Implements user authentication via OAuth

Removes the previous client credentials approach in favor of a user-based login flow.
Adds an immediate auth check, handles forced logout or re-login, and introduces a dedicated login page for error handling.
Streamlines the UI with improved logout feedback and secure token management.

Author: mbertelsen

editor/src/App.tsx

@@ -43,6 +43,7 @@ export default function App() {
   const [showActivityDialog, setShowActivityDialog] = useState(false);
   const [showStepDialog, setShowStepDialog] = useState(false);
   const [activeTab, setActiveTab] = useState<TabType>('edit');
+  const [authChecked, setAuthChecked] = useState(false);
 
   // Persistence hook for selections
   const { selections, isLoading: isLoadingSelections, saveSelection } = usePersistedSelections();
@@ -57,16 +58,110 @@ export default function App() {
   const { script } = state;
   const { isValid, errors: validationErrors } = state.validation;
 
+  // Immediate authentication check and redirect
+  useEffect(() => {
+    const checkAuthAndRedirect = async () => {
+      // Skip auth check if we're handling OAuth callback
+      if (window.location.pathname === '/account/callback') {
+        setAuthChecked(true);
+        return;
+      }
+
+      // Check if we just came back from logout
+      const urlParams = new URLSearchParams(window.location.search);
+      const loggedOut = urlParams.get('logged_out');
+      const forceLogin = urlParams.get('force_login');
+      const completeLogout = urlParams.get('complete_logout');
+      const logoutComplete = urlParams.get('logout_complete');
+      const promptLogin = urlParams.get('prompt');
+      
+      if (loggedOut || forceLogin || completeLogout || logoutComplete) {
+        // Clear all logout-related parameters from URL
+        window.history.replaceState({}, document.title, '/');
+        console.log('🔄 Returned from logout, forcing fresh login...');
+        
+        // Clear any remaining authentication state to ensure fresh login
+        try {
+          const { authService } = await import('./lib/auth-service');
+          authService.clearToken(); // Make sure all tokens are cleared
+          
+          // Also try to clear localStorage/sessionStorage again
+          localStorage.clear();
+          sessionStorage.clear();
+        } catch (error) {
+          console.warn('Failed to clear tokens:', error);
+        }
+        
+        // If this is the logout completion page, show a brief message then redirect to OAuth
+        if (logoutComplete) {
+          console.log('✅ Logout completed successfully, redirecting to login...');
+          // Add a small delay to show the logout was successful
+          setTimeout(async () => {
+            try {
+              const { authService } = await import('./lib/auth-service');
+              await authService.startOAuthLogin('login'); // Force login screen
+            } catch (error) {
+              console.error('Failed to start OAuth login:', error);
+              window.location.reload(); // Fallback
+            }
+          }, 1000);
+          setAuthChecked(true);
+          return;
+        }
+      }
+
+      try {
+        const { authService } = await import('./lib/auth-service');
+        
+        if (!authService.isAuthenticated() || loggedOut || forceLogin || completeLogout) {
+          console.log('🔐 User not authenticated or logout forced, redirecting to TrackMan login...');
+          
+          // If we have a prompt parameter, pass it to the OAuth login to force login screen
+          if (promptLogin === 'login') {
+            console.log('🔑 Adding prompt=login to force login screen...');
+          }
+          
+          await authService.startOAuthLogin(promptLogin === 'login' ? 'login' : undefined);
+          // This will redirect away, so we won't reach the next line
+          return;
+        }
+        
+        console.log('✅ User is authenticated');
+        setAuthChecked(true);
+      } catch (error) {
+        console.error('❌ Auth check failed:', error);
+        setAuthChecked(true); // Show app anyway if auth check fails
+      }
+    };
+
+    checkAuthAndRedirect();
+  }, []);
+
   // Handle OAuth callback - monitor URL changes
   useEffect(() => {
     const handleOAuthCallback = async () => {
       const currentUrl = window.location.href;
       const urlPath = window.location.pathname;
 
-      // Check if we're on the callback route with an authorization code
-      console.log('🔍 Checking OAuth callback:', { urlPath, hasCode: currentUrl.includes('code=') });
+      // Extract code from URL to create unique processing key
+      const urlParams = new URLSearchParams(window.location.search);
+      const code = urlParams.get('code');
+      const callbackKey = `oauth_callback_processed_${code}`;
+      
+      // Check if we've already processed this specific callback
+      const alreadyProcessed = sessionStorage.getItem(callbackKey);
 
