Feature_user management_tools_and_LINT_fixes#799
Open
ChrisChilders-USDA wants to merge 31 commits into
Open
Conversation
Ensure authenticated guest requests receive assemblies and tracks. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Read client IDs from the file contents after loading MICROSOFT_CLIENT_ID_FILE, GOOGLE_CLIENT_ID_FILE, and LOGINGOV_CLIENT_ID_FILE, and cover the behavior with tests. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
- Keep local login dialog open on invalid credentials with explicit error - Add signed-in identity indicator updates in plugin menu/session flows - Refresh root/plugin/server README docs with current integration status Assisted-by: GitHub Copilot (GPT-5.3-Codex)
- add organism/scientific name support to assembly add/change flows - add Edit Assemblies admin panel and menu action - reorder Organism before Assembly in workspace/admin tables - harden plugin rebuild clean step to avoid mount-related apollo.js 404 Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Assisted-by: GitHub Copilot (GPT-5.3-Codex)
- revoke other Apollo tokens on successful login\n- normalize guest role to readOnly and enforce submit guard\n- add explicit login/logout menu actions with guest transition\n- refresh effective access after permission/group membership edits\n- add Replace/Add view semantics in My Workspace\n- document Node/Jest compatibility and new auth/access behaviors\n\nAssisted-by: GitHub Copilot (GPT-5.3-Codex)
- add lint remediation runbook with baseline/process/findings\n- apply first wave of manual lint fixes in plugin auth/session files\n- fix hooks ordering in logout dialog and stabilize effect deps\n- remove several no-useless-undefined/array-type/conditional issues\n\nAssisted-by: GitHub Copilot (GPT-5.3-Codex)
Tighten typings and remove unsafe patterns in top collaboration-server lint offenders while preserving behavior. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Tighten DataGrid and account-iteration typing in remaining plugin hotspot files while preserving behavior. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Type live-session access in ApolloInternetAccount model and remove repeated unknown-cast notify paths. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Centralize session/view narrowing and use Apollo account type-guard loops in location broadcast paths. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Use constructor-derived dependency types and typed JWT fixtures to reduce test-side casts in changes service spec. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Replace never-casts with constructor-derived types across small specs and normalize remediation log chronology. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Replace final never-cast in changes service spec fixture with constructor-derived DeleteFeatureChange init typing. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Import jest globals explicitly in small specs to avoid ambient typing dependency across environments. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Brings repo lint to clean pass and records remediation waves through final warning cleanup. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Fixes CI-reported TypeScript issues in collaboration server update normalization and login.gov proxy typing. Also applies compact, high-visibility tab styling across Manage Users tabs. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Refactors source assignment to if/else to satisfy unicorn/no-nested-ternary in CI lint job. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Adds audit/resubmission guidance for feature_user_management_and_lint, including USDA and GMOD delta strategy, scope characterization, and checklist. Updates lint remediation log with final CI-green follow-up notes. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Documents severity-ranked audit findings, CI/build evidence, and resubmission reviewer guide for feature_user_management_and_lint. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Documents file-by-file diagnostics, planned fixes, and validation steps for remaining jbrowse-plugin-apollo TypeScript warnings. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Resolves Phase 2 TypeScript diagnostics in auth selection narrowing, ManageUsers grid typing, MyAssemblyPermissions React event typing, and session config/account helper typing. Updates lint remediation log with Phase 2 completion evidence. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
Removes unnecessary authType condition, avoids unsafe stringification in ManageUsers option labels, deduplicates React imports, and drops an unused eslint-disable directive. Assisted-by: GitHub Copilot (GPT-5.3-Codex)
- remove USDA-specific GHCR smoke workflow - remove internal branch audit and lint remediation docs - replace local absolute oclif doc links with canonical upstream link Assisted-by: GitHub Copilot (GPT-5.3-Codex)
- restore generated CLI docs to pre-hook state - retain only canonical oclif source links in CLI help docs Assisted-by: GitHub Copilot (GPT-5.3-Codex)
There was a problem hiding this comment.
Pull request overview
This PR expands Apollo3’s authorization and user-management capabilities by introducing assembly-level ACLs (including group-based grants), enhancing plugin login/logout UX (including Login.gov scaffolding and local auth improvements), and extending assemblies with a scientific name field, alongside multiple CI/Lint/test tooling updates.
Changes:
- Add per-assembly annotation permissions (direct + group-derived), with server-side enforcement on reads/writes and new CLI/docs support.
- Improve JBrowse Apollo plugin auth UX (explicit login/logout actions, “My workspace” view of permitted assemblies, token revocation, guest handling) and add Login.gov scaffolding.
- Extend assembly model/UI to include
scientificName, plus tooling adjustments (Node version checks, Jest deps, Docker build simplification, lint fixes).
