OIDC로 빠지는 분기 점검 login_challenge 복구 fallback 추가

2026-02-19 13:54:40 +09:00
parent f617467082
commit 33660cfdcf
7 changed files with 400 additions and 4 deletions
--- a/userfront/lib/features/auth/presentation/login_screen.dart
+++ b/userfront/lib/features/auth/presentation/login_screen.dart
@@ -11,6 +11,7 @@ import '../../../core/services/auth_proxy_service.dart';
 import '../../../core/services/auth_token_store.dart';
 import '../../../core/services/oidc_redirect_guard.dart';
 import '../../../core/notifiers/auth_notifier.dart';
+import '../domain/login_challenge_resolver.dart';
 import '../domain/password_login_flow_policy.dart';
 import '../../profile/domain/notifiers/profile_notifier.dart';
 import '../../../core/services/web_window.dart';
@@ -99,8 +100,12 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
        }
      }

-      _loginChallenge =
-          widget.loginChallenge ?? uri.queryParameters['login_challenge'];
+      final challengeResolution = _resolveLoginChallenge(uri);
+      _loginChallenge = challengeResolution.value;
+      _logLoginChallengeDiagnostics(
+        phase: 'init',
+        resolution: challengeResolution,
+      );
      final loginIdParam = uri.queryParameters['loginId'];
      final codeParam = uri.queryParameters['code'];
      final pendingRefParam = uri.queryParameters['pendingRef'];
@@ -273,6 +278,32 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
  bool get _hasLoginChallenge =>
      _loginChallenge != null && _loginChallenge!.isNotEmpty;

+  LoginChallengeResolution _resolveLoginChallenge(Uri uri) {
+    return resolveLoginChallenge(
+      widgetLoginChallenge: widget.loginChallenge,
+      uri: uri,
+      rawSearch: webWindow.currentSearch(),
+      rawHref: webWindow.currentHref(),
+    );
+  }
+
+  void _logLoginChallengeDiagnostics({
+    required String phase,
+    required LoginChallengeResolution resolution,
+  }) {
+    final current = Uri.base;
+    final currentQueryKeys = current.queryParameters.keys.toList()..sort();
+    final payload = <String, Object?>{
+      'phase': phase,
+      'current_path': current.path,
+      'current_query_keys': currentQueryKeys,
+      'stored_has_login_challenge': _hasLoginChallenge,
+      'stored_login_challenge_len': _loginChallenge?.length ?? 0,
+      ...resolution.toDiagnostics(),
+    };
+    debugPrint("[Auth] login_challenge diagnostics: ${jsonEncode(payload)}");
+  }
+
  void _logOidcRedirectDiagnostics({
    required String source,
    required OidcRedirectCheckResult checked,
@@ -864,6 +895,15 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
    }

    try {
+      final challengeResolution = _resolveLoginChallenge(Uri.base);
+      if (!_hasLoginChallenge && challengeResolution.value != null) {
+        _loginChallenge = challengeResolution.value;
+      }
+      _logLoginChallengeDiagnostics(
+        phase: 'password_submit',
+        resolution: challengeResolution,
+      );
+
      final res = await AuthProxyService.loginWithPassword(
        loginId,
        password,
@@ -883,6 +923,11 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
      debugPrint(
        "[Auth] Password login outcome: has_login_challenge=$_hasLoginChallenge, next_action=$nextAction, has_jwt=$hasJwt",
      );
+      if (!_hasLoginChallenge) {
+        debugPrint(
+          "[Auth] WARNING: password login proceeded without login_challenge; treated as local login flow",
+        );
+      }

      switch (nextAction) {
        case PasswordLoginNextAction.redirectToOidc: