프론트엔드 동의 화면 추가 및 OIDC 로그인 흐름 완성

2026-02-02 14:45:04 +09:00
parent 849424f030
commit 3a3ea4879e
4 changed files with 215 additions and 42 deletions
--- a/userfront/lib/core/services/auth_proxy_service.dart
+++ b/userfront/lib/core/services/auth_proxy_service.dart
@@ -2,6 +2,7 @@ import 'dart:convert';
 import 'package:http/http.dart' as http;
 import 'package:flutter_dotenv/flutter_dotenv.dart';
 import 'http_client.dart';
 import 'dart:html' as html;
 class AuthProxyService {
  static String _envOrDefault(String key, String fallback) {
@@ -196,23 +197,60 @@ class AuthProxyService {
    }
  }
-  static Future<Map<String, dynamic>> loginWithPassword(String loginId, String password) async {
+  static Future<Map<String, dynamic>> loginWithPassword(String loginId, String password, {String? loginChallenge}) async {
    final url = Uri.parse('$_baseUrl/api/v1/auth/password/login');
    final payload = {
      'loginId': loginId,
      'password': password,
      if (loginChallenge != null && loginChallenge.isNotEmpty) 'login_challenge': loginChallenge,
    };
    final response = await http.post(
      url,
      headers: {'Content-Type': 'application/json'},
-      body: jsonEncode({
+      body: jsonEncode(payload),
-        'loginId': loginId,
+    );
-        'password': password,
+
-      }),
+    if (response.statusCode == 200) {
      final data = jsonDecode(response.body);
      if (data['redirectTo'] != null && data['redirectTo'].isNotEmpty) {
        html.window.location.href = data['redirectTo'];
      }
      return data;
    } else {
      final errorBody = jsonDecode(response.body);
      throw Exception(errorBody['error'] ?? 'Failed to login');
    }
  }
  static Future<Map<String, dynamic>> getConsentInfo(String consentChallenge) async {
    final url = Uri.parse('$_baseUrl/api/v1/auth/consent').replace(queryParameters: {'consent_challenge': consentChallenge});
    final response = await http.get(
      url,
      headers: {'Content-Type': 'application/json'},
    );
    if (response.statusCode == 200) {
      return jsonDecode(response.body);
    } else {
      final errorBody = jsonDecode(response.body);
-      throw Exception(errorBody['error'] ?? 'Failed to login');
+      throw Exception(errorBody['error'] ?? 'Failed to get consent info');
    }
  }
  static Future<Map<String, dynamic>> acceptConsent(String consentChallenge) async {
    final url = Uri.parse('$_baseUrl/api/v1/auth/consent/accept');
    final response = await http.post(
      url,
      headers: {'Content-Type': 'application/json'},
      body: jsonEncode({'consent_challenge': consentChallenge}),
    );
    if (response.statusCode == 200) {
      return jsonDecode(response.body);
    } else {
      final errorBody = jsonDecode(response.body);
      throw Exception(errorBody['error'] ?? 'Failed to accept consent');
    }
  }
--- a/userfront/lib/features/auth/presentation/consent_screen.dart
+++ b/userfront/lib/features/auth/presentation/consent_screen.dart
@@ -0,0 +1,123 @@
 import 'dart:html' as html;
 import 'package:flutter/material.dart';
 import 'package:userfront/core/services/auth_proxy_service.dart';
 class ConsentScreen extends StatefulWidget {
  final String consentChallenge;
  const ConsentScreen({super.key, required this.consentChallenge});
  @override
  State<ConsentScreen> createState() => _ConsentScreenState();
 }
 class _ConsentScreenState extends State<ConsentScreen> {
  Map<String, dynamic>? _consentInfo;
  bool _isLoading = true;
  String? _error;
  @override
  void initState() {
    super.initState();
    _fetchConsentInfo();
  }
  Future<void> _fetchConsentInfo() async {
    try {
      final info = await AuthProxyService.getConsentInfo(widget.consentChallenge);
      setState(() {
        _consentInfo = info;
        _isLoading = false;
      });
    } catch (e) {
      setState(() {
        _error = 'Failed to load consent information: $e';
        _isLoading = false;
      });
    }
  }
  Future<void> _acceptConsent() async {
    setState(() {
      _isLoading = true;
      _error = null;
    });
    try {
      final result =
          await AuthProxyService.acceptConsent(widget.consentChallenge);
      if (result['redirectTo'] != null) {
        html.window.location.href = result['redirectTo'];
      } else {
        setState(() {
          _error = 'Consent accepted, but no redirect URL received.';
          _isLoading = false;
        });
      }
    } catch (e) {
      setState(() {
        _error = 'Failed to accept consent: $e';
        _isLoading = false;
      });
    }
  }
  @override
  Widget build(BuildContext context) {
    return Scaffold(
      appBar: AppBar(title: const Text('Grant Access')),
      body: Center(
        child: _isLoading
            ? const CircularProgressIndicator()
            : _error != null
