@page "/account"
@* v1's Account page surfaced per-cluster role grants alongside identity. v2 dropped per-cluster
   grants in favour of fleet-wide LDAP-group → role mapping (Q4 of the AdminUI rebuild plan), so
   this version only shows identity + the resolved fleet roles + raw LDAP groups for
   troubleshooting. *@
@attribute [Microsoft.AspNetCore.Authorization.Authorize]
@using System.Security.Claims

<div class="d-flex justify-content-between align-items-center mb-3">
    <h4 class="mb-0">My account</h4>
</div>

<AuthorizeView>
    <Authorized>
        @{
            var username = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value
                          ?? context.User.Identity?.Name ?? "—";
            var displayName = context.User.Identity?.Name ?? "—";
            var roles = context.User.Claims
                .Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value)
                .OrderBy(s => s, StringComparer.OrdinalIgnoreCase).ToList();
            var ldapGroups = context.User.Claims
                .Where(c => c.Type == "ldap_group").Select(c => c.Value)
                .OrderBy(s => s, StringComparer.OrdinalIgnoreCase).ToList();
        }

        <section class="card-grid rise" style="animation-delay:.02s">
            <div class="metric-card">
                <div class="panel-head">Identity</div>
                <div class="kv"><span class="k">Username</span><span class="v mono">@username</span></div>
                <div class="kv"><span class="k">Display name</span><span class="v">@displayName</span></div>
            </div>

            <div class="metric-card">
                <div class="panel-head">Fleet roles</div>
                <div class="kv">
                    <span class="k">Resolved roles</span>
                    <span class="v">
                        @if (roles.Count == 0)
                        {
                            <span class="text-muted">none — sign-in should have been blocked; session claim is likely stale</span>
                        }
                        else
                        {
                            @foreach (var r in roles)
                            {
                                <span class="chip chip-idle me-1">@r</span>
                            }
                        }
                    </span>
                </div>
                <div class="kv">
                    <span class="k">LDAP groups</span>
                    <span class="v">
                        @if (ldapGroups.Count == 0)
                        {
                            <span class="text-muted">none</span>
                        }
                        else
                        {
                            @foreach (var g in ldapGroups)
                            {
                                <span class="chip me-1 mono">@g</span>
                            }
                        }
                    </span>
                </div>
            </div>
        </section>

        <section class="panel notice rise" style="animation-delay:.08s">
            Fleet roles come from LDAP group membership via the
            <span class="mono">Authentication:Ldap:GroupToRole</span> mapping. To change them,
            edit the LDAP group on the directory server; the next sign-in picks up the change.
            Sign out + sign back in to refresh the cookie claim.
        </section>
    </Authorized>
</AuthorizeView>