add copy UAA token button to page header

norman-abramovitz · bmo-at-a9s · norman-abramovitz · commit f086171bfa4e · 2026-04-13T14:13:50.000-07:00
Ports upstream PR #5169 (author: Jan-Robin Aumann) to modern Stratos patterns on feature/Angular-21. Backend (clean port): - api/structs.go — JSON tags on TokenRecord so it can be serialised - session.go — new AuthTokenEnvelope struct and retrieveToken handler. The handler reads user_id from the signed session cookie, verifies the session, then returns the UAA TokenRecord for that user only. No client-supplied user identifier anywhere — users can only ever retrieve their own token. - main.go — GET /api/v1/auth/token route Frontend (rewritten for Angular 21 patterns): - store/types/auth.types.ts — TokenData + AuthTokenEnvelope interfaces - store/public-api.ts — exported via `export type` - page-header.component.ts — uses inject(HttpClient) + inject(SnackBarService), firstValueFrom(), and navigator.clipboard.writeText(). No ngx-clipboard dependency. - page-header.component.html — new vpn_key button + dropdown in the Tailwind toggle pattern (isTokenMenuOpen), @if control flow, no mat-* Security hardening over the upstream PR: the original kept each token in a hidden <div>{{ token$ | async }}</div> buffer for the clipboard-copy library to read, which left the raw tokens live in the DOM where browser extensions could scrape them. This port skips the DOM buffer entirely — the token is fetched on-demand when the user clicks Copy and written straight to the clipboard API. The /auth/token envelope is also re-fetched every time the menu opens (via shareReplay(1) in a per-open observable) so users can't receive a stale or expired token from a process-lifetime cache. Co-authored-by: Jan-Robin Aumann <jaumann@anynines.com>
diff --git a/src/frontend/packages/core/src/shared/components/page-header/page-header.component.html b/src/frontend/packages/core/src/shared/components/page-header/page-header.component.html
@@ -72,6 +72,39 @@
             <!-- Theme toggle -->
             <app-theme-toggle></app-theme-toggle>
 
+            <!-- Copy UAA token button -->
+            @if (!hideMenu && !logoutOnly && !environment.hideUserMenu) {
+              <div class="relative">
+                <button class="page-header-menu-button p-2 text-header-text hover:bg-white/10 rounded-md transition-colors"
+                  (click)="toggleTokenMenu()"
+                  title="Copy UAA tokens">
+                  <span class="material-icons">vpn_key</span>
+                </button>
+                @if (isTokenMenuOpen) {
+                  <div
+                    class="absolute right-0 top-full mt-2 bg-content-bg rounded-lg shadow-lg border border-content-border z-50">
+                    <div class="page-header-token p-4 w-64">
+                      <h3 class="page-header-token-title text-lg font-semibold text-content-text mb-3">UAA Tokens</h3>
+                      <div class="space-y-2">
+                        <button class="w-full text-left px-3 py-2 text-sm text-content-text hover:bg-content-secondary rounded-md transition-colors border border-content-border"
+                          (click)="copyToken(authToken$, 'Auth token'); closeTokenMenu()">
+                          Copy Auth Token
+                        </button>
+                        <button class="w-full text-left px-3 py-2 text-sm text-content-text hover:bg-content-secondary rounded-md transition-colors border border-content-border"
+                          (click)="copyToken(refreshToken$, 'Refresh token'); closeTokenMenu()">
+                          Copy Refresh Token
+                        </button>
+                      </div>
+                      <div class="mt-3 pt-3 border-t border-content-border">
+                        <div class="text-xs font-medium text-content-muted mb-1">Token expiry</div>
+                        <div class="text-sm text-content-text break-words">{{ (tokenExpiry$ | async) | date:'medium' }}</div>
+                      </div>
+                    </div>
+                  </div>
+                }
+              </div>
+            }
+
             <!-- History button -->
             @if (showHistory) {
               <div class="relative">
diff --git a/src/frontend/packages/core/src/shared/components/page-header/page-header.component.ts b/src/frontend/packages/core/src/shared/components/page-header/page-header.component.ts
@@ -1,5 +1,6 @@
 import { Portal, TemplatePortal } from '@angular/cdk/portal';
 import { CommonModule } from '@angular/common';
+import { HttpClient } from '@angular/common/http';
 import { ChangeDetectionStrategy, ChangeDetectorRef, AfterViewInit, Component, Input, OnDestroy, TemplateRef, ViewChild, inject } from '@angular/core';
 import { RouterModule, ActivatedRoute, Router } from '@angular/router';
 import { Store } from '@ngrx/store';
@@ -14,10 +15,12 @@ import {
   AppState,
   selectIsMobile,
   UserProfileInfo,
+  AuthTokenEnvelope,
 } from '@stratosui/store';
 import { getTime } from 'date-fns';
-import { combineLatest, Observable } from 'rxjs';
+import { combineLatest, firstValueFrom, Observable, shareReplay } from 'rxjs';
 import { map, startWith } from 'rxjs/operators';
+import { SnackBarService } from '../../services/snackbar.service';
 
