feat: integrate Keycloak authentication and add Transcript GraphQL access

Author: keenthekeen

.github/workflows/build-pr.yml

@@ -8,57 +8,39 @@ on:
 
 jobs:
   laravel-tests:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
+    environment: Testing
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
         with:
-          # Make sure the actual branch is checked out when running on pull requests
-          ref: ${{ github.head_ref }}
-          # This is important to fetch the changes to the previous commit
-          fetch-depth: 0
-      - uses: shivammathur/setup-php@v2
+          php-version: '8.4'
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+      - name: Setup Node.js & pnpm
+        uses: actions/setup-node@v4
         with:
-          php-version: '8.3'
-      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+          node-version: lts/*
+          cache: 'pnpm'
+      - name: Cache Composer dependencies
+        uses: actions/cache@v4
         with:
-          node-version: 22.x
-      - uses: pnpm/action-setup@v2
-        name: Install pnpm
-        with:
-          version: 10
-          run_install: false
-      - name: Get pnpm store directory
-        shell: bash
-        run: |
-          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-      - uses: actions/cache@v3
-        name: Setup pnpm cache
-        with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          path: vendor
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
           restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+            ${{ runner.os }}-composer-
       - name: Copy .env
         run: php -r "file_exists('.env') || copy('.env.example', '.env');"
-      - name: Install Dependencies
+      - name: Install PHP Dependencies
         run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist
-      - name: Generate key
+      - name: Generate Laravel key
         run: php artisan key:generate
-      - name: Directory Permissions
+      - name: Set Directory Permissions
         run: chmod -R 777 storage bootstrap/cache
-      - name: Create Database
-        run: |
-          mkdir -p database
-          touch database/database.sqlite
-      - name: Install JS Dependencies
-        run: pnpm install
-      - name: Build JS assets
-        run: pnpm run build
-      - name: Execute tests
-        env:
-          DB_CONNECTION: sqlite
-          DB_DATABASE: database/database.sqlite
-        run: php artisan test
+      - name: Install & Build JS
+        run: pnpm install && pnpm run build
+      - name: Run Tests
+        run: ./vendor/bin/pest --parallel

app/Exceptions/Handler.php

@@ -0,0 +1,11 @@
+<?php declare(strict_types=1);
+
+namespace App\GraphQL\Types\User;
+
+use App\Models\User;
+
+final readonly class Transcript {
+    public function __invoke(User $user, array $args): array {
+        return $user->getActivityTranscript()->toArray();
+    }
+}

app/GraphQL/Types/User/Transcript.php

@@ -6,6 +6,7 @@
 use App\ProjectClosureStatus;
 use Carbon\Carbon;
 use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Casts\Attribute;
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
@@ -122,6 +123,10 @@ public function getNumber(): string {
         return $this->year . '-' . $this->number;
     }
 
+    public function identifier(): Attribute {
+        return Attribute::make(fn() => "{$this->year}-{$this->number}");
+    }
+
     public static function latestOfYear(?int $year): ?self {
         return self::where('year', $year ?? (date('Y') + 543))->orderByDesc('number')->first();
     }

app/Models/Project.php

@@ -116,6 +116,7 @@ public function getActivityTranscript() {
             ->sortByDesc('project.period_end')
             ->map(function ($participant): array {
             return ($participant->project_type == 'App\Models\Project') ? [
+                'id' => $participant->id,
                 'identifier' => $participant->project->year.'-'.$participant->project->number,
                 'project_id' => $participant->project->id,
                 'name' => $participant->project->name,
@@ -127,6 +128,7 @@ public function getActivityTranscript() {
                 'approve_status' => $participant->approve_status,
                 'title' => $participant->title,
             ] : [
+                'id' => $participant->id,
                 'identifier' => 'A'.$participant->project->id,
                 'activity_id' => $participant->project->id,
                 'name' => $participant->project->name,

app/Models/User.php

@@ -6,7 +6,9 @@
 use App\Models\Project;
 use App\Models\User;
 use Illuminate\Auth\Access\Response;
+use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
 use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Gate;
 
 class AuthServiceProvider extends ServiceProvider
@@ -57,7 +59,19 @@ public function boot()
             return in_array('faculty', $userRoles) or in_array('activity', $userRoles);
         });
         Gate::define('view-transcript', function (User $user) {
-            return in_array('view_transcript', explode(',', $user->roles)) or $user->can('create-activity');
+            return in_array('view_transcript', explode(',', $user->roles)) or $user->can('create-activity') or $user->can('admin-action');
+        });
+
+        // API permissions
+        Gate::define('api-access', function (AuthenticatableContract $user) {
+            if ($user instanceof User) {
+                return $user->can('view-transcript');
+            }
+            if ($user instanceof \KeycloakGuard\User) {
+                return Auth::hasScope('students_activity');
+            }
+
+            return false;
         });
     }
 }

app/Providers/AuthServiceProvider.php

@@ -3,12 +3,14 @@
 use Illuminate\Foundation\Application;
 use Illuminate\Foundation\Configuration\Exceptions;
 use Illuminate\Foundation\Configuration\Middleware;
+use KeycloakGuard\Exceptions\TokenException;
+use Sentry\Laravel\Integration;
 
 return Application::configure(basePath: dirname(__DIR__))
     ->withRouting(
         web: __DIR__.'/../routes/web.php',
-        commands: __DIR__.'/../routes/console.php',
         api: __DIR__.'/../routes/api.php',
+        commands: __DIR__.'/../routes/console.php',
         health: '/up',
     )
     ->withMiddleware(function (Middleware $middleware) {
@@ -20,5 +22,12 @@
         ]);
     })
     ->withExceptions(function (Exceptions $exceptions) {
-        //
+        $exceptions->render(function (TokenException $e) {
+            return response()->json([
+                'message' => $e->getMessage(),
+            ], 401);
+        });
+        if (app()->bound('sentry') and config('app.env') === 'production') {
+            Integration::handles($exceptions);
+        }
     })->create();

bootstrap/app.php

@@ -18,7 +18,10 @@
         "laravel/sanctum": "^4.0",
         "laravel/socialite": "^5.2",
         "laravel/tinker": "^2.7",
+        "mll-lab/laravel-graphiql": "^4.0",
+        "nuwave/lighthouse": "^6.63",
         "openpsa/ranger": "^0.5.2",
+        "overtrue/laravel-keycloak-guard": "dev-master",
         "phpoffice/phpspreadsheet": "^5.0",
         "phpoffice/phpword": "^1.2",
         "sentry/sentry-laravel": "^4.4",
@@ -31,10 +34,16 @@
         "fakerphp/faker": "^1.9.1",
         "mockery/mockery": "^1.4.2",
         "nunomaduro/collision": "^8.1",
-        "pestphp/pest": "^3.0",
-        "pestphp/pest-plugin-laravel": "^3.0",
+        "pestphp/pest": "^4.0",
+        "pestphp/pest-plugin-laravel": "^4.0",
         "spatie/laravel-ignition": "^2.0"
     },
+    "repositories": [
+        {
+            "type": "vcs",
+            "url": "https://github.com/keenthekeen/laravel-keycloak-guard.git"
+        }
+    ],
     "autoload": {
         "psr-4": {
             "App\\": "app/",