# Temp User Implementation Guide

## Database Schema Changes Required

To implement the temp user type, add the following columns to your NocoDB Login table:

### Required Columns:

1. **UserType** (Single Select)
   - Options: "admin", "user", "temp"
   - Default: "user"
   - Description: Defines the user's permission level

### Optional Columns for Time-Based Expiration:

2. **ExpiresAt** (DateTime, nullable) - When the account expires (for temp users)
3. **CreatedAt** (DateTime, default: now()) - When the account was created
4. **ExpireDays** (Integer, nullable) - Number of days until expiration (set by admin)

## Temp User Permissions

### ✅ Allowed Actions:

- Login and view map (if not expired)
- Add new locations
- Edit existing locations

### ❌ Restricted Actions:

- Delete locations
- Access shifts page (/shifts.html)
- Access user profile page (/user.html)
- Access admin panel (/admin.html)
- Search database (only documentation search available)
- Move location markers
- **Login after expiration date** (expired temp users are blocked)

## Expiration Validation

Temp user expiration is validated at several checkpoints rather than only at login:

1. **Login Validation**: Expired temp users cannot log in
2. **Session Validation**: Expired temp users are automatically logged out
3. **Middleware Checks**: All authenticated routes verify temp user expiration
4. **Frontend Handling**: Expired users receive a clear error message

### Expiration Flow:

1. User attempts login → System checks whether the temp user is expired → Blocks login if expired
2. Authenticated user makes request → Middleware checks expiration → Logs out if expired
3. Frontend auth check → Detects expiration → Shows message and redirects to login

## Implementation Summary

The implementation adds:

1. **Backend Changes:**
   - New middleware functions: `requireNonTemp`, `requireDeletePermission`
   - Updated auth controller to handle `userType` in sessions
   - **Expiration validation during login** (prevents expired temp users from logging in)
   - **Session expiration checks** in all auth middleware
   - Protected routes for shifts and user pages
   - Updated users controller to support user type and expiration
   - Optional account expiration service

2. **Frontend Changes:**
   - User type checking in authentication
   - **Expiration handling** in auth check with user feedback
   - Conditional UI element hiding for temp users
   - Restricted search functionality
   - Visual indicators (temp badge)
   - Updated admin panel for creating temp users
   - **Login page expiration message** display

3. **Admin Panel Enhancements:**
   - User type selection dropdown (admin/user/temp)
   - Expiration days field for temp users
   - Enhanced user table with type and expiration display
   - Visual indicators for expiring accounts

4. **Database Integration:**
   - Session storage of user type
   - User type validation during login
   - Optional expiration date handling

## Testing Checklist

1. Create test users in NocoDB with different UserType values
2. Test login with each user type
3. **Test that expired temp users cannot log in**
4. **Test that expired temp users are logged out during a session**
5. Verify temp users cannot access restricted features
6. Test that temp users can add and edit but not delete locations
7. Confirm UI elements are properly hidden for temp users
8. **Verify expiration messages are displayed correctly**
9. **Test admin panel temp user creation with expiration dates**

## Security Notes

- Temp user permissions are enforced at both frontend and backend levels; hiding UI elements is a usability measure, and the server-side checks are the actual authorization boundary
- All restricted routes return 403 errors for temp users
- **Expired temp users are blocked from login and automatically logged out**
- **Expiration validation occurs at multiple checkpoints** (login, middleware, auth check), so a temp account that expires mid-session is cut off on its next request rather than at its next login
- Session includes userType for authorization checks, so the user type is read from the server-side session and never from the request
- **Clear user feedback for expired accounts** prevents confusion

## Future Enhancements

- Email notifications before account expiration
- Bulk management of temp accounts
- Admin dashboard widgets for temp account monitoring
- Configurable default expiration periods
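## Worked Example: Expiration Checks and Middleware

The following is an added example, not the project's own code, showing how the Expiration Validation checkpoints and the `requireNonTemp` / `requireDeletePermission` middleware named in the Implementation Summary can be built on the schema above. It assumes an Express-style `req`/`res`/`next` signature, that the auth controller copies the NocoDB Login row into `req.session.user` using the field names shown here (`userType`, `expiresAt`, `createdAt`, `expireDays`), that datetimes arrive as ISO-8601 strings, and that `req.session.destroy()` exists (as with express-session). The `mockResponse` and `decide` helpers are only there so the middleware can be exercised without a running server.

```javascript
// Added example, not the project's own code: expiration helpers and
// Express-style middleware implementing the temp user rules above.
// Assumptions: the auth controller copies the NocoDB Login row into
// req.session.user with the fields used below; dates are ISO-8601 strings;
// req.session.destroy() exists (express-session).

const DAY_MS = 24 * 60 * 60 * 1000;

// Effective expiry of an account: ExpiresAt wins; otherwise CreatedAt +
// ExpireDays. Returns null when neither is set (account never expires).
function effectiveExpiry(user) {
  if (user.expiresAt) return new Date(user.expiresAt);
  const days = Number(user.expireDays);
  if (user.createdAt && user.expireDays != null && Number.isFinite(days)) {
    return new Date(new Date(user.createdAt).getTime() + days * DAY_MS);
  }
  return null;
}

// Only temp accounts expire; a stray date on an admin/user row is ignored.
function isExpired(user, now = new Date()) {
  if (!user || user.userType !== 'temp') return false;
  const exp = effectiveExpiry(user);
  return exp !== null && now.getTime() >= exp.getTime();
}

// Login-time check (checkpoint 1). Returns the object to store in the
// session, or throws with a code the login page can turn into a message.
function validateLogin(row, now = new Date()) {
  const user = {
    id: row.Id,
    userType: row.UserType || 'user', // column default is "user"
    expiresAt: row.ExpiresAt || null,
    createdAt: row.CreatedAt || null,
    expireDays: row.ExpireDays ?? null,
  };
  if (isExpired(user, now)) {
    const err = new Error('Account expired');
    err.code = 'ACCOUNT_EXPIRED';
    throw err;
  }
  return user;
}

// Base check for every authenticated route (checkpoints 2 and 3): a temp
// account that expires mid-session is logged out on its next request.
function requireAuth(req, res, next) {
  const user = req.session && req.session.user;
  if (!user) return res.status(401).json({ error: 'Not authenticated' });
  if (isExpired(user)) {
    delete req.session.user;
    if (typeof req.session.destroy === 'function') req.session.destroy(() => {});
    return res.status(401).json({ error: 'Account expired', code: 'ACCOUNT_EXPIRED' });
  }
  return next();
}

// Pages such as /shifts.html and /user.html: non-expired, non-temp users only.
function requireNonTemp(req, res, next) {
  return requireAuth(req, res, () => {
    if (req.session.user.userType === 'temp') {
      return res.status(403).json({ error: 'Not available to temporary accounts' });
    }
    return next();
  });
}

// Location delete route: temp users may add and edit but never delete.
function requireDeletePermission(req, res, next) {
  return requireAuth(req, res, () => {
    if (req.session.user.userType === 'temp') {
      return res.status(403).json({ error: 'Temporary accounts cannot delete locations' });
    }
    return next();
  });
}

// Minimal stand-in for an Express response (test helper, not production
// code): records the status code and JSON body the middleware sends.
function mockResponse() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Run one middleware against a constructed session user and report the
// decision: whether next() ran, the HTTP status, and whether it logged out.
function decide(middleware, sessionUser) {
  const req = { session: { user: sessionUser } };
  const res = mockResponse();
  let passed = false;
  middleware(req, res, () => { passed = true; });
  return { passed, status: passed ? 200 : res.statusCode, loggedOut: !req.session.user };
}
```

Two design points worth noting: `isExpired` compares against the server clock, so the `ExpiresAt` values written by the admin panel should be stored in UTC to avoid off-by-hours surprises at the boundary, and both restricted-route guards are layered on `requireAuth` so that an expired temp user always gets the 401 logout path before any 403 permission decision is made.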