frontend/src/pages/ProfilePage.tsx

import { useState } from 'react';

import { Alert } from '@/components/ui/Alert';
import { Button } from '@/components/ui/Button';
import { Card } from '@/components/ui/Card';
import { SectionHeader } from '@/components/ui/SectionHeader';
import { Tag } from '@/components/ui/Tag';
import { TextField } from '@/components/ui/TextField';
import { ApiError, apiPost } from '@/lib/api';
import { useAuth } from '@/lib/auth';

export function ProfilePage() {
  const { state, logout } = useAuth();
  const user = state.user!;
  const [current, setCurrent] = useState('');
  const [next, setNext] = useState('');
  const [confirm, setConfirm] = useState('');
  const [busy, setBusy] = useState(false);
  const [msg, setMsg] = useState<{ kind: 'ok' | 'err'; text: string } | null>(null);

  async function handleChangePassword(e: React.FormEvent) {
    e.preventDefault();
    setMsg(null);
    if (next !== confirm) {
      setMsg({ kind: 'err', text: 'New passwords do not match.' });
      return;
    }
    if (next.length < 8) {
      setMsg({ kind: 'err', text: 'New password must be at least 8 characters.' });
      return;
    }
    setBusy(true);
    try {
      await apiPost('/auth/change-password', {
        current_password: current,
        new_password: next,
      });
      setMsg({ kind: 'ok', text: 'Password updated. You will be signed out for security.' });
      setCurrent('');
      setNext('');
      setConfirm('');
      setTimeout(() => logout(), 1500);
    } catch (err) {
      if (err instanceof ApiError) {
        const payload = err.payload as { error?: string; message?: string } | null;
        setMsg({
          kind: 'err',
          text: payload?.message ?? payload?.error ?? `HTTP ${err.status}`,
        });
      } else {
        setMsg({ kind: 'err', text: err instanceof Error ? err.message : 'Update failed.' });
      }
    } finally {
      setBusy(false);
    }
  }

  return (
    <>
      <SectionHeader prefix="Account" highlight="Profile" accent="cyan" />
      <div className="grid gap-4 [grid-template-columns:repeat(auto-fill,minmax(420px,1fr))]">
        <Card accent="cyan" title="Identity" sub={user.is_admin ? 'admin account' : 'operator account'}>
          <p>
            <span className="text-text-dim">email&nbsp;</span>
            <code className="accent-fill-cyan px-2 py-[2px] rounded-sm font-mono text-4xs">
              {user.email}
            </code>
          </p>
          <p className="mt-2">
            <span className="text-text-dim">display&nbsp;</span>
            <code className="accent-fill-cyan px-2 py-[2px] rounded-sm font-mono text-4xs">
              {user.display_name ?? '—'}
            </code>
          </p>
          <p className="mt-2">
            <span className="text-text-dim">locale&nbsp;</span>
            <code className="accent-fill-cyan px-2 py-[2px] rounded-sm font-mono text-4xs">
              {user.locale}
            </code>
          </p>
        </Card>

        <Card accent="purple" title="Groups" sub={user.groups.length ? '' : 'no groups assigned'}>
          {user.groups.length === 0 && <p className="text-text-dim">No groups yet.</p>}
          {user.groups.map((g) => (
            <Tag key={g} accent="purple">
              {g}
            </Tag>
          ))}
        </Card>

        <Card accent="orange" title="Permissions" sub={user.permissions.length ? '' : user.is_admin ? 'admin (all)' : 'no perms'}>
          {user.is_admin && <Tag accent="orange">ADMIN — bypasses checks</Tag>}
          {user.permissions.map((p) => (
            <Tag key={p} accent="orange">
              {p}
            </Tag>
          ))}
        </Card>

        <Card accent="rose" title="Change password">
          <form onSubmit={handleChangePassword} className="space-y-3">
            <TextField
              label="Current password"
              type="password"
              autoComplete="current-password"
              value={current}
              onChange={(e) => setCurrent(e.target.value)}
              required
            />
            <TextField
              label="New password"
              type="password"
              autoComplete="new-password"
              value={next}
              onChange={(e) => setNext(e.target.value)}
              required
              hint="Min 8 characters."
            />
            <TextField
              label="Confirm new password"
              type="password"
              autoComplete="new-password"
              value={confirm}
              onChange={(e) => setConfirm(e.target.value)}
              required
            />
            {msg && <Alert accent={msg.kind === 'ok' ? 'green' : 'red'}>{msg.text}</Alert>}
            <Button type="submit" accent="rose" disabled={busy}>
              {busy ? 'Updating…' : 'Update password'}
            </Button>
          </form>
        </Card>
      </div>
    </>
  );
}
feat(m2): auth, JWT, invitations, bootstrap, RTOps SPA pages Crypto + tokens - app/core/security.py: Argon2id PasswordHasher (time_cost=2, memory_cost= 64 MiB, parallelism=2) + opaque-token SHA-256 helpers (raw token shown once, only the hash lives in the DB). - app/core/jwt_tokens.py: HS256, claims iss/sub/type/jti/iat/exp. Access 1h, refresh 30d. Services - services/auth.py: login, refresh with token rotation + reuse-detection chain revoke, logout (idempotent), change_password (forces logout-all). - services/invitations.py: create, preview, accept, revoke. Default 7d TTL. - services/bootstrap.py: seeds the 3 system groups (admin/redteam/blueteam), consumes the install token, attaches the first user to admin. - core/install_token.py: mints, persists in settings, marks consumed, regenerate hook for /diag/reset. API - POST /setup (consume install token, create 1st admin) + GET /setup (status). - POST /auth/{login,refresh,logout,change-password} + GET /auth/me. - POST /invitations + GET /invitations + GET /invitations/preview/<token> + POST /invitations/accept/<token> + POST /invitations/<id>/revoke. - POST /diag/reset: test-only kill switch (truncate auth tables + mint fresh install token). Allowed in dev too (with WARNING log) so the e2e suite can run against a make-up stack; production locked out. Middleware - @require_auth populates g.current_user (snapshot dataclass, session closed before request handler runs). - @require_perm(*codes): atomic perm union check; admin group bypasses. Perm catalogue lands in M3, scaffolding here. - flask-limiter: 10/min/IP on /auth/login & /auth/refresh, 5/min on /auth/change-password & /setup, 10–20/min on invitation endpoints. Disabled in APP_ENV=test. CLI - flask --app app.cli metamorph print-install-token [--force] - flask --app app.cli metamorph seed-mitre (M4 placeholder) Refresh cookie metamorph_refresh: HttpOnly + Secure (localhost is a secure context for modern browsers) + SameSite=Strict + Path=/api/v1/auth/. Email validation: app.api._validation.Email permissive RFC-shape regex so internal TLDs (.local/.corp/.test) are accepted — pydantic.EmailStr's deliverability check is too strict for red-team labs. Frontend - lib/{api,auth}.ts: access token in module memory, refresh cookie, automatic 401-retry via /auth/refresh, useAuth() hook. - components/{Layout,RequireAuth}.tsx + ui/{TextField,Alert}.tsx. - pages/{Login,Setup,Register,Profile}. Testing - tests/test_auth_flow.py: 15 integration tests (24 backend total). - e2e/tests/m2-auth.spec.ts: 8 Playwright tests (20 e2e total). - tasks/testing-m2.md. DoD: make test-api → 24 passed, make e2e → 20 passed; spec-reviewer pass applied (Secure unconditional, refresh limit 10/min/IP). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-11 06:16:48 +02:00			`import { useState } from 'react';`

			`import { Alert } from '@/components/ui/Alert';`
			`import { Button } from '@/components/ui/Button';`
			`import { Card } from '@/components/ui/Card';`
			`import { SectionHeader } from '@/components/ui/SectionHeader';`
			`import { Tag } from '@/components/ui/Tag';`
			`import { TextField } from '@/components/ui/TextField';`
			`import { ApiError, apiPost } from '@/lib/api';`
			`import { useAuth } from '@/lib/auth';`

			`export function ProfilePage() {`
			`const { state, logout } = useAuth();`
			`const user = state.user!;`
			`const [current, setCurrent] = useState('');`
			`const [next, setNext] = useState('');`
			`const [confirm, setConfirm] = useState('');`
			`const [busy, setBusy] = useState(false);`
			`const [msg, setMsg] = useState<{ kind: 'ok' \| 'err'; text: string } \| null>(null);`