 import { CurrentUserPermissionsService } from '../../../core/permissions/current-user-permissions.service';
 import { StratosCurrentUserPermissions } from '../../../core/permissions/stratos-user-permissions.checker';
@@ -62,6 +65,8 @@ export class PageHeaderComponent implements OnDestroy, AfterViewInit {
   private endpointsService = inject(EndpointsService);
   private currentUserPermissionsService = inject(CurrentUserPermissionsService);
   private cdr = inject(ChangeDetectorRef);
+  private http = inject(HttpClient);
+  private snackBarService = inject(SnackBarService);
 
   public canAPIKeys$: Observable<boolean>;
   public breadcrumbDefinitions: IHeaderBreadcrumbLink[] = null;
@@ -77,6 +82,7 @@ export class PageHeaderComponent implements OnDestroy, AfterViewInit {
   // Menu state for Tailwind dropdowns
   public isHistoryMenuOpen = false;
   public isUserMenuOpen = false;
+  public isTokenMenuOpen = false;
 
   @ViewChild('pageHeaderTmpl', { static: true }) pageHeaderTmpl!: TemplateRef<any>;
 
@@ -158,6 +164,9 @@ export class PageHeaderComponent implements OnDestroy, AfterViewInit {
   public user$: Observable<UserProfileInfo>;
   public allowGravatar$: Observable<boolean>;
   public canLogout$: Observable<boolean>;
+  public authToken$!: Observable<string>;
+  public refreshToken$!: Observable<string>;
+  public tokenExpiry$!: Observable<Date | null>;
 
   public actionsKey: string;
 
@@ -238,7 +247,38 @@ export class PageHeaderComponent implements OnDestroy, AfterViewInit {
     this.canLogout$ = this.currentUserPermissionsService.can(StratosCurrentUserPermissions.CAN_NOT_LOGOUT).pipe(
       map(noLogout => !noLogout)
     );
+  }
+
+  // Fetch fresh token envelope — called every time the token menu opens so
+  // the user can't grab a stale/expired token from a cached observable. The
+  // three derived observables share one HTTP call via shareReplay(1).
+  private refreshTokenObservables() {
+    const env$ = this.http
+      .get<AuthTokenEnvelope>(`/api/${environment.proxyAPIVersion}/auth/token`)
+      .pipe(shareReplay(1));
+
+    this.authToken$ = env$.pipe(map(res => res.data?.auth_token ?? ''));
+    this.refreshToken$ = env$.pipe(map(res => res.data?.refresh_token ?? ''));
+    this.tokenExpiry$ = env$.pipe(
+      map(res => res.data ? new Date(res.data.token_expiry * 1000) : null)
+    );
+  }
 
