ldraney/pal-e-app
Archived
1
0
Fork 0
Code Issues 17 Pull requests 4 Projects Releases Packages Wiki Activity Actions

feat: extract Keycloak roles + role-based post-login routing #105

Merged
forgejo_admin merged 2 commits from 102-role-extraction-routing into main 2026-04-13 14:45:21 +00:00
Conversation 3 Commits 2 Files changed 7 +1272 -13
forgejo_admin commented 2026-04-13 00:03:33 +00:00
Contributor
Copy link

Summary

Extract Keycloak token claims (roles, email, sub) into reusable helpers and a reactive user identity store. Add post-login redirect routing: admin users go to /dashboard, regular authenticated users go to /notes. Landing page stays public with no forced login.

Changes

  • src/lib/keycloak.ts -- Added getUserRoles(), hasRole(), getUserEmail(), getUserSub(), getPrimaryRole(), getRoleRedirectPath(), getTokenParsed(). Updated module docstring for pal-e-app naming.
  • src/lib/stores/user.svelte.ts -- New reactive Svelte 5 store with syncFromKeycloak(), getIdentity(), hasRole(), hasAnyRole(). Typed UserIdentity interface.
  • src/routes/+layout.svelte -- Import new keycloak helpers + user store. Sync store on init. Post-login redirect from "/" based on role (admin -> /dashboard, user -> /notes). Uses replaceState to avoid back-button loops.

Test Plan

  • npm run build passes clean (verified)
  • Landing page loads without forced login (check-sso preserved, no onLoad change)
  • Authenticated user on "/" redirects to /notes (or /dashboard if admin role present)
  • Direct navigation to any route (e.g. /boards/foo) is not intercepted -- redirect only fires on "/"
  • Empty realm_access.roles returns [] gracefully (no crash when pal-e realm has no roles configured)
  • User store populates username, email, sub, roles from token

Review Checklist

  • Build passes (npm run build)
  • No forced login on landing page -- check-sso silent init preserved
  • Empty roles handled gracefully (no crash)
  • Post-login redirect only fires on "/" path, not deep links
  • replaceState used to prevent back-button loop
  • Matches westside-app keycloak.js pattern for role extraction

Related Notes

None.

Related

Closes #102

## Summary Extract Keycloak token claims (roles, email, sub) into reusable helpers and a reactive user identity store. Add post-login redirect routing: admin users go to /dashboard, regular authenticated users go to /notes. Landing page stays public with no forced login. ## Changes - `src/lib/keycloak.ts` -- Added getUserRoles(), hasRole(), getUserEmail(), getUserSub(), getPrimaryRole(), getRoleRedirectPath(), getTokenParsed(). Updated module docstring for pal-e-app naming. - `src/lib/stores/user.svelte.ts` -- New reactive Svelte 5 store with syncFromKeycloak(), getIdentity(), hasRole(), hasAnyRole(). Typed UserIdentity interface. - `src/routes/+layout.svelte` -- Import new keycloak helpers + user store. Sync store on init. Post-login redirect from "/" based on role (admin -> /dashboard, user -> /notes). Uses replaceState to avoid back-button loops. ## Test Plan - `npm run build` passes clean (verified) - Landing page loads without forced login (check-sso preserved, no onLoad change) - Authenticated user on "/" redirects to /notes (or /dashboard if admin role present) - Direct navigation to any route (e.g. /boards/foo) is not intercepted -- redirect only fires on "/" - Empty realm_access.roles returns [] gracefully (no crash when pal-e realm has no roles configured) - User store populates username, email, sub, roles from token ## Review Checklist - [x] Build passes (`npm run build`) - [x] No forced login on landing page -- check-sso silent init preserved - [x] Empty roles handled gracefully (no crash) - [x] Post-login redirect only fires on "/" path, not deep links - [x] replaceState used to prevent back-button loop - [x] Matches westside-app keycloak.js pattern for role extraction ## Related Notes None. ## Related Closes #102
feat: extract Keycloak roles + role-based post-login routing
Some checks failed
ci/woodpecker/pr/woodpecker Pipeline failed
Details
d41cddc723 
Add getUserRoles(), hasRole(), getUserEmail(), getUserSub(),
getPrimaryRole(), and getRoleRedirectPath() to keycloak.ts.
Create reactive user identity store at src/lib/stores/user.svelte.ts
that syncs from Keycloak token claims. Wire post-login redirect in
+layout.svelte: admin -> /dashboard, user -> /notes. Landing page
remains public (no forced login). Empty roles handled gracefully.

