mirror of
https://github.com/screentinker/screentinker.git
synced 2026-06-19 12:43:14 -06:00
6e31770cee
Adds POST /api/admin/users so an admin can create a user directly with a known password and assign them to a workspace + role - for self-hosted instances with no outbound email, where invites never deliver. Server (routes/admin.js, mounted /api/admin with requireAuth + activityLogger): - Gated by canAdminWorkspace(db, req.user, targetWorkspace): 404 if the workspace is missing, 403 if not an admin of it. This scopes org_admins to their own org and excludes platform_operator (no user/role mgmt, #13). - Validates email (invite-create regex), role in WORKSPACE_ROLES, password min-8 (the /me rule). 409 on duplicate email - never overwrites. - One transaction: global users row (auth_provider 'local', bcrypt.hashSync(pw,10), must_change_password from the flag) + a workspace_members row written inline (same footprint as an accepted invite; accept-invite left untouched). - Explicit audit row admin_create_user; never logs the password; response excludes password/hash. - HOSTED_INSTANCE: never calls sendSignupEmails and stamps both welcome_email_sent_at / activation_nudge_sent_at, so an admin-created user gets no welcome email and never enters the activation-nudge sweep. must_change_password (frontend-first enforcement, per spec): - Migration adds users.must_change_password INTEGER NOT NULL DEFAULT 0; surfaced via requireAuth + /me + login responses. - route() in app.js forces users with the flag to a #/change-password screen (new force-password-change view, reuses PUT /api/auth/me) and blocks every other view until set. The /me update clears the flag. Frontend: "Add User" button beside "Invite member" in the members view (admin-only) opening a modal (email, name, password + generate, role, must-change checkbox); invite and Add User coexist. api.adminCreateUser; EN i18n only. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
567 lines
22 KiB
JavaScript
567 lines
22 KiB
JavaScript
import { connectSocket } from './socket.js';
|
|
import * as dashboard from './views/dashboard.js';
|
|
import * as deviceDetail from './views/device-detail.js';
|
|
import * as contentLibrary from './views/content-library.js';
|
|
import * as settings from './views/settings.js';
|
|
import * as login from './views/login.js';
|
|
import * as billing from './views/billing.js';
|
|
import * as layoutEditor from './views/layout-editor.js';
|
|
import * as schedule from './views/schedule.js';
|
|
import * as widgets from './views/widgets.js';
|
|
import * as videoWall from './views/video-wall.js';
|
|
import * as reports from './views/reports.js';
|
|
import * as activity from './views/activity.js';
|
|
import * as kiosk from './views/kiosk.js';
|
|
import * as onboarding from './views/onboarding.js';
|
|
import * as help from './views/help.js';
|
|
import * as teams from './views/teams.js';
|
|
import * as admin from './views/admin.js';
|
|
import * as adminPlayerDebug from './views/admin-player-debug.js';
|
|
import * as designer from './views/designer.js';
|
|
import * as playlists from './views/playlists.js';
|
|
import * as workspaceMembers from './views/workspace-members.js';
|
|
import * as forcePasswordChange from './views/force-password-change.js';
|
|
import { applyBranding } from './branding.js';
|
|
import { t } from './i18n.js';
|
|
import { isPlatformAdmin } from './utils.js';
|
|
import { renderWorkspaceSwitcher } from './components/workspace-switcher.js';
|
|
import { showToast } from './components/toast.js';
|
|
import { api } from './api.js';
|
|
|
|
const app = document.getElementById('app');
|
|
const sidebar = document.querySelector('.sidebar');
|
|
let currentView = null;
|
|
|
|
// ==================== Slice 2C: accept-invite plumbing ====================
|
|
//
|
|
// Flow shape (covers all six auth entry points - login, register, support,
|
|
// Google, Microsoft, first-user-setup - because they all funnel through
|
|
// onAuthSuccess() in login.js which calls window.location.reload()):
|
|
//
|
|
// 1. Hash route #/accept-invite/{id}:
|
|
// - unauthed: stash inviteId in localStorage, redirect to login
|
|
// - authed: call consumeAcceptInvite() directly (no stash)
|
|
// 2. App boot (every route() call once auth checks pass): if a valid
|
|
// non-stale stash is present, fire consumeAcceptInvite. After login
|
|
// reload lands here and picks it up automatically.
|
|
// 3. consumeAcceptInvite on success: stash toast text, switch workspace,
|
|
// reload. Reload re-fires route() which picks up the toast stash and
|
|
// shows it on dashboard. Reload is needed for the new JWT/socket/
|
|
// sidebar /me to pick up the new workspace context.
|
|
// 4. consumeAcceptInvite on error: showToast directly + clear stash.
|
|
// No reload (no state change to propagate).
|
|
|
|
const PENDING_INVITE_KEY = 'pending_invite';
|
|
const PENDING_INVITE_TOAST_KEY = 'pending_invite_toast';
|
|
// Mirrors the backend INVITE_EXPIRY_DAYS default (7). If an operator changes
|
|
// the backend default, this should be updated to match - tracked in handoff.
|
|
const INVITE_EXPIRY_DAYS_FRONTEND = 7;
|
|
|
|
// Non-reentrant guard: route() can fire multiple times (hashchange events).
|
|
// Once consume is in flight, additional calls no-op until reload completes.
|
|
let _acceptInFlight = false;
|
|
|
|
function stashPendingInvite(inviteId) {
|
|
localStorage.setItem(PENDING_INVITE_KEY, JSON.stringify({
|
|
inviteId,
|
|
stashedAt: Math.floor(Date.now() / 1000),
|
|
}));
|
|
}
|
|
|
|
function readPendingInvite() {
|
|
const raw = localStorage.getItem(PENDING_INVITE_KEY);
|
|
if (!raw) return null;
|
|
let parsed;
|
|
try { parsed = JSON.parse(raw); }
|
|
catch { localStorage.removeItem(PENDING_INVITE_KEY); return null; }
|
|
if (!parsed?.inviteId || !parsed?.stashedAt) {
|
|
localStorage.removeItem(PENDING_INVITE_KEY);
|
|
return null;
|
|
}
|
|
const ageSecs = Math.floor(Date.now() / 1000) - parsed.stashedAt;
|
|
if (ageSecs > INVITE_EXPIRY_DAYS_FRONTEND * 86400) {
|
|
localStorage.removeItem(PENDING_INVITE_KEY);
|
|
return null;
|
|
}
|
|
return parsed.inviteId;
|
|
}
|
|
|
|
function clearPendingInvite() {
|
|
localStorage.removeItem(PENDING_INVITE_KEY);
|
|
}
|
|
|
|
// Map backend error message text to a translated toast string. We match
|
|
// English text because api.js doesn't surface HTTP status codes today;
|
|
// refactor to err.status when that lands - tracked in handoff doc.
|
|
function mapAcceptError(err) {
|
|
const msg = err?.message || '';
|
|
if (/Invite not found/i.test(msg)) return t('accept.error.not_found');
|
|
if (/Invite has expired|Workspace no longer exists/i.test(msg)) return t('accept.error.expired');
|
|
if (/different email address/i.test(msg)) return t('accept.error.wrong_account');
|
|
return t('accept.error.generic');
|
|
}
|
|
|
|
async function consumeAcceptInvite(inviteId) {
|
|
if (_acceptInFlight) return;
|
|
_acceptInFlight = true;
|
|
try {
|
|
const result = await api.acceptInvite(inviteId);
|
|
|
|
// Switch to the joined workspace. New JWT carries the workspace context;
|
|
// reload picks it up for sidebar /me + socket rooms + data fetches. If
|
|
// the switch fails, log and reload anyway - the membership was created
|
|
// so the user can switch manually via the dropdown.
|
|
try {
|
|
const sw = await api.switchWorkspace(result.workspace_id);
|
|
if (sw?.token) localStorage.setItem('token', sw.token);
|
|
} catch (e) {
|
|
console.warn('switchWorkspace after accept failed (non-fatal):', e.message);
|
|
}
|
|
|
|
// Stash the toast text in a scoped key (not a generic pending-toast
|
|
// channel) so app boot below fires it after reload.
|
|
const toastKey = result.already_member ? 'accept.already_member' : 'accept.success';
|
|
localStorage.setItem(PENDING_INVITE_TOAST_KEY, JSON.stringify({
|
|
message: t(toastKey, { name: result.workspace_name }),
|
|
kind: 'success',
|
|
}));
|
|
|
|
clearPendingInvite();
|
|
// history.replaceState mutates the hash WITHOUT firing hashchange.
|
|
// Important: a plain `location.hash = '#/'` would fire hashchange
|
|
// synchronously, causing route() to fire a second time before the
|
|
// reload runs - that second route() call would consume the toast key
|
|
// and attach the toast to a DOM that's about to be destroyed by the
|
|
// reload. Using replaceState bypasses that race so the post-reload
|
|
// route() is the only one that picks up the toast.
|
|
history.replaceState(null, '', window.location.pathname + '#/');
|
|
window.location.reload();
|
|
} catch (err) {
|
|
showToast(mapAcceptError(err), 'error');
|
|
clearPendingInvite();
|
|
_acceptInFlight = false;
|
|
}
|
|
}
|
|
|
|
// Fires once per page load (single-shot key in localStorage). If the
|
|
// previous routeApp cycle stashed a toast across reload, show it now.
|
|
function consumePendingInviteToast() {
|
|
const raw = localStorage.getItem(PENDING_INVITE_TOAST_KEY);
|
|
if (!raw) return;
|
|
localStorage.removeItem(PENDING_INVITE_TOAST_KEY);
|
|
try {
|
|
const { message, kind } = JSON.parse(raw);
|
|
if (message) showToast(message, kind || 'info');
|
|
} catch {}
|
|
}
|
|
|
|
// Map nav-link data-view to its translation key.
|
|
const NAV_LABEL_KEYS = {
|
|
dashboard: 'nav.displays',
|
|
content: 'nav.content',
|
|
playlists: 'nav.playlists',
|
|
layouts: 'nav.layouts',
|
|
widgets: 'nav.widgets',
|
|
schedule: 'nav.schedule',
|
|
walls: 'nav.walls',
|
|
reports: 'nav.reports',
|
|
kiosk: 'nav.kiosk',
|
|
designer: 'nav.designer',
|
|
activity: 'nav.activity',
|
|
teams: 'nav.teams',
|
|
help: 'nav.help',
|
|
settings: 'nav.settings',
|
|
billing: 'nav.subscription',
|
|
admin: 'nav.admin',
|
|
};
|
|
|
|
function renderNavLabels() {
|
|
document.querySelectorAll('.nav-link').forEach((link) => {
|
|
const key = NAV_LABEL_KEYS[link.dataset.view];
|
|
if (!key) return;
|
|
const span = link.querySelector('span');
|
|
if (span) span.textContent = t(key);
|
|
});
|
|
}
|
|
|
|
// Translate any element marked with data-i18n / data-i18n-placeholder /
|
|
// data-i18n-html. Runs on init and on every language change. Used for static
|
|
// HTML in index.html (e.g. the Add-Display modal) where t() can't be inlined
|
|
// at template time.
|
|
function translateStaticDom(root = document) {
|
|
root.querySelectorAll('[data-i18n]').forEach((el) => {
|
|
const key = el.getAttribute('data-i18n');
|
|
el.textContent = t(key);
|
|
});
|
|
root.querySelectorAll('[data-i18n-html]').forEach((el) => {
|
|
el.innerHTML = t(el.getAttribute('data-i18n-html'));
|
|
});
|
|
root.querySelectorAll('[data-i18n-placeholder]').forEach((el) => {
|
|
el.placeholder = t(el.getAttribute('data-i18n-placeholder'));
|
|
});
|
|
}
|
|
|
|
function isAuthenticated() {
|
|
return !!localStorage.getItem('token');
|
|
}
|
|
|
|
function getCurrentUser() {
|
|
try {
|
|
return JSON.parse(localStorage.getItem('user'));
|
|
} catch { return null; }
|
|
}
|
|
|
|
// Refresh the cached user from the server. The server reads plan_id fresh
|
|
// from the DB on every request, but the frontend only wrote `user` into
|
|
// localStorage at login — so plan/role changes made by an admin weren't
|
|
// visible until the user logged out and back in.