                ? Text(_error!, style: const TextStyle(color: Colors.red))
                : _consentInfo != null
                    ? Card(
                        elevation: 4,
                        margin: const EdgeInsets.all(16),
                        child: Padding(
                          padding: const EdgeInsets.all(24.0),
                          child: Column(
                            mainAxisSize: MainAxisSize.min,
                            children: [
                              Text(
                                '${_consentInfo!['client']?['client_name'] ?? 'An application'} wants to access your account',
                                style: Theme.of(context).textTheme.headlineSmall,
                                textAlign: TextAlign.center,
                              ),
                              const SizedBox(height: 24),
                              const Text('This will allow the application to:'),
                              const SizedBox(height: 16),
                              if (_consentInfo!['requested_scope'] != null)
                                ...(_consentInfo!['requested_scope'] as List)
                                    .map((scope) => ListTile(
                                          leading: const Icon(Icons.check_circle_outline),
                                          title: Text(scope.toString()),
                                        ))
                                    .toList(),
                              const SizedBox(height: 24),
                              Row(
                                mainAxisAlignment: MainAxisAlignment.spaceEvenly,
                                children: [
                                  TextButton(
                                    onPressed: () {
                                      // TODO: Implement reject consent
                                      html.window.alert('Consent rejected. You can close this window.');
                                    },
                                    child: const Text('Deny'),
                                  ),
                                  ElevatedButton(
                                    onPressed: _acceptConsent,
                                    child: const Text('Allow'),
                                  ),
                                ],
                              )
                            ],
                          ),
                        ),
                      )
                    : const Text('No consent information available.'),
      ),
    );
  }
 }
--- a/userfront/lib/features/auth/presentation/login_screen.dart
+++ b/userfront/lib/features/auth/presentation/login_screen.dart
@@ -10,10 +10,13 @@ import '../../../core/services/auth_proxy_service.dart';
 import '../../../core/services/auth_token_store.dart';
 import '../../../core/notifiers/auth_notifier.dart';
 import '../../profile/domain/notifiers/profile_notifier.dart';
 import 'dart:html' as html;
 class LoginScreen extends ConsumerStatefulWidget {
  final String? verificationToken;
-  const LoginScreen({super.key, this.verificationToken});
+  final String? loginChallenge;
  const LoginScreen({super.key, this.verificationToken, this.loginChallenge});
  @override
  ConsumerState<LoginScreen> createState() => _LoginScreenState();
@@ -26,6 +29,7 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
  final TextEditingController _passwordLoginIdController = TextEditingController();
  final TextEditingController _passwordController = TextEditingController();
  String? _redirectUrl;
  String? _loginChallenge;
  // QR Login Variables
  String? _qrImageBase64;
@@ -58,14 +62,13 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
  @override
  void initState() {
    super.initState();
    // 탭 컨트롤러: 3개 탭, 기본 선택은 두 번째 탭("로그인 링크")
    _tabController = TabController(length: 3, vsync: this, initialIndex: 1);
    _tabController.addListener(_handleTabSelection);
    _drySendEnabled = _parseBoolParam(Uri.base.queryParameters['drySend']) && !AuthProxyService.isProdEnv;
-    
+
    // Check for tokens (Path Parameter or Legacy Query Parameter)
    WidgetsBinding.instance.addPostFrameCallback((_) {
      final uri = Uri.base;
      _loginChallenge = widget.loginChallenge ?? uri.queryParameters['login_challenge'];
      final loginIdParam = uri.queryParameters['loginId'];
      final codeParam = uri.queryParameters['code'];
      final pendingRefParam = uri.queryParameters['pendingRef'];
@@ -190,7 +193,6 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
    });
  }
  // JWT를 디코딩해 표시용 로그인 아이디 추출
  String _getLoginIdFromJwt(String jwt) {
    try {
      final parts = jwt.split('.');
@@ -198,7 +200,6 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