Closes #102

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
forgejo_admin commented 2026-04-13 00:06:39 +00:00
Author
Contributor
Copy link

PR #105 Review

DOMAIN REVIEW

Stack: SvelteKit / TypeScript / Keycloak OIDC (keycloak-js)

Keycloak token handling: The role extraction from realm_access.roles is correct. Null checks are thorough -- tokenParsed guard, optional chaining on realm_access, fallback to empty array. The as casts are the standard pattern for keycloak-js since KeycloakTokenParsed does not strongly type custom claims.

Svelte 5 store pattern: user.svelte.ts uses $state at module scope correctly for Svelte 5 runes. The syncFromKeycloak() write-gate pattern is clean. Interface is well-typed.

Redirect logic: Only fires on pathname === '/', uses replaceState: true to avoid back-button loops. Does not intercept deep links. Correct approach.

Route targets verified: Both /dashboard/+page.svelte and /notes/+page.svelte exist in the repo. Redirects will not 404.

No forced login regression: The initKeycloak() call is unchanged -- no onLoad parameter added, so the landing page remains public. Correct.

BLOCKERS

1. No test coverage for new functionality.

This PR adds 7 new exported functions in keycloak.ts, an entire new store module (user.svelte.ts), and redirect logic in the layout. There are zero unit tests for any of it. The repo has E2E tests (e2e/auth.spec.ts) but no unit tests for keycloak helpers or the user store. The test plan lists only manual verification steps and npm run build.

At minimum, the pure functions (getUserRoles, hasRole, getPrimaryRole, getRoleRedirectPath, syncFromKeycloak, getIdentity, hasRole, hasAnyRole) are trivially unit-testable with a mocked keycloak.tokenParsed. This is a BLOCKER per the review criteria: "New functionality with zero test coverage."

NITS

1. DRY: duplicated role extraction logic.

Role parsing from realm_access is implemented twice with identical logic:

  • keycloak.ts:getUserRoles() lines 107-112
  • user.svelte.ts:syncFromKeycloak() line 56: (tokenParsed.realm_access as { roles?: string[] })?.roles ?? []

The store should call getUserRoles() (or better, the store should be the single owner of parsed identity, and keycloak.ts should not duplicate it). Not blocking since this is not an auth/security path divergence risk (both read the same token), but it will drift if one is updated without the other.

2. Store not synced on token refresh.

syncFromKeycloak() is called once on mount. The existing onTokenExpired handler in keycloak.ts (line 35-39) refreshes the token but does not re-sync the store. If a user's roles change in Keycloak mid-session, the store will hold stale data until page reload. Consider hooking syncFromKeycloak into the token refresh callback.

3. clientId default still says pal-e-docs-app.

The PR updates the docstring comment from pal-e-docs-app to pal-e-app, but keycloak.ts line 13 still has clientId: ... || 'pal-e-docs-app' as the fallback. This is out of scope for this PR (it is a pre-existing issue), but worth noting since the docstring update creates a contradiction. Consider a follow-up ticket.

4. getIdentity() returns the mutable reactive object.

getIdentity() returns the identity reference directly. In Svelte 5, this is fine for reactivity (consumers reading properties will track), but the docstring says "Read-only access" while nothing prevents getIdentity().roles.push('admin'). A shallow spread or Object.freeze would enforce the contract. Minor.

5. hasRole name collision.

Both keycloak.ts and user.svelte.ts export a function named hasRole. Consumers must be careful about which import they use. The keycloak version reads the token directly; the store version reads cached state. Consider naming one keycloakHasRole or removing the duplication.

SOP COMPLIANCE

  • Branch named after issue: 102-role-extraction-routing matches issue #102
  • PR body has Summary, Changes, Test Plan, Related sections
  • Related references plan slug -- no plan slug referenced (only "Closes #102"). Acceptable if this is standalone board work without a parent plan.
  • No secrets committed
  • No scope creep -- all changes are directly related to role extraction and routing
  • Commit messages are descriptive (PR title matches issue title)

PROCESS OBSERVATIONS

  • Test infrastructure gap: The repo has E2E tests but no unit test setup for src/lib/ modules. Adding vitest (or similar) for pure function testing would significantly reduce change failure rate for auth-adjacent code. The keycloak helpers and user store are ideal first candidates.
  • Deployment risk: Low. The redirect is additive (only fires on "/") and the helpers are not yet consumed beyond the layout. No breaking change to existing behavior.