Reviewed changes
Copilot reviewed 100 out of 102 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| yarn.lock | Dependency lock updates (jest-util, passport-openidconnect, oauth). |
| README.md | Repo-level integration workflow/status notes. |
| packages/website/docs/03-guides/04-cli/permissions.md | New CLI docs for apollo permissions commands. |
| packages/website/docs/03-guides/04-cli/index.md | Link CLI permissions guidance from CLI index. |
| packages/website/docs/03-guides/04-cli/help.md | Fix upstream link to oclif help source. |
| packages/website/docs/03-guides/04-cli/config.md | Document logingov accessType option. |
| packages/website/docs/02-installation/05-assembly-acl-rollout.md | New runbook for assembly ACL rollout. |
| packages/website/docs/02-installation/04-configuration-options.md | Add Login.gov env vars + assembly ACL notes. |
| packages/website/docs/02-installation/03-login-management.md | Document Login.gov + assembly ACL rollout guidance. |
| packages/jbrowse-plugin-apollo/src/types.ts | Harden Apollo internet account type guard with isAlive. |
| packages/jbrowse-plugin-apollo/src/session/session.ts | Session behavior updates: track visibility, auth signature, workspace assembly filtering. |
| packages/jbrowse-plugin-apollo/src/menus/topLevelMenuAdmin.ts | Add “Edit Assemblies” admin menu entry. |
| packages/jbrowse-plugin-apollo/src/menus/topLevelMenu.ts | Add signed-in indicator, My workspace, explicit login/logout menu actions. |
| packages/jbrowse-plugin-apollo/src/LinearApolloSixFrameDisplay/stateModel/base.ts | Guard selectedFeature getter against session access failures. |
| packages/jbrowse-plugin-apollo/src/LinearApolloDisplay/stateModel/base.ts | Guard selectedFeature getter against session access failures. |
| packages/jbrowse-plugin-apollo/src/components/ViewCheckResults.tsx | Apply shared DataGrid styling. |
| packages/jbrowse-plugin-apollo/src/components/ViewChangeLog.tsx | Apply shared DataGrid styling. |
| packages/jbrowse-plugin-apollo/src/components/MyAssemblyPermissions.tsx | New “My workspace” dialog listing permitted assemblies with open actions. |
| packages/jbrowse-plugin-apollo/src/components/manageUsersAssemblyPermissions.ts | New helper logic for Manage Users assembly-permission rows/normalization. |
| packages/jbrowse-plugin-apollo/src/components/manageUsersAssemblyPermissions.test.ts | Unit tests for Manage Users ACL helper logic. |
| packages/jbrowse-plugin-apollo/src/components/MANAGE_USERS_ASSEMBLY_ACL_NOTES.md | Developer notes for Manage Users ACL UI implementation. |
| packages/jbrowse-plugin-apollo/src/components/LogOut.tsx | Logout now transitions to guest and removes privileged tracks without full reload. |
| packages/jbrowse-plugin-apollo/src/components/index.ts | Export new components (EditAssemblies, MyAssemblyPermissions). |
| packages/jbrowse-plugin-apollo/src/components/EditAssemblies.tsx | New dialog to update assembly display/scientific name. |
| packages/jbrowse-plugin-apollo/src/components/dataGridStyles.ts | New shared DataGrid sx styling constant. |
| packages/jbrowse-plugin-apollo/src/components/AddRefSeqAliases.tsx | Apply shared DataGrid styling. |
| packages/jbrowse-plugin-apollo/src/components/AddAssemblyAliases.tsx | Apply shared DataGrid styling. |
| packages/jbrowse-plugin-apollo/src/components/AddAssembly.tsx | Add scientificName input and include it in add-assembly changes. |
| packages/jbrowse-plugin-apollo/src/ChangeManager.ts | Prevent guest/read-only from submitting changes; role derivation from token. |
| packages/jbrowse-plugin-apollo/src/ApolloInternetAccount/tokenUtils.ts | New helper to revoke tokens from other Apollo accounts. |
| packages/jbrowse-plugin-apollo/src/ApolloInternetAccount/tokenUtils.test.ts | Unit tests for token revocation helper. |
| packages/jbrowse-plugin-apollo/src/ApolloInternetAccount/model.ts | Add Login.gov + local auth selection, token revocation behavior, safer session access. |
| packages/jbrowse-plugin-apollo/src/ApolloInternetAccount/components/LoginButtons.tsx | Add Login.gov login button. |
| packages/jbrowse-plugin-apollo/src/ApolloInternetAccount/components/AuthTypeSelector.tsx | Add local auth form + Login.gov option + auto-guest selection support. |
| packages/jbrowse-plugin-apollo/README.md | Document auth UX + permissions updates + Node/Jest constraints. |
| packages/jbrowse-plugin-apollo/package.json | Add node check for tests; adjust clean script; pin jest-util 29.x. |
| packages/apollo-shared/src/Changes/AddAssemblyFromFileChange.ts | Include scientificName in serialized change payload. |