+  // Copy a token value to the clipboard without ever rendering it in the DOM.
+  // The token$ observable is resolved at click time and piped straight into
+  // the browser clipboard API — no hidden <div>{{ token }}</div> buffer.
+  async copyToken(token$: Observable<string>, label: string) {
+    try {
+      const value = await firstValueFrom(token$);
+      if (!value) {
+        this.snackBarService.show(`No ${label} available`, 'Close');
+        return;
+      }
+      await navigator.clipboard.writeText(value);
+      this.snackBarService.show(`${label} copied to clipboard`, 'Close');
+    } catch {
+      this.snackBarService.show(`Failed to copy ${label}`, 'Close');
+    }
   }
 
   ngOnDestroy() {
@@ -267,14 +307,25 @@ export class PageHeaderComponent implements OnDestroy, AfterViewInit {
   toggleHistoryMenu() {
     this.isHistoryMenuOpen = !this.isHistoryMenuOpen;
     if (this.isHistoryMenuOpen) {
-      this.isUserMenuOpen = false; // Close user menu when opening history
+      this.isUserMenuOpen = false;
+      this.isTokenMenuOpen = false;
     }
   }
 
   toggleUserMenu() {
     this.isUserMenuOpen = !this.isUserMenuOpen;
     if (this.isUserMenuOpen) {
-      this.isHistoryMenuOpen = false; // Close history menu when opening user menu
+      this.isHistoryMenuOpen = false;
+      this.isTokenMenuOpen = false;
+    }
+  }
+
+  toggleTokenMenu() {
+    this.isTokenMenuOpen = !this.isTokenMenuOpen;
+    if (this.isTokenMenuOpen) {
+      this.isHistoryMenuOpen = false;
+      this.isUserMenuOpen = false;
+      this.refreshTokenObservables();
     }
   }
 
@@ -286,4 +337,8 @@ export class PageHeaderComponent implements OnDestroy, AfterViewInit {
     this.isHistoryMenuOpen = false;
   }
 
+  closeTokenMenu() {
+    this.isTokenMenuOpen = false;
+  }
+
 }
diff --git a/src/frontend/packages/store/src/public-api.ts b/src/frontend/packages/store/src/public-api.ts
@@ -9,7 +9,7 @@ export { LocalStorageService, LocalStorageSyncTypes } from './helpers/local-stor
 // Used by store testing module
 export { getDefaultRequestState } from './reducers/api-request-reducer/types';
 export { getDefaultPaginationEntityState } from './reducers/pagination-reducer/pagination-reducer-reset-pagination';
-export type { SessionDataEndpoint } from './types/auth.types';
+export type { AuthTokenEnvelope, SessionDataEndpoint, TokenData } from './types/auth.types';
 export { getDefaultRolesRequestState } from './types/current-user-roles.types';
 export type { BaseEntityValues } from './types/entity.types';
 export type {
diff --git a/src/frontend/packages/store/src/types/auth.types.ts b/src/frontend/packages/store/src/types/auth.types.ts
@@ -81,6 +81,27 @@ export interface SessionDataEnvelope {
   data?: SessionData;
 }
 
+export interface TokenData {
+  token_guid: string;
+  auth_token: string;
+  refresh_token: string;
+  token_expiry: number;
+  disconnected: boolean;
+  auth_type: string;
+  metadata: string;
+  system_shared: boolean;
+  linked_guid: string;
+  certificate: string;
+  certificate_key: string;
+  enabled: boolean;
+}
+
+export interface AuthTokenEnvelope {
+  status: string;
+  error?: string;
+  data?: TokenData;
+}
+
 export interface Diagnostics {
   deploymentType?: string;
   gitClientVersion?: string;
diff --git a/src/jetstream/api/structs.go b/src/jetstream/api/structs.go
@@ -139,18 +139,18 @@ type BackupTokenRecord struct {
 
