First of three commits porting the vanilla settings.html (13 sub-sections
total) to the React tree. This commit delivers the Settings page shell
plus the three Security sub-sections. Integrations (Nextcloud, Documents)
and Voice + Content land in the two follow-ups.
client/src/pages/Settings.tsx
Page shell that fetches /api/auth/me and conditionally renders the
local-auth sections only when user.canLocalAuth !== false. SSO-only
users see a brief "managed by your identity provider" notice instead —
matches vanilla behavior, which hides those cards for SSO accounts.
Change Password: three-field form (current / new / confirm) with
client-side validation (8+ chars, match). POSTs /api/auth/change-password.
On success the server destroys all OTHER sessions, so the component
invalidates the ['sessions'] query so the Active Sessions card below
refreshes without a full reload. passwordWarning (pwned-password hint)
surfaces as a follow-up info toast.
Two-Factor Auth: status line ("Enabled" / "Not enabled") reads
user.totp_enabled. Enable button POSTs /api/auth/setup-2fa, renders the
returned QR + secret, accepts the 6-digit code and POSTs /verify-2fa.
First-enable shows a one-shot BackupCodesDisplay modal with Copy + close.
Disable flow is inline (password field + Confirm Disable + Cancel, no
modal) — matches the vanilla UX. Backup-codes remaining count pulls
from /api/auth/2fa/backup-codes/count; a Regenerate button opens a
ConfirmModal with requirePassword=true and POSTs /2fa/backup-codes.
Active Sessions: useQuery on /api/sessions renders one row per session
with the current one highlighted. Per-row Revoke opens a ConfirmModal;
Revoke All Other Sessions opens another ConfirmModal. Both DELETE calls
invalidate ['sessions'] on success.
client/src/components/ConfirmModal.tsx
Reusable styled confirmation dialog — replaces vanilla showConfirm().
Supports a danger variant (destructive button styling) and an optional
password-input variant for confirm-by-password flows. Escape closes,
backdrop click closes, Enter in the password field submits. Carries
data-testid hooks (confirm-modal-ok, confirm-modal-cancel) so Playwright
can drive it without ever hitting window.confirm().
shared/types.ts + client/src/shared/types.ts
Additive changes only:
- AuthUser gains optional canLocalAuth, totp_enabled, email_verified,
nextcloud_url/user/folder, created_at — all fields the server
already returns from /api/auth/me but the type had never described.
- SessionRow reshape to match the wire format the server actually
returns (snake_case ip_address / device_label / created_at /
last_activity), replacing the speculative camelCase draft. No
existing consumer of SessionRow existed outside Settings, so the
rename is a no-op for current code.
- New types for 2FA + change-password response shapes (Setup2faOk,
Verify2faOk, BackupCodesCountOk, RegenBackupCodesOk,
ChangePasswordOk, RevokeAllSessionsOk).
client/src/App.tsx
Adds <Route path="/settings" element={<Settings />} />.
client/src/components/Layout.tsx
Flips the Settings nav entry to available: true.
e2e/tests/settings-react-security.spec.js
Five smoke tests against /app/settings mirroring the coverage of
settings-faq-dictation.spec.js for the vanilla tree: field/button
presence for all three sections, password-mismatch inline error,
revoke-all click surfaces the styled modal (with an explicit
page.on('dialog') guard to catch any future regression to native
confirm()).
Note: the e2e container image currently predates the /app/* route
(its /app/public/app/ directory is absent), so running this spec requires
a rebuild — deferred to Daniel's call. Client tsc -b, server tsc --noEmit,
and vite build all pass locally.
276 lines
7.8 KiB
TypeScript
276 lines
7.8 KiB
TypeScript
// ============================================================
|
|
// SHARED TYPES — consumed by both server (src/routes/*.ts) and
|
|
// client (client/src/*). A response-shape change here breaks the
|
|
// build on both sides until they agree.
|
|
//
|
|
// This is the single most important file in the TypeScript
|
|
// migration. Three of the bugs we hit before this point were
|
|
// response-shape mismatches (refine returned `content` vs
|
|
// `refined`, sick-visit endpoint path mismatch, hospital-course
|
|
// key mismatch). Typing the wire protocol makes them compile-time
|
|
// errors.
|
|
//
|
|
// Keep this file strictly about wire protocol — no DB row shapes,
|
|
// no server-internal helpers. Anything that crosses the network.
|
|
// ============================================================
|
|
|
|
// ── Envelope ─────────────────────────────────────────────────
|
|
// Every route returns either `{success: true, ...extraFields}` or
|
|
// `{success: false, error: string}`. The generic `T` is the shape
|
|
// of the extra fields on success. Client code does:
|
|
// const r: ApiResponse<HpiOk> = await fetch(...).then(r => r.json());
|
|
// if (r.success) console.log(r.hpi);
|
|
// else showToast(r.error);
|
|
export interface ApiErr {
|
|
success: false;
|
|
error: string;
|
|
}
|
|
export type ApiResponse<T> = ({ success: true } & T) | ApiErr;
|
|
|
|
// Model tag accompanies every AI response — LiteLLM pass-through.
|
|
export interface WithModel {
|
|
model: string;
|
|
}
|
|
|
|
// ── AI generation responses ──────────────────────────────────
|
|
// Keys match exactly what each route returns today. Do not rename
|
|
// without updating the server-side res.json() call in the same commit.
|
|
|
|
// /api/generate-hpi-encounter
|
|
// /api/generate-hpi-dictation
|
|
export interface HpiOk extends WithModel {
|
|
hpi: string;
|
|
}
|
|
|
|
// /api/generate-soap
|
|
export interface SoapOk extends WithModel {
|
|
soap: string;
|
|
}
|
|
|
|
// /api/sick-visit/note (NOT /api/generate-sick-visit — that path does not exist)
|
|
// /api/well-visit/note
|
|
export interface VisitNoteOk extends WithModel {
|
|
note: string;
|
|
}
|
|
|
|
// /api/generate-hospital-course
|
|
export interface HospitalCourseOk extends WithModel {
|
|
hospitalCourse: string;
|
|
format?: string;
|
|
}
|
|
|
|
// /api/generate-chart-review
|
|
export interface ChartReviewOk extends WithModel {
|
|
review: string;
|
|
}
|
|
|
|
// /api/generate-pe-narrative
|
|
export interface PeNarrativeOk extends WithModel {
|
|
narrative: string;
|
|
summary: {
|
|
normal: number;
|
|
abnormal: number;
|
|
notAssessed: number;
|
|
};
|
|
}
|
|
|
|
// /api/generate-milestone-narrative
|
|
export interface MilestoneNarrativeOk extends WithModel {
|
|
narrative: string;
|
|
summary: {
|
|
achieved: number;
|
|
notAchieved: number;
|
|
notAssessed: number;
|
|
};
|
|
}
|
|
|
|
// /api/generate-milestone-summary
|
|
export interface MilestoneSummaryOk extends WithModel {
|
|
summary: string;
|
|
}
|
|
|
|
// /api/well-visit/shadess
|
|
export interface ShadessOk extends WithModel {
|
|
assessment: string;
|
|
}
|
|
|
|
// /api/refine
|
|
export interface RefineOk extends WithModel {
|
|
refined: string;
|
|
}
|
|
|
|
// /api/shorten (via refine.js router)
|
|
export interface ShortenOk extends WithModel {
|
|
shortened: string;
|
|
}
|
|
|
|
// /api/clarify and /hospital-course/clarify
|
|
export interface ClarifyOk extends WithModel {
|
|
questions: string;
|
|
}
|
|
|
|
// /api/suggest-billing-codes
|
|
export interface BillingCodesOk extends WithModel {
|
|
icd10: Array<{ code: string; description: string; reason?: string }>;
|
|
cpt: Array<{ code: string; description: string; reason?: string }>;
|
|
}
|
|
|
|
// /api/transcribe
|
|
export interface TranscribeOk {
|
|
text: string;
|
|
provider: string;
|
|
duration: number;
|
|
}
|
|
|
|
// /api/tts
|
|
export interface TtsOk {
|
|
audioBase64: string;
|
|
}
|
|
|
|
// /api/models
|
|
export interface ModelsOk {
|
|
models: Array<{ id: string; label?: string }>;
|
|
}
|
|
|
|
// ── Auth ─────────────────────────────────────────────────────
|
|
export interface AuthUser {
|
|
id: number;
|
|
email: string;
|
|
name: string;
|
|
role?: string;
|
|
isVerified?: boolean;
|
|
has2FA?: boolean;
|
|
// canLocalAuth: false for SSO-auto-created accounts whose password is a
|
|
// random hex blob that can never verify. Settings hides password/2FA UI
|
|
// for those users. totp_enabled / email_verified / nextcloud_* mirror
|
|
// DB columns returned by /api/auth/me.