-      if (urlPath === '/account/callback' && currentUrl.includes('code=')) {
+      console.log('🔍 Checking OAuth callback:', { 
+        urlPath, 
+        hasCode: currentUrl.includes('code='), 
+        processed: !!alreadyProcessed,
+        codePreview: code?.substring(0, 8) + '...'
+      });
+      
+      if (urlPath === '/account/callback' && code && !alreadyProcessed) {
+        // Mark this specific callback as being processed
+        sessionStorage.setItem(callbackKey, 'true');
+        
         console.log('🔄 OAuth callback detected:', currentUrl);
         try {
           const { authService } = await import('./lib/auth-service');
@@ -79,7 +174,24 @@ export default function App() {
           window.location.reload();
         } catch (error) {
           console.error('❌ OAuth callback failed:', error);
-          alert('Login failed: ' + (error as Error).message);
+          console.error('❌ Full error details:', {
+            name: (error as Error).name,
+            message: (error as Error).message,
+            stack: (error as Error).stack
+          });
+          
+          // Clear the processing flag on error so user can retry
+          sessionStorage.removeItem(callbackKey);
+          
+          // Show a more user-friendly error message
+          const errorMsg = (error as Error).message;
+          if (errorMsg.includes('invalid_grant')) {
+            alert('Login failed: Authorization code has already been used or expired.\n\nThis can happen if the login process runs multiple times. Please try logging in again.');
+          } else if (errorMsg.includes('Failed to fetch')) {
+            alert('Login failed: Unable to connect to authentication server. This may be a network or CORS issue.\n\nPlease check:\n1. Your internet connection\n2. If you are on a corporate network, contact your IT administrator\n3. Try refreshing the page');
+          } else {
+            alert('Login failed: ' + errorMsg);
+          }
           window.history.replaceState({}, document.title, '/');
         }
       }
@@ -443,6 +555,71 @@ export default function App() {
     updateStep(step.id, { logic: logicPatch } as any);
   }, [selectedNode]);
 
+  // Don't render anything until auth check is complete
+  if (!authChecked) {
+    // Check if we're on the logout completion page
+    const urlParams = new URLSearchParams(window.location.search);
+    const logoutComplete = urlParams.get('logout_complete');
+    
+    if (logoutComplete) {
+      return (
+        <div style={{ 
+          height: '100vh', 
+          display: 'flex', 
+          flexDirection: 'column',
+          alignItems: 'center', 
+          justifyContent: 'center',
+          backgroundColor: '#f5f5f5',
+          fontFamily: 'system-ui, -apple-system, sans-serif'
+        }}>
+          <div style={{
+            padding: '2rem',
+            backgroundColor: 'white',
+            borderRadius: '8px',
+            boxShadow: '0 2px 8px rgba(0,0,0,0.1)',
+            textAlign: 'center',
+            maxWidth: '400px'
+          }}>
+            <div style={{ fontSize: '48px', marginBottom: '1rem' }}>✅</div>
+            <h2 style={{ margin: '0 0 1rem 0', color: '#333' }}>Logout Successful</h2>
+            <p style={{ margin: '0', color: '#666' }}>
+              You have been logged out successfully.<br/>
+              Redirecting to login page...
+            </p>
+            <div style={{ 
+              marginTop: '1rem', 
+              padding: '0.5rem',
+              backgroundColor: '#f8f9fa',
+              borderRadius: '4px',
+              fontSize: '0.9em',
+              color: '#666'
+            }}>
+              <div className="spinner" style={{
+                display: 'inline-block',
+                width: '16px',
+                height: '16px',
+                border: '2px solid #ddd',
+                borderTop: '2px solid #007acc',
+                borderRadius: '50%',
+                animation: 'spin 1s linear infinite',
+                marginRight: '8px'
+              }}></div>
+              Please wait...
+            </div>
+          </div>
+          <style>{`
+            @keyframes spin {
+              0% { transform: rotate(0deg); }
+              100% { transform: rotate(360deg); }
+            }
+          `}</style>
+        </div>
+      );
+    }
+    
+    return null; // This prevents any UI from showing during redirect
+  }
+
   return (
     <div className="app-container">
       <TopBar 

