
fix(admin-ui): prevent admin login failure when admin roles are removed #2689

Merged: moabu merged 1 commit into main from admin-ui-issue-2685 on Mar 6, 2026


faisalsiddique4400 (Contributor) commented Mar 6, 2026

fix(admin-ui): prevent admin login failure when admin roles are removed (#2685)

Summary

This PR fixes an issue where the admin user was unable to log in after the jansAdminUIRole or other roles were removed from the user profile.

Issue

If roles such as jansAdminUIRole, jansAdminRole, or userRole were removed from the admin user and the changes were saved, the user could no longer log in to the Admin UI, even after resetting the password.

Fix

  • Updated the role validation and handling logic to ensure users can still authenticate even if certain admin roles are removed.
  • Ensured that users without specific roles can still log in with the appropriate default access behavior.

Result

  • Users can now log in successfully even if their admin roles were previously removed.
  • Prevents complete access lockout for users whose roles were modified.

🔗 Ticket

Closes: #2685

Summary by CodeRabbit

  • New Features

    • Added a user-friendly toast notification that displays when a user lacks valid permissions, including a countdown timer before automatic logout.
  • Documentation

    • Added multilingual support for the new logout notification in English, Spanish, French, and Portuguese.

…ed (#2685)

Signed-off-by: faisalsiddique4400 <faisalsiddique10886@gmail.com>

coderabbitai bot (Contributor) commented Mar 6, 2026

Walkthrough

This PR adds support for graceful logout handling when users lack valid roles. It introduces a new translation key "no_valid_role_logout" across all supported languages (English, Spanish, French, Portuguese) and updates the AppAuthProvider component to display a toast notification with a 10-second countdown before redirecting to logout, replacing the previous alert behavior.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Translation files: admin-ui/app/locales/en/translation.json, admin-ui/app/locales/es/translation.json, admin-ui/app/locales/fr/translation.json, admin-ui/app/locales/pt/translation.json | Adds new translation entry no_valid_role_logout with a logout countdown message containing a {{seconds}} placeholder across all language files. |
| Authentication provider: admin-ui/app/utils/AppAuthProvider.tsx | Replaces alert-based invalid role handling with toast notifications. Adds GluuToast component import and rendering, imports toast from react-toastify, and implements a 10-second delay before redirecting to logout endpoint upon role validation failure. |

Sequence Diagram

sequenceDiagram
    participant User
    participant AppAuthProvider
    participant OAuth as OAuth/Token Provider
    participant Toast as GluuToast Notification
    participant Timer as Delay Timer
    participant Logout as Logout Endpoint

    User->>AppAuthProvider: Initiate login
    AppAuthProvider->>OAuth: Request user info & validate
    OAuth-->>AppAuthProvider: Return user data
    AppAuthProvider->>AppAuthProvider: Verify user roles
    
    alt Invalid Role Detected
        AppAuthProvider->>Toast: Display logout warning with countdown
        Toast-->>User: Show notification (no_valid_role_logout message)
        AppAuthProvider->>Timer: Start 10-second timer
        Timer-->>AppAuthProvider: Timer elapsed
        AppAuthProvider->>Logout: Redirect to logout endpoint
        Logout-->>User: Logout & redirect to login
    else Valid Role
        AppAuthProvider-->>User: Grant access
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Suggested labels

comp-admin-ui

Suggested reviewers

  • syntrydy
  • moabu
  • duttarnab

Poem

🐰 A user without their precious role,
Now sees a toast that's kind and whole!
Ten seconds to say their last goodbye,
With countdown gentle—no harsh cry.
A graceful exit, dignified and right,
No alert popups to give a fright! 🎭✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: preventing admin login failure when admin roles are removed, which directly matches the PR's primary objective. |
| Linked Issues check | ✅ Passed | The code changes address issue #2685 by adding role validation error handling and logout mechanisms. Translation additions support the new user-facing message about invalid roles, and AppAuthProvider implements the toast notification and delayed logout for invalid role scenarios. |
| Out of Scope Changes check | ✅ Passed | All changes are in-scope: translation files add the 'no_valid_role_logout' message referenced in the code, and AppAuthProvider implements role validation error handling with toast notifications aligned with issue #2685 requirements. |


mo-auto added the labels comp-admin-ui (Component affected by issue or PR) and kind-bug (Issue or PR is a bug in existing functionality) on Mar 6, 2026

sonarqubecloud bot commented Mar 6, 2026

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@admin-ui/app/locales/es/translation.json`:
- Line 1008: Replace the single "no_valid_role_logout" string with i18next
pluralized keys "no_valid_role_logout_one" and "no_valid_role_logout_other"
(preserving the Spanish text variants, e.g., "1 segundo" vs "{{count}}
segundos"), and update the consuming code that renders this message to call the
translator with count: LOGOUT_DELAY_SECONDS (not seconds: LOGOUT_DELAY_SECONDS)
so i18next selects the correct plural form; reference the translation key
"no_valid_role_logout" and the constant LOGOUT_DELAY_SECONDS when making these
changes.

In `@admin-ui/app/locales/fr/translation.json`:
- Around line 953-954: Split the "no_valid_role_logout" translation into plural
forms (no_valid_role_logout_one and no_valid_role_logout_other) mirroring the
existing sessionTimeout pattern (use singular "seconde" vs plural "secondes"),
and update the caller in AppAuthProvider (the code around the logout/countdown
logic in AppAuthProvider.tsx) to pass a numeric "count" prop instead of
"seconds" when invoking the i18n lookup so the pluralization system is used;
locate usages of the key "no_valid_role_logout" and replace them to use the new
plural-aware keys via the i18n count parameter.

In `@admin-ui/app/utils/AppAuthProvider.tsx`:
- Around line 248-254: The missing-role path should not force a logout redirect
or call endSession; update the toast display in AppAuthProvider so that the
toast.error call for t('messages.no_valid_role_logout', { seconds:
LOGOUT_DELAY_SECONDS }) does not set onClose to redirect to sessionEndpoint (or
otherwise trigger endSession) and instead simply informs the user (keep
autoClose if desired) so fallback/default access behavior can proceed; edit the
block containing redirect, sessionEndpoint, toast.error, LOGOUT_DELAY_SECONDS
and remove/disable the redirect/onClose behavior that forces logout.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cd6500e4-b34c-454c-9573-eae362c8030d

📥 Commits

Reviewing files that changed from the base of the PR and between 39f6277 and ae16ac3.

📒 Files selected for processing (5)
  • admin-ui/app/locales/en/translation.json
  • admin-ui/app/locales/es/translation.json
  • admin-ui/app/locales/fr/translation.json
  • admin-ui/app/locales/pt/translation.json
  • admin-ui/app/utils/AppAuthProvider.tsx
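
The missing-role path that the walkthrough diagrams and the review comment on AppAuthProvider.tsx discusses, as an added example that is not the project's own code: a pure decision function plus a small executor, so the countdown and redirect can be tested without a browser. The claim name passed to `extractRoles`, the `Ui` interface, the injected scheduler and all function names are assumptions made for illustration; only `LOGOUT_DELAY_SECONDS`, the 10-second delay and the `messages.no_valid_role_logout` key come from the thread.

```typescript
// Added example: not the project's AppAuthProvider.tsx. Names are assumptions.
const LOGOUT_DELAY_SECONDS = 10; // countdown length stated in the walkthrough

type Claims = Record<string, unknown>;
type Decision =
  | { action: "grant"; roles: string[] }
  | { action: "notify_then_logout"; delaySeconds: number; logoutUrl: string };

interface Ui {
  unlock(roles: string[]): void;
  notify(messageKey: string, params: { seconds: number }): void;
  redirect(url: string): void;
}
type Schedule = (fn: () => void, ms: number) => unknown;

// The role claim may be absent, a single string, or an array; anything else
// (numbers, objects, blank strings) is dropped rather than coerced.
function extractRoles(claims: Claims, claimName = "jansAdminUIRole"): string[] {
  const raw = claims[claimName];
  const list: unknown[] = Array.isArray(raw) ? raw : typeof raw === "string" ? [raw] : [];
  return list
    .filter((r): r is string => typeof r === "string")
    .map((r) => r.trim())
    .filter((r) => r.length > 0);
}

// Only roles the UI knows about count; an empty result never grants access.
function decideAccess(claims: Claims, knownRoles: Set<string>, sessionEndpoint: string): Decision {
  const roles = extractRoles(claims).filter((r) => knownRoles.has(r));
  if (roles.length > 0) return { action: "grant", roles };
  return { action: "notify_then_logout", delaySeconds: LOGOUT_DELAY_SECONDS, logoutUrl: sessionEndpoint };
}

// The UI is unlocked only on "grant". On the other branch the user sees the
// countdown message and the redirect fires once, when the timer elapses.
function applyDecision(d: Decision, ui: Ui, schedule: Schedule = (fn, ms) => setTimeout(fn, ms)): void {
  if (d.action === "grant") {
    ui.unlock(d.roles);
    return;
  }
  ui.notify("messages.no_valid_role_logout", { seconds: d.delaySeconds });
  schedule(() => ui.redirect(d.logoutUrl), d.delaySeconds * 1000);
}
```

Passing the scheduler in as a parameter lets a test capture the pending redirect and confirm that nothing unlocks the UI while the countdown is running.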

@moabu moabu merged commit b423c0f into main Mar 6, 2026
10 checks passed
@moabu moabu deleted the admin-ui-issue-2685 branch March 6, 2026 08:09
Development

Successfully merging this pull request may close these issues.

fix(admin-ui): unable to login admin user if removed role
