ilios · stopfstedt · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026
@@ -44,6 +44,15 @@ export default class ApplicationController extends Controller {
     return '';
   }
 
+  get hasLtiApplicationScope() {
+    const applicationScope = this.currentUser.applicationScope ?? '';
+    return applicationScope.startsWith('lti-');
+  }
+
+  get hasNavigation() {
+    return this.currentUser.performsNonLearnerFunction && !this.hasLtiApplicationScope;
+  }
+
   @action
   clearErrors() {
     this.errors = [];

@@ -14,43 +14,42 @@ import FlashMessages from 'frontend/components/flash-messages';
     <ConnectionStatus />
     <ApiVersionNotice />
     <UpdateNotification />
-    <div
-      class="application-wrapper{{if
-          @controller.currentUser.performsNonLearnerFunction
-          ' show-navigation'
-        }}"
-    >
-      <IliosHeader />
-      <div class="ilios-logo">
-        <LinkTo @route="dashboard" title={{t "general.dashboard"}}>
-          <picture>
-            <source
-              srcset="/assets/images/ilios-logo.svg"
-              media="(min-width: 400px)"
-              alt={{t "general.logo"}}
-            />
-            <img src="/assets/images/sunburst.svg" alt={{t "general.logo"}} />
-          </picture>
+    <div class="application-wrapper{{if @controller.hasNavigation ' show-navigation'}}">
+      {{#unless @controller.hasLtiApplicationScope}}
+        <IliosHeader />
+        <div class="ilios-logo">
+          <LinkTo @route="dashboard" title={{t "general.dashboard"}}>
+            <picture>
+              <source
+                srcset="/assets/images/ilios-logo.svg"
+                media="(min-width: 400px)"
+                alt={{t "general.logo"}}
+              />
+              <img src="/assets/images/sunburst.svg" alt={{t "general.logo"}} />
+            </picture>
 
-        </LinkTo>
-      </div>
-      {{#if @controller.session.isAuthenticated}}
-        <IliosNavigation />
-      {{/if}}
+          </LinkTo>
+        </div>
+        {{#if @controller.session.isAuthenticated}}
+          <IliosNavigation />
+        {{/if}}
+      {{/unless}}
       <main id="main">
         {{#if @controller.showErrorDisplay}}
           <ErrorDisplay @errors={{@controller.errors}} @clearErrors={{@controller.clearErrors}} />
         {{else}}
           {{outlet}}
         {{/if}}
       </main>
-      <footer class="ilios-footer">
-        <div class="version">
-          {{@controller.iliosVersionTag}}
-          {{@controller.apiVersionTag}}
-          {{@controller.frontendVersionTag}}
-        </div>
-      </footer>
+      {{#unless @controller.hasLtiApplicationScope}}
+        <footer class="ilios-footer">
+          <div class="version">
+            {{@controller.iliosVersionTag}}
+            {{@controller.apiVersionTag}}
+            {{@controller.frontendVersionTag}}
+          </div>
+        </footer>
+      {{/unless}}
     </div>
     <FlashMessages />
   </div>