| packages/apollo-shared/src/Changes/AddAssemblyFromExternalChange.ts | Include scientificName in serialized change payload. |
| packages/apollo-shared/src/Changes/AddAssemblyAndFeaturesFromFileChange.ts | Include scientificName in serialized change payload. |
| packages/apollo-schemas/src/user.schema.ts | Add passwordHash field (not selected by default). |
| packages/apollo-schemas/src/index.ts | Export new schemas for ACL + groups. |
| packages/apollo-schemas/src/groupMembership.schema.ts | New group membership schema. |
| packages/apollo-schemas/src/groupAssemblyPermission.schema.ts | New group→assembly permission schema with edit→view invariant. |
| packages/apollo-schemas/src/group.schema.ts | New group schema. |
| packages/apollo-schemas/src/assemblyPermission.schema.ts | New user→assembly permission schema with edit→view invariant. |
| packages/apollo-schemas/src/assembly.schema.ts | Add scientificName field to assemblies. |
| packages/apollo-collaboration-server/src/utils/strategies/microsoft.strategy.ts | Treat disabled as not-configured for remote auth. |
| packages/apollo-collaboration-server/src/utils/strategies/login-gov.strategy.ts | New Login.gov OIDC strategy implementation. |
| packages/apollo-collaboration-server/src/utils/strategies/google.strategy.ts | Treat disabled as not-configured for remote auth. |
| packages/apollo-collaboration-server/src/utils/logingov.guard.ts | New guard to pass redirect state for Login.gov. |
| packages/apollo-collaboration-server/src/users/users.service.ts | Add local user creation + password hashing/verification. |
| packages/apollo-collaboration-server/src/users/users.controller.ts | Add admin endpoint to create local users. |
| packages/apollo-collaboration-server/src/users/dto/create-user.dto.ts | Add DTO for local user creation including password. |
| packages/apollo-collaboration-server/src/jbrowse/jbrowse.service.ts | Adjust config gating semantics for unauthenticated vs Role.None. |
| packages/apollo-collaboration-server/src/jbrowse/jbrowse.service.spec.ts | Rewrite tests without Nest TestingModule; add Role.None behavior coverage. |
| packages/apollo-collaboration-server/src/features/features.service.ts | Enforce view permissions on feature read paths. |
| packages/apollo-collaboration-server/src/features/features.service.spec.ts | Rewrite tests without Nest TestingModule. |
| packages/apollo-collaboration-server/src/features/features.module.ts | Import AssemblyPermissionsModule. |
| packages/apollo-collaboration-server/src/features/features.controller.ts | Thread req.user into service methods for ACL enforcement. |
| packages/apollo-collaboration-server/src/features/features.controller.spec.ts | Rewrite tests without Nest TestingModule. |
| packages/apollo-collaboration-server/src/declare.d.ts | Add local typings for passport-openidconnect. |
| packages/apollo-collaboration-server/src/changes/changes.service.ts | Enforce edit ACL for assembly-scoped writes and filter change history reads by view perms. |
| packages/apollo-collaboration-server/src/changes/changes.service.spec.ts | Add tests for ACL enforcement and filtering behavior. |
| packages/apollo-collaboration-server/src/changes/changes.module.ts | Import AssemblyPermissionsModule. |
| packages/apollo-collaboration-server/src/changes/changes.controller.ts | Thread req.user into change-history queries. |
| packages/apollo-collaboration-server/src/changes/changes.controller.spec.ts | Rewrite tests without Nest TestingModule. |
| packages/apollo-collaboration-server/src/changes/changeHandlers.service.ts | Persist scientificName and seed default access group + permissions on assembly creation. |
| packages/apollo-collaboration-server/src/changes/ASSEMBLY_ACL_NOTES.md | New notes describing write-path/read-path ACL approach for changes. |
| packages/apollo-collaboration-server/src/authentication/authentication.service.ts | Add Login.gov + local auth support; improve client id parsing; factor token issuance. |
| packages/apollo-collaboration-server/src/authentication/authentication.service.spec.ts | Update/getLoginTypes tests (direct + file-based IDs). |
| packages/apollo-collaboration-server/src/authentication/authentication.module.ts | Register LoginGovStrategy. |
| packages/apollo-collaboration-server/src/authentication/authentication.controller.ts | Add Login.gov and local auth endpoints; include logingov in login routing. |
| packages/apollo-collaboration-server/src/assemblyPermissions/README.md | New module documentation for assembly permissions. |
| packages/apollo-collaboration-server/src/assemblyPermissions/dto/update-assembly-permission.dto.ts | New DTO for permission upserts. |
