feat(profile): add developer settings page with API token display

[jordane]

Create comprehensive developer settings page accessible via user menu. Features secure API token display with masking, copy functionality, and proper authentication. Includes responsive table design and security guidelines for developers.

Key features:

• Real-time API token retrieval from OIDC bearer token
• Token masking with fixed-width display for better UX
• One-click copy to clipboard with toast notifications
• Security best practices documentation
• Responsive table layout with consistent styling

🤖 Generated with Claude Code

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a Developer API Access feature: new ProfileDeveloperComponent to load, mask, and copy a developer API token; new client API method; server endpoint GET /api/profile/developer; route registration; and header/profile menu updates to navigate to the new page.

Changes

Cohort / File(s)	Summary of changes
Developer Profile UI apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.html, apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.ts	New standalone component that fetches developer token via UserService, shows loading state, displays masked/unmasked token, and supports toggle visibility and copy-to-clipboard with toast messages.
Profile routing apps/lfx-one/src/app/modules/profile/profile.routes.ts	Adds path: 'developer' route that lazy-loads ProfileDeveloperComponent.
Header navigation apps/lfx-one/src/app/shared/components/header/header.component.ts	Changes Developer Settings menu item to use internal routerLink to /profile/developer instead of opening a new tab.
Profile layout menu apps/lfx-one/src/app/layouts/profile-layout/profile-layout.component.ts	Adds "Developer Settings" item to the profile menu pointing to /profile/developer.
Client service API apps/lfx-one/src/app/shared/services/user.service.ts	Adds getDeveloperTokenInfo() returning Observable<{ token: string; type: string }> from /api/profile/developer.
Server API apps/lfx-one/src/server/controllers/profile.controller.ts, apps/lfx-one/src/server/routes/profile.route.ts	Adds GET /api/profile/developer route and ProfileController.getDeveloperTokenInfo to return current user's token and type with auth checks, token extraction, and error handling.
Project dashboard minor change apps/lfx-one/src/app/modules/project/dashboard/project-dashboard/project.component.html	Wraps "Add Committee" button in conditional rendering so it only shows when project()?.writer is truthy.

Sequence Diagram(s)

sequenceDiagram
  participant U as User
  participant H as Header
  participant R as Router
  participant C as ProfileDeveloperComponent
  participant S as UserService
  participant API as /api/profile/developer
  participant Ctrl as ProfileController
  participant Auth as Auth Context

  U->>H: Click "Developer Settings"
  H->>R: routerLink /profile/developer
  R->>C: instantiate
  rect rgba(200,210,255,0.18)
    C->>S: getDeveloperTokenInfo()
    S->>API: GET /api/profile/developer
    API->>Ctrl: handle request
    Ctrl->>Auth: validate & extract user/token
    Auth-->>Ctrl: user & token
    Ctrl-->>API: { token, type }
    API-->>S: 200 OK with token data
    S-->>C: token data
    C-->>C: set loading=false
  end
  C-->>U: render masked token

  alt User copies token
    U->>C: Click copy
    C-->>U: clipboard + toast
  end

  alt Toggle visibility
    U->>C: Toggle visibility
    C-->>U: masked/unmasked token
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat(meeting): refactor meeting module and update environment config #86 — Adjusts Developer Settings header/menu behavior; closely related to the header navigation change here.
• feat(profile): implement complete profile management system #83 — Broad profile-related changes (routes/controllers); likely overlaps with added profile routes and server controller additions.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes Check	⚠️ Warning	The changeset includes one modification that appears unrelated to the Developer Settings page objective: in project-dashboard/project.component.html, an "Add Committee" button is now conditionally rendered based on project()?.writer permissions. This change to committee button visibility within the project dashboard does not relate to implementing the Developer Settings page or fixing the menu link described in LFXV2-584, and appears to be an out-of-scope modification.	The change to apps/lfx-one/src/app/modules/project/dashboard/project-dashboard/project.component.html should be removed from this PR as it addresses a different concern (committee permissions) unrelated to the Developer Settings page implementation. Consider moving this change to a separate PR that specifically addresses project committee permissions or access control, ensuring each PR maintains a single, focused purpose aligned with its linked issue.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The PR title "feat(profile): add developer settings page with API token display" accurately describes the main change in the changeset. The PR introduces a new Developer Settings page within the profile module that displays API tokens with masking, copy functionality, and security guidelines. The title is concise, follows conventional commit format, and clearly summarizes the primary purpose of the changes without being overly vague or misleading.
Linked Issues Check	✅ Passed	The linked issue LFXV2-584 requires providing a functional destination for the existing Developer Settings menu link and implementing a Developer Settings UI. The changeset fully addresses these objectives by creating the ProfileDeveloperComponent with API token display functionality, adding the /profile/developer route, and updating the header navigation to route to this new page instead of opening a blank link. All coding-related requirements from the linked issue are satisfied.
Description Check	✅ Passed	The PR description is directly related to the changeset and provides meaningful context about the implementation. It describes the developer settings page, API token functionality, masking behavior, clipboard integration, and security guidelines—all of which are present in the code changes across the component files, services, and routes. While detailed, the description accurately reflects what was implemented in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch jme/LFXV2-584

