UI: (Enterprise) Login form customization feature (hashicorp#30700)

* add request for custom login settings to auth route

* add tests to page integration before updating logic

* make tab component tests

* move form state logic to parent page component

* test updates for sanitizing query param in auth route

* add custom login feature

* add test for fetching login settings on ent only

* add changelog

* reword changelog

* rename variable from showOtherMethods to showAlternateView

* cleanup store

* cleanup comments per PR feedback

* abc

* VAULT-34672 render line breaks in description

* update endpoints after testing with live api

* add test coverage

* word

* remove backup types from test-ns for testing

* change to manually log in

* add error handling for no login settings

* add inheritance badge and make list item linkable

Author: hellobontempo

changelog/30700.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+**Login form customization** (enterprise): Adds support to choose a default and/or backup auth methods for the web UI login form to streamline the web UI login experience.
+```

ui/app/components/auth/form-template.hbs

@@ -3,105 +3,103 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<div {{did-insert this.initializeState}}>
-  {{#if this.formComponent}}
-    {{#let (component this.formComponent) as |AuthFormComponent|}}
-      {{! renders Auth::Form::Base or Auth::Form::<Type>}}
-      <AuthFormComponent
-        @authType={{this.selectedAuthMethod}}
-        @cluster={{@cluster}}
-        @onError={{this.handleError}}
-        @onSuccess={{@onSuccess}}
-      >
-        <:namespace>
-          {{#if (has-feature "Namespaces")}}
-            <Auth::NamespaceInput
-              @disabled={{@oidcProviderQueryParam}}
-              @hvdManagedNamespace={{this.flags.hvdManagedNamespaceRoot}}
-              @namespaceValue={{this.namespaceInput}}
-              @updateNamespace={{this.handleNamespaceUpdate}}
-            />
-          {{/if}}
-        </:namespace>
+{{#if this.formComponent}}
+  {{#let (component this.formComponent) as |AuthFormComponent|}}
+    {{! renders Auth::Form::Base or Auth::Form::<Type>}}
+    <AuthFormComponent
+      @authType={{this.selectedAuthMethod}}
+      @cluster={{@cluster}}
+      @onError={{this.handleError}}
+      @onSuccess={{@onSuccess}}
+    >
+      <:namespace>
+        {{#if (has-feature "Namespaces")}}
+          <Auth::NamespaceInput
+            @disabled={{@oidcProviderQueryParam}}
+            @hvdManagedNamespace={{this.flags.hvdManagedNamespaceRoot}}
+            @namespaceValue={{this.namespaceInput}}
+            @updateNamespace={{this.handleNamespaceUpdate}}
+          />
+        {{/if}}
+      </:namespace>
 
-        <:back>
-          {{#if this.showOtherMethods}}
-            <Hds::Button
-              @text="Back"
-              {{on "click" this.toggleView}}
-              @color="tertiary"
-              @icon="arrow-left"
-              data-test-back-button
+      <:back>
+        {{#if this.showAlternateView}}
+          <Hds::Button
+            @text="Back"
+            {{on "click" this.toggleView}}
+            @color="tertiary"
+            @icon="arrow-left"
+            data-test-back-button
+          />
+        {{/if}}
+      </:back>
+
+      {{! DIRECT LINK, TABS OR DROPDOWN }}
+      <:authSelectOptions>
+        <div class="has-bottom-margin-m">
+          {{#if this.tabData}}
+            <Auth::Tabs
+              @authTabData={{this.tabData}}
+              @handleTabClick={{this.setAuthType}}
+              @selectedAuthMethod={{this.selectedAuthMethod}}
             />
+          {{else}}
+            {{! Fallback is dropdown with all auth methods }}
+            <Hds::Form::Select::Field
+              name="selectedAuthMethod"
+              {{on "input" this.setTypeFromDropdown}}
+              data-test-select="auth type"
+              as |F|
+            >
+              <F.Label class="has-top-margin-m">Method</F.Label>
+              <F.Options>
+                {{#each this.supportedAuthTypes as |type|}}
+                  <option selected={{eq this.selectedAuthMethod type}} value={{type}}>
+                    {{auth-display-name type}}
+                  </option>
+                {{/each}}
+              </F.Options>
+            </Hds::Form::Select::Field>
           {{/if}}
-        </:back>
-
-        {{! DIRECT LINK, TABS OR DROPDOWN }}
-        <:authSelectOptions>
-          <div class="has-bottom-margin-m">
-            {{#if this.showCustomAuthOptions}}
-              <Auth::Tabs
-                @authTabData={{this.tabData}}
-                @handleTabClick={{this.setAuthType}}
-                @selectedAuthMethod={{this.selectedAuthMethod}}
-              />
-            {{else}}
-              {{! fallback view is the dropdown with all auth methods }}
-              <Hds::Form::Select::Field
-                name="selectedAuthMethod"
-                {{on "input" this.setTypeFromDropdown}}
-                data-test-select="auth type"
-                as |F|
-              >
-                <F.Label class="has-top-margin-m">Auth method</F.Label>
-                <F.Options>
-                  {{#each this.availableMethodTypes as |type|}}
-                    <option selected={{eq this.selectedAuthMethod type}} value={{type}}>
-                      {{auth-display-name type}}
-                    </option>
-                  {{/each}}
-                </F.Options>
-              </Hds::Form::Select::Field>
-            {{/if}}
-          </div>
-        </:authSelectOptions>
+        </div>
+      </:authSelectOptions>
 