editor/src/components/LoginPage.tsx

@@ -0,0 +1,80 @@
+import React, { useEffect } from 'react';
+import { useAuth } from '../lib/AuthProvider';
+
+export const LoginPage: React.FC = () => {
+  const { loginWithOAuth, error } = useAuth();
+
+  // Automatically redirect to OAuth on component mount
+  useEffect(() => {
+    const initiateLogin = async () => {
+      try {
+        await loginWithOAuth();
+      } catch (err) {
+        console.error('Auto-login failed:', err);
+      }
+    };
+
+    // Add a small delay to avoid potential race conditions
+    const timer = setTimeout(initiateLogin, 100);
+    return () => clearTimeout(timer);
+  }, [loginWithOAuth]);
+
+  // Only show this if there's an error
+  if (error) {
+    return (
+      <div className="login-page">
+        <div className="login-container">
+          <div className="login-header">
+            <div className="login-logo">
+              <svg width="48" height="48" viewBox="0 0 215 215">
+                <g>
+                  <path d="M198.385 0C207.593 0 215 7.40689 215 16.6155V198.385C215 207.593 207.593 215 198.385 215H85.5796C83.9781 215 82.6769 213.599 82.8771 211.997C92.9865 125.517 139.029 33.9316 169.558 0.300279C169.758 0.100093 170.058 0 170.358 0H198.385Z" fill="#EC691A"></path>
+                  <path d="M16.6155 0H153.843C154.143 0 154.344 0.400372 154.043 0.600559C97.2905 48.2449 52.5489 145.535 33.9316 212.298C33.5312 213.899 32.0298 215 30.4283 215H16.6155C7.40689 215 0 207.593 0 198.385V16.6155C0 7.40689 7.40689 0 16.6155 0Z" fill="#EC691A"></path>
+                </g>
+              </svg>
+            </div>
+            <h1 className="login-title">APP SCRIPT EDITOR</h1>
+            <p className="login-subtitle">Authentication Error</p>
+          </div>
+
+          <div className="login-content">
+            <div className="login-error">
+              <p>⚠️ {error}</p>
+            </div>
+
+            <button 
+              onClick={() => window.location.reload()}
+              className="login-button"
+            >
+              🔄 Try Again
+            </button>
+
+            <div className="login-info">
+              <p>Click to retry authentication</p>
+            </div>
+          </div>
+        </div>
+      </div>
+    );
+  }
+
+  // Show loading while redirecting to OAuth
+  return (
+    <div className="login-page">
+      <div className="login-container">
+        <div className="login-header">
+          <div className="login-logo">
+            <svg width="48" height="48" viewBox="0 0 215 215">
+              <g>
+                <path d="M198.385 0C207.593 0 215 7.40689 215 16.6155V198.385C215 207.593 207.593 215 198.385 215H85.5796C83.9781 215 82.6769 213.599 82.8771 211.997C92.9865 125.517 139.029 33.9316 169.558 0.300279C169.758 0.100093 170.058 0 170.358 0H198.385Z" fill="#EC691A"></path>
+                <path d="M16.6155 0H153.843C154.143 0 154.344 0.400372 154.043 0.600559C97.2905 48.2449 52.5489 145.535 33.9316 212.298C33.5312 213.899 32.0298 215 30.4283 215H16.6155C7.40689 215 0 207.593 0 198.385V16.6155C0 7.40689 7.40689 0 16.6155 0Z" fill="#EC691A"></path>
+              </g>
+            </svg>
+          </div>
+          <h1 className="login-title">APP SCRIPT EDITOR</h1>
+          <p className="login-subtitle">🔄 Redirecting to TrackMan login...</p>
+        </div>
+      </div>
+    </div>
+  );
+};

editor/src/components/TopBar.tsx

@@ -22,7 +22,7 @@ export const TopBar: React.FC<TopBarProps> = ({
   selectedFacilityId,
   onFacilitySelect 
 }) => {
-  const { isAuthenticated, isLoading, loginWithOAuth, logout } = useAuth();
+  const { isAuthenticated, isLoading, logout } = useAuth();
 
   const handleFacilitySelect = (facility: Facility | null) => {
     onFacilitySelect(facility);
@@ -59,11 +59,7 @@ export const TopBar: React.FC<TopBarProps> = ({
               <button onClick={logout} className="auth-button logout">
                 🔓 Logout
               </button>
-            ) : (
-              <button onClick={loginWithOAuth} className="auth-button login">
-                🔑 Login
-              </button>
-            )}
+            ) : null}
           </div>
           <BuildVersion />
         </div>

editor/src/lib/AuthProvider.tsx

@@ -46,23 +46,9 @@ export const AuthProvider: React.FC<AuthProviderProps> = ({ children }) => {
   };
 
   const login = async () => {
-    // This method is for client credential authentication (API-only access)
-    // For user authentication, use loginWithOAuth() instead
-    setIsLoading(true);
-    setError(null);
-    
-    try {
-      await authService.getAccessToken();
-      setIsAuthenticated(true);
-      console.log('✅ Successfully authenticated with client credentials');
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : 'Authentication failed';
-      setError(errorMessage);
-      setIsAuthenticated(false);
-      console.error('❌ Authentication failed:', errorMessage);
-    } finally {
-      setIsLoading(false);
-    }
+    // Client credential authentication has been removed - only OAuth login is supported
+    console.log('❌ Client credential login is no longer supported. Use OAuth login instead.');
+    throw new Error('Client credential authentication is disabled. Please use OAuth login.');
   };
 
   const loginWithOAuth = async () => {
@@ -85,19 +71,15 @@ export const AuthProvider: React.FC<AuthProviderProps> = ({ children }) => {
     setIsLoading(true);
     try {
       await authService.logoutOAuth();
-      // Update local state immediately since we're not redirecting
-      setIsAuthenticated(false);
-      setError(null);
-      console.log('🔓 Logged out successfully');
+      console.log('🔓 Logged out successfully, auth service will handle redirect...');
+      // Don't reload here - let the auth service handle the redirect to logout completion page
     } catch (err) {
       // Fallback to local logout if server logout fails
       console.warn('⚠️ Server logout failed, falling back to local logout:', err);
       authService.clearToken();
-      setIsAuthenticated(false);
-      setError(null);
-      console.log('🔓 Logged out locally');
-    } finally {
-      setIsLoading(false);
+      console.log('🔓 Logged out locally, redirecting to login...');
+      // Only reload if the auth service logout failed
+      window.location.reload();
     }
   };