| packages/apollo-collaboration-server/src/assemblyPermissions/assemblyPermissions.service.ts | New service implementing direct + group-derived permissions. |
| packages/apollo-collaboration-server/src/assemblyPermissions/assemblyPermissions.service.spec.ts | Unit tests for core service behaviors. |
| packages/apollo-collaboration-server/src/assemblyPermissions/assemblyPermissions.module.ts | New module wiring for permissions + group schemas. |
| packages/apollo-collaboration-server/src/assemblyPermissions/assemblyPermissions.integration.spec.ts | Integration-style route wiring tests with mocked service. |
| packages/apollo-collaboration-server/src/assemblyPermissions/assemblyPermissions.controller.ts | New admin API for grants + groups + memberships; mine endpoint. |
| packages/apollo-collaboration-server/src/assemblyPermissions/assemblyPermissions.controller.spec.ts | Controller definition test. |
| packages/apollo-collaboration-server/src/assemblies/dto/create-assembly.dto.ts | Add scientificName to create DTO. |
| packages/apollo-collaboration-server/src/assemblies/assemblies.service.ts | Normalize scientificName on create/update; fix update query. |
| packages/apollo-collaboration-server/src/assemblies/assemblies.controller.ts | Add admin update endpoint for assemblies. |
| packages/apollo-collaboration-server/src/app.module.ts | Add validation config for Login.gov and local auth; register AssemblyPermissionsModule. |
| packages/apollo-collaboration-server/README.md | Add local dev/auth/health documentation. |
| packages/apollo-collaboration-server/package.json | Jest config updates for ESM; allow configurable CLI test port; add deps. |
| packages/apollo-cli/src/test/test.ts | Make test server address configurable; add permissions command test. |
| packages/apollo-cli/src/test/test_docker.ts | Make docker test server address configurable. |
| packages/apollo-cli/src/test/README.md | Document APOLLO_TEST_ADDRESS usage; minor formatting fix. |
| packages/apollo-cli/src/permissionsUtils.ts | New helpers to resolve user and assembly ids for permissions CLI. |
| packages/apollo-cli/src/commands/permissions/revoke.ts | New CLI command to revoke assembly permissions. |
| packages/apollo-cli/src/commands/permissions/README.md | Docs for permissions command implementations. |
| packages/apollo-cli/src/commands/permissions/list.ts | New CLI command to list assembly permissions. |
| packages/apollo-cli/src/commands/permissions/grant.ts | New CLI command to grant assembly permissions. |
| packages/apollo-cli/src/ApolloConf.ts | Allow logingov accessType in config/schema docs. |
| packages/apollo-cli/README.md | Update generated CLI README to include permissions commands and link fixes. |
| packages/apollo-cli/package.json | Add permissions command topic + focused test script. |
| package.json | Add node-compat check and run it before workspace tests. |
| Dockerfile | Simplify image build to focus workspace production deps. |
| CONTRIBUTING.md | Document Node 20/22 requirement and workarounds. |
| .nvmrc | Pin Node 22 for contributors. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+142
to
+147
| const derivedKey = (await scrypt( | ||
| password, | ||
| Buffer.from(saltHex, 'hex'), | ||
| 64, | ||
| )) as Buffer | ||
| return timingSafeEqual(derivedKey, Buffer.from(hashHex, 'hex')) |
Comment on lines
131
to
138
| @@ -61,26 +137,53 @@ export class FeaturesService { | |||
| count += await this.featureModel.countDocuments(filter) | |||
| } | |||
Comment on lines
+147
to
+153
| const refSeqs: RefSeqDocument[] = await this.refSeqModel | ||
| .find({ assembly: { $in: allowedAssemblyIds } }) | ||
| .exec() | ||
| for (const refSeq of refSeqs) { | ||
| filter.refSeq = refSeq._id.toString() | ||
| count += await this.featureModel.countDocuments(filter) | ||
| } |
Comment on lines
+18
to
+21
| - `GET /auth/types` | ||
| - `POST /auth/local` | ||
| - `POST /auth/guest` | ||
|
|
| running command... | ||
| $ apollo (--version) | ||
| @apollo-annotation/cli/1.0.0 linux-x64 node-v24.15.0 | ||
| @apollo-annotation/cli/1.0.0 darwin-arm64 node-v26.0.0 |
| "check:node": "node -e \"const major=Number(process.versions.node.split('.')[0]); if (major>=26){console.error('Apollo plugin Jest tooling is not compatible with Node '+process.versions.node+'. Use Node 20 or 22.'); process.exit(1)} console.log('Node version OK for plugin tests:', process.versions.node)\"", | ||
| "setup": "rimraf .jbrowse && jbrowse create .jbrowse", | ||
| "clean": "rimraf dist", | ||
| "clean": "mkdir -p dist && find dist -mindepth 1 -maxdepth 1 -exec rm -rf {} +", |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This branch includes: