@duttarnab duttarnab commented Dec 27, 2025

closes #2543

Summary by CodeRabbit

  • New Features

    • Show a warning alert in the commit modal when changing a user's password, status, or admin role indicating the user's session will be revoked.
    • Perform an automatic session revoke when those specific fields are modified.
  • Localization

    • Added session-revocation message translations for English, Spanish, French, and Portuguese.
  • Bug Fixes

    • Improve detection of whether an attribute previously had a value to avoid false positives when evaluating changes.

…s change

Signed-off-by: duttarnab <arnab.bdutta@gmail.com>
@duttarnab duttarnab requested a review from syntrydy as a code owner December 27, 2025 12:38
coderabbitai bot commented Dec 27, 2025

Walkthrough

Adds UI and logic to revoke a user's active sessions when administrators modify specific user fields (password, status, admin role). Introduces localized messages, surfaces an alert in the commit dialog, and calls a revoke-session mutation from user-management flows.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Translations: admin-ui/app/locales/{en,es,fr,pt}/translation.json | Added revokeUserSession translation key in English, Spanish, French, and Portuguese. |
| Commit Dialog: admin-ui/app/routes/Apps/Gluu/GluuCommitDialog.tsx, admin-ui/app/routes/Apps/Gluu/types/GluuCommitDialog.ts | Added optional alertMessage and alertSeverity props/typing and conditional rendering of a Material‑UI Alert; imported Alert and Box. |
| Password Change Modal: admin-ui/plugins/user-management/components/PasswordChangeModal.tsx | Made password submit async; after patching password, invokes useRevokeUserSession mutation; manages local alertMessage/alertSeverity and passes them to GluuCommitDialog. |
| User Edit Page: admin-ui/plugins/user-management/components/UserEditPage.tsx | Made submit async; uses useRevokeUserSession and conditionally calls mutateAsync({ userDn }) when revoke-trigger fields changed. |
| User Form: admin-ui/plugins/user-management/components/UserForm.tsx | Detects modified revoke-trigger fields, sets local alertMessage/alertSeverity, and forwards them to GluuCommitDialog. |
| Constants: admin-ui/plugins/user-management/helper/constants.ts | Added exported revokeSessionWhenFieldsModifiedInUserForm = ['userPassword','status','jansAdminUIRole']. |
| Attribute Utilities: admin-ui/plugins/user-management/utils/attributeTransformUtils.ts | Modified hadOriginalValue to only consider originalAttr.value (removed check for non-empty values array). |

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Admin as Admin (Browser)
    participant UI as Admin UI
    participant API as Backend API
    participant Session as Session Service

    Admin->>UI: Edit user (password/status/role)
    UI->>UI: Compare modified fields with revoke-trigger list
    alt revoke-trigger present
      UI->>UI: Set alertMessage & alertSeverity
      UI-->>Admin: Show warning in GluuCommitDialog (Alert)
    end
    Admin->>UI: Confirm submit
    UI->>API: Submit user update
    API->>API: Persist changes
    API-->>UI: Return success
    alt revoke-trigger present
      UI->>API: Call revoke-session mutation (useRevokeUserSession)
      API->>Session: Invalidate user sessions/tokens
      Session-->>API: Revocation complete
      API-->>UI: Mutation resolved
    end
    UI-->>Admin: Show final status

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested Reviewers

  • syntrydy
  • moabu

Poem

🐰 I hop through code with tiny feet,

When passwords or roles and statuses meet.
I whisper a warning, then sweep sessions away —
Safe naps for users at the end of the day. ✨

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Out of Scope Changes check | ⚠️ Warning | A change to attributeTransformUtils.ts modifies hadOriginalValue logic unrelated to session revocation requirements. | Review whether the hadOriginalValue change is necessary for session revocation or separate it into a distinct PR. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main feature: enabling session revocation when password, role, or user activation status changes. |
| Linked Issues check | ✅ Passed | The PR implements session revocation for password, role, and status changes as required by issue #2543. |
📜 Recent review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 511b3cc and 9b68f54.

📒 Files selected for processing (5)
  • admin-ui/app/locales/en/translation.json
  • admin-ui/plugins/user-management/components/PasswordChangeModal.tsx
  • admin-ui/plugins/user-management/components/UserEditPage.tsx
  • admin-ui/plugins/user-management/components/UserForm.tsx
  • admin-ui/plugins/user-management/helper/constants.ts
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-11-06T08:23:20.948Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2418
File: admin-ui/plugins/user-management/components/UserForm.tsx:290-297
Timestamp: 2025-11-06T08:23:20.948Z
Learning: In the UserForm component (admin-ui/plugins/user-management/components/UserForm.tsx), the Back button should fall back to '/user/usersmanagement' when browser history is unavailable, not '/home/dashboard', as this keeps users in the user management context. This aligns with the new requirement that users should be redirected to the respective listing screen of the component rather than the dashboard.

Applied to files:

  • admin-ui/plugins/user-management/components/UserForm.tsx
  • admin-ui/plugins/user-management/components/UserEditPage.tsx
📚 Learning: 2025-11-10T14:18:58.310Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:107-109
Timestamp: 2025-11-10T14:18:58.310Z
Learning: In the Cedarling configuration page (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), console.error calls should be kept in catch blocks when there are multiple operations in the try block, as they help print the whole error object with details for debugging unexpected errors.

Applied to files:

  • admin-ui/plugins/user-management/components/UserEditPage.tsx
🧬 Code graph analysis (2)
admin-ui/plugins/user-management/components/UserForm.tsx (1)
admin-ui/plugins/user-management/helper/constants.ts (1)
  • revokeSessionWhenFieldsModifiedInUserForm (1-5)
admin-ui/plugins/user-management/components/UserEditPage.tsx (3)
admin-ui/plugins/user-management/types/ComponentTypes.ts (2)
  • UserEditFormValues (5-13)
  • ModifiedFields (16-16)
admin-ui/plugins/auth-server/components/Scopes/types/formTypes.ts (1)
  • ModifiedFields (17-19)
admin-ui/plugins/user-management/helper/constants.ts (1)
  • revokeSessionWhenFieldsModifiedInUserForm (1-5)
🔇 Additional comments (2)
admin-ui/app/locales/en/translation.json (1)

890-890: LGTM! Grammatical correction applied.

The subject-verb agreement issue flagged in the previous review has been corrected. The message now properly uses "fields have" (plural) instead of "field has".

admin-ui/plugins/user-management/helper/constants.ts (1)

1-5: LGTM! Single source of truth established.

This constant properly addresses the previous review feedback about duplicated field lists. Both UserForm.tsx and UserEditPage.tsx now import this shared constant, eliminating maintenance risk.


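The flow in the walkthrough and sequence diagram above, as an added example that is not code from this PR or its review: detect revoke-trigger fields in a change set, persist the update, then revoke sessions, and report a failed revocation separately from plain success. The three field names come from the PR summary; the types, function names, injected `UserApi` callbacks and the shape of the change set are assumptions made for illustration.

```typescript
// Added example, not the PR's code. Only the three field names are from the page.
const REVOKE_TRIGGER_FIELDS: readonly string[] = ['userPassword', 'status', 'jansAdminUIRole'];

// Assumed shape of a change set: attribute name -> new value.
type ModifiedFields = Record<string, unknown>;

// Returns the trigger fields present in a change set, in trigger-list order.
function revokeTriggersIn(modified: ModifiedFields): string[] {
  return REVOKE_TRIGGER_FIELDS.filter((f) =>
    Object.prototype.hasOwnProperty.call(modified, f)
  );
}

// Hypothetical backend calls, injected so the flow can run without a server.
interface UserApi {
  updateUser(userDn: string, changes: ModifiedFields): Promise<void>;
  revokeSessions(userDn: string): Promise<void>;
}

type SubmitResult =
  | { status: 'updated' }
  | { status: 'updated-and-revoked'; triggers: string[] }
  | { status: 'updated-revoke-failed'; triggers: string[]; error: string };

async function submitUserChange(
  api: UserApi,
  userDn: string,
  modified: ModifiedFields
): Promise<SubmitResult> {
  const triggers = revokeTriggersIn(modified);
  // A failed update throws here, so revocation is never attempted for it.
  await api.updateUser(userDn, modified);
  if (triggers.length === 0) {
    return { status: 'updated' };
  }
  try {
    await api.revokeSessions(userDn);
    return { status: 'updated-and-revoked', triggers };
  } catch (e) {
    // The change is saved but old sessions are still live: surface that
    // to the administrator instead of reporting plain success.
    const error = e instanceof Error ? e.message : String(e);
    return { status: 'updated-revoke-failed', triggers, error };
  }
}
```
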

@mo-auto mo-auto added the comp-admin-ui (Component affected by issue or PR) and kind-feature (Issue or PR is a new feature request) labels Dec 27, 2025
…s change

Signed-off-by: duttarnab <arnab.bdutta@gmail.com>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
admin-ui/app/routes/Apps/Gluu/GluuCommitDialog.tsx (1)

283-294: Consider extending PropTypes for new alert props (optional)

For runtime prop validation parity with TypeScript, it would be good to add alertMessage (string) and alertSeverity (string, ideally constrained) to GluuCommitDialog.propTypes.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between ece094b and f3696b3.

📒 Files selected for processing (10)
  • admin-ui/app/locales/en/translation.json
  • admin-ui/app/locales/es/translation.json
  • admin-ui/app/locales/fr/translation.json
  • admin-ui/app/locales/pt/translation.json
  • admin-ui/app/routes/Apps/Gluu/GluuCommitDialog.tsx
  • admin-ui/app/routes/Apps/Gluu/types/GluuCommitDialog.ts
  • admin-ui/plugins/user-management/components/PasswordChangeModal.tsx
  • admin-ui/plugins/user-management/components/UserEditPage.tsx
  • admin-ui/plugins/user-management/components/UserForm.tsx
  • admin-ui/plugins/user-management/utils/attributeTransformUtils.ts
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-11-06T08:23:20.948Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2418
File: admin-ui/plugins/user-management/components/UserForm.tsx:290-297
Timestamp: 2025-11-06T08:23:20.948Z
Learning: In the UserForm component (admin-ui/plugins/user-management/components/UserForm.tsx), the Back button should fall back to '/user/usersmanagement' when browser history is unavailable, not '/home/dashboard', as this keeps users in the user management context. This aligns with the new requirement that users should be redirected to the respective listing screen of the component rather than the dashboard.

Applied to files:

  • admin-ui/plugins/user-management/components/UserForm.tsx
🧬 Code graph analysis (2)
admin-ui/app/routes/Apps/Gluu/GluuCommitDialog.tsx (1)
admin-ui/app/components/index.tsx (2)
  • FormGroup (70-70)
  • Alert (36-36)
admin-ui/plugins/user-management/components/UserEditPage.tsx (2)
admin-ui/plugins/user-management/types/ComponentTypes.ts (2)
  • UserEditFormValues (5-13)
  • ModifiedFields (16-16)
admin-ui/plugins/auth-server/components/Scopes/types/formTypes.ts (1)
  • ModifiedFields (17-19)
🔇 Additional comments (9)
admin-ui/app/locales/es/translation.json (1)

888-888: LGTM! Spanish translation added correctly.

The translation key revokeUserSession has been added appropriately to support the session revocation notification feature. The Spanish text clearly communicates that the user's session will be revoked when password, status, or admin role fields are modified.

admin-ui/plugins/user-management/utils/attributeTransformUtils.ts (1)

104-110: The CustomObjectAttribute type from the external 'JansConfigApi' library supports both properties. Multiple files in the codebase confirm this: validations.ts accesses both attr.value (singular) and attr.values (array), and userAuditHelpers.ts uses attr.values as an array. The function change is correct and properly handles both cases.

admin-ui/app/locales/fr/translation.json (1)

821-821: French revokeUserSession string looks correct and consistent

Key name and wording align with the intended behavior (revocation on password/status/admin-role change) and with other locales.

admin-ui/app/routes/Apps/Gluu/types/GluuCommitDialog.ts (1)

22-23: Types for alert props are appropriate

Optional alertMessage and alertSeverity accurately model how the dialog uses these props and match the allowed severities.

admin-ui/app/locales/pt/translation.json (1)

816-816: Portuguese revokeUserSession string is clear and aligned with behavior

Message correctly communicates that the session will be revoked when password, status, or admin role are modified.

admin-ui/plugins/user-management/components/UserForm.tsx (1)

120-122: Back navigation correctly returns to user management list

Using navigateBack(ROUTES.USER_MANAGEMENT) keeps users in the user‑management context rather than sending them to the dashboard, which matches the documented navigation preference.

Based on learnings, this aligns with the desired fallback behavior.

admin-ui/plugins/user-management/components/PasswordChangeModal.tsx (2)

50-53: Session‑revoke warning wiring into GluuCommitDialog looks good

Local alertMessage/alertSeverity are set when the password form is submitted and passed into GluuCommitDialog, so users see a clear warning about session revocation before confirming the change.

Also applies to: 147-152, 215-222


116-132: Plaintext password logging is already mitigated with redaction

The logPasswordChange function calls redactSensitiveData before logging the audit payload (line 231 of userAuditHelpers.ts). This function explicitly redacts jsonPatchString and other sensitive fields, replacing them with [REDACTED] placeholders before the payload reaches the audit logger.

The password is never persisted to logs in plaintext.

Likely an incorrect or invalid review comment.

admin-ui/app/routes/Apps/Gluu/GluuCommitDialog.tsx (1)

46-47: Alert integration into commit dialog is functionally sound

The dialog cleanly supports optional alerts via alertMessage/alertSeverity, rendering them above the change list only when present. This aligns with the new session‑revocation UX without affecting existing callers.

Also applies to: 174-180

Signed-off-by: duttarnab <arnab.bdutta@gmail.com>
@moabu moabu merged commit 2d436f5 into main Dec 29, 2025
9 checks passed
@moabu moabu deleted the admin-ui-issue-2543 branch December 29, 2025 14:25
Development

Successfully merging this pull request may close these issues.

feat(admin-ui): sessions not revoked after password/role/ user activation status change

5 participants