VERDICT: NOT APPROVED

One blocker: zero test coverage for new functionality. The 7 new keycloak helpers and the entire user store module are pure functions that are trivially unit-testable. Add tests covering at minimum: getUserRoles with/without realm_access, getPrimaryRole for admin/user/unauthenticated, getRoleRedirectPath mapping, and syncFromKeycloak with valid/invalid/missing token data.

## PR #105 Review ### DOMAIN REVIEW **Stack:** SvelteKit / TypeScript / Keycloak OIDC (keycloak-js) **Keycloak token handling:** The role extraction from `realm_access.roles` is correct. Null checks are thorough -- `tokenParsed` guard, optional chaining on `realm_access`, fallback to empty array. The `as` casts are the standard pattern for keycloak-js since `KeycloakTokenParsed` does not strongly type custom claims. **Svelte 5 store pattern:** `user.svelte.ts` uses `$state` at module scope correctly for Svelte 5 runes. The `syncFromKeycloak()` write-gate pattern is clean. Interface is well-typed. **Redirect logic:** Only fires on `pathname === '/'`, uses `replaceState: true` to avoid back-button loops. Does not intercept deep links. Correct approach. **Route targets verified:** Both `/dashboard/+page.svelte` and `/notes/+page.svelte` exist in the repo. Redirects will not 404. **No forced login regression:** The `initKeycloak()` call is unchanged -- no `onLoad` parameter added, so the landing page remains public. Correct. ### BLOCKERS **1. No test coverage for new functionality.** This PR adds 7 new exported functions in `keycloak.ts`, an entire new store module (`user.svelte.ts`), and redirect logic in the layout. There are zero unit tests for any of it. The repo has E2E tests (`e2e/auth.spec.ts`) but no unit tests for keycloak helpers or the user store. The test plan lists only manual verification steps and `npm run build`. At minimum, the pure functions (`getUserRoles`, `hasRole`, `getPrimaryRole`, `getRoleRedirectPath`, `syncFromKeycloak`, `getIdentity`, `hasRole`, `hasAnyRole`) are trivially unit-testable with a mocked `keycloak.tokenParsed`. This is a BLOCKER per the review criteria: "New functionality with zero test coverage." ### NITS **1. DRY: duplicated role extraction logic.** Role parsing from `realm_access` is implemented twice with identical logic: - `keycloak.ts:getUserRoles()` lines 107-112 - `user.svelte.ts:syncFromKeycloak()` line 56: `(tokenParsed.realm_access as { roles?: string[] })?.roles ?? []` The store should call `getUserRoles()` (or better, the store should be the single owner of parsed identity, and `keycloak.ts` should not duplicate it). Not blocking since this is not an auth/security path divergence risk (both read the same token), but it will drift if one is updated without the other. **2. Store not synced on token refresh.** `syncFromKeycloak()` is called once on mount. The existing `onTokenExpired` handler in `keycloak.ts` (line 35-39) refreshes the token but does not re-sync the store. If a user's roles change in Keycloak mid-session, the store will hold stale data until page reload. Consider hooking `syncFromKeycloak` into the token refresh callback. **3. `clientId` default still says `pal-e-docs-app`.** The PR updates the docstring comment from `pal-e-docs-app` to `pal-e-app`, but `keycloak.ts` line 13 still has `clientId: ... || 'pal-e-docs-app'` as the fallback. This is out of scope for this PR (it is a pre-existing issue), but worth noting since the docstring update creates a contradiction. Consider a follow-up ticket. **4. `getIdentity()` returns the mutable reactive object.** `getIdentity()` returns the `identity` reference directly. In Svelte 5, this is fine for reactivity (consumers reading properties will track), but the docstring says "Read-only access" while nothing prevents `getIdentity().roles.push('admin')`. A shallow spread or `Object.freeze` would enforce the contract. Minor. **5. `hasRole` name collision.** Both `keycloak.ts` and `user.svelte.ts` export a function named `hasRole`. Consumers must be careful about which import they use. The keycloak version reads the token directly; the store version reads cached state. Consider naming one `keycloakHasRole` or removing the duplication. ### SOP COMPLIANCE - [x] Branch named after issue: `102-role-extraction-routing` matches issue #102 - [x] PR body has Summary, Changes, Test Plan, Related sections - [ ] Related references plan slug -- no plan slug referenced (only "Closes #102"). Acceptable if this is standalone board work without a parent plan. - [x] No secrets committed - [x] No scope creep -- all changes are directly related to role extraction and routing - [x] Commit messages are descriptive (PR title matches issue title) ### PROCESS OBSERVATIONS - **Test infrastructure gap:** The repo has E2E tests but no unit test setup for `src/lib/` modules. Adding vitest (or similar) for pure function testing would significantly reduce change failure rate for auth-adjacent code. The keycloak helpers and user store are ideal first candidates. - **Deployment risk:** Low. The redirect is additive (only fires on "/") and the helpers are not yet consumed beyond the layout. No breaking change to existing behavior. ### VERDICT: NOT APPROVED One blocker: zero test coverage for new functionality. The 7 new keycloak helpers and the entire user store module are pure functions that are trivially unit-testable. Add tests covering at minimum: `getUserRoles` with/without `realm_access`, `getPrimaryRole` for admin/user/unauthenticated, `getRoleRedirectPath` mapping, and `syncFromKeycloak` with valid/invalid/missing token data.
fix: address QA review -- add tests, fix DRY/refresh/naming issues
Some checks failed
ci/woodpecker/pr/woodpecker Pipeline failed
Details
d7a8f3902c 
- Add vitest + jsdom + 26 unit tests for all keycloak helper functions
- Fix DRY: user store delegates to getUserRoles() instead of duplicating
  realm_access parsing
- Fix stale store: add onTokenRefresh() callback, wire in layout so
  store re-syncs on token refresh
- Fix naming collision: rename store hasRole -> userHasRole to avoid
  ambiguity with keycloak.ts hasRole
- Fix clientId default: pal-e-docs-app -> pal-e-app to match docstring
- Add test:unit script, wire vitest into vite.config.ts

