Merge pull request 'account-claim' (#98) from account-claim into main

Reviewed-on: #98

.gitea/workflows/cd-deploy.yaml

@@ -48,12 +48,12 @@ jobs:
           cd /var/www/html/milsim-site-v4
           version=`git log -1 --format=%H`
           echo "Current Revision: $version"
-          echo "Updating to: ${{ github.sha }}
+          echo "Updating to: ${{ github.sha }}"
           sudo -u nginx git reset --hard
-          sudo -u nginx git pull origin main
+          sudo -u nginx git fetch --tags
           sudo -u nginx git pull origin main
           new_version=`git log -1 --format=%H`
-          echo "Sucessfully updated to: $new_version
+          echo "Successfully updated to: $new_version"
 
       - name: Update Shared Dependencies and Fix Permissions
         run: |

api/src/index.ts

@@ -1,11 +1,15 @@
-const dotenv = require('dotenv')
+import dotenv = require('dotenv');
 dotenv.config();
 
-const express = require('express')
+import express = require('express');
-const cors = require('cors')
+import cors = require('cors');
-const morgan = require('morgan')
+import morgan = require('morgan');
 const app = express()
-app.use(morgan('dev'))
+app.use(morgan('dev', {
+  skip: (req) => {
+    return req.path === '/members/me';
+  }
+}))
 
 app.use(cors({
   origin: [process.env.CLIENT_URL], // your SPA origins
@@ -19,7 +23,7 @@ app.set('trust proxy', 1);
 const port = process.env.SERVER_PORT;
 
 //glitchtip setup
-const sentry = require('@sentry/node');
+import sentry = require('@sentry/node');
 if (process.env.DISABLE_GLITCHTIP === "true") {
   console.log("Glitchtip disabled")
 } else {
@@ -27,14 +31,14 @@ if (process.env.DISABLE_GLITCHTIP === "true") {
   let release = process.env.APPLICATION_VERSION;
   let environment = process.env.APPLICATION_ENVIRONMENT;
   console.log(release, environment)
-  sentry.init({ dsn: dsn, release: release, environment: environment });
+  sentry.init({ dsn: dsn, release: release, environment: environment, integrations: [sentry.captureConsoleIntegration({ levels: ['error'] })] });
   console.log("Glitchtip initialized");
 }
 
 //session setup
-const path = require('path')
+import path = require('path');
-const session = require('express-session')
+import session = require('express-session');
-const passport = require('passport')
+import passport = require('passport');
 const SQLiteStore = require('connect-sqlite3')(session);
 
 app.use(session({
@@ -51,23 +55,21 @@ app.use(session({
 app.use(passport.authenticate('session'));
 
 // Mount route modules
-const applicationsRouter = require('./routes/applications');
+import { applicationRouter } from './routes/applications';
-const { memberRanks, ranks } = require('./routes/ranks');
+import { memberRanks, ranks } from './routes/ranks';
-const members = require('./routes/members');
+import { memberRouter } from './routes/members';
-const loaHandler = require('./routes/loa')
+import { loaRouter } from './routes/loa';
-const { status, memberStatus } = require('./routes/statuses')
+import { status, memberStatus } from './routes/statuses';
-const authRouter = require('./routes/auth')
+import { authRouter } from './routes/auth';
-const { roles, memberRoles } = require('./routes/roles');
+import { roles, memberRoles } from './routes/roles';
-const { courseRouter, eventRouter } = require('./routes/course');
+import { courseRouter, eventRouter } from './routes/course';
-const { calendarRouter } = require('./routes/calendar')
+import { calendarRouter } from './routes/calendar';
-const morgan = require('morgan');
-const { env } = require('process');
 
-app.use('/application', applicationsRouter);
+app.use('/application', applicationRouter);
 app.use('/ranks', ranks);
 app.use('/memberRanks', memberRanks);
-app.use('/members', members);
+app.use('/members', memberRouter);
-app.use('/loa', loaHandler);
+app.use('/loa', loaRouter);
 app.use('/status', status)
 app.use('/memberStatus', memberStatus)
 app.use('/roles', roles)

api/src/middleware/auth.ts

@@ -0,0 +1,49 @@
+import { MemberState } from "@app/shared/types/member";
+import { NextFunction, Request, Response } from "express";
+import { stat } from "fs";
+
+export const requireLogin = function (req: Request, res: Response, next: NextFunction) {
+    if (req.user?.id)
+        next();
+    else
+        res.sendStatus(401)
+}
+
+export function requireMemberState(state: MemberState) {
+    return function (req: Request, res: Response, next: NextFunction) {
+        if (req.user?.state === state)
+            next();
+        else
+            res.status(403).send(`You must be a ${state} of the 17th RBN to access this resource`);
+    }
+}
+
+export function requireRole(requiredRoles: string | string[]) {
+    // Normalize the input to always be an array of lowercase required roles
+    const normalizedRequiredRoles: string[] = Array.isArray(requiredRoles)
+        ? requiredRoles.map(role => role.toLowerCase())
+        : [requiredRoles.toLowerCase()];
+
+    const DEV_ROLE = 'dev';
+
+    return function (req: Request, res: Response, next: NextFunction) {
+        if (!req.user || !req.user.roles) {
+            // User is not authenticated or has no roles array
+            return res.sendStatus(401);
+        }
+
+        const userRolesLowercase = req.user.roles.map(role => role.name.toLowerCase());
+
+        // Check if the user has *any* of the required roles OR the 'dev' role
+        const hasAccess = userRolesLowercase.some(userRole =>
+            userRole === DEV_ROLE || normalizedRequiredRoles.includes(userRole)
+        );
+
+        if (hasAccess) {
+            return next();
+        } else {
+            // User is authenticated but does not have the necessary permissions
+            return res.sendStatus(403);
+        }
+    };
+}

api/src/routes/applications.ts

@@ -3,12 +3,14 @@ const router = express.Router();
 
 import pool from '../db';
 import { approveApplication, createApplication, denyApplication, getAllMemberApplications, getApplicationByID, getApplicationComments, getApplicationList, getMemberApplication } from '../services/applicationService';
-import { MemberState, setUserState } from '../services/memberService';
+import { setUserState } from '../services/memberService';
+import { MemberState } from '@app/shared/types/member';
 import { getRankByName, insertMemberRank } from '../services/rankService';
 import { ApplicationFull, CommentRow } from "@app/shared/types/application"
 import { assignUserToStatus } from '../services/statusService';
 import { Request, response, Response } from 'express';
 import { getUserRoles } from '../services/rolesService';
+import { requireLogin, requireRole } from '../middleware/auth';
 
 //get CoC
 router.get('/coc', async (req: Request, res: Response) => {
@@ -29,7 +31,7 @@ router.get('/coc', async (req: Request, res: Response) => {
 
 
 // POST /application
-router.post('/', async (req, res) => {
+router.post('/', [requireLogin], async (req, res) => {
   try {
     const App = req.body?.App || {};
     const memberID = req.user.id;
@@ -47,7 +49,7 @@ router.post('/', async (req, res) => {
 });
 
 // GET /application/all
-router.get('/all', async (req, res) => {
+router.get('/all', [requireLogin, requireRole("Recruiter")], async (req, res) => {
   try {
     const rows = await getApplicationList();
     res.status(200).json(rows);
@@ -71,7 +73,7 @@ router.get('/meList', async (req, res) => {
   }
 })
 
-router.get('/me', async (req, res) => {
+router.get('/me', [requireLogin], async (req, res) => {
 
   let userID = req.user.id;
 
@@ -96,7 +98,7 @@ router.get('/me', async (req, res) => {
 })
 
 // GET /application/:id
-router.get('/me/:id', async (req: Request, res: Response) => {
+router.get('/me/:id', [requireLogin], async (req: Request, res: Response) => {
   let appID = Number(req.params.id);
   let member = req.user.id;
   try {
@@ -123,22 +125,10 @@ router.get('/me/:id', async (req: Request, res: Response) => {
 });
 
 // GET /application/:id
-router.get('/:id', async (req: Request, res: Response) => {
+router.get('/:id', [requireLogin, requireRole("Recruiter")], async (req: Request, res: Response) => {
   let appID = Number(req.params.id);
   let asAdmin = !!req.query.admin || false;
-  let user = req.user.id;
 
-  //TODO: Replace this with bigger authorization system eventually
-  if (asAdmin) {
-    let allowed = (await getUserRoles(user)).some((role) =>
-      role.name.toLowerCase() === 'dev' ||
-      role.name.toLowerCase() === 'recruiter' ||
-      role.name.toLowerCase() === 'administrator')
-    console.log(allowed)
-    if (!allowed) {
-      return res.sendStatus(403)
-    }
-  }
   try {
     const application = await getApplicationByID(appID);
     if (application === undefined)
@@ -159,7 +149,7 @@ router.get('/:id', async (req: Request, res: Response) => {
 });
 
