feat: SSH UI

.github/workflows/ci.yml

@@ -19,12 +19,12 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [18.x]
+        node-version: [20.x]
         mongodb-version: [4.4]
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
       with:
         egress-policy: audit
 
@@ -45,6 +45,12 @@ jobs:
     - name: Install dependencies
       run: npm i
 
+    # for now only check the types of the server
+    # tsconfig isn't quite set up right to respect what vite accepts
+    # for the frontend code
+    - name: Check Types (Server)
+      run: npm run check-types:server
+
     - name: Test
       id: test
       run: |
@@ -77,7 +83,7 @@ jobs:
         path: build
 
     - name: Run cypress test
-      uses: cypress-io/github-action@be1bab96b388bbd9ce3887e397d373c8557e15af # v6.9.2
+      uses: cypress-io/github-action@6c143abc292aa835d827652c2ea025d098311070 # v6.10.1
       with: 
         start: npm start &
         wait-on: "http://localhost:3000"

.github/workflows/codeql.yml

@@ -51,7 +51,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2
+      uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2
       with:
         egress-policy: audit
 
@@ -60,7 +60,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3
+      uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -74,7 +74,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3
+      uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b # v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -87,6 +87,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3
+      uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2
         with:
           egress-policy: audit
 

.github/workflows/experimental-inventory-ci.yml

@@ -19,12 +19,12 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [18.x]
+        node-version: [20.x]
         mongodb-version: [4.4]
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
 

.github/workflows/experimental-inventory-cli-publish.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
 

.github/workflows/experimental-inventory-publish.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
 

.github/workflows/lint.yml

@@ -2,8 +2,8 @@ name: Code Cleanliness
 
 on: [pull_request]
 
-env: # environment variables (available in any part of the action)
-  NODE_VERSION: 18
+env:
+  NODE_VERSION: 20
 
 permissions:
   contents: read
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps: # list of steps
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2
         with:
           egress-policy: audit
 

.github/workflows/npm.yml

@@ -10,15 +10,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       # Setup .npmrc file to publish to npm
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
-          node-version: '20.x'
+          node-version: '22.x'
           registry-url: 'https://registry.npmjs.org'
       - run: npm ci
       - run: npm run build

.github/workflows/pr-lint.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
 

.github/workflows/release.yml

@@ -52,7 +52,7 @@
 #       - uses: actions/checkout@8459bc0 # v4
 #       - uses: actions/setup-node@c2ac33f # v4, Setup .npmrc file to publish to npm
 #         with:
-#           node-version: '18.x'
+#           node-version: '20.x'
 #           registry-url: 'https://registry.npmjs.org'
 #       - run: npm ci
 #       - run: npm publish --access=public

.github/workflows/sample-publish.yml

@@ -13,15 +13,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       # Setup .npmrc file to publish to npm
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
-          node-version: '20.x'
+          node-version: '22.x'
           registry-url: 'https://registry.npmjs.org'
       - name: publish sample package
         run: npm install --include peer && npm publish --access=public

.github/workflows/scorecard.yml

@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
 
@@ -42,7 +42,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
@@ -72,6 +72,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         with:
           sarif_file: results.sarif

.github/workflows/unused-dependencies.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2
         with:
           egress-policy: audit
 
@@ -18,7 +18,7 @@ jobs:
       - name: 'Setup Node.js'
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
-          node-version: '20.x'
+          node-version: '22.x'
       - name: 'Run depcheck'
         run: |
           npx depcheck --skip-missing --ignores="tsx,@babel/*,@commitlint/*,eslint,eslint-*,husky,mocha,ts-mocha,ts-node,concurrently,nyc,prettier,typescript,tsconfig-paths,vite-tsconfig-paths"

README.md

@@ -115,6 +115,8 @@ Drop a note, ask a question or just say hello in our [community Slack channel](h
 
 If you can't access Slack, you can also [subscribe to our mailing list](mailto:git-proxy+subscribe@lists.finos.org).
 
-Join our [fortnightly Zoom meeting](https://zoom.us/j/97235277537?pwd=aDJsaE8zcDJpYW1vZHJmSTJ0RXNZUT09) on Monday, 11AM EST (odd week numbers). Send an e-mail to [help@finos.org](mailto:help@finos.org) to get a calendar invitation.
+🤝 Join our [fortnightly Zoom meeting](https://zoom-lfx.platform.linuxfoundation.org/meeting/95849833904?password=99413314-d03a-4b1c-b682-1ede2c399595) on Monday, 4PM BST (odd week numbers). 
+🌍 [Convert to your local time](https://www.timeanddate.com/worldclock)
+📅 [Click here](https://calendar.google.com/calendar/event?action=TEMPLATE&tmeid=MTRvbzM0NG01dWNvNGc4OGJjNWphM2ZtaTZfMjAyNTA2MDJUMTUwMDAwWiBzYW0uaG9sbWVzQGNvbnRyb2wtcGxhbmUuaW8&tmsrc=sam.holmes%40control-plane.io&scp=ALL) for the recurring Google Calendar meeting invite. Alternatively, send an e-mail to [help@finos.org](https://zoom-lfx.platform.linuxfoundation.org/meeting/95849833904?password=99413314-d03a-4b1c-b682-1ede2c399595#:~:text=Need-,an,-invite%3F) to get a calendar invitation. 
 