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
forgejo_admin commented 2026-04-13 00:11:14 +00:00
Author
Contributor
Copy link

Addressed all QA findings in commit d7a8f39:

Blocker fixed:

  • Added vitest + jsdom, created src/lib/keycloak.test.ts with 26 unit tests covering all 7 new exported functions plus isAuthenticated and getUserName.

Nits fixed:

  1. DRY -- User store now calls getUserRoles() from keycloak.ts instead of duplicating realm_access parsing.
  2. Token refresh -- Added onTokenRefresh() callback in keycloak.ts, wired in +layout.svelte so syncFromKeycloak() re-runs on every token refresh.
  3. clientId default -- Changed from pal-e-docs-app to pal-e-app to match the docstring and repo name.
  4. hasRole collision -- Renamed store's hasRole to userHasRole (and hasAnyRole to userHasAnyRole) to disambiguate from keycloak.ts hasRole.

Build passes. 26/26 tests pass.

Addressed all QA findings in commit d7a8f39: **Blocker fixed:** - Added vitest + jsdom, created `src/lib/keycloak.test.ts` with 26 unit tests covering all 7 new exported functions plus `isAuthenticated` and `getUserName`. **Nits fixed:** 1. **DRY** -- User store now calls `getUserRoles()` from keycloak.ts instead of duplicating `realm_access` parsing. 2. **Token refresh** -- Added `onTokenRefresh()` callback in keycloak.ts, wired in +layout.svelte so `syncFromKeycloak()` re-runs on every token refresh. 3. **clientId default** -- Changed from `pal-e-docs-app` to `pal-e-app` to match the docstring and repo name. 4. **hasRole collision** -- Renamed store's `hasRole` to `userHasRole` (and `hasAnyRole` to `userHasAnyRole`) to disambiguate from keycloak.ts `hasRole`. Build passes. 26/26 tests pass.
forgejo_admin commented 2026-04-13 00:17:13 +00:00
Author
Contributor
Copy link

PR #105 Review

DOMAIN REVIEW

Tech stack: SvelteKit 5 / TypeScript / Keycloak OIDC / Vitest

keycloak.ts -- Clean additions. Seven new exported functions for role extraction, routing, and token access. The role hierarchy (admin > user) is simple and correct. getUserRoles() safely handles missing realm_access with multiple fallback paths. onTokenRefresh callback pattern is well-designed for store sync. The clientId default changed from pal-e-docs-app to pal-e-app -- consistent with the repo rename (issue #98).

user.svelte.ts -- Good use of Svelte 5 $state for reactive identity. Delegates role extraction to keycloak.ts (no DRY violation). syncFromKeycloak() properly resets to defaults when unauthenticated. The userHasRole / userHasAnyRole naming avoids collision with keycloak.ts hasRole -- documented in comments.