---

Tip

🧪 Early access (models): enabled

We are currently testing Sonnet 4.5 code review models, which should lead to better review quality. However, this model may result in higher noise levels in the review comments. Please disable the early access features if the noise level causes any inconvenience.

Note:

• Public repositories are always opted into early access features.
• You can enable or disable early access features from the CodeRabbit UI or by updating the CodeRabbit configuration file.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull Request Overview

This PR introduces a comprehensive developer settings page that allows users to view and manage their API tokens through a secure interface accessible from the user menu. The implementation provides real-time token retrieval with proper authentication and user-friendly security features.

• Adds a new developer settings route and component with secure API token display
• Implements token masking, visibility toggle, and clipboard copy functionality
• Updates navigation to route to the new developer settings page instead of external link

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
apps/lfx-one/src/server/routes/profile.route.ts	Adds new GET endpoint for developer token information
apps/lfx-one/src/server/controllers/profile.controller.ts	Implements controller method to retrieve and return user's bearer token
apps/lfx-one/src/app/shared/services/user.service.ts	Adds service method to fetch developer token info from API
apps/lfx-one/src/app/shared/components/header/header.component.ts	Updates developer settings menu item to use internal routing
apps/lfx-one/src/app/modules/profile/profile.routes.ts	Adds route configuration for developer settings page
apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.ts	Main component implementing token display, masking, and copy functionality
apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.html	Template with responsive table layout and security guidelines

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[github-actions]

🚀 Deployment Status

Your branch has been deployed to: https://ui-pr-105.dev.v2.cluster.linuxfound.info

Deployment Details:

• Environment: Development
• Namespace: ui-pr-105
• ArgoCD App: ui-pr-105

The deployment will be automatically removed when this PR is closed.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.html (1)

1-103: Fix Prettier formatting failure

CI flagged this template for Prettier violations. Please run the project’s Prettier config (e.g., npm run lint -- --fix or npx prettier --write apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.html) so the pipeline passes.

🧹 Nitpick comments (1)

apps/lfx-one/src/app/shared/services/user.service.ts (1)

127-132: Introduce a typed interface for token payload

Define a DeveloperTokenInfo interface and use it here for consistency and reuse.

-  public getDeveloperTokenInfo(): Observable<{ token: string; type: string }> {
-    return this.http.get<{ token: string; type: string }>('/api/profile/developer').pipe(take(1));
+  public getDeveloperTokenInfo(): Observable<DeveloperTokenInfo> {
+    return this.http.get<DeveloperTokenInfo>('/api/profile/developer').pipe(take(1));
   }

Add near the top of this file (or in shared interfaces if preferred):

export interface DeveloperTokenInfo {
  token: string;
  type: 'Bearer' | string;
}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a08bc3a and 6d25c08.

📒 Files selected for processing (7)

• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.html (1 hunks)
• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.ts (1 hunks)
• apps/lfx-one/src/app/modules/profile/profile.routes.ts (1 hunks)
• apps/lfx-one/src/app/shared/components/header/header.component.ts (1 hunks)
• apps/lfx-one/src/app/shared/services/user.service.ts (1 hunks)
• apps/lfx-one/src/server/controllers/profile.controller.ts (1 hunks)
• apps/lfx-one/src/server/routes/profile.route.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (4)

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Use TypeScript interfaces instead of union types for better maintainability
When defining PrimeNG-related types, reference the official PrimeNG component interfaces

Files:

• apps/lfx-one/src/app/shared/services/user.service.ts
• apps/lfx-one/src/app/shared/components/header/header.component.ts
• apps/lfx-one/src/app/modules/profile/profile.routes.ts
• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.ts
• apps/lfx-one/src/server/routes/profile.route.ts
• apps/lfx-one/src/server/controllers/profile.controller.ts

**/*.{ts,tsx,js,jsx,mjs,cjs,html,css,scss}

📄 CodeRabbit inference engine (CLAUDE.md)

Include required license headers on all source files

Files:

• apps/lfx-one/src/app/shared/services/user.service.ts
• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.html
• apps/lfx-one/src/app/shared/components/header/header.component.ts
• apps/lfx-one/src/app/modules/profile/profile.routes.ts
• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.ts
• apps/lfx-one/src/server/routes/profile.route.ts
• apps/lfx-one/src/server/controllers/profile.controller.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Do not nest ternary expressions

Files:

• apps/lfx-one/src/app/shared/services/user.service.ts
• apps/lfx-one/src/app/shared/components/header/header.component.ts
• apps/lfx-one/src/app/modules/profile/profile.routes.ts
• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.ts
• apps/lfx-one/src/server/routes/profile.route.ts
• apps/lfx-one/src/server/controllers/profile.controller.ts

apps/lfx-one/src/**/*.html

📄 CodeRabbit inference engine (CLAUDE.md)

apps/lfx-one/src/**/*.html: Always add data-testid attributes when creating new Angular components for reliable test targeting
Use data-testid naming convention [section]-[component]-[element]

Files:

• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.html

🧬 Code graph analysis (1)

apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.ts (1)

apps/lfx-one/src/app/shared/components/header/header.component.ts (1)

• Component (22-141)

🪛 GitHub Actions: Quality Checks

apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.html

[warning] 1-1: Code style issues found in the above file. Run Prettier with --write to fix.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-and-push

🔇 Additional comments (4)

apps/lfx-one/src/server/routes/profile.route.ts (1)

46-48: Route wiring looks correct; confirm auth middleware applies

Good addition and placement. Please confirm this router is mounted behind the same auth middleware as other profile routes so the token endpoint is not publicly reachable.

apps/lfx-one/src/app/shared/components/header/header.component.ts (1)

58-61: Switch to routerLink is correct

Internal navigation to /profile/developer aligns with the new lazy route.

apps/lfx-one/src/app/modules/profile/profile.routes.ts (1)

19-22: Route addition LGTM

Lazy loading the Developer component under /profile/developer matches the header link and service usage.

apps/lfx-one/src/server/controllers/profile.controller.ts (1)

624-637: Remove unnecessary cast – global augmentation already declares bearerToken
apps/lfx-one/src/types/express.d.ts augments Express.Request with bearerToken?: string, so casting or local type refinement isn’t required.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 6d25c08 and 30c46ad.

📒 Files selected for processing (3)

• apps/lfx-one/src/app/layouts/profile-layout/profile-layout.component.ts (1 hunks)
• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.html (1 hunks)
• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.html

🧰 Additional context used

📓 Path-based instructions (3)

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Use TypeScript interfaces instead of union types for better maintainability
When defining PrimeNG-related types, reference the official PrimeNG component interfaces

Files:

• apps/lfx-one/src/app/layouts/profile-layout/profile-layout.component.ts
• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.ts

**/*.{ts,tsx,js,jsx,mjs,cjs,html,css,scss}

📄 CodeRabbit inference engine (CLAUDE.md)

Include required license headers on all source files

Files:

• apps/lfx-one/src/app/layouts/profile-layout/profile-layout.component.ts
• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Do not nest ternary expressions

Files:

• apps/lfx-one/src/app/layouts/profile-layout/profile-layout.component.ts
• apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.ts

🧬 Code graph analysis (1)

apps/lfx-one/src/app/modules/profile/developer/profile-developer.component.ts (1)

apps/lfx-one/src/app/layouts/profile-layout/profile-layout.component.ts (1)

• Component (18-235)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: E2E Tests / Playwright E2E Tests
• GitHub Check: build-and-push

[github-actions]

✅ E2E Tests Passed

Browser: chromium
Status: passed

All E2E tests passed successfully.

Test Configuration

• Node.js: 22
• Command: e2e
• Browser: chromium
• Base URL: http://localhost:4200

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

apps/lfx-one/src/server/controllers/profile.controller.ts (1)

650-655: Harden cache/cdn semantics: add CDN-Cache-Control and Vary: Authorization

Nice job adding no-store. Add headers below to keep edge caches honest and prevent cache key collisions across different Authorization values.

       res.set({
         ['Cache-Control']: 'no-store, no-cache, must-revalidate, private',
+        ['CDN-Cache-Control']: 'no-store',
+        Vary: 'Authorization',
         Pragma: 'no-cache',
         Expires: '0',
       });

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 30c46ad and ac6ae1a.

📒 Files selected for processing (1)

• apps/lfx-one/src/server/controllers/profile.controller.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Use TypeScript interfaces instead of union types for better maintainability
When defining PrimeNG-related types, reference the official PrimeNG component interfaces

Files:

• apps/lfx-one/src/server/controllers/profile.controller.ts

**/*.{ts,tsx,js,jsx,mjs,cjs,html,css,scss}

📄 CodeRabbit inference engine (CLAUDE.md)

Include required license headers on all source files

Files:

• apps/lfx-one/src/server/controllers/profile.controller.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Do not nest ternary expressions

Files:

• apps/lfx-one/src/server/controllers/profile.controller.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: E2E Tests / Playwright E2E Tests

🔇 Additional comments (3)

apps/lfx-one/src/server/controllers/profile.controller.ts (3)

602-662: CSRF/CORS posture: ensure cross‑origin reads can’t exfiltrate the token

If auth uses cookies, a cross‑origin GET could be credentialed; ensure CORS for this route does not allow credentialed reads from arbitrary origins, or move raw‑token exposure to POST with CSRF as suggested.

Repo check:

#!/bin/bash
# Find CORS configuration and this route
rg -nP "cors\\(|Access-Control-Allow|allowedOrigins|credentials\\s*:\\s*true" -g "apps/**/src/**/*.ts" -C3
rg -n "/api/profile/developer" -g "apps/**/src/**/*.ts" -C3

Expected: credentials not broadly enabled for untrusted origins; route not exposed cross‑origin.

---

602-604: Reconsider exposing the raw bearer token via a GET endpoint

Even with no-store, returning the full token to JS expands exfiltration blast radius (XSS, third‑party scripts). Prefer “masked by default” on GET and expose the raw token only behind an explicit user gesture via POST with CSRF/session checks (if cookies are used). This aligns with the UI’s masking goal and least‑privilege.

Example (keep GET masked; add separate POST for copy action):

- * GET /api/profile/developer - Get current user's developer token information
+ * GET /api/profile/developer - Get masked developer token metadata
+ * POST /api/profile/developer/token - Return raw token on explicit user action (no-store + CSRF)

If keeping GET, at minimum add an option to return only masked token. I can draft the route/middleware if desired.

---

639-658: Return masked token by default; avoid sending the raw token in JSON

Send only a masked form and metadata; reserve raw token for an explicit POST as suggested.

Apply within this handler:

-      // Return token information
-      const tokenInfo = {
-        token: bearerToken,
-        type: 'Bearer',
-      };
+      // Return masked token information only
+      const mask = (t: string) => (t.length <= 10 ? '•••••' : `${t.slice(0, 6)}••••••••${t.slice(-4)}`);
+      const tokenInfo = {
+        tokenMasked: mask(bearerToken),
+        type: 'Bearer',
+        length: bearerToken.length,
+      };

If the frontend currently expects token, add a temporary dual field (tokenMasked now, migrate UI, then remove token). I can provide a short migration diff for the UI.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

apps/lfx-one/src/app/modules/project/dashboard/project-dashboard/project.component.html (1)

262-263: Add data-testid attribute for reliable test targeting.

The button should include a data-testid attribute following the convention [section]-[component]-[element].

As per coding guidelines.

Apply this diff:

-                          <lfx-button label="Add Committee" icon="fa-light fa-people-group" severity="secondary" size="small" (onClick)="openCreateDialog()">
+                          <lfx-button label="Add Committee" icon="fa-light fa-people-group" severity="secondary" size="small" (onClick)="openCreateDialog()" data-testid="committees-empty-add-button">
                           </lfx-button>

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between ac6ae1a and cea7fbe.

📒 Files selected for processing (1)

• apps/lfx-one/src/app/modules/project/dashboard/project-dashboard/project.component.html (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

apps/lfx-one/src/**/*.html

📄 CodeRabbit inference engine (CLAUDE.md)

apps/lfx-one/src/**/*.html: Always add data-testid attributes when creating new Angular components for reliable test targeting
Use data-testid naming convention [section]-[component]-[element]

Files:

• apps/lfx-one/src/app/modules/project/dashboard/project-dashboard/project.component.html

**/*.{ts,tsx,js,jsx,mjs,cjs,html,css,scss}

📄 CodeRabbit inference engine (CLAUDE.md)

Include required license headers on all source files

Files:

• apps/lfx-one/src/app/modules/project/dashboard/project-dashboard/project.component.html

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: E2E Tests / Playwright E2E Tests

🔇 Additional comments (1)

apps/lfx-one/src/app/modules/project/dashboard/project-dashboard/project.component.html (1)

261-264: LGTM! Consistent permission gating.

The conditional rendering based on project()?.writer correctly restricts the "Add Committee" action to users with write permissions, matching the pattern used for the "Create Meeting" button elsewhere in this template.

[github-actions]

🧹 Deployment Removed

The deployment for PR #105 has been removed.