 Otherwise, if you have a deeper query or require more support, please [raise an issue](https://github.com/finos/git-proxy/issues).

config.schema.json

@@ -10,7 +10,32 @@
     "sessionMaxAgeHours": { "type": "number" },
     "api": {
       "description": "Third party APIs",
-      "type": "object"
+      "type": "object",
+      "properties": {
+        "ls": {
+          "type": "object",
+          "description": "Configuration used in conjunction with ActiveDirectory auth, which relates to a REST API used to check user group membership, as opposed to direct querying via LDAP.<br />If this configuration is set direct querying of group membership via LDAP will be disabled.",
+          "properties": {
+            "userInADGroup": {
+              "type": "string",
+              "description": "URL template for a GET request that confirms a user's membership of a specific group. Should respond with a non-empty 200 status if the user is a member of the group, an empty response or non-200 status indicates that the user is not a group member. If set, this URL will be queried and direct queries via LDAP will be disabled. The template should contain the following string placeholders, which will be replaced to produce the final URL:<ul><li>\"&lt;domain&gt;\": AD domain,</li><li>\"&lt;name&gt;\": The group name to check membership of.</li><li>\"&lt;id&gt;\": The username to check group membership for.</li></ul>",
+              "examples": [
+                "https://somedomain.com/some/path/checkUserGroups?domain=<domain>&name=<name>&id=<id>"
+              ]
+            }
+          }
+        },
+        "github": {
+          "type": "object",
+          "properties": {
+            "baseUrl": {
+              "type": "string",
+              "format": "uri",
+              "examples": ["https://api.github.com"]
+            }
+          }
+        }
+      }
     },
     "commitConfig": {
       "description": "Enforce rules and patterns on commits including e-mail and message",
@@ -199,12 +224,98 @@
     },
     "authentication": {
       "type": "object",
-      "properties": {
-        "type": { "type": "string" },
-        "enabled": { "type": "boolean" },
-        "options": { "type": "object" }
-      },
-      "required": ["type", "enabled"]
+      "description": "Configuration for an authentication source",
+      "oneOf": [
+        {
+          "title": "Local Auth Config",
+          "description": "Configuration for the use of the local database as the authentication source.",
+          "properties": {
+            "type": { "type": "string", "const": "local" },
+            "enabled": { "type": "boolean" }
+          },
+          "required": ["type", "enabled"]
+        },
+        {
+          "title": "Active Directory Auth Config",
+          "description": "Configuration for Active Directory authentication.",
+          "properties": {
+            "type": { "type": "string", "const": "ActiveDirectory" },
+            "enabled": { "type": "boolean" },
+            "adminGroup": {
+              "type": "string",
+              "description": "Group that indicates that a user is an admin"
+            },
+            "userGroup": {
+              "type": "string",
+              "description": "Group that indicates that a user should be able to login to the Git Proxy UI and can work as a reviewer"
+            },
+            "domain": { "type": "string", "description": "Active Directory domain" },
+            "adConfig": {
+              "type": "object",
+              "description": "Additional Active Directory configuration supporting LDAP connection which can be used to confirm group membership. For the full set of available options see the activedirectory 2 NPM module docs at https://www.npmjs.com/package/activedirectory2#activedirectoryoptions <br /><br />Please note that if the Third Party APIs config `api.ls.userInADGroup` is set then the REST API it represents is used in preference to direct querying of group memebership via LDAP.",
+              "properties": {
+                "url": {
+                  "type": "string",
+                  "description": "Active Directory server to connect to, e.g. `ldap://ad.example.com`."
+                },
+                "baseDN": {
+                  "type": "string",
+                  "description": "The root DN from which all searches will be performed, e.g. `dc=example,dc=com`."
+                },
+                "username": {
+                  "type": "string",
+                  "description": "An account name capable of performing the operations desired."
+                },
+                "password": {
+                  "type": "string",
+                  "description": "Password for the given `username`."
+                }
+              },
+              "required": ["url", "baseDN", "username", "password"]
+            }
+          },
+          "required": ["type", "enabled", "adminGroup", "userGroup", "domain"]
+        },
+        {
+          "title": "Open ID Connect Auth Config",
+          "description": "Configuration for Open ID Connect authentication.",
+          "properties": {
+            "type": { "type": "string", "const": "openidconnect" },
+            "enabled": { "type": "boolean" },
+            "oidcConfig": {
+              "type": "object",
+              "description": "Additional OIDC configuration.",
+              "properties": {
+                "issuer": { "type": "string" },
+                "clientID": { "type": "string" },
+                "clientSecret": { "type": "string" },
+                "callbackURL": { "type": "string" },
+                "scope": { "type": "string" }
+              },
+              "required": ["issuer", "clientID", "clientSecret", "callbackURL", "scope"]
+            }
+          },
+          "required": ["type", "enabled", "oidcConfig"]
+        },
+        {
+          "title": "JWT Auth Config",
+          "description": "Configuration for JWT authentication.",
+          "properties": {
+            "type": { "type": "string", "const": "jwt" },
+            "enabled": { "type": "boolean" },
+            "jwtConfig": {
+              "type": "object",
+              "description": "Additional JWT configuration.",
+              "properties": {
+                "clientID": { "type": "string" },
+                "authorityURL": { "type": "string" }
+              },
+              "required": ["clientID", "authorityURL"]
+            }
+          },
+          "required": ["type", "enabled", "jwtConfig"]
+        }
+      ]
     },
     "routeAuthRule": {
       "type": "object",

cypress/e2e/login.cy.js

@@ -31,6 +31,16 @@ describe('Login page', () => {
     cy.url().should('include', '/dashboard/repo');
   })
 
+  it('should show an error snackbar on invalid login', () => {
+    cy.get('[data-test="username"]').type('wronguser');
+    cy.get('[data-test="password"]').type('wrongpass');
+    cy.get('[data-test="login"]').click();
+
+    cy.get('.MuiSnackbarContent-message')
+      .should('be.visible')
+      .and('contain', 'You entered an invalid username or password...');
+  });
+
   describe('OIDC login button', () => {
     it('should exist', () => {
       cy.get('[data-test="oidc-login"]').should('exist');