Topics + Topic

.github/workflows/cypress-tests.yml

@@ -34,7 +34,7 @@ jobs:
         mkcert -cert-file localhost.pem -key-file localhost-key.pem \
           localhost 127.0.0.1 ::1 oidc-simulator host.docker.internal
 
-        # Copy mkcert root CA to the certs directory for Docker containers
+        # Copy mkcert root CA for other containers
         cp "$(mkcert -CAROOT)/rootCA.pem" ./rootCA.pem
 
         # List generated files for debugging
@@ -89,11 +89,14 @@ jobs:
       if: always()
       run: |
         # Show logs from critical services for debugging
+        echo "=== NGINX Proxy logs ==="
+        docker compose -f docker-compose.test.yml logs nginx-proxy || true
+
         echo "=== OIDC Simulator logs ==="
-        docker compose -f docker-compose.test.yml logs oidc-simulator | tail -100
+        docker compose -f docker-compose.test.yml logs oidc-simulator || true
 
         echo "=== Server logs ==="
-        docker compose -f docker-compose.test.yml logs server | tail -100
+        docker compose -f docker-compose.test.yml logs server || true
 
     - name: Run auth setup test
       run: |

.github/workflows/jest-server-test.yml

@@ -65,13 +65,13 @@ jobs:
       run: |
         # Build all services except server (tests run on host)
         docker compose -f docker-compose.test.yml --env-file test.env build \
-          math postgres file-server maildev oidc-simulator
+          math postgres file-server maildev oidc-simulator dynamodb
 
     - name: Start services
       run: |
         # Start only required services in detached mode (exclude server)
         docker compose -f docker-compose.test.yml --env-file test.env up -d \
-          math postgres file-server maildev oidc-simulator
+          math postgres file-server maildev oidc-simulator dynamodb
 
         # Wait for services to be ready
         echo "Waiting for services to start..."
@@ -88,6 +88,11 @@ jobs:
 
         echo "Checking oidc-simulator..."
         curl -k -f https://localhost:3000/.well-known/jwks.json || true
+
+        echo "Checking DynamoDB..."
+        curl -f http://localhost:8000 || true
+        # Alternative check using AWS CLI if available
+        aws dynamodb list-tables --endpoint-url http://localhost:8000 --region us-east-1 2>/dev/null || true
 
     - name: Setup Node.js
       uses: actions/setup-node@v4
@@ -114,6 +119,7 @@ jobs:
         export DATABASE_URL=postgres://postgres:PdwPNS2mDN73Vfbc@localhost:5432/polis-test
         export MAILDEV_HOST=localhost
         export STATIC_FILES_HOST=localhost
+        export DYNAMODB_ENDPOINT=http://localhost:8000
 
         # Run the tests on the host machine
         npm test -- --ci --coverage --maxWorkers=2
@@ -138,6 +144,9 @@ jobs:
 
         echo "=== Math logs ==="
         docker compose -f docker-compose.test.yml logs math | tail -50
+
+        echo "=== DynamoDB logs ==="
+        docker compose -f docker-compose.test.yml logs dynamodb | tail -100
 
     - name: Clean up
       if: always()

Makefile

@@ -102,8 +102,8 @@ start-FULL-REBUILD: echo_vars stop rm-ALL ## Remove and restart all Docker conta
 	docker compose ${COMPOSE_FILE_ARGS} --env-file ${ENV_FILE} build --no-cache
 	docker compose ${COMPOSE_FILE_ARGS} --env-file ${ENV_FILE} up ${DETACH_ARG}
 
-rebuild-web: echo_vars ## Rebuild and restart just the file-server container and its static assets
-	docker compose ${COMPOSE_FILE_ARGS} --env-file ${ENV_FILE} up ${DETACH_ARG} --build --force-recreate file-server
+rebuild-web: echo_vars ## Rebuild and restart just the file-server container and its static assets, and client-participation-alpha
+	docker compose ${COMPOSE_FILE_ARGS} --env-file ${ENV_FILE} up ${DETACH_ARG} --build --force-recreate file-server client-participation-alpha
 
 build-web-assets: ## Build and extract static web assets for cloud deployment to `build` dir
 	docker compose ${COMPOSE_FILE_ARGS} --env-file ${ENV_FILE} create --build --force-recreate file-server

client-admin/src/components/conversation-admin/seed-comment.js

@@ -117,7 +117,7 @@ const ModerateCommentsSeed = ({ params }) => {
           Upload a CSV of seed comments
         </Heading>
         <input onChange={handleFileChange} type="file" id="csvFile" accept=".csv"></input>
-        <Button onClick={handleSubmitSeedBulk}>{getButtonText()}</Button>
+        <Button onClick={handleSubmitSeedBulk} data-testid="upload-csv-button">{getButtonText()}</Button>
       </Box>
     </Box>
   )

client-participation-alpha/.astro/data-store.json

@@ -1 +1 @@
-[["Map",1,2],"meta::meta",["Map",3,4,5,6],"astro-version","5.11.0","astro-config-digest","{\"root\":{},\"srcDir\":{},\"publicDir\":{},\"outDir\":{},\"cacheDir\":{},\"compressHTML\":true,\"base\":\"/\",\"trailingSlash\":\"ignore\",\"output\":\"server\",\"scopedStyleStrategy\":\"attribute\",\"build\":{\"format\":\"directory\",\"client\":{},\"server\":{},\"assets\":\"_astro\",\"serverEntry\":\"entry.mjs\",\"redirects\":true,\"inlineStylesheets\":\"auto\",\"concurrency\":1},\"server\":{\"open\":false,\"host\":false,\"port\":4321,\"streaming\":true,\"allowedHosts\":[]},\"redirects\":{},\"image\":{\"endpoint\":{\"route\":\"/_image\",\"entrypoint\":\"astro/assets/endpoint/node\"},\"service\":{\"entrypoint\":\"astro/assets/services/sharp\",\"config\":{}},\"domains\":[],\"remotePatterns\":[],\"responsiveStyles\":false},\"devToolbar\":{\"enabled\":true},\"markdown\":{\"syntaxHighlight\":{\"type\":\"shiki\",\"excludeLangs\":[\"math\"]},\"shikiConfig\":{\"langs\":[],\"langAlias\":{},\"theme\":\"github-dark\",\"themes\":{},\"wrap\":false,\"transformers\":[]},\"remarkPlugins\":[],\"rehypePlugins\":[],\"remarkRehype\":{},\"gfm\":true,\"smartypants\":true},\"security\":{\"checkOrigin\":true},\"env\":{\"schema\":{},\"validateSecrets\":false},\"experimental\":{\"clientPrerender\":false,\"contentIntellisense\":false,\"headingIdCompat\":false,\"preserveScriptOrder\":false,\"liveContentCollections\":false,\"csp\":false},\"legacy\":{\"collections\":false},\"session\":{\"driver\":\"fs-lite\",\"options\":{\"base\":\"/Users/colinmegill/polis/client-participation-alpha/node_modules/.astro/sessions\"}}}"]
+[["Map",1,2],"meta::meta",["Map",3,4,5,6],"astro-version","5.11.0","astro-config-digest","{\"root\":{},\"srcDir\":{},\"publicDir\":{},\"outDir\":{},\"cacheDir\":{},\"compressHTML\":true,\"base\":\"/\",\"trailingSlash\":\"ignore\",\"output\":\"server\",\"scopedStyleStrategy\":\"attribute\",\"build\":{\"format\":\"directory\",\"client\":{},\"server\":{},\"assets\":\"_astro\",\"serverEntry\":\"entry.mjs\",\"redirects\":true,\"inlineStylesheets\":\"auto\",\"concurrency\":1},\"server\":{\"open\":false,\"host\":\"0.0.0.0\",\"port\":4321,\"streaming\":true,\"allowedHosts\":[]},\"redirects\":{},\"image\":{\"endpoint\":{\"route\":\"/_image\",\"entrypoint\":\"astro/assets/endpoint/node\"},\"service\":{\"entrypoint\":\"astro/assets/services/sharp\",\"config\":{}},\"domains\":[],\"remotePatterns\":[],\"responsiveStyles\":false},\"devToolbar\":{\"enabled\":true},\"markdown\":{\"syntaxHighlight\":{\"type\":\"shiki\",\"excludeLangs\":[\"math\"]},\"shikiConfig\":{\"langs\":[],\"langAlias\":{},\"theme\":\"github-dark\",\"themes\":{},\"wrap\":false,\"transformers\":[]},\"remarkPlugins\":[],\"rehypePlugins\":[],\"remarkRehype\":{},\"gfm\":true,\"smartypants\":true},\"security\":{\"checkOrigin\":true},\"env\":{\"schema\":{},\"validateSecrets\":false},\"experimental\":{\"clientPrerender\":false,\"contentIntellisense\":false,\"headingIdCompat\":false,\"preserveScriptOrder\":false,\"liveContentCollections\":false,\"csp\":false},\"legacy\":{\"collections\":false},\"session\":{\"driver\":\"fs-lite\",\"options\":{\"base\":\"/Users/bennie/code/src/github.com/compdemocracy/polis/client-participation-alpha/node_modules/.astro/sessions\"}}}"]