			`async function handleChangePassword(e: React.FormEvent) {`
			`e.preventDefault();`
			`setMsg(null);`
			`if (next !== confirm) {`
			`setMsg({ kind: 'err', text: 'New passwords do not match.' });`
			`return;`
			`}`
			`if (next.length < 8) {`
			`setMsg({ kind: 'err', text: 'New password must be at least 8 characters.' });`
			`return;`
			`}`
			`setBusy(true);`
			`try {`
			`await apiPost('/auth/change-password', {`
			`current_password: current,`
			`new_password: next,`
			`});`
			`setMsg({ kind: 'ok', text: 'Password updated. You will be signed out for security.' });`
			`setCurrent('');`
			`setNext('');`
			`setConfirm('');`
			`setTimeout(() => logout(), 1500);`
			`} catch (err) {`
			`if (err instanceof ApiError) {`
			`const payload = err.payload as { error?: string; message?: string } \| null;`
			`setMsg({`
			`kind: 'err',`
			text: payload?.message ?? payload?.error ?? `HTTP ${err.status}`,
			`});`
			`} else {`
			`setMsg({ kind: 'err', text: err instanceof Error ? err.message : 'Update failed.' });`
			`}`
			`} finally {`
			`setBusy(false);`
			`}`
			`}`

			`return (`
			`<>`
			`<SectionHeader prefix="Account" highlight="Profile" accent="cyan" />`
			`<div className="grid gap-4 [grid-template-columns:repeat(auto-fill,minmax(420px,1fr))]">`
			`<Card accent="cyan" title="Identity" sub={user.is_admin ? 'admin account' : 'operator account'}>`
			`<p>`
			`<span className="text-text-dim">email </span>`
			`<code className="accent-fill-cyan px-2 py-[2px] rounded-sm font-mono text-4xs">`
			`{user.email}`
			`</code>`
			`</p>`
			`<p className="mt-2">`
			`<span className="text-text-dim">display </span>`
			`<code className="accent-fill-cyan px-2 py-[2px] rounded-sm font-mono text-4xs">`
			`{user.display_name ?? '—'}`
			`</code>`
			`</p>`
			`<p className="mt-2">`
			`<span className="text-text-dim">locale </span>`
			`<code className="accent-fill-cyan px-2 py-[2px] rounded-sm font-mono text-4xs">`
			`{user.locale}`
			`</code>`
			`</p>`
			`</Card>`

			`<Card accent="purple" title="Groups" sub={user.groups.length ? '' : 'no groups assigned'}>`
			`{user.groups.length === 0 && <p className="text-text-dim">No groups yet.</p>}`
			`{user.groups.map((g) => (`
			`<Tag key={g} accent="purple">`
			`{g}`
			`</Tag>`
			`))}`
			`</Card>`

			`<Card accent="orange" title="Permissions" sub={user.permissions.length ? '' : user.is_admin ? 'admin (all)' : 'no perms'}>`
			`{user.is_admin && <Tag accent="orange">ADMIN — bypasses checks</Tag>}`
			`{user.permissions.map((p) => (`
			`<Tag key={p} accent="orange">`
			`{p}`
			`</Tag>`
			`))}`
			`</Card>`

			`<Card accent="rose" title="Change password">`
			`<form onSubmit={handleChangePassword} className="space-y-3">`
			`<TextField`
			`label="Current password"`
			`type="password"`
			`autoComplete="current-password"`
			`value={current}`
			`onChange={(e) => setCurrent(e.target.value)}`
			`required`
			`/>`
			`<TextField`
			`label="New password"`
			`type="password"`
			`autoComplete="new-password"`
			`value={next}`
			`onChange={(e) => setNext(e.target.value)}`
			`required`
			`hint="Min 8 characters."`
			`/>`
			`<TextField`
			`label="Confirm new password"`
			`type="password"`
			`autoComplete="new-password"`
			`value={confirm}`
			`onChange={(e) => setConfirm(e.target.value)}`
			`required`
			`/>`
			`{msg && <Alert accent={msg.kind === 'ok' ? 'green' : 'red'}>{msg.text}</Alert>}`
			`<Button type="submit" accent="rose" disabled={busy}>`
			`{busy ? 'Updating…' : 'Update password'}`
			`</Button>`
			`</form>`
			`</Card>`
			`</div>`
			`</>`
			`);`
			`}`