-        <:error>
-          {{#if this.errorMessage}}
-            <MessageError @errorMessage={{this.errorMessage}} />
-          {{/if}}
-        </:error>
+      <:error>
+        {{#if this.errorMessage}}
+          <MessageError @errorMessage={{this.errorMessage}} />
+        {{/if}}
+      </:error>
 
-        <:advancedSettings>
-          {{! custom auth options render their own mount path inputs and token does not support custom paths }}
-          {{#if (and (not this.showCustomAuthOptions) (not-eq this.selectedAuthMethod "token"))}}
-            <Hds::Reveal @text="Advanced settings" data-test-auth-form-options-toggle class="is-fullwidth">
-              <Hds::Form::TextInput::Field name="path" data-test-input="path" as |F|>
-                <F.Label class="has-top-margin-m">Mount path</F.Label>
-                <F.HelperText>
-                  If this authentication method was mounted using a non-default path, input it below. Otherwise Vault will
-                  assume the default path
-                  <Hds::Text::Code class="code-in-text">{{this.selectedAuthMethod}}</Hds::Text::Code>
-                  .</F.HelperText>
-              </Hds::Form::TextInput::Field>
-            </Hds::Reveal>
-          {{/if}}
-        </:advancedSettings>
+      <:advancedSettings>
+        {{! custom auth options render their own mount path inputs and token does not support custom paths }}
+        {{#unless this.hideAdvancedSettings}}
+          <Hds::Reveal @text="Advanced settings" data-test-auth-form-options-toggle class="is-fullwidth">
+            <Hds::Form::TextInput::Field name="path" data-test-input="path" as |F|>
+              <F.Label class="has-top-margin-m">Mount path</F.Label>
+              <F.HelperText>
+                If this authentication method was mounted using a non-default path, input it below. Otherwise Vault will
+                assume the default path
+                <Hds::Text::Code class="code-in-text">{{this.selectedAuthMethod}}</Hds::Text::Code>
+                .</F.HelperText>
+            </Hds::Form::TextInput::Field>
+          </Hds::Reveal>
+        {{/unless}}
+      </:advancedSettings>
 
-        <:footer>
-          {{#if this.showCustomAuthOptions}}
-            <Hds::Button
-              {{on "click" this.toggleView}}
-              @color="tertiary"
-              @icon="arrow-right"
-              @iconPosition="trailing"
-              @isInline={{true}}
-              @text="Sign in with other methods"
-              data-test-other-methods-button
-            />
-          {{/if}}
-        </:footer>
-      </AuthFormComponent>
-    {{/let}}
-  {{/if}}
-</div>
+      <:footer>
+        {{#if (and @alternateView (not this.showAlternateView))}}
+          <Hds::Button
+            {{on "click" this.toggleView}}
+            @color="tertiary"
+            @icon="arrow-right"
+            @iconPosition="trailing"
+            @isInline={{true}}
+            @text="Sign in with other methods"
+            data-test-other-methods-button
+          />
+        {{/if}}
+      </:footer>
+    </AuthFormComponent>
+  {{/let}}
+{{/if}}

ui/app/components/auth/form-template.ts

@@ -10,12 +10,10 @@ import { action } from '@ember/object';
 import { supportedTypes } from 'vault/utils/supported-login-methods';
 import { getRelativePath } from 'core/utils/sanitize-path';
 
