pediatric-ai-scribe-v3/shared/types.ts
Daniel 9dce93cf67 feat(client): port Settings — Security (password, 2FA, sessions)
First of three commits porting the vanilla settings.html (13 sub-sections
total) to the React tree. This commit delivers the Settings page shell
plus the three Security sub-sections. Integrations (Nextcloud, Documents)
and Voice + Content land in the two follow-ups.

client/src/pages/Settings.tsx
  Page shell that fetches /api/auth/me and conditionally renders the
  local-auth sections only when user.canLocalAuth !== false. SSO-only
  users see a brief "managed by your identity provider" notice instead —
  matches vanilla behavior, which hides those cards for SSO accounts.

  Change Password: three-field form (current / new / confirm) with
  client-side validation (8+ chars, match). POSTs /api/auth/change-password.
  On success the server destroys all OTHER sessions, so the component
  invalidates the ['sessions'] query so the Active Sessions card below
  refreshes without a full reload. passwordWarning (pwned-password hint)
  surfaces as a follow-up info toast.

  Two-Factor Auth: status line ("Enabled" / "Not enabled") reads
  user.totp_enabled. Enable button POSTs /api/auth/setup-2fa, renders the
  returned QR + secret, accepts the 6-digit code and POSTs /verify-2fa.
  First-enable shows a one-shot BackupCodesDisplay modal with Copy + close.
  Disable flow is inline (password field + Confirm Disable + Cancel, no
  modal) — matches the vanilla UX. Backup-codes remaining count pulls
  from /api/auth/2fa/backup-codes/count; a Regenerate button opens a
  ConfirmModal with requirePassword=true and POSTs /2fa/backup-codes.

  Active Sessions: useQuery on /api/sessions renders one row per session
  with the current one highlighted. Per-row Revoke opens a ConfirmModal;
  Revoke All Other Sessions opens another ConfirmModal. Both DELETE calls
  invalidate ['sessions'] on success.

client/src/components/ConfirmModal.tsx
  Reusable styled confirmation dialog — replaces vanilla showConfirm().
  Supports a danger variant (destructive button styling) and an optional
  password-input variant for confirm-by-password flows. Escape closes,
  backdrop click closes, Enter in the password field submits. Carries
  data-testid hooks (confirm-modal-ok, confirm-modal-cancel) so Playwright
  can drive it without ever hitting window.confirm().

shared/types.ts + client/src/shared/types.ts
  Additive changes only:
    - AuthUser gains optional canLocalAuth, totp_enabled, email_verified,
      nextcloud_url/user/folder, created_at — all fields the server
      already returns from /api/auth/me but the type had never described.
    - SessionRow reshape to match the wire format the server actually
      returns (snake_case ip_address / device_label / created_at /
      last_activity), replacing the speculative camelCase draft. No
      existing consumer of SessionRow existed outside Settings, so the
      rename is a no-op for current code.
    - New types for 2FA + change-password response shapes (Setup2faOk,
      Verify2faOk, BackupCodesCountOk, RegenBackupCodesOk,
      ChangePasswordOk, RevokeAllSessionsOk).

client/src/App.tsx
  Adds <Route path="/settings" element={<Settings />} />.

client/src/components/Layout.tsx
  Flips the Settings nav entry to available: true.

e2e/tests/settings-react-security.spec.js
  Five smoke tests against /app/settings mirroring the coverage of
  settings-faq-dictation.spec.js for the vanilla tree: field/button
  presence for all three sections, password-mismatch inline error,
  revoke-all click surfaces the styled modal (with an explicit
  page.on('dialog') guard to catch any future regression to native
  confirm()).

Note: the e2e container image currently predates the /app/* route
(its /app/public/app/ directory is absent), so running this spec requires
a rebuild — deferred to Daniel's call. Client tsc -b, server tsc --noEmit,
and vite build all pass locally.
2026-04-23 23:31:14 +02:00

