Add Next.js SSH certificate portal #473

Open
archbilesherman wants to merge 3 commits into apache:master from archbilesherman:master

archbilesherman commented May 18, 2026

Summary

This PR adds the initial portal/ frontend for the SSH Certificate Signer dashboard described in #465.

The portal provides a generic HPC/science gateway interface for users to view, inspect, filter, and revoke short-lived OpenSSH certificates issued by the SSH Certificate Signer service.

Current behavior

Portal application

  • Provides a Next.js 15 frontend under portal/.
  • Uses TypeScript and Tailwind CSS.
  • Uses shadcn/ui components for common UI primitives such as buttons, dialogs, tables, badges, and skeleton loading states.
  • Provides a generic Custos/HPC portal layout with:
    • sidebar navigation
    • authenticated header area
    • current user display
    • placeholder routes for future portal sections
  • Keeps UI language generic for HPC SSH certificate management and avoids deployment-specific branding.

Authentication/session behavior

  • Uses NextAuth v5 scaffolding for OIDC-based authentication.
  • Provides a session provider around the portal layout.
  • Displays the current session user in the portal header.
  • Supports sign-out through NextAuth.
  • Includes .env.local.example to document expected local authentication and API configuration values.

Note: OIDC support is present, but production authentication is not fully configured in this PR because no real provider values are defined. Deployments still need to provide the issuer, client ID, client secret, and related environment variables.

Signer API proxy

  • Provides a Next.js API proxy for Signer API calls under /api/v1/*.
  • For GET requests, the proxy reads the server-side session and forwards the session access token to the Signer backend.
  • For POST requests, the proxy preserves the client-credentials style flow used by the current revoke path.
  • The portal integrates with:
    • GET /api/v1/userinfo
    • GET /api/v1/certificates
    • GET /api/v1/certificates/{serial}
    • POST /api/v1/revoke

SSH Certificates dashboard

  • Displays a certificate list page for issued SSH certificates.
  • Supports loading, empty, and error states.
  • Supports status filtering for:
    • Active
    • Expired
    • Revoked
    • All
  • Supports username/principal filtering where supported by the available API/data.
  • Displays certificate status using distinct visual indicators for active, expired, and revoked certificates.
  • Provides a certificate detail route from each row’s More action.
  • Displays certificate metadata such as serial number, principal, key ID, fingerprints, validity period, source IP, granted extensions, and revocation information when available.
  • Provides a revoke confirmation dialog for active certificates.
  • Calls POST /api/v1/revoke for revocation requests.

Tests

  • Includes unit tests for frontend data loading around:
    • current user info
    • certificate list data
    • certificate detail data
    • revoke state
  • Includes Playwright E2E coverage for the list → detail → revoke flow.

How to run

From portal/:

npm install
npm run dev

The portal expects the SSH Certificate Signer backend to be running separately and exposing the /api/v1/* endpoints used by the portal.

Notes / future work

  • The issue originally proposed a Vite React SPA, but this implementation uses Next.js based on current project direction. The signer dashboard behavior and API integration remain aligned with Implement Signer Service user dashboard #465.
  • OIDC/NextAuth support is present as scaffolding, but production provider configuration still needs to be supplied by the deployment.
  • Admin/RBAC behavior is not fully enforced in the frontend. Full role-based authorization should be enforced by backend role data and API authorization.
  • POST /api/v1/revoke is wired against the current backend contract. Backend-side revoked-state reflection in subsequent list/detail responses may continue to evolve.
  • Future portal work can expand the placeholder sections into allocation management, project membership, profile management, client/tool management, and other Custos user-facing workflows.
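
An added example, not code from this PR: one way the rules described under "Signer API proxy" could be expressed as a pure routing decision, with an allow-list of the four endpoints listed there. The names `planUpstream`, `Session` and `serviceToken`, the decimal-serial pattern, and the requirement of a signed-in session before a POST is forwarded are assumptions.

```typescript
// Added illustration, not the PR's code. All names here are hypothetical.
type Method = "GET" | "POST";
type Session = { accessToken?: string } | null;
type Plan =
  | { ok: true; method: Method; url: string; authorization: string }
  | { ok: false; status: 401 | 404 | 405 };

// The four Signer endpoints the PR description lists. Anchored patterns mean
// anything else under /api/v1/* (including "../" tricks) is never forwarded.
// Assumption: {serial} is a decimal uint64, as OpenSSH serials are 64-bit.
const ROUTES: { method: Method; pattern: RegExp }[] = [
  { method: "GET", pattern: /^\/api\/v1\/userinfo$/ },
  { method: "GET", pattern: /^\/api\/v1\/certificates$/ },
  { method: "GET", pattern: /^\/api\/v1\/certificates\/[0-9]{1,20}$/ },
  { method: "POST", pattern: /^\/api\/v1\/revoke$/ },
];

// Decide what, if anything, to send upstream. `path` is the URL pathname only.
// `serviceToken` stands for the credential the server holds for the
// client-credentials style revoke call (assumed to be a bearer token).
function planUpstream(
  method: string,
  path: string,
  session: Session,
  serviceToken: string,
  signerBase: string,
): Plan {
  const samePath = ROUTES.filter((r) => r.pattern.test(path));
  if (samePath.length === 0) return { ok: false, status: 404 };
  const route = samePath.filter((r) => r.method === method)[0];
  if (!route) return { ok: false, status: 405 };

  // Assumption: every forwarded call, POST included, needs a signed-in user,
  // so the server-held credential is never usable by an anonymous browser.
  const userToken = session?.accessToken;
  if (!userToken) return { ok: false, status: 401 };

  // GET forwards the user's own token; POST uses the server-held credential.
  // Any Authorization header sent by the browser is ignored by construction.
  const token = route.method === "GET" ? userToken : serviceToken;
  return {
    ok: true,
    method: route.method,
    url: signerBase + path,
    authorization: `Bearer ${token}`,
  };
}
```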

…Badge/Skeleton, and added sign-in with NextAuth v5 OIDC (with dev-mode fallback if no provided established).
archbilesherman marked this pull request as ready for review May 18, 2026 23:06