|
|
async function refreshCurrentUser() {
|
|
const token = localStorage.getItem('token');
|
|
if (!token) return;
|
|
try {
|
|
const res = await fetch('/api/auth/me', { headers: { Authorization: `Bearer ${token}` } });
|
|
if (!res.ok) return;
|
|
const fresh = await res.json();
|
|
localStorage.setItem('user', JSON.stringify(fresh));
|
|
// Re-render the workspace switcher on every /me refresh - cheap, and keeps
|
|
// the dropdown in sync if a workspace was added/removed in another tab.
|
|
renderWorkspaceSwitcher(fresh);
|
|
window.dispatchEvent(new CustomEvent('user-refreshed', { detail: fresh }));
|
|
} catch {}
|
|
}
|
|
|
|
function route() {
|
|
// Cleanup previous view
|
|
if (currentView && currentView.cleanup) currentView.cleanup();
|
|
|
|
const hash = window.location.hash || '#/';
|
|
|
|
// Slice 2C - direct hits on #/accept-invite/{id}. Handle BEFORE the
|
|
// auth-redirect-to-login because an unauthed visit needs to stash the
|
|
// inviteId so it survives the redirect.
|
|
if (hash.startsWith('#/accept-invite/')) {
|
|
const inviteId = hash.split('#/accept-invite/')[1].split('/')[0];
|
|
if (inviteId) {
|
|
if (!isAuthenticated()) {
|
|
stashPendingInvite(inviteId);
|
|
window.location.hash = '#/login';
|
|
return;
|
|
}
|
|
consumeAcceptInvite(inviteId); // helper handles routing (reload to '#/')
|
|
return;
|
|
}
|
|
}
|
|
|
|
// Auth check - redirect to login if not authenticated
|
|
if (!isAuthenticated() && hash !== '#/login') {
|
|
window.location.hash = '#/login';
|
|
return;
|
|
}
|
|
|
|
// If authenticated and on login page, redirect to dashboard or onboarding
|
|
if (isAuthenticated() && hash === '#/login') {
|
|
window.location.hash = localStorage.getItem('rd_onboarded') ? '#/' : '#/onboarding';
|
|
return;
|
|
}
|
|
|
|
// Slice 2C - past the auth gates. (a) Show any toast stashed across the
|
|
// accept-invite reload boundary. (b) If a stash exists (from an unauthed
|
|
// accept-invite visit + subsequent login/register), consume it now. The
|
|
// helper's in-flight guard prevents double-fire on subsequent hashchanges.
|
|
if (isAuthenticated()) {
|
|
consumePendingInviteToast();
|
|
const stashedInviteId = readPendingInvite();
|
|
if (stashedInviteId) {
|
|
consumeAcceptInvite(stashedInviteId);
|
|
return;
|
|
}
|
|
}
|
|
|
|
// #10: forced first-login password change. An admin-provisioned user carries
|
|
// must_change_password until they set their own password. Block every other
|
|
// authenticated view and force them to the change-password screen; the server
|
|
// clears the flag on a successful PUT /api/auth/me. The screen itself is the
|
|
// one exception (so they can actually change it).
|
|
if (isAuthenticated()) {
|
|
const u = getCurrentUser();
|
|
if (u && u.must_change_password && hash !== '#/change-password') {
|
|
window.location.hash = '#/change-password';
|
|
return;
|
|
}
|
|
if (hash === '#/change-password') {
|
|
if (!u || !u.must_change_password) {
|
|
// Not (or no longer) required - don't strand the user on a dead screen.
|
|
window.location.hash = '#/';
|
|
return;
|
|
}
|
|
sidebar.style.display = 'none';
|
|
app.style.marginLeft = '0';
|
|
const mb = document.getElementById('mobileMenuBtn');
|
|
if (mb) mb.style.display = 'none';
|
|
currentView = forcePasswordChange;
|
|
forcePasswordChange.render(app);
|
|
return;
|
|
}
|
|
}
|
|
|
|
// Onboarding for new users
|
|
if (hash === '#/onboarding' && isAuthenticated()) {
|
|
sidebar.style.display = 'none';
|
|
app.style.marginLeft = '0';
|
|
currentView = onboarding;
|
|
onboarding.render(app);
|
|
return;
|
|
}
|
|
|
|
// Login page - hide sidebar
|
|
if (hash === '#/login') {
|
|
sidebar.style.display = 'none';
|
|
app.style.marginLeft = '0';
|
|
const mb = document.getElementById('mobileMenuBtn');
|
|
if (mb) mb.style.display = 'none';
|
|
currentView = login;
|
|
login.render(app);
|
|
return;
|
|
}
|
|
|
|
// Show sidebar for authenticated views
|
|
sidebar.style.display = '';
|
|
app.style.marginLeft = '';
|
|
const mb = document.getElementById('mobileMenuBtn');
|
|
if (mb) mb.style.display = '';
|
|
|
|
// Update user info in sidebar
|
|
updateSidebarUser();
|
|
|
|
const navLinks = document.querySelectorAll('.nav-link');
|
|
navLinks.forEach(link => {
|
|
link.classList.remove('active');
|
|
if (hash === '#/' && link.dataset.view === 'dashboard') link.classList.add('active');
|
|
else if (hash.startsWith('#/content') && link.dataset.view === 'content') link.classList.add('active');
|
|
else if (hash.startsWith('#/settings') && link.dataset.view === 'settings') link.classList.add('active');
|
|
else if (hash.startsWith('#/billing') && link.dataset.view === 'billing') link.classList.add('active');
|
|
else if ((hash.startsWith('#/layout') || hash === '#/layouts') && link.dataset.view === 'layouts') link.classList.add('active');
|
|
else if ((hash === '#/playlists' || hash.startsWith('#/playlists/')) && link.dataset.view === 'playlists') link.classList.add('active');
|
|
else if (hash === '#/schedule' && link.dataset.view === 'schedule') link.classList.add('active');
|
|
else if (hash === '#/widgets' && link.dataset.view === 'widgets') link.classList.add('active');
|
|
else if ((hash.startsWith('#/wall') || hash === '#/walls') && link.dataset.view === 'walls') link.classList.add('active');
|
|
else if (hash === '#/reports' && link.dataset.view === 'reports') link.classList.add('active');
|
|
else if (hash === '#/activity' && link.dataset.view === 'activity') link.classList.add('active');
|
|
else if (hash === '#/designer' && link.dataset.view === 'designer') link.classList.add('active');
|
|
else if ((hash === '#/kiosk' || hash.startsWith('#/kiosk/')) && link.dataset.view === 'kiosk') link.classList.add('active');
|
|
else if (hash === '#/help' && link.dataset.view === 'help') link.classList.add('active');
|
|
else if (hash.startsWith('#/device/') && link.dataset.view === 'dashboard') link.classList.add('active');
|
|
});
|
|
|
|
// Route to view
|
|
if (hash === '#/' || hash === '#' || hash === '') {
|
|
currentView = dashboard;
|
|
dashboard.render(app);
|
|
} else if (hash.startsWith('#/device/')) {
|
|
const deviceId = hash.split('#/device/')[1].split('/')[0];
|
|
currentView = deviceDetail;
|
|
deviceDetail.render(app, deviceId);
|
|
} else if (hash === '#/content') {
|
|
currentView = contentLibrary;
|
|
contentLibrary.render(app);
|
|
} else if (hash === '#/playlists' || hash.startsWith('#/playlists/')) {
|
|
currentView = playlists;
|
|
playlists.render(app);
|
|
} else if (hash === '#/layouts' || hash.startsWith('#/layout/')) {
|
|
currentView = layoutEditor;
|
|
layoutEditor.render(app);
|
|
} else if (hash === '#/schedule') {
|
|
currentView = schedule;
|
|
schedule.render(app);
|
|
} else if (hash === '#/widgets') {
|
|
currentView = widgets;
|
|
widgets.render(app);
|
|
} else if (hash === '#/walls' || hash.startsWith('#/wall/')) {
|
|
currentView = videoWall;
|
|
videoWall.render(app);
|
|
} else if (hash === '#/reports') {
|
|
currentView = reports;
|
|
reports.render(app);
|
|
} else if (hash === '#/kiosk' || hash.startsWith('#/kiosk/')) {
|
|
currentView = kiosk;
|
|
kiosk.render(app);
|
|
} else if (hash === '#/designer') {
|
|
currentView = designer;
|
|
designer.render(app);
|
|
} else if (hash === '#/activity') {
|
|
currentView = activity;
|
|
activity.render(app);
|
|
} else if (hash === '#/teams' || hash.startsWith('#/team/')) {
|
|
currentView = teams;
|
|
teams.render(app);
|
|
} else if (hash.startsWith('#/workspace/') && hash.includes('/members')) {
|
|
const wsId = hash.split('#/workspace/')[1].split('/')[0];
|
|
currentView = workspaceMembers;
|
|
workspaceMembers.render(app, wsId);
|
|
} else if (hash === '#/help' || hash.startsWith('#/help')) {
|
|
currentView = help;
|
|
help.render(app);
|
|
} else if (hash.startsWith('#/admin/player-debug')) {
|
|
// Match prefix so query params (?page=2&ua=Tizen) route correctly.
