Authentication & Account Management

The current app uses Keycloak as the real sign-in authority.

That means:

the frontend redirects through Keycloak
Keycloak manages the session lifetime
repository-linked providers such as GitHub and GitLab can be used as brokered identity providers
other providers can exist if your Keycloak realm is configured for them

Go to the sign-in page.

The app redirects into Keycloak and returns once authentication is finished.

The app stores its own session state, but protected operations still depend on a valid Keycloak-backed access/refresh chain.

After sign-in, the user is returned to the dashboard or the page they were trying to open.

Session Expiry Behavior

The current frontend is already designed to react when the Keycloak session expires.

Current behavior includes:

periodic session heartbeat checks
automatic redirect back to sign-in when Keycloak is no longer refreshable
profile and avatar actions failing cleanly if the underlying session has expired

In practice, the real protected-session lifetime follows your Keycloak realm settings, not just the frontend cookie duration.

Current profile capabilities include:

The current implementation also keeps profile UI state synchronized more smoothly across the profile page, navbar, and sidebar.

The current product is primarily user-scoped:

users manage their own projects
users manage their own database deployments
project and deployment controllers look up data against the authenticated user identity

That ownership model is a safer thing to document than a large RBAC matrix that may not fully match every deployment environment.

For the current repo, avoid documenting:

a standalone local username/password account system
a complete public role matrix unless you are documenting your exact deployed Keycloak realm configuration
provider-specific features that are not exposed in the current UI flow