@@ -0,0 +1,32 @@
+import { module, test } from 'qunit';
+import { visit } from '@ember/test-helpers';
+import { setupAuthentication } from 'ilios-common';
+import { setupApplicationTest, takeScreenshot } from 'frontend/tests/helpers';
+
+module('Acceptance | Application layout', function (hooks) {
+  setupApplicationTest(hooks);
+
+  test('layout with LTI-scoped authentication token', async function (assert) {
+    await setupAuthentication({}, true, { application_scope: 'lti-dashboard' });
+    await visit('/');
+    assert.dom('.application-wrapper').doesNotHaveClass('show-navigation');
+    assert.dom('header.ilios-header').doesNotExist();
+    assert.dom('.ilios-logo').doesNotExist();
+    assert.dom('[data-test-ilios-navigation]').doesNotExist();
+    assert.dom('#main').exists();
+    assert.dom('footer.ilios-footer').doesNotExist();
+    await takeScreenshot(assert);
+  });
+
+  test('layout with non LTI-scoped authentication token', async function (assert) {
+    await setupAuthentication({}, true);
+    await visit('/');
+    assert.dom('.application-wrapper').hasClass('show-navigation');
+    assert.dom('header.ilios-header').exists();
+    assert.dom('.ilios-logo').exists();
+    assert.dom('[data-test-ilios-navigation]').exists();
+    assert.dom('#main').exists();
+    assert.dom('footer.ilios-footer').exists();
+    await takeScreenshot(assert);
+  });
+});
@@ -6,9 +6,10 @@ const defaultUserId = 100;
 export default async function (
   userObject = { id: defaultUserId },
   performsNonLearnerFunction = false,
+  jwtOptions = {},
 ) {
   const userId = userObject && 'id' in userObject ? userObject.id : defaultUserId;
-  const jwtObject = {
+  let jwtObject = {
     user_id: userId,
   };
   const nonLearnerFunctions = [
@@ -31,6 +32,13 @@ export default async function (
   if (performsNonLearnerFunction || hasNonLearnerFunctionInPassedData) {
     jwtObject['performs_non_learner_function'] = true;
   }
+  // KLUDGE!
+  // merge options into JWT.
+  // this is quite bad, since this has the potential to clobber previously set values.
+  // alas, rewriting the whole thing is not in scope, so let's cheese it like this for now.
+  // TODO: clean this up [ST 2026/06/03]
+  jwtObject = { ...jwtObject, ...jwtOptions };
+
   const encodedData = window.btoa('') + '.' + window.btoa(JSON.stringify(jwtObject)) + '.';
   const token = {
     jwt: encodedData,

@@ -85,21 +85,40 @@ export default class CurrentUserService extends Service {
     });
   }
 
-  getBooleanAttributeFromToken(attribute) {
+  /**
+   * Returns the decoded JWT from the current user session.
+   * @returns {object|null}
+   */
+  get decodedJwt() {
     const session = this.session;
     if (isEmpty(session)) {
-      return false;
+      return null;
     }
 
     const jwt = session.get('data.authenticated.jwt');
 
     if (isEmpty(jwt)) {
-      return false;
+      return null;
     }
-    const obj = jwtDecode(jwt);
+    return jwtDecode(jwt);
+  }
 
-    return !!get(obj, attribute);
+  getBooleanAttributeFromToken(attribute) {
+    if (this.decodedJwt) {
+      return !!get(this.decodedJwt, attribute);
+    }
+    return false;
   }
+
+  get applicationScope() {
+    if (!this.decodedJwt) {
+      return null;
+    }
+    return Object.hasOwn(this.decodedJwt, 'application_scope')
+      ? this.decodedJwt['application_scope']
+      : null;
+  }
+
   get isRoot() {
     return this.getBooleanAttributeFromToken('is_root');
   }

@@ -297,4 +297,17 @@ module('Integration | Service | Current User', function (hooks) {
   skip('requireNonLearner', function (/* assert */) {
     // TODO: implement.
   });
+
+  test('application scope', async function (assert) {
+    // check the current session user's JWT for an application scope value. it doesn't have one.
+    const subject = this.owner.lookup('service:current-user');
+    assert.strictEqual(subject.applicationScope, null);
+
+    // now re-authenticate with a token that carries an "application_scope" attribute.
+    await invalidateSession();
+    await authenticateSession({
+      jwt: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwidXNlcl9pZCI6MTAwLCJhcHBsaWNhdGlvbl9zY29wZSI6Imx0aS1kYXNoY2FtIn0.hM_QXikx6hAt-dhorqDp2QKFAHMIYUGkS74Guug55lE',
+    });
+    assert.strictEqual(subject.applicationScope, 'lti-dashcam');
+  });
 });