+layout.svelte -- Post-login redirect is guarded correctly: only fires when authenticated && page.url.pathname === '/'. Uses replaceState: true to prevent back-button loops. Deep-link navigation is not intercepted. Token refresh callback registered to keep store in sync.

keycloak.test.ts -- 26 tests covering all new helpers. Mock strategy is sound: mocks keycloak-js constructor, controls tokenParsed and authenticated per test. Good edge case coverage: no token, empty realm_access, missing roles key.

vite.config.ts -- Imports from vitest/config instead of vite, correct for vitest integration.

package.json -- test script now runs test:unit (vitest). vitest@^4.1.4 and jsdom@^29.0.2 added as devDependencies. No production dependency changes beyond what was already there.

BLOCKERS

None.

The new functionality (role extraction helpers, user store, post-login redirect) has 26 unit tests covering happy path, edge cases, and error handling. No unvalidated user input -- all data comes from Keycloak token claims (server-signed JWTs). No secrets or credentials in code. No duplicated auth logic.

NITS

  1. FAB button uses Tailwind classes (fixed bottom-6 right-6 z-40 flex h-14 w-14 ...) -- this predates this PR (exists on main), but per feedback_no_tailwind.md convention, these should eventually be replaced with pure CSS vars. Not introduced by this PR, so not blocking.

  2. Unit tests not wired in CI -- The .woodpecker.yaml test step runs npx playwright test (E2E), not npm run test:unit. The 26 new vitest tests will only run locally, not in the pipeline. This is a pre-existing CI gap (not introduced by this PR) but worth tracking as a follow-up issue so the tests don't silently rot.

  3. Module docstring update -- The keycloak.ts header comment updated pal-e-docs-app to pal-e-app in the description and redirect URI. Good. Minor: the redirect URI comment says pal-e-app.tail5b443a.ts.net/* but the actual Keycloak client may still be registered as pal-e-docs-app if the rename hasn't propagated to Keycloak config. Worth verifying during validation.

  4. getTokenParsed() return type -- Returns Record<string, unknown> | undefined. This is fine for the store sync use case, but a typed KeycloakTokenParsed interface would improve safety if more consumers appear later. Low priority.

  5. No test for user.svelte.ts -- The store module is tested indirectly through keycloak.test.ts (which covers the functions the store delegates to), but syncFromKeycloak(), getIdentity(), userHasRole(), and userHasAnyRole() have no direct unit tests. The Svelte 5 $state reactive primitive requires Svelte compilation in the test environment, which may have been the barrier. Not a blocker given the store is thin delegation, but worth noting.

SOP COMPLIANCE

  • Branch named after issue: 102-role-extraction-routing follows {issue-number}-{kebab-case-purpose}
  • PR body follows template: Summary, Changes, Test Plan, Related sections all present
  • Related references plan slug: No plan slug -- context says "No plan slug" which is acceptable for non-plan work
  • No secrets committed: No credentials, .env files, or API keys in diff
  • No scope creep: All changes directly serve role extraction and post-login routing per issue #102
  • Commit messages: 2 commits, descriptive per PR title

PROCESS OBSERVATIONS

  • Deployment frequency: Clean, focused PR. No risk to DF.
  • Change failure risk: Low. The redirect only fires on / for authenticated users. No existing behavior is broken for unauthenticated users or deep-link navigation.
  • CI gap: Unit tests exist but are not executed in CI. This should be tracked as a separate issue to add a test:unit step to .woodpecker.yaml before the test suite grows further. Tests that only run locally tend to diverge from reality.
  • Validation note: During post-merge validation, verify (a) Keycloak client ID matches after the rename, (b) admin role users actually land on /dashboard, (c) unauthenticated landing page still loads without login prompt.