 // POST /application/approve/:id
-router.post('/approve/:id', async (req: Request, res: Response) => {
+router.post('/approve/:id', [requireLogin, requireRole("Recruiter")], async (req: Request, res: Response) => {
   const appID = Number(req.params.id);
   const approved_by = req.user.id;
 
@@ -188,7 +178,7 @@ router.post('/approve/:id', async (req: Request, res: Response) => {
 });
 
 // POST /application/deny/:id
-router.post('/deny/:id', async (req, res) => {
+router.post('/deny/:id', [requireLogin, requireRole("Recruiter")], async (req, res) => {
   const appID = req.params.id;
 
   try {
@@ -203,7 +193,7 @@ router.post('/deny/:id', async (req, res) => {
 });
 
 // POST /application/:id/comment
-router.post('/:id/comment', async (req: Request, res: Response) => {
+router.post('/:id/comment', [requireLogin], async (req: Request, res: Response) => {
   const appID = req.params.id;
   const data = req.body.message;
   const user = req.user;
@@ -217,8 +207,9 @@ router.post('/:id/comment', async (req: Request, res: Response) => {
   )
 VALUES(?, ?, ?);`
 
+
   try {
-    const conn = await pool.getConnection();
+    var conn = await pool.getConnection();
 
     const result = await conn.query(sql, [appID, user.id, data])
     console.log(result)
@@ -242,11 +233,13 @@ VALUES(?, ?, ?);`
   } catch (err) {
     console.error('Comment failed:', err);
     res.status(500).json({ error: 'Could not post comment' });
+  } finally {
+    conn.release();
   }
 });
 
 // POST /application/:id/comment
-router.post('/:id/adminComment', async (req: Request, res: Response) => {
+router.post('/:id/adminComment', [requireLogin, requireRole("Recruiter")], async (req: Request, res: Response) => {
   const appID = req.params.id;
   const data = req.body.message;
   const user = req.user;
@@ -262,7 +255,7 @@ router.post('/:id/adminComment', async (req: Request, res: Response) => {
 VALUES(?, ?, ?, 1);`
 
   try {
-    const conn = await pool.getConnection();
+    var conn = await pool.getConnection();
 
     const result = await conn.query(sql, [appID, user.id, data])
     console.log(result)
@@ -287,6 +280,8 @@ VALUES(?, ?, ?, 1);`
   } catch (err) {
     console.error('Comment failed:', err);
     res.status(500).json({ error: 'Could not post comment' });
+  } finally {
+    conn.release();
   }
 });
 
@@ -301,5 +296,4 @@ router.post('/restart', async (req: Request, res: Response) => {
   }
 })
 
-
+export const applicationRouter = router;
-module.exports = router;

api/src/routes/auth.ts

@@ -6,9 +6,18 @@ dotenv.config();
 const express = require('express');
 const { param } = require('./applications');
 const router = express.Router();
+import { Role } from '@app/shared/types/roles';
 import pool from '../db';
+import { requireLogin } from '../middleware/auth';
+import { getUserRoles } from '../services/rolesService';
+import { getUserState, mapDiscordtoID } from '../services/memberService';
+import { MemberState } from '@app/shared/types/member';
+import { toDateTime } from '@app/shared/utils/time';
 const querystring = require('querystring');
 
+function parseJwt(token) {
+    return JSON.parse(Buffer.from(token.split('.')[1], 'base64').toString());
+}
 
 passport.use(new OpenIDConnectStrategy({
     issuer: process.env.AUTH_ISSUER,
@@ -18,37 +27,56 @@ passport.use(new OpenIDConnectStrategy({
     clientID: process.env.AUTH_CLIENT_ID,
     clientSecret: process.env.AUTH_CLIENT_SECRET,
     callbackURL: process.env.AUTH_REDIRECT_URI,
-    scope: ['openid', 'profile']
+    scope: ['openid', 'profile', 'discord']
 }, async function verify(issuer, sub, profile, jwtClaims, accessToken, refreshToken, params, cb) {
 
-    console.log('--- OIDC verify() called ---');
+    // console.log('--- OIDC verify() called ---');
-    console.log('issuer:', issuer);
+    // console.log('issuer:', issuer);
-    console.log('sub:', sub);
+    // console.log('sub:', sub);
-    // console.log('profile:', JSON.stringify(profile, null, 2));
+    // // console.log('discord:', discord);
-    console.log('profile:', profile);
+    // console.log('profile:', profile);
-    console.log('id_token claims:', JSON.stringify(jwtClaims, null, 2));
+    // console.log('jwt: ', parseJwt(jwtClaims));
-    console.log('preferred_username:', jwtClaims?.preferred_username);
+    // console.log('params:', params);
+
 
-    const con = await pool.getConnection();
     try {
+        var con = await pool.getConnection();
+
         await con.beginTransaction();
 
         //lookup existing user
         const existing = await con.query(`SELECT id FROM members WHERE authentik_issuer = ? AND authentik_sub = ? LIMIT 1;`, [issuer, sub]);
-        let memberId;
+        let memberId: number;
         //if member exists
         if (existing.length > 0) {
             memberId = existing[0].id;
         } else {
             //otherwise: create account
-            const username = sub.username;
+            const jwt = parseJwt(jwtClaims);
+            const discordID = jwt.discord.id as number;
 
+            //check if account is available to claim
+            memberId = await mapDiscordtoID(discordID);
+
+            if (memberId === null) {
+                // create new account
+                const username = sub.username;
                 const result = await con.query(
                     `INSERT INTO members (name, authentik_sub, authentik_issuer) VALUES (?, ?, ?)`,
                     [username, sub, issuer]
                 )
                 memberId = Number(result.insertId);
+            } else {
+                // claim existing account
+                const result = await con.query(
+                    `UPDATE members SET authentik_sub = ?, authentik_issuer = ? WHERE id = ?;`,
+                    [sub, issuer, memberId]
+                )
             }
+        }
+
+        await con.query(`UPDATE members SET last_login = ? WHERE id = ?`, [toDateTime(new Date()), memberId])
+
         await con.commit();
         return cb(null, { memberId });
     } catch (error) {
@@ -66,12 +94,6 @@ router.get('/login', (req, res, next) => {
     next();
 }, passport.authenticate('openidconnect'));
 
-// router.get('/callback', (req, res, next) => {
-//     passport.authenticate('openidconnect', {
-//         successRedirect: req.session.redirectTo,
-//         failureRedirect: process.env.CLIENT_URL
-//     })
-// });
 
 router.get('/callback', (req, res, next) => {
     const redirectURI = req.session.redirectTo;
@@ -90,7 +112,7 @@ router.get('/callback', (req, res, next) => {
     })(req, res, next);
 });
 
-router.get('/logout', function (req, res, next) {
+router.get('/logout', [requireLogin], function (req, res, next) {
     req.logout(function (err) {
         if (err) { return next(err); }
         var params = {
@@ -110,15 +132,17 @@ passport.serializeUser(function (user, cb) {
 passport.deserializeUser(function (user, cb) {
     process.nextTick(async function () {
 
-        const memberID = user.memberId;
+        const memberID = user.memberId as number;
 
-        const con = await pool.getConnection();
 
-        var userData;
+        var userData: { id: number, name: string, roles: Role[], state: MemberState };
         try {
+            var con = await pool.getConnection();
             let userResults = await con.query(`SELECT id, name FROM members WHERE id = ?;`, [memberID])
             userData = userResults[0];
-
+            let userRoles = await getUserRoles(memberID);
+            userData.roles = userRoles || [];
+            userData.state = await getUserState(memberID);
         } catch (error) {
             console.error(error)
         } finally {
@@ -128,5 +152,18 @@ passport.deserializeUser(function (user, cb) {
     });
 });
 
+declare global {
+    namespace Express {
+        interface Request {
+            user: {
+                id: number;
+                name: string;
+                roles: Role[];
+                state: MemberState;
+            };
+        }
+    }
+}
 
-module.exports = router;
+
+export const authRouter = router;

api/src/routes/calendar.ts

@@ -1,6 +1,8 @@
 import { Request, Response } from "express";
 import { createEvent, getEventAttendance, getEventDetails, getShortEventsInRange, setAttendanceStatus, setEventCancelled, updateEvent } from "../services/calendarService";
 import { CalendarAttendance, CalendarEvent } from "@app/shared/types/calendar";
+import { requireLogin, requireMemberState, requireRole } from "../middleware/auth";
+import { MemberState } from "@app/shared/types/member";
 
 const express = require('express');
 const r = express.Router();
@@ -35,7 +37,7 @@ r.get('/upcoming', async (req, res) => {
     res.sendStatus(501);
 })
 
-r.post('/:id/cancel', async (req: Request, res: Response) => {
+r.post('/:id/cancel', [requireLogin, requireMemberState(MemberState.Member)], async (req: Request, res: Response) => {
     try {
         const eventID = Number(req.params.id);
         setEventCancelled(eventID, true);
@@ -45,7 +47,7 @@ r.post('/:id/cancel', async (req: Request, res: Response) => {
         res.status(500).send('Error setting cancel status');
     }
 })
-r.post('/:id/uncancel', async (req: Request, res: Response) => {
+r.post('/:id/uncancel', [requireLogin, requireMemberState(MemberState.Member)], async (req: Request, res: Response) => {
     try {
         const eventID = Number(req.params.id);
         setEventCancelled(eventID, false);
@@ -57,7 +59,7 @@ r.post('/:id/uncancel', async (req: Request, res: Response) => {
 })
 