|
|
currentView = adminPlayerDebug;
|
|
adminPlayerDebug.render(app);
|
|
} else if (hash === '#/admin') {
|
|
currentView = admin;
|
|
admin.render(app);
|
|
} else if (hash === '#/settings') {
|
|
currentView = settings;
|
|
settings.render(app);
|
|
} else if (hash === '#/billing') {
|
|
currentView = billing;
|
|
billing.render(app);
|
|
} else {
|
|
currentView = dashboard;
|
|
dashboard.render(app);
|
|
}
|
|
}
|
|
|
|
function updateSidebarUser() {
|
|
const user = getCurrentUser();
|
|
if (!user) return;
|
|
|
|
// Show admin nav only for platform admins (legacy 'superadmin' or Phase 1 renamed 'platform_admin')
|
|
const adminNav = document.getElementById('adminNavItem');
|
|
if (adminNav) adminNav.style.display = isPlatformAdmin(user) ? '' : 'none';
|
|
|
|
let userEl = document.getElementById('sidebarUser');
|
|
if (!userEl) {
|
|
const footer = document.querySelector('.sidebar-footer');
|
|
userEl = document.createElement('div');
|
|
userEl.id = 'sidebarUser';
|
|
userEl.style.cssText = 'display:flex;align-items:center;gap:8px;margin-bottom:12px;padding-bottom:12px;border-bottom:1px solid var(--border)';
|
|
footer.insertBefore(userEl, footer.firstChild);
|
|
}
|
|
|
|
userEl.innerHTML = `
|
|
${user.avatar_url ? `<img src="${user.avatar_url}" style="width:28px;height:28px;border-radius:50%">` :
|
|
`<div style="width:28px;height:28px;border-radius:50%;background:var(--accent);display:flex;align-items:center;justify-content:center;font-size:12px;font-weight:600;color:white">${(user.name || user.email)[0].toUpperCase()}</div>`}
|
|
<div style="flex:1;min-width:0">
|
|
<div style="font-size:12px;font-weight:500;white-space:nowrap;overflow:hidden;text-overflow:ellipsis">${user.name || user.email}</div>
|
|
<div style="font-size:10px;color:var(--text-muted)">${user.role}</div>
|
|
</div>
|
|
<button id="logoutBtn" class="btn-icon" title="${t('auth.sign_out')}" style="flex-shrink:0">
|
|
<svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
|
|
<path d="M9 21H5a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h4"/>
|
|
<polyline points="16 17 21 12 16 7"/>
|
|
<line x1="21" y1="12" x2="9" y2="12"/>
|
|
</svg>
|
|
</button>
|
|
`;
|
|
|
|
document.getElementById('logoutBtn')?.addEventListener('click', () => {
|
|
localStorage.removeItem('token');
|
|
localStorage.removeItem('user');
|
|
window.location.hash = '#/login';
|
|
window.location.reload();
|
|
});
|
|
}
|
|
|
|
// Initialize
|
|
renderNavLabels();
|
|
translateStaticDom();
|
|
window.addEventListener('language-changed', () => {
|
|
renderNavLabels();
|
|
translateStaticDom();
|
|
});
|
|
|
|
if (isAuthenticated()) {
|
|
connectSocket();
|
|
applyBranding();
|
|
refreshCurrentUser().then(() => updateSidebarUser());
|
|
}
|
|
|
|
// Refresh the cached user on every route transition so plan/role changes
|
|
// made by an admin propagate without requiring a re-login.