VERDICT: APPROVED

## PR #105 Review ### DOMAIN REVIEW **Tech stack**: SvelteKit 5 / TypeScript / Keycloak OIDC / Vitest **keycloak.ts** -- Clean additions. Seven new exported functions for role extraction, routing, and token access. The role hierarchy (`admin > user`) is simple and correct. `getUserRoles()` safely handles missing `realm_access` with multiple fallback paths. `onTokenRefresh` callback pattern is well-designed for store sync. The `clientId` default changed from `pal-e-docs-app` to `pal-e-app` -- consistent with the repo rename (issue #98). **user.svelte.ts** -- Good use of Svelte 5 `$state` for reactive identity. Delegates role extraction to `keycloak.ts` (no DRY violation). `syncFromKeycloak()` properly resets to defaults when unauthenticated. The `userHasRole` / `userHasAnyRole` naming avoids collision with `keycloak.ts hasRole` -- documented in comments. **+layout.svelte** -- Post-login redirect is guarded correctly: only fires when `authenticated && page.url.pathname === '/'`. Uses `replaceState: true` to prevent back-button loops. Deep-link navigation is not intercepted. Token refresh callback registered to keep store in sync. **keycloak.test.ts** -- 26 tests covering all new helpers. Mock strategy is sound: mocks `keycloak-js` constructor, controls `tokenParsed` and `authenticated` per test. Good edge case coverage: no token, empty realm_access, missing roles key. **vite.config.ts** -- Imports from `vitest/config` instead of `vite`, correct for vitest integration. **package.json** -- `test` script now runs `test:unit` (vitest). `vitest@^4.1.4` and `jsdom@^29.0.2` added as devDependencies. No production dependency changes beyond what was already there. ### BLOCKERS None. The new functionality (role extraction helpers, user store, post-login redirect) has 26 unit tests covering happy path, edge cases, and error handling. No unvalidated user input -- all data comes from Keycloak token claims (server-signed JWTs). No secrets or credentials in code. No duplicated auth logic. ### NITS 1. **FAB button uses Tailwind classes** (`fixed bottom-6 right-6 z-40 flex h-14 w-14 ...`) -- this predates this PR (exists on main), but per `feedback_no_tailwind.md` convention, these should eventually be replaced with pure CSS vars. Not introduced by this PR, so not blocking. 2. **Unit tests not wired in CI** -- The `.woodpecker.yaml` `test` step runs `npx playwright test` (E2E), not `npm run test:unit`. The 26 new vitest tests will only run locally, not in the pipeline. This is a pre-existing CI gap (not introduced by this PR) but worth tracking as a follow-up issue so the tests don't silently rot. 3. **Module docstring update** -- The keycloak.ts header comment updated `pal-e-docs-app` to `pal-e-app` in the description and redirect URI. Good. Minor: the redirect URI comment says `pal-e-app.tail5b443a.ts.net/*` but the actual Keycloak client may still be registered as `pal-e-docs-app` if the rename hasn't propagated to Keycloak config. Worth verifying during validation. 4. **`getTokenParsed()` return type** -- Returns `Record<string, unknown> | undefined`. This is fine for the store sync use case, but a typed `KeycloakTokenParsed` interface would improve safety if more consumers appear later. Low priority. 5. **No test for `user.svelte.ts`** -- The store module is tested indirectly through `keycloak.test.ts` (which covers the functions the store delegates to), but `syncFromKeycloak()`, `getIdentity()`, `userHasRole()`, and `userHasAnyRole()` have no direct unit tests. The Svelte 5 `$state` reactive primitive requires Svelte compilation in the test environment, which may have been the barrier. Not a blocker given the store is thin delegation, but worth noting. ### SOP COMPLIANCE - [x] Branch named after issue: `102-role-extraction-routing` follows `{issue-number}-{kebab-case-purpose}` - [x] PR body follows template: Summary, Changes, Test Plan, Related sections all present - [ ] Related references plan slug: No plan slug -- context says "No plan slug" which is acceptable for non-plan work - [x] No secrets committed: No credentials, .env files, or API keys in diff - [x] No scope creep: All changes directly serve role extraction and post-login routing per issue #102 - [x] Commit messages: 2 commits, descriptive per PR title ### PROCESS OBSERVATIONS - **Deployment frequency**: Clean, focused PR. No risk to DF. - **Change failure risk**: Low. The redirect only fires on `/` for authenticated users. No existing behavior is broken for unauthenticated users or deep-link navigation. - **CI gap**: Unit tests exist but are not executed in CI. This should be tracked as a separate issue to add a `test:unit` step to `.woodpecker.yaml` before the test suite grows further. Tests that only run locally tend to diverge from reality. - **Validation note**: During post-merge validation, verify (a) Keycloak client ID matches after the rename, (b) admin role users actually land on `/dashboard`, (c) unauthenticated landing page still loads without login prompt. ### VERDICT: APPROVED
forgejo_admin deleted branch 102-role-extraction-routing 2026-04-13 14:45:21 +00:00
Commenting is not possible because the repository is archived.
Reviewers
No reviewers
Labels
Clear labels   
domain:backend

   
domain:devops

   
domain:frontend
No labels
domain:backend
domain:devops
domain:frontend
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
ldraney/pal-e-app!105
No description provided.