 
-r.post('/:id/attendance', async (req: Request, res: Response) => {
+r.post('/:id/attendance', [requireLogin, requireMemberState(MemberState.Member)], async (req: Request, res: Response) => {
     try {
         let member = req.user.id;
         let event = Number(req.params.id);
@@ -85,7 +87,7 @@ r.get('/:id', async (req: Request, res: Response) => {
 
 
 //post a new calendar event 
-r.post('/', async (req: Request, res: Response) => {
+r.post('/', [requireLogin, requireMemberState(MemberState.Member)], async (req: Request, res: Response) => {
     try {
         const member = req.user.id;
         let event: CalendarEvent = req.body;
@@ -100,7 +102,7 @@ r.post('/', async (req: Request, res: Response) => {
     }
 })
 
-r.put('/', async (req: Request, res: Response) => {
+r.put('/', [requireLogin, requireMemberState(MemberState.Member)], async (req: Request, res: Response) => {
     try {
         let event: CalendarEvent = req.body;
         event.start = new Date(event.start);
@@ -114,5 +116,4 @@ r.put('/', async (req: Request, res: Response) => {
     }
 })
 
-
+export const calendarRouter = r;
-module.exports.calendarRouter = r;

api/src/routes/course.ts

@@ -1,11 +1,18 @@
 import { CourseAttendee, CourseEventDetails } from "@app/shared/types/course";
 import { getAllCourses, getCourseEventAttendees, getCourseEventDetails, getCourseEventRoles, getCourseEvents, insertCourseEvent } from "../services/CourseSerivce";
 import { Request, Response, Router } from "express";
+import { requireLogin, requireMemberState } from "../middleware/auth";
+import { MemberState } from "@app/shared/types/member";
 
-const courseRouter = Router();
+const cr = Router();
-const eventRouter = Router();
+const er = Router();
 
-courseRouter.get('/', async (req, res) => {
+cr.use(requireLogin)
+er.use(requireLogin)
+cr.use(requireMemberState(MemberState.Member))
+er.use(requireMemberState(MemberState.Member))
+
+cr.get('/', async (req, res) => {
     try {
         const courses = await getAllCourses();
         res.status(200).json(courses);
@@ -15,7 +22,7 @@ courseRouter.get('/', async (req, res) => {
     }
 })
 
-courseRouter.get('/roles', async (req, res) => {
+cr.get('/roles', async (req, res) => {
     try {
         const roles = await getCourseEventRoles();
         res.status(200).json(roles);
@@ -25,7 +32,7 @@ courseRouter.get('/roles', async (req, res) => {
     }
 })
 
-eventRouter.get('/', async (req: Request, res: Response) => {
+er.get('/', async (req: Request, res: Response) => {
     const allowedSorts = new Map([
         ["ascending", "ASC"],
         ["descending", "DESC"]
@@ -50,7 +57,7 @@ eventRouter.get('/', async (req: Request, res: Response) => {
     }
 });
 
-eventRouter.get('/:id', async (req: Request, res: Response) => {
+er.get('/:id', async (req: Request, res: Response) => {
     try {
         let out = await getCourseEventDetails(Number(req.params.id));
         res.status(200).json(out);
@@ -60,7 +67,7 @@ eventRouter.get('/:id', async (req: Request, res: Response) => {
     }
 });
 
-eventRouter.get('/attendees/:id', async (req: Request, res: Response) => {
+er.get('/attendees/:id', async (req: Request, res: Response) => {
     try {
         const attendees: CourseAttendee[] = await getCourseEventAttendees(Number(req.params.id));
         res.status(200).json(attendees);
@@ -70,7 +77,7 @@ eventRouter.get('/attendees/:id', async (req: Request, res: Response) => {
     }
 })
 
-eventRouter.post('/', async (req: Request, res: Response) => {
+er.post('/', async (req: Request, res: Response) => {
     const posterID: number = req.user.id;
     try {
         console.log();
@@ -85,5 +92,5 @@ eventRouter.post('/', async (req: Request, res: Response) => {
     }
 })
 
-module.exports.courseRouter = courseRouter;
+export const courseRouter = cr;
-module.exports.eventRouter = eventRouter;
+export const eventRouter = er;

api/src/routes/loa.ts

@@ -5,6 +5,9 @@ import { Request, Response } from 'express';
 import pool from '../db';
 import { closeLOA, createNewLOA, getAllLOA, getLOAbyID, getLoaTypes, getUserLOA, setLOAExtension } from '../services/loaService';
 import { LOARequest } from '@app/shared/types/loa';
+import { requireLogin, requireRole } from '../middleware/auth';
+
+router.use(requireLogin);
 
 //member posts LOA
 router.post("/", async (req: Request, res: Response) => {
@@ -23,7 +26,7 @@ router.post("/", async (req: Request, res: Response) => {
 });
 
 //admin posts LOA
-router.post("/admin", async (req: Request, res: Response) => {
+router.post("/admin", [requireRole("17th Administrator")], async (req: Request, res: Response) => {
     let LOARequest = req.body as LOARequest;
     LOARequest.created_by = req.user.id;
     LOARequest.filed_date = new Date();
@@ -63,7 +66,7 @@ router.get("/history", async (req: Request, res: Response) => {
     }
 })
 
-router.get('/all', async (req, res) => {
+router.get('/all', [requireRole("17th Administrator")], async (req, res) => {
     try {
         const result = await getAllLOA();
         res.status(200).json(result)
@@ -101,7 +104,7 @@ router.post('/cancel/:id', async (req: Request, res: Response) => {
 })
 
 //TODO: enforce admin only
-router.post('/adminCancel/:id', async (req: Request, res: Response) => {
+router.post('/adminCancel/:id', [requireRole("17th Administrator")], async (req: Request, res: Response) => {
     let closer = req.user.id;
     try {
         await closeLOA(Number(req.params.id), closer);
@@ -113,7 +116,7 @@ router.post('/adminCancel/:id', async (req: Request, res: Response) => {
 })
 
 // TODO: Enforce admin only
-router.post('/extend/:id', async (req: Request, res: Response) => {
+router.post('/extend/:id', [requireRole("17th Administrator")], async (req: Request, res: Response) => {
     const to: Date = req.body.to;
 
     if (!to) {
@@ -145,4 +148,4 @@ router.get('/policy', async (req: Request, res: Response) => {
     }
 })
 
-module.exports = router;
+export const loaRouter = router;

api/src/routes/members.ts

@@ -1,19 +1,16 @@
 const express = require('express');
 const router = express.Router();
 
+import { Request, Response } from 'express';
 import pool from '../db';
+import { requireLogin, requireMemberState, requireRole } from '../middleware/auth';
 import { getUserActiveLOA } from '../services/loaService';
-import { getUserData } from '../services/memberService';
+import { getMemberSettings, getMembersFull, getMembersLite, getUserData, setUserSettings } from '../services/memberService';
 import { getUserRoles } from '../services/rolesService';
-
+import { memberSettings, MemberState } from '@app/shared/types/member';
-router.use((req, res, next) => {
-    console.log(req.user);
-    console.log('Time:', Date.now())
-    next()
-})
 
 //get all users
-router.get('/', async (req, res) => {
+router.get('/', [requireLogin, requireMemberState(MemberState.Member)], async (req, res) => {
     try {
         const result = await pool.query(
             `SELECT
@@ -35,24 +32,17 @@ router.get('/', async (req, res) => {
     }
 });
 
-router.get('/me', async (req, res) => {
+router.get('/me', [requireLogin], async (req, res) => {
     if (req.user === undefined)
         return res.sendStatus(401)
 
     try {
         const { id, name, state } = await getUserData(req.user.id);
-        // const LOAData = await pool.query(
-        //     `SELECT *
-        //     FROM leave_of_absences
-        //     WHERE member_id = ?
-        //     AND deleted = 0 
-        //     AND UTC_TIMESTAMP() BETWEEN start_date AND end_date;`, req.user.id);
         const LOAData = await getUserActiveLOA(req.user.id);
 
         const roleData = await getUserRoles(req.user.id);
 
         const userDataFull = { id, name, state, LOAData, roleData };
-        console.log(userDataFull)
         res.status(200).json(userDataFull);
     } catch (error) {
         console.error('Error fetching user data:', error);
@@ -60,7 +50,54 @@ router.get('/me', async (req, res) => {
     }
 })
 
