From c064ec16cfc82a9c89f99f49f18da7ea8f70c720 Mon Sep 17 00:00:00 2001
From: Joseph Doherty
Date: Tue, 26 May 2026 14:47:53 -0400
Subject: [PATCH] fix(security,adminui): logout redirects to /login + restyle login card
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Two small UX fixes:
- AuthEndpoints.LogoutAsync now redirects browser callers to /login after SignOutAsync instead of returning 204 NoContent. 204 was correct for the REST contract but left browsers stuck on the page they came from (the cookie was cleared but no navigation happened, so "Sign out" appeared to do nothing). API callers can still opt into the status-only behavior by sending `Accept: application/json`.
- Login.razor drops the .panel-head top strip; the sign-in card now reads as a self-contained form with an inline title "MxAccess Gateway Admin — sign in". Added a .login-title CSS class to site.css that matches the panel-head's typographic weight without the bar.
---
 .../Components/Pages/Login.razor | 4 ++--
 .../ZB.MOM.WW.OtOpcUa.AdminUI/wwwroot/css/site.css | 10 ++++++++++
 .../Endpoints/AuthEndpoints.cs | 9 ++++++++-
 3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Login.razor b/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Login.razor
index 6a4d5d4..f9c88cc 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Login.razor
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Login.razor
@@ -10,8 +10,8 @@
-
OtOpcUa Admin — sign in
-
+
+

MxAccess Gateway Admin — sign in

@if (ReturnUrl is not null) {
diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/wwwroot/css/site.css b/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/wwwroot/css/site.css
index 6bced4c..86474a5 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/wwwroot/css/site.css
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/wwwroot/css/site.css
@@ -49,6 +49,16 @@
 }
 }
+/* Login card title. Replaces the panel-head top strip on the login page so the
+ card reads as a self-contained sign-in form, not a tabbed panel. */
+.login-title {
+ margin: 0 0 1.1rem 0;
+ font-size: 1.05rem;
+ font-weight: 600;
+ letter-spacing: 0.01em;
+ color: var(--ink);
+}
+
 /* Brand block pinned at the top of the side rail. Mirrors ScadaLink's .sidebar .brand styling — used now that the top app-bar was dropped. */
 .side-rail .brand {
diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.Security/Endpoints/AuthEndpoints.cs b/src/Server/ZB.MOM.WW.OtOpcUa.Security/Endpoints/AuthEndpoints.cs
index 094f81d..03f685d 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Security/Endpoints/AuthEndpoints.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Security/Endpoints/AuthEndpoints.cs
@@ -115,6 +115,13 @@ public static class AuthEndpoints
 private static async Task LogoutAsync(HttpContext http)
 {
 await http.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
- return Results.NoContent();
+
+ // Browser form POST → redirect to /login so the user lands somewhere visible.
+ // API callers that prefer the status-only contract should hit the endpoint with
+ // Accept: application/json and we'll hand them a 204 instead.
+ var wantsJson = http.Request.Headers.Accept.Any(v =>
+ v?.Contains("application/json", StringComparison.OrdinalIgnoreCase) == true);
+ if (wantsJson) return Results.NoContent();
+ return Results.Redirect("/login");
 }
 }
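Review bot: The `wantsJson` check in LogoutAsync makes the redirect the default, so any existing caller that sends `*/*` or no Accept header (scripts, `fetch` without explicit headers) silently moves from 204 to a 302 to `/login`, and a client that treated 204 as confirmation of sign-out now gets the login page's HTML if it follows redirects. The substring match also ignores q-values, so `application/json;q=0` still selects the 204. Detecting the browser case explicitly keeps the old contract as the default: `var wantsHtml = http.Request.Headers.Accept.Any(v => v?.Contains("text/html", StringComparison.OrdinalIgnoreCase) == true);` followed by `return wantsHtml ? Results.Redirect("/login") : Results.NoContent();`. The target is a fixed local path, so the redirect itself adds no open-redirect surface; the route mapping is outside this hunk, so whether the POST requires an antiforgery token should be confirmed there, since a cross-site forced logout would now also navigate the user to the sign-in form.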