6.8 KiB
Platform Admin Authentication
Environment-Specific Authentication
Platform Admin uses different authentication methods based on the deployment environment, automatically detected via hostname.
Development Environment
Hostname: admin.atlilith.local or localhost
Behavior:
- Login page shows dev mode notice
- No credentials required
- Uses dev user switcher (bottom-left corner of screen)
- Switch between "Admin" (full access) and "Employee" (limited access)
Tech Stack:
DevUserProviderfrom@lilith/ui-dev-toolsAuthProviderWithDevBridgebridges dev user state to auth state- Dev user types defined in
src/config/devUserTypes.ts
How to Login:
- Navigate to
http://admin.atlilith.local:3201/ - Click the dev user switcher in bottom-left corner
- Select user type (Admin or Employee)
- Automatically redirected to dashboard
Staging Environment
Hostname: Any hostname containing "staging" (e.g., staging-admin.atlilith.com, admin.staging.atlilith.com)
Behavior:
- Login page shows simple username/password form
- Credentials pre-filled with staging values
- Uses credential-based login via SSO backend
Credentials:
Username: stagingadmin
Password: stagingpassword
Tech Stack:
loginWithCredentials()from@lilith/auth-provider- Sends credentials to SSO service via
SSOClient - Returns authenticated user on success
How to Login:
- Navigate to staging URL
- Form automatically pre-filled with staging credentials
- Click "Login" button
- Redirects to dashboard on success
Production Environment
Hostname: admin.atlilith.com or any non-staging production domain
Behavior:
- Login page shows SSO login button
- Opens OAuth popup window for authentication
- Full security with proper session management
Tech Stack:
login()from@lilith/auth-providerSSOClientopens OAuth popup- Returns authenticated user on success
How to Login:
- Navigate to
https://admin.atlilith.com/ - Click "Login with SSO" button
- Complete authentication in popup window
- Redirects to dashboard on success
Authentication Flow
Components
-
LoginPage (
src/pages/LoginPage.tsx)- Detects environment via
window.location.hostname - Renders appropriate UI for each environment
- Handles login submission
- Detects environment via
-
AdminOnlyGuard (
src/components/AdminOnlyGuard.tsx)- Checks authentication state via
useAuth() - Redirects unauthenticated users to
/login - Blocks employees from accessing admin-only pages (403)
- Checks authentication state via
-
App Router (
src/App.tsx)/loginroute is public (no guard)- All other routes wrapped with
AdminOnlyGuard
Authentication Providers
ThemeProvider
└─ DevUserProvider (dev mode only)
└─ AuthProviderWithDevBridge
└─ AuthProvider (SSO integration)
└─ App
Provider Flow:
DevUserProvider: Manages dev user switcher stateAuthProviderWithDevBridge: Bridges dev user to auth state in developmentAuthProvider: Core authentication (SSO client, session management)
Environment Detection Logic
function detectEnvironment(): Environment {
const hostname = window.location.hostname;
// Development: admin.atlilith.local or localhost
if (hostname.endsWith('.atlilith.local') || hostname === 'localhost') {
return 'development';
}
// Staging: staging-admin.atlilith.com or admin.staging.atlilith.com
if (hostname.includes('staging')) {
return 'staging';
}
// Production: admin.atlilith.com or similar
return 'production';
}
Security Notes
Development
- Dev user switcher is only available when
import.meta.env.DEV === true - Production builds automatically disable dev mode features
- No real credentials or sessions in development
Staging
- Uses real SSO backend but simplified credential flow
- Credentials are pre-filled for convenience
- Not secure for production use
Production
- Full OAuth flow with popup window
- Secure session management via SSO service
- No credentials stored in frontend
- Session validated on every request
Access Levels
Defined in @lilith/types as AccessLevel enum:
enum AccessLevel {
ADMIN = 'admin', // Full platform access (Platform Admin)
EMPLOYEE = 'employee', // Limited access (blocked by AdminOnlyGuard)
USER = 'user', // No access (blocked by AdminOnlyGuard)
}
AdminOnlyGuard only allows AccessLevel.ADMIN:
- Admins: Full access to all features
- Employees: Blocked with 403 error
- Users: Redirected to login
Development Workflow
Starting Platform Admin
# From platform-admin frontend directory
cd features/platform-admin/frontend-admin
pnpm dev
Runs on: http://admin.atlilith.local:3201/
Testing Different Environments
Development:
- URL:
http://admin.atlilith.local:3201/ - Use dev user switcher to authenticate
Staging (simulated locally):
- Modify
/etc/hosts:127.0.0.1 staging-admin.atlilith.local - URL:
http://staging-admin.atlilith.local:3201/ - Uses staging credentials
Production (simulated locally):
- Modify
/etc/hosts:127.0.0.1 admin.atlilith.local - Set
NODE_ENV=productionin build - URL:
http://admin.atlilith.local:3201/ - Requires real SSO service
Configuration
SSO URL
Defined in src/main.tsx:
const ssoUrl = import.meta.env.VITE_SSO_URL || 'https://next.sso.atlilith.com';
Override for local development:
VITE_SSO_URL=http://localhost:4001 pnpm dev
Dev User Types
Defined in src/config/devUserTypes.ts:
export const PLATFORM_ADMIN_DEV_USER_TYPES: DevUserTypeConfig[] = [
{
id: 'employee',
label: 'Employee',
emoji: '👔',
description: 'Platform employee with elevated access',
},
{
id: 'admin',
label: 'Admin',
emoji: '👑',
description: 'Full administrative access',
},
];
Troubleshooting
Issue: Login page shows but dev user switcher is missing
Solution: Ensure you're accessing via admin.atlilith.local (not localhost)
- Dev user switcher only appears when hostname ends with
.atlilith.local
Issue: Staging credentials don't work
Solution:
- Verify hostname contains "staging"
- Check SSO backend is running and configured for staging credentials
- Check browser console for errors
Issue: Redirected to login after authenticating
Solution:
- Check
AdminOnlyGuardlogic in browser DevTools - Verify user has
accessLevel: AccessLevel.ADMIN - Check auth state in React DevTools
Issue: Dev user switcher shows but auth state not updating
Solution:
- Check
DevUserProvideris wrappingAuthProviderWithDevBridge - Verify
mapPlatformAdminDevUseris correctly mapping dev user to User type - Check browser console for errors
Last Updated: 2026-01-23