-router.get('/:id', async (req, res) => {
+router.get('/settings', [requireLogin], async (req: Request, res: Response) => {
+    try {
+        let user = req.user.id;
+        console.log(user);
+        let output = await getMemberSettings(user);
+        res.status(200).json(output);
+    } catch (error) {
+        console.error(error);
+        res.status(500).json(error);
+    }
+})
+
+router.put('/settings', [requireLogin], async (req: Request, res: Response) => {
+    try {
+        let user = req.user.id;
+        let settings: memberSettings = req.body;
+        console.log(settings)
+        await setUserSettings(user, settings);
+        res.sendStatus(200);
+    } catch (error) {
+        console.error(error);
+        res.status(500).json(error);
+    }
+})
+
+router.post('/lite/bulk', async (req: Request, res: Response) => {
+    try {
+        let ids = req.body.ids;
+        let out = await getMembersLite(ids);
+        res.status(200).json(out);
+    } catch (error) {
+        console.error(error);
+        res.status(500).json(error);
+    }
+})
+
+router.post('/full/bulk', async (req: Request, res: Response) => {
+    try {
+        let ids = req.body.ids;
+        let out = await getMembersFull(ids);
+        res.status(200).json(out);
+    } catch (error) {
+        console.error(error);
+        res.status(500).json(error);
+    }
+})
+
+router.get('/:id', [requireLogin], async (req, res) => {
     try {
         const userId = req.params.id;
         const result = await pool.query('SELECT * FROM view_member_rank_unit_status_latest WHERE id = $1;', [userId]);
@@ -77,10 +114,8 @@ router.get('/:id', async (req, res) => {
 //update a user's display name (stub)
 router.put('/:id/displayname', async (req, res) => {
     // Stub: not implemented yet
-    return res.status(501).json({ error: 'Update display name not implemented' });
+    return res.status(501);
 });
 
 
-
+export const memberRouter = router;
-
-module.exports = router;

api/src/routes/ranks.ts

@@ -1,10 +1,18 @@
-const express = require('express');
+import { MemberState } from "@app/shared/types/member";
+import { requireLogin, requireMemberState, requireRole } from "../middleware/auth";
+import { getAllRanks, insertMemberRank } from "../services/rankService";
+
+import express = require('express');
 const r = express.Router();
 const ur = express.Router();
-const { getAllRanks, insertMemberRank } = require('../services/rankService')
+
+
+r.use(requireLogin)
+ur.use(requireLogin)
 
 //insert a new latest rank for a user
-ur.post('/', async (req, res) => {3
+ur.post('/', [requireRole(["17th Command", "17th Administrator", "17th HQ"]), requireMemberState(MemberState.Member)], async (req, res) => {
+    3
     try {
         const change = req.body?.change;
         await insertMemberRank(change.member_id, change.rank_id, change.date);
@@ -27,5 +35,5 @@ r.get('/', async (req, res) => {
     }
 });
 
-module.exports.ranks = r;
+export const ranks = r;
-module.exports.memberRanks = ur;
+export const memberRanks = ur;

api/src/routes/roles.ts

@@ -2,11 +2,16 @@ const express = require('express');
 const r = express.Router();
 const ur = express.Router();
 
+import { MemberState } from '@app/shared/types/member';
 import pool from '../db';
+import { requireLogin, requireMemberState, requireRole } from '../middleware/auth';
 import { assignUserGroup, createGroup } from '../services/rolesService';
 
+r.use(requireLogin)
+ur.use(requireLogin)
+
 //manually assign a member to a group
-ur.post('/', async (req, res) => {
+ur.post('/', [requireMemberState(MemberState.Member), requireRole("17th Administrator")], async (req, res) => {
     try {
         const body = req.body;
 
@@ -20,7 +25,7 @@ ur.post('/', async (req, res) => {
 });
 
 //manually remove member from group
-ur.delete('/', async (req, res) => {
+ur.delete('/', [requireMemberState(MemberState.Member), requireRole("17th Administrator")], async (req, res) => {
     try {
         const body = req.body;
         console.log(body);
@@ -38,9 +43,9 @@ ur.delete('/', async (req, res) => {
 })
 
 //get all roles
-r.get('/', async (req, res) => {
+r.get('/', [requireMemberState(MemberState.Member)], async (req, res) => {
     try {
-        const con = await pool.getConnection();
+        var con = await pool.getConnection();
 
         // Get all roles
         const roles = await con.query('SELECT * FROM roles;');
@@ -68,16 +73,17 @@ r.get('/', async (req, res) => {
             members: roleIdToMembers[role.id] || []
         }));
 
-        con.release();
         res.json(result);
     } catch (err) {
         console.error(err);
         res.status(500).json({ error: 'Internal server error' });
+    } finally {
+        con.release();
     }
 });
 
 //create a new role
-r.post('/', async (req, res) => {
+r.post('/', [requireMemberState(MemberState.Member), requireRole("17th Administrator")], async (req, res) => {
     try {
         const { name, color, description } = req.body;
         console.log('Creating role:', { name, color, description });
@@ -99,7 +105,7 @@ r.post('/', async (req, res) => {
     }
 })
 
-r.delete('/:id', async (req, res) => {
+r.delete('/:id', [requireMemberState(MemberState.Member), requireRole("17th Administrator")], async (req, res) => {
     try {
         const id = req.params.id;
 
@@ -112,5 +118,5 @@ r.delete('/:id', async (req, res) => {
     }
 })
 
-module.exports.roles = r;
+export const roles = r;
-module.exports.memberRoles = ur;
+export const memberRoles = ur;

api/src/routes/statuses.ts

@@ -1,11 +1,15 @@
-const express = require('express');
+import express = require('express');
-const status = express.Router();
+const statusR = express.Router();
-const memberStatus = express.Router();
+const memberStatusR = express.Router();
 
 import pool from '../db';
+import { requireLogin } from '../middleware/auth';
+
+statusR.use(requireLogin);
+memberStatusR.use(requireLogin);
 
 //insert a new latest rank for a user
-memberStatus.post('/', async (req, res) => {
+memberStatusR.post('/', async (req, res) => {
     // try {
     //     const App = req.body?.App || {};
 
@@ -30,7 +34,7 @@ memberStatus.post('/', async (req, res) => {
 });
 
 //get all statuses
-status.get('/', async (req, res) => {
+statusR.get('/', async (req, res) => {
     try {
         const result = await pool.query('SELECT * FROM statuses;');
         res.json(result);
@@ -40,7 +44,8 @@ status.get('/', async (req, res) => {
     }
 });
 
-module.exports.status = status;
+export const status = statusR;
-module.exports.memberStatus = memberStatus;
+export const memberStatus = memberStatusR;
+
 
 // TODO, implement get all ranks route with SQL stirng SELECT id, name, short_name, category, sort_id FROM ranks;

api/src/services/CourseSerivce.ts

@@ -79,9 +79,9 @@ export async function getCourseEventDetails(id: number): Promise<CourseEventDeta
 }
 
 export async function insertCourseEvent(event: CourseEventDetails): Promise<number> {
-    console.log(event);
-    const con = await pool.getConnection();
     try {
+        var con = await pool.getConnection();
+
         await con.beginTransaction();
         const res = await con.query("INSERT INTO course_events (course_id, event_date, remarks, created_by) VALUES (?, ?, ?, ?);", [event.course_id, toDateTime(event.event_date), event.remarks, event.created_by]);
         var eventID: number = res.insertId;
@@ -98,12 +98,12 @@ export async function insertCourseEvent(event: CourseEventDetails): Promise<numb
                         VALUES (?, ?, ?, ?, ?, ?);`, [attendee.attendee_id, eventID, attendee.attendee_role_id, attendee.passed_bookwork, attendee.passed_qual, attendee.remarks]);
         }
         await con.commit();
-        await con.release();
         return Number(eventID);
     } catch (error) {
-        await con.rollback();
+        if (con) await con.rollback();
-        await con.release();
         throw error;
+    } finally {
+        if (con) await con.release();
     }
 }
 

api/src/services/memberService.ts

@@ -1,13 +1,5 @@
 import pool from "../db";
-
+import { Member, MemberLight, memberSettings, MemberState } from '@app/shared/types/member'
-export enum MemberState {
-    Guest = "guest",
-    Applicant = "applicant",
-    Member = "member",
-    Retired = "retired",
-    Banned = "banned",
-    Denied = "denied"
-}
 
 export async function getUserData(userID: number) {
   const sql = `SELECT * FROM members WHERE id = ?`;
@@ -22,13 +14,49 @@ export async function setUserState(userID: number, state: MemberState) {
   return await pool.query(sql, [state, userID]);
 }
 