|
|
canLocalAuth?: boolean;
|
|
totp_enabled?: boolean;
|
|
email_verified?: boolean;
|
|
nextcloud_url?: string | null;
|
|
nextcloud_user?: string | null;
|
|
nextcloud_folder?: string | null;
|
|
created_at?: string;
|
|
}
|
|
|
|
// /api/auth/login (two-phase: may also return requires2FA / needsVerification)
|
|
export interface LoginOk {
|
|
token: string;
|
|
user: AuthUser;
|
|
sessionId?: string;
|
|
}
|
|
|
|
export interface LoginRequires2FA {
|
|
success: true;
|
|
requires2FA: true;
|
|
}
|
|
|
|
export interface LoginNeedsVerification {
|
|
success: true;
|
|
needsVerification: true;
|
|
}
|
|
|
|
// /api/auth/me
|
|
export interface MeOk {
|
|
user: AuthUser;
|
|
}
|
|
|
|
// ── Sessions ─────────────────────────────────────────────────
|
|
// Keys match the wire shape returned by /api/sessions (snake_case from
|
|
// the DB columns, deliberately unchanged to keep the existing vanilla
|
|
// client working during migration).
|
|
export interface SessionRow {
|
|
id: string;
|
|
ip_address?: string | null;
|
|
device_label?: string | null;
|
|
created_at: string;
|
|
last_activity: string;
|
|
}
|
|
export interface SessionsOk {
|
|
sessions: SessionRow[];
|
|
currentSessionId: string | null;
|
|
}
|
|
export interface RevokeAllSessionsOk {
|
|
revoked?: number;
|
|
}
|
|
|
|
// ── 2FA + password change ────────────────────────────────────
|
|
// /api/auth/setup-2fa
|
|
export interface Setup2faOk {
|
|
secret: string;
|
|
qrCode: string;
|
|
}
|
|
// /api/auth/verify-2fa — backupCodes populated only on first enable
|
|
export interface Verify2faOk {
|
|
backupCodes: string[] | null;
|
|
}
|
|
// /api/auth/2fa/backup-codes/count
|
|
export interface BackupCodesCountOk {
|
|
remaining: number;
|
|
}
|
|
// /api/auth/2fa/backup-codes (regenerate)
|
|
export interface RegenBackupCodesOk {
|
|
codes: string[];
|
|
message?: string;
|
|
}
|
|
// /api/auth/change-password
|
|
export interface ChangePasswordOk {
|
|
message: string;
|
|
passwordWarning?: string;
|
|
}
|
|
|
|
// ── Extensions (pagers/directory) ────────────────────────────
|
|
export interface Extension {
|
|
id: number;
|
|
location: string;
|
|
name: string;
|
|
number: string;
|
|
type: 'extension' | 'pager';
|
|
notes?: string;
|
|
deletedAt?: string | null;
|
|
}
|
|
export interface ExtensionsListOk {
|
|
items: Extension[];
|
|
}
|
|
|
|
// ── Memories (saved templates / style hints) ─────────────────
|
|
export interface Memory {
|
|
id: number;
|
|
category: string;
|
|
name: string;
|
|
content: string;
|
|
}
|
|
export interface MemoriesListOk {
|
|
items: Memory[];
|
|
}
|
|
|
|
// ── Learning hub ─────────────────────────────────────────────
|
|
export interface LearningContentItem {
|
|
id: number | string;
|
|
slug?: string;
|
|
title: string;
|
|
category?: string;
|
|
excerpt?: string;
|
|
body?: string;
|
|
}
|
|
export interface LearningFeedOk {
|
|
content: LearningContentItem[];
|
|
total?: number;
|
|
}
|
|
|
|
// ── Encounters (saved drafts) ────────────────────────────────
|
|
export interface EncounterSummary {
|
|
id: number;
|
|
label: string;
|
|
type: 'encounter' | 'dictation' | 'hospital' | 'chart' | 'wellvisit' | 'sickvisit' | 'soap';
|
|
createdAt: string;
|
|
updatedAt: string;
|
|
}
|
|
export interface EncountersListOk {
|
|
items: EncounterSummary[];
|
|
}
|
|
|
|
// ── Health ───────────────────────────────────────────────────
|
|
export interface HealthOk {
|
|
ok: boolean;
|
|
}
|