 // TokenRecord repsrents and endpoint or uaa token
 type TokenRecord struct {
-	TokenGUID      string
-	AuthToken      string
-	RefreshToken   string
-	TokenExpiry    int64
-	Disconnected   bool
-	AuthType       string
-	Metadata       string
-	SystemShared   bool
-	LinkedGUID     string // Indicates the GUID of the token that this token is linked to (if any)
-	Certificate    string
-	CertificateKey string
-	Enabled        bool
+	TokenGUID      string `json:"token_guid"`
+	AuthToken      string `json:"auth_token"`
+	RefreshToken   string `json:"refresh_token"`
+	TokenExpiry    int64  `json:"token_expiry"`
+	Disconnected   bool   `json:"disconnected"`
+	AuthType       string `json:"auth_type"`
+	Metadata       string `json:"metadata"`
+	SystemShared   bool   `json:"system_shared"`
+	LinkedGUID     string `json:"linked_guid"` // Indicates the GUID of the token that this token is linked to (if any)
+	Certificate    string `json:"certificate"`
+	CertificateKey string `json:"certificate_key"`
+	Enabled        bool   `json:"enabled"`
 }
 
 type CFInfo struct {
diff --git a/src/jetstream/main.go b/src/jetstream/main.go
@@ -928,6 +928,9 @@ func (p *portalProxy) registerRoutes(e *echo.Echo, needSetupMiddleware bool) {
 	// Verify Session
 	api.GET("/v1/auth/verify", p.verifySession)
 
+	// Retrieve UAA token for the current session (for operator tooling, e.g. cf CLI curl commands)
+	api.GET("/v1/auth/token", p.retrieveToken)
+
 	// Always serve the backend API from /pp
 	pp := e.Group("/pp")
 
diff --git a/src/jetstream/session.go b/src/jetstream/session.go
@@ -50,6 +50,13 @@ type SessionInfoEnvelope struct {
 	Data   *api.Info `json:"data"`
 }
 
+// AuthTokenEnvelope -- contains response status, data and/or errors for the UAA token retrieval endpoint
+type AuthTokenEnvelope struct {
+	Status string           `json:"status"`
+	Error  string           `json:"error"`
+	Data   *api.TokenRecord `json:"data"`
+}
+
 func (e *SessionValueNotFound) Error() string {
 	return fmt.Sprintf("Session value not found %s", e.msg)
 }
@@ -318,3 +325,61 @@ func (p *portalProxy) verifySession(c echo.Context) error {
 		},
 	)
 }
+
+func (p *portalProxy) retrieveToken(c echo.Context) error {
+	log.Debug("retrieveToken")
+
+	p.StratosAuthService.BeforeVerifySession(c)
+
+	sessionExpireTime, err := p.GetSessionInt64Value(c, "exp")
+	if err != nil {
+		return c.JSON(
+			http.StatusOK,
+			AuthTokenEnvelope{
+				Status: "error",
+				Error:  err.Error(),
+			},
+		)
+	}
+
+	sessionUser, err := p.GetSessionStringValue(c, "user_id")
+	if err != nil {
+		return c.JSON(
+			http.StatusOK,
+			AuthTokenEnvelope{
+				Status: "error",
+				Error:  err.Error(),
+			},
+		)
+	}
+
+	err = p.StratosAuthService.VerifySession(c, sessionUser, sessionExpireTime)
+	if err != nil {
+		return c.JSON(
+			http.StatusOK,
+			AuthTokenEnvelope{
+				Status: "error",
+				Error:  err.Error(),
+			},
+		)
+	}
+
+	record, err := p.GetUAATokenRecord(sessionUser)
+	if err != nil {
+		return c.JSON(
+			http.StatusOK,
+			AuthTokenEnvelope{
+				Status: "error",
+				Error:  err.Error(),
+			},
+		)
+	}
+
+	return c.JSON(
+		http.StatusOK,
+		AuthTokenEnvelope{
+			Status: "ok",
+			Data:   &record,
+		},
+	)
+}
