
Add Next.js SSH certificate portal #473

Open
archbilesherman wants to merge 7 commits into apache:master from archbilesherman:master


archbilesherman commented May 18, 2026

Summary

This PR adds the initial portal/ frontend for the SSH Certificate Signer dashboard described in #465.

The portal provides a generic HPC/science gateway interface for users to view, inspect, filter, and revoke short-lived OpenSSH certificates issued by the SSH Certificate Signer service.

Current behavior

Portal application

  • Provides a Next.js 15 frontend under portal/.

  • Uses TypeScript and Tailwind CSS v4.

  • Uses shadcn/ui components for common UI primitives including buttons, dialogs, tables, badges, and skeleton loading states.

  • Provides a generic Custos/HPC portal layout with:

    • sidebar navigation
    • authenticated header area
    • current user display
    • placeholder routes for future portal sections
  • Includes a help/support button that uses a mailto: link to open the user’s default email client with a prefilled example support request.

  • Keeps UI language generic for HPC SSH certificate management and avoids deployment-specific branding.

Authentication/session behavior

  • Uses NextAuth v5 for OIDC-based authentication.
  • Configures CILogon as the OIDC provider.
  • Wraps the portal in a session provider so authenticated session state is available to client components.
  • Displays the current session user in the portal header.
  • Supports sign-out through NextAuth.
  • Includes .env.local.example to document required local authentication and API configuration values.

The CILogon integration expects deployment/local environment variables for the OIDC issuer, client ID, client secret, callback URL, and Auth.js/NextAuth secret. No provider secrets are hardcoded.

Signer API proxy

  • Provides a Next.js API proxy for Signer API calls under /api/v1/*.
  • For GET requests, the proxy reads the server-side session and forwards the session access token to the Signer backend as a bearer token.
  • For POST requests, the proxy preserves the client-credentials style flow used by the current revoke path.
  • The portal integrates with:
    • GET /api/v1/userinfo
    • GET /api/v1/certificates
    • GET /api/v1/certificates/{serial}
    • POST /api/v1/revoke

SSH Certificates dashboard

  • Displays a certificate list page for issued SSH certificates.
  • Supports loading, empty, and error states.
  • Supports status filtering for:
    • Active
    • Expired
    • Revoked
    • All
  • Supports username/principal filtering where supported by the available API/data.
  • Displays certificate status using distinct visual indicators for active, expired, and revoked certificates.
  • Provides a certificate detail route from each row’s More action.
  • Displays certificate metadata such as:
    • serial number
    • principal
    • key ID
    • public key fingerprint
    • CA fingerprint
    • validity period
    • source IP
    • granted extensions
    • revocation information when available
  • Provides a revoke confirmation dialog for active certificates.
  • Calls POST /api/v1/revoke for revocation requests.

Tests and project hygiene

  • Includes unit tests for frontend data loading around:
    • current user info
    • certificate list data
    • certificate detail data
    • revoke state
  • Includes Playwright E2E coverage for the list → detail → revoke flow.
  • Ignores local logs, environment files, Playwright reports, and test artifacts.

How to run

From portal/:

npm install
npm run dev

The portal expects the SSH Certificate Signer backend to be running separately and exposing the /api/v1/* endpoints used by the portal.

For local development, configure the portal environment using .env.local.example.

For local CILogon testing, the OIDC application should include the local callback URL used by the portal, for example:

http://localhost:5173/api/auth/callback/cilogon

Notes / future work

  • The issue originally proposed a Vite React SPA, but this implementation uses Next.js based on current project direction. The signer dashboard behavior and API integration remain aligned with Implement Signer Service user dashboard #465.
  • Real certificate rows depend on issued certificate records existing in the Signer backend/database.
  • CILogon is configured as the OIDC provider through NextAuth. Each deployment still needs to provide its own CILogon client ID, client secret, issuer URL, callback URL, and Auth.js/NextAuth secret through environment configuration.
  • The Signer backend must be configured to trust and validate the CILogon-issued tokens forwarded by the portal proxy.
  • Admin/RBAC behavior is not fully enforced in the frontend. Full role-based authorization should be enforced by backend role data and API authorization.
  • Username/principal filtering is implemented only where supported by the available API/data. It should not be treated as a replacement for backend authorization.
  • POST /api/v1/revoke is wired against the current backend contract. Backend-side revoked-state reflection in subsequent list/detail responses may continue to evolve.
  • Future portal work can expand the placeholder sections into allocation management, project membership, profile management, client/tool management, and other Custos user-facing workflows.

archbilesherman marked this pull request as ready for review May 18, 2026 23:06
archbilesherman marked this pull request as draft May 22, 2026 19:30
archbilesherman marked this pull request as ready for review May 26, 2026 18:25
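
The credential handling described under "Signer API proxy", as an added example that is not code from this PR: a pure function that decides whether a browser request is forwarded and with which headers. All names are hypothetical, and the decimal serial format, the `serviceToken` argument standing in for the client-credentials flow, and the session requirement on POST are assumptions of the example.

```typescript
// Added example (not code from this PR); all names here are hypothetical.
interface Session { accessToken?: string }
interface Plan { forward: boolean; status?: number; reason?: string; headers?: Record<string, string> }

// The four Signer routes listed in the PR description.
// Assumption: {serial} is a decimal integer.
const ROUTES: Array<{ method: string; path: RegExp }> = [
  { method: "GET", path: /^\/api\/v1\/userinfo$/ },
  { method: "GET", path: /^\/api\/v1\/certificates$/ },
  { method: "GET", path: /^\/api\/v1\/certificates\/[0-9]{1,20}$/ },
  { method: "POST", path: /^\/api\/v1\/revoke$/ },
];

// Only these browser-supplied headers are copied upstream. Authorization,
// Cookie and everything else from the browser is dropped.
const FORWARDABLE = ["accept", "content-type"];

function planUpstreamRequest(
  method: string,
  pathname: string,
  clientHeaders: Record<string, string>,
  session: Session | null,
  serviceToken?: string, // stand-in for the client-credentials token used on POST
): Plan {
  const verb = method.toUpperCase();
  const allowed = ROUTES.some((r) => r.method === verb && r.path.test(pathname));
  if (!allowed) return { forward: false, status: 404, reason: "route not proxied" };

  // This example requires a signed-in user on every route, revoke included,
  // so the proxy's own credential is never usable anonymously.
  if (!session || !session.accessToken) {
    return { forward: false, status: 401, reason: "no session" };
  }

  const headers: Record<string, string> = {};
  for (const name of Object.keys(clientHeaders)) {
    const lower = name.toLowerCase();
    if (FORWARDABLE.indexOf(lower) !== -1) headers[lower] = clientHeaders[name];
  }

  // GET: the user's session access token. POST: the service credential.
  const token = verb === "GET" ? session.accessToken : serviceToken;
  if (!token) return { forward: false, status: 502, reason: "no upstream credential" };
  headers["authorization"] = "Bearer " + token;
  return { forward: true, headers };
}
```
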