-declare global {
+export async function getUserState(user: number): Promise<MemberState> {
-  namespace Express {
+  let out = await pool.query(`SELECT state FROM members WHERE id = ?`, [user]);
-    interface Request {
+  return (out[0].state as MemberState);
-      user: {
+}
-        id: number;
+
-        name: string;
+export async function getMemberSettings(id: number): Promise<memberSettings> {
-      };
+  const sql = `SELECT * FROM view_member_settings WHERE id = ?`;
-    }
+  let out: memberSettings[] = await pool.query(sql, [id]);
-  }
+
+  if (out.length != 1)
+    throw new Error("Could not get user settings");
+
+  return out[0];
+}
+
+export async function setUserSettings(id: number, settings: memberSettings) {
+  const sql = `UPDATE view_member_settings SET
+                displayName = ?
+                WHERE id = ?;`;
+  let result = await pool.query(sql, [settings.displayName, id])
+  console.log(result);
+}
+
+export async function getMembersLite(ids: number[]): Promise<MemberLight[]> {
+  const sql = `SELECT m.member_id AS id,
+                  m.member_name AS username,
+                  m.displayName,
+                  u.color
+              FROM view_member_rank_unit_status_latest m
+                  LEFT JOIN units u ON u.name = m.unit
+              WHERE member_id IN (?);`;
+  const res: MemberLight[] = await pool.query(sql, [ids]);
+  return res;
+}
+
+export async function getMembersFull(ids: number[]): Promise<Member[]> {
+  const sql = `SELECT * FROM view_member_rank_unit_status_latest WHERE member_id IN (?);`;
+  const res: Member[] = await pool.query(sql, [ids]);
+  return res;
+}
+
+export async function mapDiscordtoID(id: number): Promise<number | null> {
+  const sql = `SELECT id FROM members WHERE discord_id = ?;`
+  let res = await pool.query(sql, [id]);
+  return res.length > 0 ? res[0].id : null;
 }

shared/types/member.ts

@@ -0,0 +1,31 @@
+export interface memberSettings {
+    displayName: string;
+}
+
+export enum MemberState {
+    Guest = "guest",
+    Applicant = "applicant",
+    Member = "member",
+    Retired = "retired",
+    Banned = "banned",
+    Denied = "denied"
+}
+
+export type Member = {
+    member_id: number;
+    member_name: string;
+    rank: string | null;
+    rank_date: string | null;
+    unit: string | null;
+    unit_date: string | null;
+    status: string | null;
+    status_date: string | null;
+    loa_until?: Date;
+};
+
+export interface MemberLight {
+    id: number
+    displayName: string
+    username: string
+    color: string
+}

ui/index.html

@@ -4,7 +4,7 @@
     <meta charset="UTF-8">
     <link rel="icon" href="/favicon.ico">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>Vite App</title>
+    <title>17th Ranger Battalion</title>
   </head>
   <body>
     <div id="app"></div>

ui/src/api/application.ts

@@ -59,7 +59,9 @@ export async function postAdminChatMessage(message: any, post_id: number) {
 }
 
 export async function getAllApplications(): Promise<ApplicationFull> {
-  const res = await fetch(`${addr}/application/all`)
+  const res = await fetch(`${addr}/application/all`, {
+    credentials: 'include',
+  })
 
   if (res.ok) {
     return res.json()

ui/src/api/loa.ts

@@ -43,6 +43,7 @@ export async function getMyLOA(): Promise<LOARequest | null> {
         headers: {
             "Content-Type": "application/json",
         },
+        credentials: 'include',
     });
 
 
@@ -63,6 +64,7 @@ export function getAllLOAs(): Promise<LOARequest[]> {
         headers: {
             "Content-Type": "application/json",
         },
+        credentials: 'include',
     }).then((res) => {
         if (res.ok) {
             return res.json();

ui/src/api/member.ts

@@ -1,14 +1,4 @@
-export type Member = {
+import { memberSettings, Member, MemberLight } from "@shared/types/member";
-    member_id: number;
-    member_name: string;
-    rank: string | null;
-    rank_date: string | null;
-    unit: string | null;
-    unit_date: string | null;
-    status: string | null;
-    status_date: string | null;
-    on_loa: boolean | null;
-};
 
 //  @ts-ignore
 const addr = import.meta.env.VITE_APIHOST;
@@ -22,3 +12,65 @@ export async function getMembers(): Promise<Member[]> {
     }
     return response.json();
 }
+
+export async function getMemberSettings(): Promise<memberSettings> {
+    const response = await fetch(`${addr}/members/settings`, {
+        credentials: 'include'
+    });
+    if (!response.ok) {
+        throw new Error("Failed to fetch settings");
+    }
+    return response.json();
+}
+
+export async function setMemberSettings(settings: memberSettings) {
+    const response = await fetch(`${addr}/members/settings`, {
+        credentials: 'include',
+        method: 'PUT',
+        headers: {
+            'Content-Type': 'Application/json',
+        },
+        body: JSON.stringify(settings)
+    });
+    if (!response.ok) {
+        throw new Error("Failed to fetch settings");
+    }
+    return;
+}
+
+export async function getLightMembers(ids: number[]): Promise<MemberLight[]> {
+
+    if (ids.length === 0) return [];
+
+    const response = await fetch(`${addr}/members/lite/bulk`, {
+        credentials: 'include',
+        method: 'POST',
+        headers: {
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({ ids })
+    });
+
+    if (!response.ok) {
+        throw new Error("Failed to fetch light members");
+    }
+    return response.json();
+}
+
+export async function getFullMembers(ids: number[]): Promise<Member[]> {
+
+    if (ids.length === 0) return [];
+
+    const response = await fetch(`${addr}/members/full/bulk`, {
+        credentials: 'include',
+        method: 'POST',
+        headers: {
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({ ids })
+    });
+    if (!response.ok) {
+        throw new Error("Failed to fetch settings");
+    }
+    return response.json();
+}

ui/src/api/trainingReport.ts

@@ -4,7 +4,9 @@ import { Course, CourseAttendeeRole, CourseEventDetails, CourseEventSummary } fr
 const addr = import.meta.env.VITE_APIHOST;
 
 export async function getTrainingReports(sortMode: string, search: string): Promise<CourseEventSummary[]> {
-    const res = await fetch(`${addr}/courseEvent?sort=${sortMode}&search=${search}`);
+    const res = await fetch(`${addr}/courseEvent?sort=${sortMode}&search=${search}`, {
+        credentials: 'include',
+    });
 
     if (res.ok) {
         return await res.json() as Promise<CourseEventSummary[]>;
@@ -15,7 +17,9 @@ export async function getTrainingReports(sortMode: string, search: string): Prom
 }
 
 export async function getTrainingReport(id: number): Promise<CourseEventDetails> {
-    const res = await fetch(`${addr}/courseEvent/${id}`);
+    const res = await fetch(`${addr}/courseEvent/${id}`, {
+        credentials: 'include',
+    });
 
     if (res.ok) {
         return await res.json() as Promise<CourseEventDetails>;
@@ -26,7 +30,9 @@ export async function getTrainingReport(id: number): Promise<CourseEventDetails>
 }
 
 export async function getAllTrainings(): Promise<Course[]> {
-    const res = await fetch(`${addr}/course`);
+    const res = await fetch(`${addr}/course`, {
+            credentials: 'include',
+    });
 
     if (res.ok) {
         return await res.json() as Promise<Course[]>;
@@ -37,7 +43,9 @@ export async function getAllTrainings(): Promise<Course[]> {
 }
 
 export async function getAllAttendeeRoles(): Promise<CourseAttendeeRole[]> {
-    const res = await fetch(`${addr}/course/roles`);
+    const res = await fetch(`${addr}/course/roles`, {
+        credentials: 'include',
+    });
 
     if (res.ok) {
         return await res.json() as Promise<CourseAttendeeRole[]>;

ui/src/components/Navigation/Navbar.vue

@@ -19,6 +19,8 @@ import NavigationMenuContent from '../ui/navigation-menu/NavigationMenuContent.v
 import { navigationMenuTriggerStyle } from '../ui/navigation-menu/'
 import { useAuth } from '@/composables/useAuth';
 import { ArrowUpRight, CircleArrowOutUpRight } from 'lucide-vue-next';
+import DropdownMenuGroup from '../ui/dropdown-menu/DropdownMenuGroup.vue';
+import DropdownMenuSeparator from '../ui/dropdown-menu/DropdownMenuSeparator.vue';
 
 const userStore = useUserStore();
 const auth = useAuth();
@@ -180,10 +182,12 @@ function blurAfter() {
                         <p>{{ userStore.user.name }}</p>
                     </DropdownMenuTrigger>
                     <DropdownMenuContent>
-                        <!-- <DropdownMenuItem>My Profile</DropdownMenuItem> -->
+                        <DropdownMenuItem @click="$router.push('/profile')">My Profile</DropdownMenuItem>
+                        <DropdownMenuSeparator></DropdownMenuSeparator>
                         <!-- <DropdownMenuItem>Settings</DropdownMenuItem> -->
                         <DropdownMenuItem @click="$router.push('/join')">My Application</DropdownMenuItem>
                         <DropdownMenuItem @click="$router.push('/applications')">Application History</DropdownMenuItem>
+                        <DropdownMenuSeparator></DropdownMenuSeparator>
                         <DropdownMenuItem :variant="'destructive'" @click="logout()">Logout</DropdownMenuItem>
                     </DropdownMenuContent>
                 </DropdownMenu>

ui/src/components/application/ApplicationChat.vue

@@ -15,10 +15,14 @@ import { useAuth } from '@/composables/useAuth'
 import { CommentRow } from '@shared/types/application'
 import { Dot } from 'lucide-vue-next'
 import { ref } from 'vue'
+import MemberCard from '../members/MemberCard.vue'
 
-const props = defineProps<{
+const props = withDefaults(defineProps<{
   messages: CommentRow[]
-}>()
+  adminMode?: boolean
+}>(), {
+  adminMode: false,
+})
 
 const emit = defineEmits<{
   (e: 'post', text: string): void
@@ -59,7 +63,7 @@ function onSubmit(values: { text: string }, { resetForm }: { resetForm: () => vo
 
       <!-- Button below, right-aligned -->
       <div class="mt-2 flex justify-end gap-2">
-        <Button type="submit" @click="submitMode = 'internal'" variant="outline">Post (Internal)</Button>
+        <Button v-if="adminMode" type="submit" @click="submitMode = 'internal'" variant="outline">Post (Internal)</Button>
         <Button type="submit" @click="submitMode = 'public'">Post (Public)</Button>
       </div>
     </Form>
@@ -71,7 +75,7 @@ function onSubmit(values: { text: string }, { resetForm }: { resetForm: () => vo
         <!-- Comment header -->
         <div class="flex justify-between">
           <div class="flex">
-            <p>{{ message.poster_name }}</p>
+            <MemberCard :member-id="message.poster_id"></MemberCard>
             <p v-if="message.admin_only" class="flex">
               <Dot /><span class="text-amber-300">Internal</span>
             </p>

ui/src/components/calendar/ViewCalendarEvent.vue

@@ -12,6 +12,7 @@ import DropdownMenuTrigger from '../ui/dropdown-menu/DropdownMenuTrigger.vue';
 import DropdownMenuContent from '../ui/dropdown-menu/DropdownMenuContent.vue';
 import DropdownMenuItem from '../ui/dropdown-menu/DropdownMenuItem.vue';
 import { Calendar } from 'lucide-vue-next';
+import MemberCard from '../members/MemberCard.vue';
 
 const route = useRoute();
 
@@ -239,7 +240,7 @@ defineExpose({ forceReload })
                     <MapPin :size="20"></MapPin> {{ activeEvent.location || "Unknown" }}
                 </div>
                 <div class="text-foreground/80 flex gap-3 items-center">
-                    <User :size="20"></User> {{ activeEvent.creator_name || "Unknown User" }}
+                    <User :size="20"></User> <MemberCard :member-id="activeEvent.creator_id"></MemberCard>
                 </div>
             </section>
             <!-- Description -->
@@ -276,7 +277,9 @@ defineExpose({ forceReload })
 
                         <div v-for="person in attendanceList" :key="person.member_id"
                             class="grid grid-cols-2 py-1 *:px-3 hover:bg-muted">
-                            <p>{{ person.member_name }}</p>
+                            <div>
+                                <MemberCard :member-id="person.member_id"></MemberCard>
+                            </div>
                             <p :class="statusColor(person.status)" class="text-right">
                                 {{ displayStatus(person.status) }}
                             </p>

ui/src/components/loa/loaList.vue

@@ -32,6 +32,7 @@ import {
     getLocalTimeZone,
 } from "@internationalized/date"
 import { el } from "@fullcalendar/core/internal-common";
+import MemberCard from "../members/MemberCard.vue";
 
 const props = defineProps<{
     adminMode?: boolean
@@ -146,7 +147,7 @@ async function commitExtend() {
                 <TableBody>
                     <TableRow v-for="post in LOAList" :key="post.id" class="hover:bg-muted/50">
                         <TableCell class="font-medium">
-                            {{ post.name }}
+                            <MemberCard :member-id="post.member_id"></MemberCard>
                         </TableCell>
                         <TableCell>{{ post.type_name }}</TableCell>
                         <TableCell>{{ formatDate(post.start_date) }}</TableCell>

ui/src/components/members/MemberCard.vue

@@ -0,0 +1,153 @@
+<script setup lang="ts">
+import { useMemberDirectory } from '@/stores/memberDirectory';
+import { ref, onMounted, computed } from 'vue';
+import { Member, type MemberLight } from '@shared/types/member'
+import Popover from '../ui/popover/Popover.vue';
+import PopoverTrigger from '../ui/popover/PopoverTrigger.vue';
+import PopoverContent from '../ui/popover/PopoverContent.vue';
+import { cn } from '@/lib/utils.js'
+import { watch } from 'vue';
+import { format } from 'path';
+
+
+// Props
+const props = defineProps({
+    memberId: {
+        type: Number,
+        required: true
+    }
+});
+
+// Local state
+const memberLight = ref<MemberLight | null>(null);
+const memberFull = ref<Member | null>(null)
+const loadingFull = ref(false)
+const membersStore = useMemberDirectory();
+
+// Fetch the light member data on mount
+onMounted(async () => {
+    memberLight.value = await membersStore.getLight(props.memberId);
+});
+
+async function loadFull() {
+    if (memberFull.value || loadingFull.value) return
+
+    loadingFull.value = true
+    try {
+        memberFull.value = await membersStore.getFull(props.memberId)
+    } finally {
+        loadingFull.value = false
+    }
+}
+
+watch(() => props.memberId, async (newId) => {
+    memberLight.value = await membersStore.getLight(newId);
+    memberFull.value = null;
+    loadingFull.value = false;
+});
+
+// Compute display name (displayName fallback to username)
+const displayName = computed(() => {
+    if (!memberLight.value) return props.memberId;
+    return memberLight.value.displayName || memberLight.value.username;
+});
+
+const DEFAULT_TEXT_COLOR = '#9ca3af'      // muted gray for text
+const DEFAULT_BG_COLOR = '#d1d5db22'      // muted gray ~20% opacity
+
+const textColor = computed(() => memberLight.value?.color || DEFAULT_TEXT_COLOR)
+const bgColor = computed(() => (memberLight.value?.color ? `${memberLight.value.color}22` : DEFAULT_BG_COLOR))
+
+const hasFullInfo = computed(() => {
+    if (!memberFull.value) return false
+
+    // check if any field has a value
+    const { rank, unit, status } = memberFull.value
+    return !!(rank || unit || status)
+})
+
+function formatDate(date: Date): string {
+    if (!date) return "";
+    date = typeof date === 'string' ? new Date(date) : date;
+    return date.toLocaleDateString("en-US", {
+        year: "numeric",
+        month: "short",
+        day: "numeric",
+    });
+}
+</script>
+
+<template>
+    <Popover @update:open="open => open && loadFull()">
+        <PopoverTrigger @click.stop>
+            <p :class="cn(
+                'px-2 py-1 rounded font-medium inline-flex items-center cursor-pointer'
+            )" :style="{
+                color: textColor,
+                backgroundColor: bgColor
+            }">
+                {{ displayName }}
+            </p>
+        </PopoverTrigger>
+        <PopoverContent class="w-72 p-0 overflow-hidden">
+            <!-- Loading -->
+            <div v-if="loadingFull" class="p-4 text-sm text-muted-foreground">
+                Loading profile…
+            </div>
+
+            <!-- Profile -->
+            <div v-else-if="memberFull">
+                <!-- Header -->
+                <div class="px-4 py-3 relative" :style="{ backgroundColor: `${memberLight?.color}22` }">
+                    <!-- Display name / username -->
+                    <div class="text-lg font-semibold leading-tight" :style="{ color: memberLight?.color }">
+                        {{ displayName }}
+                    </div>
+
+                    <div v-if="memberLight.displayName" class="text-xs text-muted-foreground">
+                        {{ memberLight?.username }}
+                    </div>
+                </div>
+
+                <!-- Body -->
+                <div class="p-4 space-y-3 text-sm">
+                    <!-- Full info -->
+                    <template v-if="hasFullInfo">
+                        <div v-if="memberFull.loa_until"
+                            class=" rounded-md text-center bg-yellow-500/10 px-2 py-1 text-xs text-yellow-600">
+                            On Leave of Absence until {{ formatDate(memberFull.loa_until) }}
+                        </div>
+
+                        <div v-if="memberFull.rank" class="flex justify-between">
+                            <span class="text-muted-foreground">Rank</span>
+                            <span class="font-medium">{{ memberFull.rank }}</span>
+                        </div>
+
+                        <div v-if="memberFull.unit" class="flex justify-between">
+                            <span class="text-muted-foreground">Unit</span>
+                            <span class="font-medium">{{ memberFull.unit }}</span>
+                        </div>
+
+                        <div v-if="memberFull.status" class="flex justify-between">
+                            <span class="text-muted-foreground">Status</span>
+                            <span class="font-medium">{{ memberFull.status }}</span>
+                        </div>
+
+                    </template>
+
+                    <!-- No info fallback -->
+                    <div v-else class="text-sm text-muted-foreground italic">
+                        No user info
+                    </div>
+                </div>
+
+            </div>
+
+            <!-- Not found -->
+            <div v-else class="p-4 text-sm text-muted-foreground">
+                Member not found
+            </div>
+        </PopoverContent>
+
+    </Popover>
+</template>

ui/src/components/ui/spinner/Spinner.vue

@@ -0,0 +1,16 @@
+<script setup>
+import { Loader2Icon } from "lucide-vue-next";
+import { cn } from "@/lib/utils";
+
+const props = defineProps({
+  class: { type: null, required: false },
+});
+</script>
+
+<template>
+  <Loader2Icon
+    role="status"
+    aria-label="Loading"
+    :class="cn('size-4 animate-spin', props.class)"
+  />
+</template>

ui/src/components/ui/spinner/index.js

@@ -0,0 +1 @@
+export { default as Spinner } from "./Spinner.vue";

ui/src/pages/Application.vue

@@ -164,7 +164,7 @@ async function handleDeny(id) {
             </ApplicationForm>
             <div v-if="!newApp" class="pb-15">
                 <h3 class="scroll-m-20 text-2xl font-semibold tracking-tight mb-4">Discussion</h3>
-                <ApplicationChat :messages="chatData" @post="postComment" @post-internal="postCommentInternal">
+                <ApplicationChat :messages="chatData" @post="postComment" @post-internal="postCommentInternal" :admin-mode="finalMode === 'view-recruiter'">
                 </ApplicationChat>
             </div>
         </div>

ui/src/pages/ManageApplications.vue

@@ -15,6 +15,7 @@ import { onMounted, ref, watch } from 'vue';
 import { useRoute, useRouter } from 'vue-router';
 import { CheckIcon, XIcon } from 'lucide-vue-next';
 import Application from './Application.vue';
+import MemberCard from '@/components/members/MemberCard.vue';
 
 const appList = ref([]);
 const now = Date.now();
@@ -113,7 +114,9 @@ onMounted(async () => {
                         <TableBody>
                             <TableRow v-for="app in appList" :key="app.id" class="cursor-pointer"
                                 @click="openApplication(app.id)">
-                                <TableCell class="font-medium">{{ app.member_name }}</TableCell>
+                                <TableCell class="font-medium">
+                                    <MemberCard :memberId="app.member_id"></MemberCard>
+                                </TableCell>
                                 <TableCell :title="formatExact(app.submitted_at)">
                                     {{ formatAgo(app.submitted_at) }}
                                 </TableCell>

ui/src/pages/MyProfile.vue

@@ -0,0 +1,97 @@
+<script setup lang="ts">
+import { onMounted, ref } from "vue";
+import { Card, CardHeader, CardTitle, CardDescription, CardContent, CardFooter } from "@/components/ui/card";
+import { Label } from "@/components/ui/label";
+import { Input } from "@/components/ui/input";
+import { Button } from "@/components/ui/button";
+import { memberSettings } from '@shared/types/member'
+import { getMemberSettings, setMemberSettings } from "@/api/member";
+import Spinner from "@/components/ui/spinner/Spinner.vue";
+import { useMemberDirectory } from "@/stores/memberDirectory";
+import { useUserStore } from "@/stores/user";
+
+const saving = ref(false);
+const loading = ref(true);
+const showLoading = ref(false);
+const form = ref<memberSettings>();
+
+const memberDictionary = useMemberDirectory()
+const userStore = useUserStore()
+
+function saveSettings() {
+    saving.value = true;
+
+    setTimeout(async () => {
+        // Replace with your API save call
+        setMemberSettings(form.value);
+        saving.value = false;
+        console.log(userStore.user.id)
+        memberDictionary.invalidateMember(userStore.user.id)
+    }, 800);
+}
+
+onMounted(async () => {
+    // Start a brief timer before showing the spinner
+    const timer = setTimeout(() => {
+        showLoading.value = true;
+    }, 200); // 150–250ms is ideal
+
+    form.value = await getMemberSettings();
+
+    clearTimeout(timer);
+    loading.value = false;
+    showLoading.value = false; // ensure spinner hides if it was shown
+});
+</script>
+
+
+<template>
+    <div class="mx-auto max-w-3xl w-full py-10 px-6 space-y-10">
+        <!-- Page Header -->
+        <div>
+            <h1 class="scroll-m-20 text-2xl font-semibold tracking-tight">Profile Settings</h1>
+            <p class="text-muted-foreground mt-1">
+                Manage your account information and display preferences.
+            </p>
+        </div>
+
+        <Card>
+            <CardHeader>
+                <CardTitle>Account Info</CardTitle>
+                <CardDescription>Your identity across the platform.</CardDescription>
+            </CardHeader>
+            <Transition name="fade" mode="out-in">
+
+                <CardContent class="space-y-6 min-h-40" v-if="!loading">
+                    <!-- Display Name -->
+                    <div class="grid gap-2">
+                        <Label for="displayName">Display Name</Label>
+                        <Input id="displayName" v-model="form.displayName" placeholder="Your display name" />
+                    </div>
+
+                </CardContent>
+                <CardContent v-else class="min-h-40 space-y-6 flex items-center">
+                    <Spinner v-if="showLoading" class="size-7 flex mx-auto -my-10"></Spinner>
+                </CardContent>
+            </Transition>
+
+            <CardFooter class="flex justify-end">
+                <Button @click="saveSettings" :disabled="saving">
+                    {{ saving ? "Saving..." : "Save Changes" }}
+                </Button>
+            </CardFooter>
+        </Card>
+    </div>
+</template>
+
+<style scoped>
+.fade-enter-active,
+.fade-leave-active {
+    transition: opacity 0.05s ease;
+}
+
+.fade-enter-from,
+.fade-leave-to {
+    opacity: 0;
+}
+</style>

ui/src/pages/TrainingReport.vue

@@ -21,6 +21,7 @@ import SelectValue from '@/components/ui/select/SelectValue.vue';
 import SelectContent from '@/components/ui/select/SelectContent.vue';
 import SelectItem from '@/components/ui/select/SelectItem.vue';
 import Input from '@/components/ui/input/Input.vue';
+import MemberCard from '@/components/members/MemberCard.vue';
 
 enum sidePanelState { view, create, closed };
 
@@ -152,9 +153,13 @@ onMounted(async () => {
                             <TableCell class="font-medium">{{ report.course_name.length > 30 ? report.course_shortname :
                                 report.course_name }}</TableCell>
                             <TableCell>{{ report.date.split('T')[0] }}</TableCell>
-                            <TableCell class="text-right">{{ report.created_by_name === null ? "Unknown User" :
+                            <TableCell class="text-right">
+                                <MemberCard v-if="report.created_by_name" :member-id="report.created_by"></MemberCard>
+                                <span v-else>Unknown User</span>
+                            </TableCell>
+                            <!-- <TableCell class="text-right">{{ report.created_by_name === null ? "Unknown User" :
                                 report.created_by_name
-                                }}</TableCell>
+                            }}</TableCell> -->
                         </TableRow>
                     </TableBody>
                 </Table>
@@ -172,11 +177,14 @@ onMounted(async () => {
                 <div class="flex flex-col mb-5 border rounded-lg bg-muted/70 p-2 py-3 px-4">
                     <p class="scroll-m-20 text-xl font-semibold tracking-tight">{{ focusedTrainingReport.course_name }}
                     </p>
-                    <div class="flex gap-10">
+                    <div class="flex gap-10 items-center">
                         <p class="text-muted-foreground">{{ focusedTrainingReport.event_date.split('T')[0] }}</p>
-                        <p class="">Created by {{ focusedTrainingReport.created_by_name === null ? "Unknown User" :
+                        <p class="flex gap-2 items-center">Created by:
+                            <MemberCard v-if="focusedTrainingReport.created_by"
+                                :member-id="focusedTrainingReport.created_by" />
+                        <p v-else>{{ focusedTrainingReport.created_by_name === null ? "Unknown User" :
                             focusedTrainingReport.created_by_name
-                        }}
+                        }}</p>
                         </p>
                     </div>
                 </div>
@@ -191,7 +199,11 @@ onMounted(async () => {
                         </div>
                         <div v-for="person in focusedTrainingTrainers"
                             class="grid grid-cols-4 py-2 items-center border-b last:border-none">
-                            <p>{{ person.attendee_name }}</p>
+                            <div>
+                                <MemberCard v-if="person.attendee_id" :member-id="person.attendee_id"
+                                    class="justify-self-start"></MemberCard>
+                                <p v-else>{{ person.attendee_name }}</p>
+                            </div>
                             <p class="">{{ person.role.name }}</p>
                             <p class="col-span-2 text-right px-2"
                                 :class="person.remarks == '' ? 'text-muted-foreground' : ''">
@@ -213,7 +225,11 @@ onMounted(async () => {
                         </div>
                         <div v-for="person in focusedTrainingTrainees"
                             class="grid grid-cols-5 py-2 items-center border-b last:border-none">
-                            <p>{{ person.attendee_name }}</p>
+                            <div>
+                                <MemberCard v-if="person.attendee_id" :member-id="person.attendee_id"
+                                    class="justify-self-start"></MemberCard>
+                                <p v-else>{{ person.attendee_name }}</p>
+                            </div>
                             <Checkbox :disabled="!focusedTrainingReport.course.hasQual"
                                 :model-value="person.passed_bookwork" class="pointer-events-none ml-5">
                             </Checkbox>
@@ -242,7 +258,11 @@ onMounted(async () => {
                         </div>
                         <div v-for="person in focusedNoShows"
                             class="grid grid-cols-5 py-2 items-center border-b last:border-none">
-                            <p>{{ person.attendee_name }}</p>
+                            <div>
+                                <MemberCard v-if="person.attendee_id" :member-id="person.attendee_id"
+                                    class="justify-self-start"></MemberCard>
+                                <p v-else>{{ person.attendee_name }}</p>
+                            </div>
                             <!-- <Checkbox :default-value="person.passed_bookwork ? true : false" class="pointer-events-none">
                             </Checkbox>
                             <Checkbox :default-value="person.passed_qual ? true : false" class="pointer-events-none">

