JIT WIP, username in metrics

Author: simonredfern

src/lib/components/MissingRoleAlert.svelte

@@ -10,9 +10,11 @@
     errorCode?: string;
     message?: string;
     bankId?: string;
+    /** When true, JIT will auto-grant this role on first use — show as informational, not blocking */
+    jitCovered?: boolean;
   }
 
-  let { roles, errorCode, message, bankId }: Props = $props();
+  let { roles, errorCode, message, bankId, jitCovered = false }: Props = $props();
 
   let isExpanded = $state(false);
   let isSubmitting = $state(false);
@@ -110,15 +112,19 @@
   }
 </script>
 
-<div class="alert alert-missing-role" class:expanded={isExpanded}>
+<div class="alert" class:alert-missing-role={!jitCovered} class:alert-jit-covered={jitCovered} class:expanded={isExpanded}>
   <button
     type="button"
     class="alert-header"
     onclick={() => isExpanded = !isExpanded}
   >
-    <span class="alert-icon">🔒</span>
+    <span class="alert-icon">{jitCovered ? "⚡" : "🔒"}</span>
     <span class="alert-title">
-      <strong>Missing Entitlement{roles.length > 1 ? "s" : ""}:</strong>
+      {#if jitCovered}
+        <strong>JIT Entitlement{roles.length > 1 ? "s" : ""}:</strong>
+      {:else}
+        <strong>Missing Entitlement{roles.length > 1 ? "s" : ""}:</strong>
+      {/if}
       <span class="role-preview">{roles.join(", ")}</span>
     </span>
     {#if errorCode}
@@ -163,7 +169,11 @@
         <MessageBox message={submitError} type="error" />
       {/if}
 
-      {#if submitSuccess}
+      {#if jitCovered}
+        <div class="jit-info">
+          This entitlement will be <strong>automatically granted</strong> when you use this feature. No action needed.
+        </div>
+      {:else if submitSuccess}
         <div class="submit-success">
           Thanks, an Entitlement Request has been generated. Please ask your administrator to accept it using the <a href="/rbac/entitlement-requests" class="entitlement-requests-link">Entitlement Requests page</a>.
         </div>
@@ -185,10 +195,12 @@
         </div>
       {/if}
 
-      <div class="tip-box">
-        <strong>💡 Tip:</strong> If you have recently been granted this entitlement,
-        you should <strong>log out and log back in</strong> again.
-      </div>
+      {#if !jitCovered}
+        <div class="tip-box">
+          <strong>💡 Tip:</strong> If you have recently been granted this entitlement,
+          you should <strong>log out and log back in</strong> again.
+        </div>
+      {/if}
     </div>
   {/if}
 </div>
@@ -216,6 +228,23 @@
     color: rgb(var(--color-warning-200));
   }
 
+  .alert-jit-covered {
+    background: #f0fdf4;
+    border: 2px solid #86efac;
+    color: #166534;
+    padding: 0.75rem 1rem;
+  }
+
+  .alert-jit-covered.expanded {
+    padding: 1rem 1.25rem;
+  }
+
+  :global([data-mode="dark"]) .alert-jit-covered {
+    background: rgba(34, 197, 94, 0.1);
+    border-color: rgba(34, 197, 94, 0.4);
+    color: #4ade80;
+  }
+
   .alert-header {
     display: flex;
     align-items: center;
@@ -316,6 +345,14 @@
     color: rgb(var(--color-warning-100));
   }
 
+  .alert-jit-covered .entitlement-name {
+    color: #166534;
+  }
+
+  :global([data-mode="dark"]) .alert-jit-covered .entitlement-name {
+    color: #4ade80;
+  }
+
   .bank-code {
     background: rgba(0, 0, 0, 0.1);
     padding: 0.125rem 0.5rem;
@@ -394,6 +431,23 @@
     }
   }
 
+  .jit-info {
+    margin-top: 1rem;
+    padding: 0.75rem;
+    background: rgba(34, 197, 94, 0.1);
+    border: 1px solid rgba(34, 197, 94, 0.3);
+    border-radius: 4px;
+    color: #166534;
+    font-size: 0.875rem;
+    font-weight: 500;
+  }
+
+  :global([data-mode="dark"]) .jit-info {
+    background: rgba(34, 197, 94, 0.15);
+    border-color: rgba(34, 197, 94, 0.4);
+    color: #4ade80;
+  }
+
   .submit-success {
     margin-top: 1rem;
     padding: 0.75rem;

src/lib/components/PageRoleCheck.svelte

@@ -10,15 +10,16 @@
     optional?: RoleRequirement[];
     requirementType?: "OR" | "AND";
     currentBankId?: string;
+    jitEnabled?: boolean;
     children?: Snippet;
   }
 