client-participation-alpha/.astro/settings.json

@@ -1,5 +1,5 @@
 {
 	"_variables": {
-		"lastUpdateCheck": 1753121227723
+		"lastUpdateCheck": 1754517865792
 	}
 }

client-participation-alpha/.astro/types.d.ts

@@ -1,2 +1 @@
 /// <reference types="astro/client" />
-/// <reference path="content.d.ts" />

client-participation-alpha/README-AUTH.md

@@ -0,0 +1,191 @@
+# Authentication and JWT Handling in Client-Participation-Alpha
+
+## Overview
+
+The alpha client now has centralized JWT and authentication handling that mirrors the legacy client's approach but with modern patterns. All JWT tokens are automatically extracted and stored from API responses, and authentication headers are automatically added to requests.
+
+## Key Components
+
+### 1. `auth.ts` - Authentication Management
+
+- `setJwtToken(token)` - Stores JWT tokens per conversation (extracts conversation_id from token)
+- `getConversationToken(conversation_id)` - Retrieves stored JWT for a specific conversation
+- `handleJwtFromResponse(response)` - Automatically extracts and stores JWT from API responses
+- `getConversationIdFromUrl()` - Extracts conversation_id from URL path (e.g., /alpha/2demo → "2demo")
+
+### 2. `net.js` - Network Layer with Auto-Auth
+
+- Automatically adds authentication headers to all requests
+- Automatically extracts and stores JWT tokens from all responses
+- Handles both OIDC tokens and conversation-specific JWTs
+- Provides consistent error handling with auth error details
+
+## Usage Examples
+
+### Simple API Call (JWT handled automatically)
+
+```javascript
+import PolisNet from '../lib/net';
+
+// Make an API call - JWT will be automatically added to headers if available
+// and automatically extracted/stored from response
+const result = await PolisNet.polisPost('/api/v3/votes', {
+  conversation_id: 'abc123',
+  tid: 42,
+  vote: 1
+});
+// No need to manually handle result.auth.token - it's done automatically!
+```
+
+### Component Example
+
+```javascript
+import PolisNet from '../lib/net';
+import { getConversationToken } from '../lib/auth';
+
+export function MyComponent({ conversation_id }) {
+  const submitData = async (data) => {
+    // Get current participant info if needed
+    const token = getConversationToken(conversation_id);
+    const pid = token?.pid;
+
+    try {
+      // Make API call - auth headers added automatically
+      const response = await PolisNet.polisPost('/api/v3/comments', {
+        conversation_id,
+        pid,
+        txt: data.text
+      });
+
+      // JWT token from response.auth.token is automatically stored
+      // No manual handling needed!
+
+      return response;
+    } catch (error) {
+      // Error includes responseText for server error messages
+      console.error('API Error:', error.responseText || error.message);
+      throw error;
+    }
+  };
+}
+```
+
+## URL Structure and Conversation ID
+
+The conversation_id is extracted from the URL path, not query parameters:
+
+- `https://pol.is/alpha/2demo` → conversation_id: "2demo"
+- `http://localhost:4321/3xyz` → conversation_id: "3xyz"
+- `https://edge.pol.is/alpha/4abc` → conversation_id: "4abc"
+
+The pattern matches:
+
+- `/alpha/:conversation_id` (production)
+- `/:conversation_id` (development)
+
+Conversation IDs always start with a digit followed by alphanumeric characters.
+
+## Authentication Flow
+
+1. **Initial Page Load (SSR)**
+   - Server fetches initial data with participationInit
+   - JWT token included in response
+   - Client-side script stores token on hydration
+
+2. **Subsequent API Calls**
+   - `net.js` checks for OIDC token first
+   - Falls back to conversation-specific JWT (extracted from URL path)
+   - Automatically adds to Authorization header
+   - Server responds with updated JWT if needed
+   - `net.js` automatically stores new JWT
+
+3. **Token Priority**
+   - OIDC tokens (if available) take precedence
+   - Conversation-specific JWTs used as fallback (based on current URL)
+   - No token sent if neither available (anonymous access)
+
+## Migration from Manual JWT Handling
+
+### Before (Manual JWT Handling)
+
+```javascript
+// DON'T DO THIS ANYMORE
+const response = await fetch('/api/v3/votes', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify(data)
+});
+
+const result = await response.json();
+
+// Manual JWT extraction and storage
+if (result?.auth?.token) {
+  const token = result.auth.token;
+  const parts = token.split('.');
+  if (parts.length === 3) {
+    const payload = JSON.parse(atob(parts[1]));
+    if (payload.conversation_id) {
+      localStorage.setItem('participant_token_' + payload.conversation_id, token);
+    }
+  }
+}
+```
+
+### After (Centralized Handling)
+
+```javascript
+// DO THIS INSTEAD
+import PolisNet from '../lib/net';
+
+const result = await PolisNet.polisPost('/api/v3/votes', data);
+// JWT handling is automatic - no manual code needed!
+```
+
+## Benefits
+
+1. **DRY Principle** - JWT handling logic in one place
+2. **Consistency** - All API calls handle auth the same way
+3. **Error Handling** - Centralized auth error handling
+4. **Maintainability** - Easy to update auth logic globally
+5. **Type Safety** - TypeScript interfaces for auth objects
+6. **Automatic Token Refresh** - Server can send new tokens anytime
+
+## Comparison with Legacy Client
+
+| Feature | Legacy Client | Alpha Client |
+|---------|--------------|--------------|
+| JWT Storage | `polisStorage.js` | `auth.ts` |
+| Auto JWT Extraction | ✅ `net.js`, `main.js` | ✅ `net.js` |
+| Auto Auth Headers | ✅ `backbonePolis.js` | ✅ `net.js` |
+| OIDC Support | ❌ | ✅ |
+| TypeScript | ❌ | ✅ |
+| Centralized | Partial (3 files) | ✅ (2 files) |
+
+## Testing
+
+When testing components that use the network layer:
+
+```javascript
+// Mock the net module
+jest.mock('../lib/net', () => ({
+  polisPost: jest.fn(),
+  polisGet: jest.fn(),
+  polisPut: jest.fn()
+}));
+
+// In tests
+import PolisNet from '../lib/net';
+
+PolisNet.polisPost.mockResolvedValue({
+  success: true,
+  auth: { token: 'mock-jwt-token' }
+});
+```
+
+## Troubleshooting
+
+1. **No auth header sent**: Check if token exists for conversation
+2. **401 errors**: Token may be expired or invalid
+3. **403 errors**: User lacks permission for action
+4. **Token not stored**: Check browser storage settings
+5. **OIDC vs JWT conflicts**: OIDC takes precedence when available

client-participation-alpha/astro.config.mjs

@@ -14,5 +14,10 @@ export default defineConfig({
   server: {
     host: '0.0.0.0'
   },
-  integrations: [react()]
+  integrations: [
+    react({
+      experimentalDisableStreaming: true,
+      experimentalReactChildren: true
+    })
+  ]
 });

client-participation-alpha/example.env

@@ -0,0 +1,4 @@
+INTERNAL_SERVICE_URL=http://localhost/api/v3
+PUBLIC_SERVICE_URL=http://localhost/api/v3
+PUBLIC_OIDC_CACHE_KEY_ID_TOKEN_SUFFIX=@@user@@
+PUBLIC_OIDC_CACHE_KEY_PREFIX=oidc.user