ui/src/router/index.js

@@ -16,10 +16,11 @@ const router = createRouter({
     { path: '/members', component: () => import('@/pages/memberList.vue'), meta: { requiresAuth: true, memberOnly: true } },
     { path: '/loa', component: () => import('@/pages/SubmitLOA.vue'), meta: { requiresAuth: true, memberOnly: true } },
     { path: '/transfer', component: () => import('@/pages/Transfer.vue'), meta: { requiresAuth: true, memberOnly: true } },
+    { path: '/profile', component: () => import('@/pages/MyProfile.vue'), meta: { requiresAuth: true, memberOnly: true } },
 
 
-    { path: '/calendar', component: () => import('@/pages/Calendar.vue'), meta: { requiresAuth: true, memberOnly: true }, },
+    { path: '/calendar', component: () => import('@/pages/Calendar.vue') },
-    { path: '/calendar/event/:id', component: () => import('@/pages/Calendar.vue'), meta: { requiresAuth: true, memberOnly: true }, },
+    { path: '/calendar/event/:id', component: () => import('@/pages/Calendar.vue') },
 
     // disabled in favor of linking 
     // { path: '/documents', component: () => import('@/pages/Documentation.vue'), meta: { requiresAuth: true, memberOnly: true }, },
@@ -31,7 +32,7 @@ const router = createRouter({
     // ADMIN / STAFF ROUTES
     {
       path: '/administration',
-      meta: { requiresAuth: true, memberOnly: true, roles: ['staff', 'admin'] },
+      meta: { requiresAuth: true, memberOnly: true, roles: ['17th Administrator', '17th HQ', '17th Command'] },
       children: [
         { path: 'applications', component: () => import('@/pages/ManageApplications.vue') },
         { path: 'applications/:id', component: () => import('@/pages/ManageApplications.vue') },

ui/src/stores/memberDirectory.ts

@@ -0,0 +1,140 @@
+import { defineStore } from "pinia"
+import type { MemberLight, Member } from "@shared/types/member"
+import { getLightMembers, getFullMembers } from "@/api/member"
+import { reactive, ref } from "vue"
+import { resolve } from "path"
+import { rejects } from "assert"
+
+export const useMemberDirectory = defineStore('memberDirectory', () => {
+    const light = reactive<Record<number, MemberLight>>({});
+    const full = reactive<Record<number, Member>>({})
+
+    function getLight(id: number): Promise<MemberLight> {
+        if (light[id]) return Promise.resolve(light[id]);
+
+        if (!lightWaiters.has(id)) {
+            pendingLight.add(id);
+            lightWaiters.set(id, []);
+        }
+
+        scheduleBatch();
+
+        return new Promise<MemberLight>((resolve, reject) => {
+            lightWaiters.get(id)!.push({ resolve, reject })
+        })
+    }
+
+    function getFull(id: number): Promise<Member> {
+        if (full[id]) return Promise.resolve(full[id])
+
+        if (!fullWaiters.has(id)) {
+            pendingFull.add(id)
+            fullWaiters.set(id, [])
+        }
+
+        scheduleBatch()
+
+        return new Promise<Member>((resolve, reject) => {
+            fullWaiters.get(id)!.push({ resolve, reject })
+        })
+    }
+
+    function invalidateMember(id: number) {
+        delete light[id]
+        delete full[id]
+    }
+
+    //batching system
+    const pendingLight = new Set<number>()
+    const pendingFull = new Set<number>()
+
+    // promises
+    const lightWaiters = new Map<number, Array<{ resolve: (m: MemberLight) => void; reject: (e: any) => void }>>()
+    const fullWaiters = new Map<number, Array<{ resolve: (m: Member) => void; reject: (e: any) => void }>>()
+
+    let batchTimer: ReturnType<typeof setTimeout> | null = null;
+
+    function scheduleBatch() {
+        if (batchTimer) return
+
+        batchTimer = setTimeout(async () => {
+            batchTimer = null;
+
+            //Batch light
+            if (pendingLight.size > 0) {
+                const ids = Array.from(pendingLight);
+                pendingLight.clear();
+
+                try {
+                    const res = await getLightMembers(ids);
+                    for (const m of res) {
+                        light[m.id] = m;
+
+                        const waiters = lightWaiters.get(m.id);
+                        if (waiters) {
+                            for (const w of waiters) w.resolve(m)
+                            lightWaiters.delete(m.id)
+                        }
+                    }
+
+                    for (const id of ids) {
+                        if (!light[id]) {
+                            const waiters = lightWaiters.get(id);
+                            if (waiters) {
+                                for (const w of waiters) w.reject("Not found");
+                                lightWaiters.delete(id);
+                            }
+                        }
+                    }
+                } catch (error) {
+                    for (const id of ids) {
+                        const waiters = lightWaiters.get(id);
+                        if (waiters) {
+                            for (const w of waiters) w.reject(error);
+                            lightWaiters.delete(id);
+                        }
+                    }
+                }
+            }
+
+            //batch full
+            if (pendingFull.size > 0) {
+                const ids = Array.from(pendingFull);
+                pendingFull.clear();
+
+                try {
+                    const res = await getFullMembers(ids);
+                    for (const m of res) {
+                        full[m.member_id] = m;
+
+                        const waiters = fullWaiters.get(m.member_id);
+                        if (waiters) {
+                            for (const w of waiters) w.resolve(m)
+                            fullWaiters.delete(m.member_id);
+                        }
+                    }
+
+                    for (const id of ids) {
+                        if (!light[id]) {
+                            const waiters = fullWaiters.get(id);
+                            if (waiters) {
+                                for (const w of waiters) w.reject("Not found");
+                                fullWaiters.delete(id);
+                            }
+                        }
+                    }
+                } catch (error) {
+                    for (const id of ids) {
+                        const waiters = fullWaiters.get(id);
+                        if (waiters) {
+                            for (const w of waiters) w.reject(error);
+                            fullWaiters.delete(id);
+                        }
+                    }
+                }
+            }
+        })
+    }
+
+    return { light, full, getLight, getFull, invalidateMember }
+})

ui/src/stores/user.ts

@@ -1,5 +1,8 @@
-import { ref, computed } from 'vue'
+import { ref, computed, watch } from 'vue'
 import { defineStore } from 'pinia'
+import { useRoute, useRouter } from 'vue-router'
+
+const POLL_INTERVAL = 10_000
 
 export const useUserStore = defineStore('user', () => {
     const user = ref(null)
@@ -33,5 +36,57 @@ export const useUserStore = defineStore('user', () => {
         return requiredRoles.some(r => roles.value.has(r))
     }
 
+    const route = useRoute();
+    const router = useRouter();
+    watch(user, (newUser) => {
+        if (!newUser) return
+        console.log(newUser);
+
+        const currentRoute = route.meta
+
+        // Member-only route
+        if (currentRoute.memberOnly && state.value !== 'member') {
+            router.replace('/unauthorized')
+            return
+        }
+
+        // Role-based route
+        if (currentRoute.roles && !hasRole('Dev') && !hasAnyRole(currentRoute.roles as string[])) {
+            return '/unauthorized'
+        }
+    },
+        { deep: true } // deep watch ensures nested changes trigger
+    )
+
+    //polling system
+    let pollTimeout: number | null = null
+    let polling = false;
+    let lastVersion: string | null = null
+
+    async function poll() {
+        // Only poll if tab is visible
+        if (document.hidden) {
+            polling = false;
+            return
+        }
+
+        await loadUser();
+
+        scheduleNext()
+    }
+
+    function scheduleNext() {
+        polling = true;
+        pollTimeout = window.setTimeout(poll, POLL_INTERVAL)
+    }
+
+    poll() //start polling
+
+    document.addEventListener('visibilitychange', () => {
+        if (!document.hidden && polling === false) {
+            poll()
+        }
+    })
+
     return { user, isLoggedIn, roles, loadUser, loaded, hasAnyRole, hasRole, state }
 })