|
|
window.addEventListener('hashchange', () => { if (isAuthenticated()) refreshCurrentUser(); });
|
|
|
|
// Register PWA service worker
|
|
if ('serviceWorker' in navigator) {
|
|
navigator.serviceWorker.register('/sw-admin.js').catch(() => {});
|
|
}
|
|
|
|
// Mobile sidebar: open/close via hamburger, backdrop, nav tap, Escape
|
|
const sidebarEl = document.querySelector('.sidebar');
|
|
const backdropEl = document.getElementById('sidebarBackdrop');
|
|
const menuBtn = document.getElementById('mobileMenuBtn');
|
|
|
|
function setMobileNav(open) {
|
|
if (!sidebarEl || !backdropEl) return;
|
|
sidebarEl.classList.toggle('open', open);
|
|
backdropEl.classList.toggle('open', open);
|
|
menuBtn?.setAttribute('aria-expanded', open ? 'true' : 'false');
|
|
}
|
|
|
|
menuBtn?.addEventListener('click', () => {
|
|
setMobileNav(!sidebarEl.classList.contains('open'));
|
|
});
|
|
backdropEl?.addEventListener('click', () => setMobileNav(false));
|
|
window.addEventListener('hashchange', () => setMobileNav(false));
|
|
window.addEventListener('keydown', (e) => {
|
|
if (e.key === 'Escape' && sidebarEl?.classList.contains('open')) setMobileNav(false);
|
|
});
|
|
|
|
// Auto-reload on frontend update (no more hard refresh needed)
|
|
let knownHash = null;
|
|
setInterval(async () => {
|
|
try {
|
|
const res = await fetch('/api/version');
|
|
const { hash } = await res.json();
|
|
if (knownHash === null) { knownHash = hash; return; }
|
|
if (hash !== knownHash) {
|
|
knownHash = hash;
|
|
const toast = document.getElementById('toastContainer');
|
|
if (toast) {
|
|
const notice = document.createElement('div');
|
|
notice.className = 'toast info';
|
|
notice.innerHTML = '<span>Dashboard updated. <a href="javascript:location.reload()" style="color:var(--accent);text-decoration:underline;font-weight:600">Reload now</a></span>';
|
|
toast.appendChild(notice);
|
|
}
|
|
}
|
|
} catch {}
|
|
}, 15000);
|
|
|
|
// Session timeout warning - check JWT expiry every minute
|
|
if (isAuthenticated()) {
|
|
setInterval(() => {
|
|
const token = localStorage.getItem('token');
|
|
if (!token) return;
|
|
try {
|
|
const payload = JSON.parse(atob(token.split('.')[1]));
|
|
const expiresIn = (payload.exp * 1000) - Date.now();
|
|
const minutesLeft = Math.floor(expiresIn / 60000);
|
|
if (minutesLeft <= 0) {
|
|
localStorage.removeItem('token');
|
|
localStorage.removeItem('user');
|
|
window.location.hash = '#/login';
|
|
window.location.reload();
|
|
} else if (minutesLeft <= 30 && minutesLeft % 10 === 0) {
|
|
// Warn at 30, 20, 10 minutes
|
|
const toast = document.getElementById('toastContainer');
|
|
if (toast && !toast.querySelector('.session-warn')) {
|
|
const warn = document.createElement('div');
|
|
warn.className = 'toast info session-warn';
|
|
warn.innerHTML = `<span>Session expires in ${minutesLeft} minutes. <a href="#/login" style="color:var(--accent);text-decoration:underline" onclick="localStorage.removeItem('token');localStorage.removeItem('user')">Re-login</a></span>`;
|
|
toast.appendChild(warn);
|
|
setTimeout(() => warn.remove(), 10000);
|
|
}
|
|
}
|
|
} catch {}
|
|
}, 60000);
|
|
}
|
|
window.addEventListener('hashchange', route);
|
|
route();
|
|
|
|
// Close-modal buttons (replaces inline onclick handlers — required for CSP).
|
|
document.addEventListener('click', (e) => {
|
|
const closer = e.target.closest('[data-close-modal]');
|
|
if (!closer) return;
|
|
const id = closer.dataset.closeModal;
|
|
const modal = document.getElementById(id);
|
|
if (modal) modal.style.display = 'none';
|
|
});
|