🔐 User Access Management - Quick Admin Guide

For Megan: How to add/remove website access quickly

🎯 How Authentication Actually Works¶

Two sources give people access:

1. 📋 Google Sheets (Current System)¶

• Anyone in LabCatalog People tab

• Must have Lab field containing “Cognitive”

• Uses whatever email is in their row (UCI, Gmail, anything)

• Problem: Alumni/former members still have access unless manually blocked

2. ⚙️ Hardcoded List¶

• ALWAYS_ALLOWED_EMAILS - requires code changes

• Immediate control, no spreadsheet dependency

⚡ Quick Actions (Current System)¶

✅ Add Someone¶

1. Put them in Google Sheets with Lab = “Cognitive & Neural Computation Lab”

2. OR add their email to hardcoded list (requires code change)

❌ Remove Someone¶

1. Add their name to blocklist (see below) - blocks them even if in sheets

⚠️ Current System Issues¶

Problems with current authentication:

• Google Sheets filtering by Lab field is complex

• Alumni remain unless manually blocked by name

• Up to 1-hour cache delay for changes

• Mix of sheet management + code changes required

• Hard to audit who currently has access

🛠 How to Edit the Hardcoded List¶

Files to Edit (BOTH required):¶

1. api/auth/whitelist.js - line 18

2. server/api/auth.js - line 20

Current List:¶

const ALWAYS_ALLOWED_EMAILS = [
  'uci.cnclab@gmail.com',      // Service account  
  'peters.megan@gmail.com',    // Megan's personal
  'emilolsson94@gmail.com'     // Emil's personal
];

To Add Personal Gmail:¶

const ALWAYS_ALLOWED_EMAILS = [
  'uci.cnclab@gmail.com',
  'peters.megan@gmail.com',
  'emilolsson94@gmail.com',
  'newperson@gmail.com'        // ADD HERE
];

To Remove Personal Gmail:¶

Just delete their line from both arrays.

🚫 How to Block Someone (Emergency)¶

Add their full name to the blocklist in both files:

const NON_CNC_MEMBERS = [
  'Aaron Bornstein',
  'Rachel Denison', 
  'Jorge Morales',
  'Travis E. Baker',
  'Blocked Person Name'  // ADD HERE
];

This works even if they have UCI email or are in the spreadsheet.

📍 Summary (Current System)¶

• ✅ Add someone: Put in Google Sheets with Lab=“Cognitive...”

• ✅ Or: Add email to ALWAYS_ALLOWED_EMAILS (code change)

• ❌ Block someone: Add name to NON_CNC_MEMBERS (code change)

• ⏱ Changes: Sheets = up to 1 hour, Code = immediate after deploy

🚨 Emergency Access Removal¶

1. Add person’s full name to NON_CNC_MEMBERS blocklist

2. Commit & push → deploys immediately

3. They lose access within minutes

🔍 How to Check Current Access¶

To see who currently has access:

1. Check GET /api/auth/whitelist endpoint

2. Or run the whitelist script: node scripts/getDocsWhitelist.js

Current authorized emails include:

• Anyone in Google Sheets with Lab containing “Cognitive”

• Plus hardcoded emails in ALWAYS_ALLOWED_EMAILS

• Minus anyone in the NON_CNC_MEMBERS blocklist