276 lines
7.8 KiB
TypeScript

// ============================================================
// SHARED TYPES — consumed by both server (src/routes/*.ts) and
// client (client/src/*). A response-shape change here breaks the
// build on both sides until they agree.
//
// This is the single most important file in the TypeScript
// migration. Three of the bugs we hit before this point were
// response-shape mismatches (refine returned `content` vs
// `refined`, sick-visit endpoint path mismatch, hospital-course
// key mismatch). Typing the wire protocol makes them compile-time
// errors.
//
// Keep this file strictly about wire protocol — no DB row shapes,
// no server-internal helpers. Anything that crosses the network.
// ============================================================
// ── Envelope ─────────────────────────────────────────────────
// Every route returns either `{success: true, ...extraFields}` or
// `{success: false, error: string}`. The generic `T` is the shape
// of the extra fields on success. Client code does:
// const r: ApiResponse<HpiOk> = await fetch(...).then(r => r.json());
// if (r.success) console.log(r.hpi);
// else showToast(r.error);
export interface ApiErr {
success: false;
error: string;
}
export type ApiResponse<T> = ({ success: true } & T) | ApiErr;
// Model tag accompanies every AI response — LiteLLM pass-through.
export interface WithModel {
model: string;
}
// ── AI generation responses ──────────────────────────────────
// Keys match exactly what each route returns today. Do not rename
// without updating the server-side res.json() call in the same commit.
// /api/generate-hpi-encounter
// /api/generate-hpi-dictation
export interface HpiOk extends WithModel {
hpi: string;
}
// /api/generate-soap
export interface SoapOk extends WithModel {
soap: string;
}
// /api/sick-visit/note (NOT /api/generate-sick-visit — that path does not exist)
// /api/well-visit/note
export interface VisitNoteOk extends WithModel {
note: string;
}
// /api/generate-hospital-course
export interface HospitalCourseOk extends WithModel {
hospitalCourse: string;
format?: string;
}
// /api/generate-chart-review
export interface ChartReviewOk extends WithModel {
review: string;
}
// /api/generate-pe-narrative
export interface PeNarrativeOk extends WithModel {
narrative: string;
summary: {
normal: number;
abnormal: number;
notAssessed: number;
};
}
// /api/generate-milestone-narrative
export interface MilestoneNarrativeOk extends WithModel {
narrative: string;
summary: {
achieved: number;
notAchieved: number;
notAssessed: number;
};
}
// /api/generate-milestone-summary
export interface MilestoneSummaryOk extends WithModel {
summary: string;
}
// /api/well-visit/shadess
export interface ShadessOk extends WithModel {
assessment: string;
}
// /api/refine
export interface RefineOk extends WithModel {
refined: string;
}
// /api/shorten (via refine.js router)
export interface ShortenOk extends WithModel {
shortened: string;
}
// /api/clarify and /hospital-course/clarify
export interface ClarifyOk extends WithModel {
questions: string;
}
// /api/suggest-billing-codes
export interface BillingCodesOk extends WithModel {
icd10: Array<{ code: string; description: string; reason?: string }>;
cpt: Array<{ code: string; description: string; reason?: string }>;
}
// /api/transcribe
export interface TranscribeOk {
text: string;
provider: string;
duration: number;
}
// /api/tts
export interface TtsOk {
audioBase64: string;
}
// /api/models
export interface ModelsOk {
models: Array<{ id: string; label?: string }>;
}
// ── Auth ─────────────────────────────────────────────────────
export interface AuthUser {
id: number;
email: string;
name: string;
role?: string;
isVerified?: boolean;
has2FA?: boolean;
// canLocalAuth: false for SSO-auto-created accounts whose password is a
// random hex blob that can never verify. Settings hides password/2FA UI
// for those users. totp_enabled / email_verified / nextcloud_* mirror
// DB columns returned by /api/auth/me.
canLocalAuth?: boolean;
totp_enabled?: boolean;
email_verified?: boolean;
nextcloud_url?: string | null;
nextcloud_user?: string | null;
nextcloud_folder?: string | null;
created_at?: string;
}
// /api/auth/login (two-phase: may also return requires2FA / needsVerification)
export interface LoginOk {
token: string;
user: AuthUser;
sessionId?: string;
}
export interface LoginRequires2FA {
success: true;
requires2FA: true;
}
export interface LoginNeedsVerification {
success: true;
needsVerification: true;
}
// /api/auth/me
export interface MeOk {
user: AuthUser;
}
// ── Sessions ─────────────────────────────────────────────────
// Keys match the wire shape returned by /api/sessions (snake_case from
// the DB columns, deliberately unchanged to keep the existing vanilla
// client working during migration).
export interface SessionRow {
id: string;
ip_address?: string | null;
device_label?: string | null;
created_at: string;
last_activity: string;
}
export interface SessionsOk {
sessions: SessionRow[];
currentSessionId: string | null;
}
export interface RevokeAllSessionsOk {
revoked?: number;
}
// ── 2FA + password change ────────────────────────────────────
// /api/auth/setup-2fa
export interface Setup2faOk {
secret: string;
qrCode: string;
}
// /api/auth/verify-2fa — backupCodes populated only on first enable
export interface Verify2faOk {
backupCodes: string[] | null;
}
// /api/auth/2fa/backup-codes/count
export interface BackupCodesCountOk {
remaining: number;
}
// /api/auth/2fa/backup-codes (regenerate)
export interface RegenBackupCodesOk {
codes: string[];
message?: string;
}
// /api/auth/change-password
export interface ChangePasswordOk {
message: string;
passwordWarning?: string;
}
// ── Extensions (pagers/directory) ────────────────────────────
export interface Extension {
id: number;
location: string;
name: string;
number: string;
type: 'extension' | 'pager';
notes?: string;
deletedAt?: string | null;
}
export interface ExtensionsListOk {
items: Extension[];
}
// ── Memories (saved templates / style hints) ─────────────────
export interface Memory {
id: number;
category: string;
name: string;
content: string;
}
export interface MemoriesListOk {
items: Memory[];
}
// ── Learning hub ─────────────────────────────────────────────
export interface LearningContentItem {
id: number | string;
slug?: string;
title: string;
category?: string;
excerpt?: string;
body?: string;
}
export interface LearningFeedOk {
content: LearningContentItem[];
total?: number;
}
// ── Encounters (saved drafts) ────────────────────────────────
export interface EncounterSummary {
id: number;
label: string;
type: 'encounter' | 'dictation' | 'hospital' | 'chart' | 'wellvisit' | 'sickvisit' | 'soap';
createdAt: string;
updatedAt: string;
}
export interface EncountersListOk {
items: EncounterSummary[];
}
// ── Health ───────────────────────────────────────────────────
export interface HealthOk {
ok: boolean;
}