-  let { userEntitlements, required, optional, requirementType = "OR", currentBankId, children }: Props =
+  let { userEntitlements, required, optional, requirementType = "OR", currentBankId, jitEnabled = false, children }: Props =
     $props();
 
   // Check required roles using the configured logic (AND or OR)
   let requiredCheck = $derived.by(() => {
-    return checkRoles(userEntitlements || [], required || [], currentBankId, requirementType);
+    return checkRoles(userEntitlements || [], required || [], currentBankId, requirementType, jitEnabled);
   });
 
   let showContent = $derived(requiredCheck.hasAllRoles);
@@ -51,7 +52,7 @@
   // Check optional roles (informational — content still renders)
   let optionalCheck = $derived.by(() => {
     if (!optional || optional.length === 0) return null;
-    return checkRoles(userEntitlements || [], optional, currentBankId);
+    return checkRoles(userEntitlements || [], optional, currentBankId, "OR", jitEnabled);
   });
 
   let missingOptionalRoles = $derived(
@@ -84,6 +85,14 @@
 {/if}
 
 {#if showContent && children}
+  {#if requiredCheck.jitRoles.length > 0}
+    <div class="jit-note" data-testid="jit-entitlements-note">
+      <span class="note-icon">&#x26A1;</span>
+      <span>
+        Just In Time Entitlements active: {requiredCheck.jitRoles.map((r) => r.role).join(", ")} will be auto-granted on first use.
+      </span>
+    </div>
+  {/if}
   {#if scopeMessage}
     <div class="scope-note">
       <span class="note-icon">&#x2139;&#xFE0F;</span>
@@ -177,6 +186,26 @@
     color: #fbbf24;
   }
 
+  .jit-note {
+    display: flex;
+    align-items: flex-start;
+    gap: 0.5rem;
+    padding: 0.75rem 1rem;
+    margin-bottom: 1rem;
+    background: #f0fdf4;
+    border: 1px solid #86efac;
+    border-radius: 0.5rem;
+    color: #166534;
+    font-size: 0.875rem;
+    line-height: 1.5;
+  }
+
+  :global([data-mode="dark"]) .jit-note {
+    background: rgba(34, 197, 94, 0.1);
+    border-color: rgba(34, 197, 94, 0.3);
+    color: #4ade80;
+  }
+
   .optional-role-note {
     display: flex;
     align-items: flex-start;

src/lib/components/metrics/MetricsQueryForm.svelte

@@ -11,7 +11,7 @@
       direction: string;
       consumer_id: string;
       user_id: string;
-      user_name: string;
+      username: string;
       anon: string;
       url: string;
       app_name: string;
@@ -268,11 +268,11 @@
         />
       </div>
       <div class="form-field">
-        <label for="user_name">User ID</label>
+        <label for="username">User ID</label>
         <input
           type="text"
-          id="user_name"
-          bind:value={queryForm.user_name}
+          id="username"
+          bind:value={queryForm.username}
           placeholder="Filter by user ID"
           onblur={handleFieldChange}
           class="form-input"

src/lib/config/navigation.ts

@@ -36,6 +36,7 @@ import {
   Radio,
   FileSignature,
   Search,
+  ToggleLeft,
 } from "@lucide/svelte";
 import { env } from "$env/dynamic/public";
 
@@ -121,6 +122,11 @@ function buildSystemItems(): NavigationItem[] {
       label: "Database Pool",
       iconComponent: Waves,
     },
+    {
+      href: "/system/features",
+      label: "Features",
+      iconComponent: ToggleLeft,
+    },
     {
       href: "/system/featured-collections",
       label: "Featured Collections",

src/lib/utils/jwt.ts

@@ -7,7 +7,6 @@ export interface JWTPayload {
   [key: string]: any;
   sub?: string;
   username?: string;
-  user_name?: string;
   login?: string;
   user_id?: string;
   preferred_username?: string;
@@ -36,7 +35,6 @@ export function extractUsernameFromJWT(jwt: string): string {
     if (decoded.name) userInfo.push(`name:${decoded.name}`);
     if (decoded.preferred_username) userInfo.push(`preferred_username:${decoded.preferred_username}`);
     if (decoded.username) userInfo.push(`username:${decoded.username}`);
-    if (decoded.user_name) userInfo.push(`user_name:${decoded.user_name}`);
     if (decoded.login) userInfo.push(`login:${decoded.login}`);
 
     // System identifiers

src/lib/utils/roleChecker.ts

@@ -30,6 +30,8 @@ export interface RoleCheckResult {
   hasAllRoles: boolean;
   missingRoles: RoleRequirement[];
   hasRoles: RoleRequirement[];
+  /** Roles the user doesn't explicitly have, but JIT will auto-grant on use */
+  jitRoles: RoleRequirement[];
 }
 