-import type AuthService from 'vault/vault/services/auth';
 import type FlagsService from 'vault/services/flags';
-import type Store from '@ember-data/store';
 import type VersionService from 'vault/services/version';
 import type ClusterModel from 'vault/models/cluster';
-import type { UnauthMountsByType, AuthTabMountData } from 'vault/vault/auth/form';
+import type { UnauthMountsByType } from 'vault/vault/auth/form';
 import type { HTMLElementEvent } from 'vault/forms';
 
 /**
@@ -29,71 +27,82 @@ import type { HTMLElementEvent } from 'vault/forms';
  * dynamically renders the corresponding form.
  *
  *
+ * @param {object | null} alternateView - if an alternate view exists, this is the `FormView` (see interface below) data to render that view.
  * @param {string} canceledMfaAuth - saved auth type from a cancelled mfa verification
  * @param {object} cluster - The route model which is the ember data cluster model. contains information such as cluster id, name and boolean for if the cluster is in standby
- * @param {object} directLinkData - mount data built from the "with" query param. If param is a mount path and maps to a visible mount, the login form defaults to this mount. Otherwise the form preselects the passed auth type.
+ * @param {object} defaultView - The `FormView` (see the interface below) data to render the initial view.
  * @param {function} handleNamespaceUpdate - callback task that passes user input to the controller and updates the namespace query param in the url
+ * @param {object} initialFormState - sets selectedAuthMethod and showAlternateView based on the login form configuration computed in parent component
  * @param {string} namespaceQueryParam - namespace query param from the url
  * @param {string} oidcProviderQueryParam - oidc provider query param, set in url as "?o=someprovider". if present, disables the namespace input
  * @param {function} onSuccess - callback after the initial authentication request, if an mfa_requirement exists the parent renders the mfa form otherwise it fires the authSuccess action in the auth controller and handles transitioning to the app
- * @param {object} visibleMountsByType - auth methods to render as tabs, contains mount data for any mounts with listing_visibility="unauth"
+ * @param {array} visibleMountTypes - array of auth method types that have mounts with listing_visibility="unauth"
  *
  * */
 
 interface Args {
-  canceledMfaAuth: string;
+  alternateView: FormView | null;
   cluster: ClusterModel;
-  directLinkData: (AuthTabMountData & { isVisibleMount: boolean }) | null;
+  defaultView: FormView;
   handleNamespaceUpdate: CallableFunction;
+  initialFormState: { initialAuthType: string; showAlternate: boolean };
   namespaceQueryParam: string;
   oidcProviderQueryParam: string;
   onSuccess: CallableFunction;
-  visibleMountsByType: UnauthMountsByType;
+  visibleMountTypes: string[];
+}
+
+interface FormView {
+  view: string; // "dropdown" or "tabs"
+  tabData: UnauthMountsByType | null; // tabs to render if view = "tabs"
 }
 
 export default class AuthFormTemplate extends Component<Args> {
-  @service declare readonly auth: AuthService;
   @service declare readonly flags: FlagsService;
-  @service declare readonly store: Store;
   @service declare readonly version: VersionService;
 
-  // true → "Back" button renders, false → "Sign in with other methods→" renders if customizations exist
-  @tracked showOtherMethods = false;
+  supportedAuthTypes: string[];
 
-  // auth login variables
-  @tracked selectedAuthMethod = '';
   @tracked errorMessage = '';
-
-  get tabData() {
-    const { directLinkData } = this.args;
-    // URL contains a "with" query param that references a mount with listing_visibility="unauth"
-    // Treat it as a "preferred" mount and hide all other tabs
-    if (directLinkData?.isVisibleMount && directLinkData?.type) {
-      return { [directLinkData.type]: [this.args.directLinkData] };
-    }
-    return this.args.visibleMountsByType;
-  }
-
-  get authTabTypes() {
-    const visibleMounts = this.args.visibleMountsByType;
-    return visibleMounts ? Object.keys(visibleMounts) : [];
+  @tracked selectedAuthMethod = '';
+  // true → "Back" button renders, false → "Sign in with other methods→" renders if an alternate view exists
+  @tracked showAlternateView = false;
+
+  constructor(owner: unknown, args: Args) {
+    super(owner, args);
+    const { initialAuthType, showAlternate } = this.args.initialFormState;
+    this.selectedAuthMethod = initialAuthType;
+    this.showAlternateView = showAlternate;
+    this.supportedAuthTypes = supportedTypes(this.version.isEnterprise);
   }
 
