Temp User Implementation Guide
Database Schema Changes Required
To implement the temp user type functionality, you need to add the following columns to your NocoDB Login table:
Required Columns:
- UserType (Single Select)
- Options: "admin", "user", "temp"
- Default: "user"
- Description: Defines the user's permission level
Optional Columns for Time-Based Expiration:
- ExpiresAt (DateTime, nullable): when the account expires (for temp users)
- CreatedAt (DateTime, default: now()): when the account was created
- ExpireDays (Integer, nullable): number of days until expiration (set by admin)
Temp User Permissions
✅ Allowed Actions:
- Login and view map (if not expired)
- Add new locations
- Edit existing locations
❌ Restricted Actions:
- Delete locations
- Access shifts page (/shifts.html)
- Access user profile page (/user.html)
- Access admin panel (/admin.html)
- Search database (only documentation search available)
- Move location markers
- Login after expiration date (expired temp users are blocked)
Expiration Validation
The system now includes comprehensive expiration validation for temp users:
- Login Validation: Expired temp users cannot login
- Session Validation: Expired temp users are automatically logged out
- Middleware Checks: All authenticated routes verify temp user expiration
- Frontend Handling: Expired users receive clear error messages
Expiration Flow:
- User attempts login → System checks if temp user is expired → Blocks login if expired
- Authenticated user makes request → Middleware checks expiration → Logs out if expired
- Frontend auth check → Detects expiration → Shows message and redirects to login
Implementation Summary
The implementation adds:
- Backend Changes:
- New middleware functions: requireNonTemp, requireDeletePermission
- Updated auth controller to handle userType in sessions
- Expiration validation during login (prevents expired temp users from logging in)
- Session expiration checks in all auth middleware
- Protected routes for shifts and user pages
- Updated users controller to support user type and expiration
- Optional account expiration service
- Frontend Changes:
- User type checking in authentication
- Expiration handling in auth check with user feedback
- Conditional UI element hiding for temp users
- Restricted search functionality
- Visual indicators (temp badge)
- Updated admin panel for creating temp users
- Login page expiration message display
- Admin Panel Enhancements:
- User type selection dropdown (admin/user/temp)
- Expiration days field for temp users
- Enhanced user table with type and expiration display
- Visual indicators for expiring accounts
- Database Integration:
- Session storage of user type
- User type validation during login
- Optional expiration date handling
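The expiration flow and the backend middleware listed above, as an added example that is not the project's own code. It assumes Express-style (req, res, next) middleware, that the login controller copies the NocoDB row's UserType and ExpiresAt into req.session as userType and expiresAt, and a cookie-session style logout by setting req.session to null; the runMiddleware helper is a constructed test harness.

```javascript
// Added example, not the project's own code. Assumes the login controller
// stores the NocoDB row's UserType/ExpiresAt in req.session (userType, expiresAt).

// A temp user is expired once ExpiresAt is in the past; other user types never expire.
function isExpiredTempUser(session, now = new Date()) {
  if (!session || session.userType !== 'temp' || !session.expiresAt) return false;
  return new Date(session.expiresAt).getTime() <= now.getTime();
}

// Login-time check: refuses an expired temp account before any session is created.
function validateLogin(row, now = new Date()) {
  const session = { userType: row.UserType, expiresAt: row.ExpiresAt };
  if (isExpiredTempUser(session, now)) return { ok: false, reason: 'expired' };
  return { ok: true, session };
}

// Derives ExpiresAt from CreatedAt + ExpireDays when an admin creates a temp user.
function computeExpiresAt(createdAt, expireDays) {
  const d = new Date(createdAt);
  d.setUTCDate(d.getUTCDate() + expireDays);
  return d.toISOString();
}

// Runs on every authenticated route: logs out expired temp users with 401, else continues.
function requireAuth(req, res, next) {
  if (!req.session || !req.session.userType) return res.status(401).json({ error: 'login required' });
  if (isExpiredTempUser(req.session)) {
    req.session = null; // assumption: cookie-session style logout
    return res.status(401).json({ error: 'account expired', expired: true });
  }
  return next();
}

// Blocks temp users from shifts/user/admin pages and from deleting locations with 403.
function requireNonTemp(req, res, next) {
  if (req.session.userType === 'temp') return res.status(403).json({ error: 'forbidden for temp users' });
  return next();
}
const requireDeletePermission = requireNonTemp;

// Constructed test harness: run one middleware against a fake req/res and report the outcome.
function runMiddleware(mw, session) {
  const out = { status: 200, body: null, nextCalled: false };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  mw({ session }, res, () => { out.nextCalled = true; });
  return out;
}
```

Mount requireAuth on every authenticated route and requireNonTemp on /shifts.html, /user.html, /admin.html and the delete-location handler so the 401/403 responses match the rules above.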
Testing Checklist
- Create test users in NocoDB with different UserType values
- Test login with each user type
- Test that expired temp users cannot login
- Test that expired temp users are logged out during session
- Verify temp users cannot access restricted features
- Test that temp users can add and edit but not delete locations
- Confirm UI elements are properly hidden for temp users
- Verify expiration messages are displayed correctly
- Test admin panel temp user creation with expiration dates
Security Notes
- Temp users have limited permissions enforced at both frontend and backend levels
- All restricted routes return 403 errors for temp users
- Expired temp users are blocked from login and automatically logged out
- Expiration validation occurs at multiple checkpoints (login, middleware, auth check)
- Session includes userType for authorization checks
- Frontend restrictions are backed by server-side validation
- Clear user feedback for expired accounts prevents confusion
Future Enhancements
- Email notifications before account expiration
- Bulk management of temp accounts
- Admin dashboard widgets for temp account monitoring
- Configurable default expiration periods