:00 by forgejo_admin · 0 comments
Contributor

Type

Feature

Lineage

Depends on dual auth middleware on pal-e-api (backend must accept JWT first). Part of pal-e-app "app definition" compliance.

Repo

forgejo_admin/pal-e-production

User Story

As a pal-e-app user, I want to be routed to a view appropriate to my role after login so that I land on the most relevant page, not the generic landing page.

Context

pal-e-app has Keycloak (realm pal-e, client pal-e-docs-app, PKCE) but never extracts realm_access.roles from the token. The only identity info used is preferred_username displayed in the nav bar. All authenticated users see the same UI. westside-app already does role-based routing — admin→/admin, coach→/coach, player→/my-players. pal-e-app needs the same pattern.

File Targets

Files the agent should modify or create:

  • src/lib/keycloak.ts — add getUserRoles(), hasRole(), getUserEmail(), getUserSub(), getRoleRedirectPath()
  • src/routes/+layout.svelte — add post-login redirect based on role, show role badge in nav
  • src/lib/stores/user.ts (new) — reactive store with { sub, email, name, roles, isAdmin }

Files the agent should NOT touch:

  • src/routes/notes/ — identity-aware views are a separate ticket
  • src/routes/dashboard/ — personalization is a separate ticket

Acceptance Criteria

  • getUserRoles() returns roles array from Keycloak token
  • Admin user redirected to /dashboard after login
  • Regular user redirected to /notes after login
  • Username + role badge visible in nav bar when authenticated
  • User identity store accessible from any component via import

Test Expectations

  • Manual test: log in as admin → lands on /dashboard
  • Manual test: log in as regular user → lands on /notes
  • Manual test: role badge shows in nav
  • Verify: no existing functionality broken (landing page, sign in, sign out, note editing)
  • Run command: npm run build

Constraints

  • Match the pattern westside-app uses in src/lib/keycloak.js (role extraction, redirect paths)
  • keycloak.ts is TypeScript — maintain type safety
  • Don't force login on landing page — keep check-sso silent init pattern
  • Roles in Keycloak pal-e realm may not exist yet — handle empty roles gracefully (default to /notes)
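The role extraction and redirect logic described above, as an added example in the style of the requested `keycloak.ts` helpers. This is illustration code, not pal-e-app's or westside-app's own code: the `ParsedToken` shape is assumed to mirror what keycloak-js exposes as `tokenParsed`, the `buildUserIdentity()` helper and the `SAMPLE_*` tokens are constructed for the example, and the only routing rule encoded is the one in the acceptance criteria (admin to /dashboard, everyone else and empty roles to /notes).

```typescript
// Added example (not pal-e-app's own code): role extraction and post-login
// routing helpers modelled on the functions the issue asks for in keycloak.ts.
// The token type below is an assumed subset of keycloak-js `tokenParsed`,
// declared locally so this file runs without the library.

/** Assumed subset of the parsed Keycloak access-token claims used here. */
interface ParsedToken {
  sub?: string;
  email?: string;
  name?: string;
  preferred_username?: string;
  // Typed as unknown: the claim comes from outside the app, so its shape is
  // validated at runtime rather than trusted.
  realm_access?: { roles?: unknown };
}

/** Realm roles from the token; [] when the claim is missing or malformed. */
function getUserRoles(token: ParsedToken | undefined): string[] {
  const roles: unknown = token?.realm_access?.roles;
  if (!Array.isArray(roles)) return [];
  // Keep only non-empty string entries and drop duplicates, preserving order.
  const clean = roles.filter((r): r is string => typeof r === 'string' && r.length > 0);
  return Array.from(new Set(clean));
}

function hasRole(token: ParsedToken | undefined, role: string): boolean {
  return getUserRoles(token).includes(role);
}

function getUserSub(token: ParsedToken | undefined): string | null {
  return token?.sub ?? null;
}

function getUserEmail(token: ParsedToken | undefined): string | null {
  return token?.email ?? null;
}

/** Post-login route: admin -> /dashboard, otherwise (including no roles) /notes. */
function getRoleRedirectPath(roles: string[]): string {
  // Ordered list so the most privileged match wins when a user holds several roles.
  const routes: Array<[role: string, path: string]> = [['admin', '/dashboard']];
  for (const [role, path] of routes) {
    if (roles.includes(role)) return path;
  }
  return '/notes';
}

/** Snapshot of the shape the issue proposes for the src/lib/stores/user.ts store. */
interface UserIdentity {
  sub: string | null;
  email: string | null;
  name: string | null;
  roles: string[];
  isAdmin: boolean;
}

/** Assumed helper: derive the store value from a parsed token in one place. */
function buildUserIdentity(token: ParsedToken | undefined): UserIdentity {
  const roles = getUserRoles(token);
  return {
    sub: getUserSub(token),
    email: getUserEmail(token),
    name: token?.name ?? token?.preferred_username ?? null,
    roles,
    isAdmin: roles.includes('admin'),
  };
}

// Constructed sample claims (not real tokens): an admin with a duplicated role,
// and a user whose realm has no roles assigned yet (no realm_access claim at all).
const SAMPLE_ADMIN_TOKEN: ParsedToken = {
  sub: 'example-sub-admin',
  preferred_username: 'alice',
  realm_access: { roles: ['admin', 'default-roles-pal-e', 'admin'] },
};
const SAMPLE_PLAIN_TOKEN: ParsedToken = {
  sub: 'example-sub-user',
  preferred_username: 'bob',
};

console.log(getRoleRedirectPath(getUserRoles(SAMPLE_ADMIN_TOKEN))); // /dashboard
console.log(getRoleRedirectPath(getUserRoles(SAMPLE_PLAIN_TOKEN))); // /notes
```

In `+layout.svelte` the redirect should run only after the `check-sso` init resolves with `authenticated === true`, and only when the user is on the landing page, so a deep link is not overridden on every navigation. Because the roles are read from a token the browser holds, they decide which view to show, not what the user may do: pal-e-api still authorizes each request from the JWT it verifies itself.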

Checklist

  • PR opened
  • Build passes (npm run build)
  • No unrelated changes

Related

  • pal-e-app — project this affects
  • definition-app — the app definition driving this work
Reference
ldraney/pal-e-app#102