-  get availableMethodTypes() {
-    return supportedTypes(this.version.isEnterprise);
+  get tabData() {
+    if (this.showAlternateView) return this.args?.alternateView?.tabData;
+    return this.args?.defaultView?.tabData;
   }
 
   get formComponent() {
     const { selectedAuthMethod } = this;
     // isSupported means there is a component file defined for that auth type
-    const isSupported = this.availableMethodTypes.includes(selectedAuthMethod);
+    const isSupported = this.supportedAuthTypes.includes(selectedAuthMethod);
     const formFile = () => (['oidc', 'jwt'].includes(selectedAuthMethod) ? 'oidc-jwt' : selectedAuthMethod);
     const component = isSupported ? formFile() : 'base';
 
     // an Auth::Form::<Type> component exists for each method in supported-login-methods
     return `auth/form/${component}`;
   }
 
+  get hideAdvancedSettings() {
+    // Token does not support custom paths
+    if (this.selectedAuthMethod === 'token') return true;
+
+    // Always show for dropdown mode
+    if (!this.tabData) return false;
+
+    // For remaining scenarios, hide "Advanced settings" if the selected method has visible mount(s)
+    return this.args.visibleMountTypes?.includes(this.selectedAuthMethod);
+  }
+
   get namespaceInput() {
     const namespaceQueryParam = this.args.namespaceQueryParam;
     if (this.flags.hvdManagedNamespaceRoot) {
@@ -105,42 +114,6 @@ export default class AuthFormTemplate extends Component<Args> {
     return namespaceQueryParam;
   }
 
-  get preselectedType() {
-    // Prioritize canceledMfaAuth since it's triggered by user interaction.
-    // Next, check type from directLinkData as it's specified by the URL.
-    // Finally, fall back to the most recently used auth method in localStorage.
-    return this.args.canceledMfaAuth || this.args.directLinkData?.type || this.auth.getAuthType();
-  }
-
-  // The "standard" selection is a dropdown listing all auth methods.
-  // This getter determines whether to render an alternative view (e.g., tabs or a preferred mount).
-  // If `true`, the "Sign in with other methods →" link is shown.
-  get showCustomAuthOptions() {
-    const hasLoginCustomization = this.args?.directLinkData?.isVisibleMount || this.args.visibleMountsByType;
-    // Show if customization exists and the user has NOT clicked "Sign in with other methods →"
-    return hasLoginCustomization && !this.showOtherMethods;
-  }
-
-  @action
-  initializeState() {
-    // SET AUTH TYPE
-    if (this.preselectedType) {
-      this.setAuthType(this.preselectedType);
-    } else {
-      // if nothing has been preselected, select first tab or set to 'token'
-      const authType = this.args.visibleMountsByType ? (this.authTabTypes[0] as string) : 'token';
-      this.setAuthType(authType);
-    }
-
-    // DETERMINES INITIAL RENDER: custom selection (direct link or tabs) vs dropdown
-    if (this.args.visibleMountsByType) {
-      // render tabs if selectedAuthMethod is one, otherwise render dropdown (i.e. showOtherMethods = false)
-      this.showOtherMethods = this.authTabTypes.includes(this.selectedAuthMethod) ? false : true;
-    } else {
-      this.showOtherMethods = false;
-    }
-  }
-
   @action
   setAuthType(authType: string) {
     this.selectedAuthMethod = authType;
@@ -153,15 +126,10 @@ export default class AuthFormTemplate extends Component<Args> {
 
   @action
   toggleView() {
-    this.showOtherMethods = !this.showOtherMethods;
-
-    if (this.showCustomAuthOptions) {
-      const firstTab = this.authTabTypes[0] as string;
-      this.setAuthType(firstTab);
-    } else {
-      // all methods render, reset dropdown
-      this.selectedAuthMethod = this.preselectedType || 'token';
-    }
+    this.showAlternateView = !this.showAlternateView;
+    const firstAuthTab = Object.keys(this.tabData || {})[0];
+    const type = firstAuthTab || this.args.initialFormState.initialAuthType;
+    this.setAuthType(type);
   }
 
   @action