 /**
@@ -302,23 +304,67 @@ export function getPageRoles(routeId: string): PageRoleConfig | undefined {
   return SITE_MAP[key];
 }
 
+/**
+ * Roles excluded from JIT auto-granting (to prevent privilege escalation).
+ */
+const JIT_EXCLUDED_ROLES = new Set([
+  "CanCreateEntitlementAtOneBank",
+  "CanCreateEntitlementAtAnyBank",
+]);
+
+/**
+ * Check whether JIT can cover a missing role for this user.
+ * JIT requires:
+ * - JIT feature enabled on the OBP instance
+ * - User holds CanCreateEntitlementAtAnyBank (system-wide), OR
+ *   CanCreateEntitlementAtOneBank for the relevant bank (bank-scoped roles)
+ * - The missing role is not one of the excluded meta-roles
+ */
+function canJitGrant(
+  requirement: RoleRequirement,
+  userEntitlements: UserEntitlement[],
+  currentBankId?: string,
+): boolean {
+  if (JIT_EXCLUDED_ROLES.has(requirement.role)) return false;
+
+  // CanCreateEntitlementAtAnyBank covers everything
+  const hasAnyBank = userEntitlements.some(
+    (e) => e.role_name === "CanCreateEntitlementAtAnyBank",
+  );
+  if (hasAnyBank) return true;
+
+  // For bank-scoped roles, CanCreateEntitlementAtOneBank at the relevant bank also works
+  if (requirement.bankScoped || requirement.bankId) {
+    const bankId = requirement.bankId || currentBankId;
+    if (!bankId) return false;
+    return userEntitlements.some(
+      (e) => e.role_name === "CanCreateEntitlementAtOneBank" && e.bank_id === bankId,
+    );
+  }
+
+  return false;
+}
+
 /**
  * Check if a user has the required roles.
  *
  * @param userEntitlements - List of entitlements the user has
  * @param requiredRoles - List of roles to check
  * @param currentBankId - The currently selected bank ID (for bankScoped role checks)
  * @param requirementType - "OR" (default): user needs at least one; "AND": user needs all
+ * @param jitEnabled - Whether Just In Time entitlements are enabled on this OBP instance
  * @returns RoleCheckResult with missing and present roles
  */
 export function checkRoles(
   userEntitlements: UserEntitlement[],
   requiredRoles: RoleRequirement[],
   currentBankId?: string,
   requirementType: "OR" | "AND" = "OR",
+  jitEnabled: boolean = false,
 ): RoleCheckResult {
   const missingRoles: RoleRequirement[] = [];
   const hasRoles: RoleRequirement[] = [];
+  const jitRoles: RoleRequirement[] = [];
 
   for (const requirement of requiredRoles) {
     const hasRole = userEntitlements.some((entitlement) => {
@@ -340,22 +386,27 @@ export function checkRoles(
 
     if (hasRole) {
       hasRoles.push(requirement);
+    } else if (jitEnabled && canJitGrant(requirement, userEntitlements, currentBankId)) {
+      jitRoles.push(requirement);
     } else {
       missingRoles.push(requirement);
     }
   }
 
   logger.debug(
-    `Role check (${requirementType}): ${hasRoles.length}/${requiredRoles.length} roles present`,
+    `Role check (${requirementType}): ${hasRoles.length} present, ${jitRoles.length} JIT-covered, ${missingRoles.length} missing / ${requiredRoles.length} total`,
   );
 
+  // JIT-covered roles count as "effectively has" for access decisions
+  const effectiveHasCount = hasRoles.length + jitRoles.length;
+
   let hasAccess: boolean;
   if (requirementType === "AND") {
-    // AND: user needs ALL required roles
+    // AND: user needs ALL required roles (explicitly or via JIT)
     hasAccess = requiredRoles.length === 0 || missingRoles.length === 0;
   } else {
-    // OR: user needs at least one of the required roles
-    hasAccess = requiredRoles.length === 0 || hasRoles.length > 0;
+    // OR: user needs at least one of the required roles (explicitly or via JIT)
+    hasAccess = requiredRoles.length === 0 || effectiveHasCount > 0;
   }
 
   if (!hasAccess) {
@@ -366,6 +417,7 @@ export function checkRoles(
     hasAllRoles: hasAccess,
     missingRoles: hasAccess ? [] : missingRoles,
     hasRoles,
+    jitRoles,
   };
 }
 

src/routes/(protected)/+layout.svelte

@@ -17,6 +17,7 @@
     optional={pageRoles.optional}
     requirementType={pageRoles.requirementType}
     currentBankId={currentBank.bankId}
+    jitEnabled={data.jitEnabled}
   >
     {@render children()}
   </PageRoleCheck>