      final payload = utf8.decode(base64Url.decode(base64Url.normalize(parts[1])));
      final data = json.decode(payload);
      // 일반적으로 name/email/sub 필드를 사용
      return data['name'] ?? data['email'] ?? data['sub'] ?? 'User';
    } catch (e) {
      debugPrint("[JWT] Decode error: $e");
@@ -207,7 +208,6 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
  }
  void _handleTabSelection() {
    // QR 탭 (세 번째 탭, index 2)이 선택되었을 때 QR 플로우 시작
    if (_tabController.index == 2 && _qrPendingRef == null) {
      _startQrFlow();
    } else if (_tabController.index != 2) {
@@ -626,7 +626,6 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
    super.dispose();
  }
  // 이메일/비밀번호 로그인 처리
  Future<void> _handlePasswordLogin() async {
    final input = _passwordLoginIdController.text.trim();
    final password = _passwordController.text.trim();
@@ -637,14 +636,12 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
    String loginId = input;
    if (!input.contains('@')) {
      // Format phone number if it's not an email
      loginId = input.replaceAll(RegExp(r'[-\s]'), '');
      if (loginId.startsWith('010')) {
        loginId = '+82${loginId.substring(1)}';
      }
    }
    // 로딩 인디케이터 표시
    showDialog(
      context: context,
      barrierDismissible: false,
@@ -652,15 +649,23 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
    );
    try {
-      final res = await AuthProxyService.loginWithPassword(loginId, password);
+      final res = await AuthProxyService.loginWithPassword(loginId, password, loginChallenge: _loginChallenge);
      final jwt = res['sessionJwt'];
      final provider = res['provider'] as String?;
-      if (jwt != null && mounted) {
+      final redirectTo = res['redirectTo'] as String?;
-        Navigator.of(context).pop(); // 로딩 닫기
+
      if (mounted) Navigator.of(context).pop();
      if (redirectTo != null && redirectTo.isNotEmpty) {
        html.window.location.href = redirectTo;
        return;
      }
      if (jwt != null) {
        _onLoginSuccess(jwt, provider: provider);
      }
    } catch (e) {
-      if (mounted) Navigator.of(context).pop(); // 로딩 닫기
+      if (mounted) Navigator.of(context).pop();
      if (e.toString().contains("User not registered")) {
        _showUnregisteredDialog();
      } else {
@@ -669,14 +674,12 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
    }
  }
  // 로그인 링크 전송 처리
  Future<void> _handleLinkLogin() async {
    final input = _linkIdController.text.trim();
    if (input.isEmpty) return;
    String loginId = input;
    if (!input.contains('@')) {
      // Format phone number if it's not an email
      loginId = input.replaceAll(RegExp(r'[-\s]'), '');
      if (loginId.startsWith('010')) {
        loginId = '+82${loginId.substring(1)}';
@@ -685,7 +688,6 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
    debugPrint("[Auth] Initiating Enchanted Link for: $loginId");
    // 링크 전송 전 사용자 존재 여부 체크 (백엔드에서 이미 처리하지만 에러 핸들링을 위해)
    try {
      await _startEnchantedFlow(loginId, isEmail: input.contains('@'));
    } catch (e) {
@@ -707,7 +709,6 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
        );
      }
      // 1. Init via Backend API
      final initResponse = await AuthProxyService.initEnchantedLink(
        loginId,
        codeOnly: codeOnly,
@@ -727,13 +728,12 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
          _lastLinkLoginId = loginId;
          _lastLinkIsEmail = isEmail;
        });
-        Navigator.of(context).pop(); // Close Loading
+        Navigator.of(context).pop();
        _showInfo(isEmail
            ? "입력하신 이메일로 로그인 링크를 보냈습니다."
            : "입력하신 번호로 로그인 링크를 보냈습니다.");
        // 2. Poll Backend manually
        final initialInterval = (interval is int && interval > 0)
            ? Duration(seconds: interval)
            : const Duration(seconds: 2);
@@ -761,7 +761,7 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
  Future<void> _pollForSession(String pendingRef, {Duration? initialInterval}) async {
    int attempts = 0;
-    const maxAttempts = 60; // 2 minutes
+    const maxAttempts = 60;
    var pollInterval = initialInterval ?? const Duration(seconds: 2);
    debugPrint("[Auth] Starting poll for ref: $pendingRef");
@@ -789,7 +789,7 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
        }
        if (result['error'] == 'expired_token') {
          if (mounted) {
-            Navigator.of(context).pop(); // Close Polling Dialog
+            Navigator.of(context).pop();
            _showError("Login timed out.");
          }
          return;
@@ -820,7 +820,7 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
    if (mounted) {
      debugPrint("[Auth] Polling timed out for ref: $pendingRef");
-      Navigator.of(context).pop(); // Close Polling Dialog
+      Navigator.of(context).pop();
      _showError("Login timed out.");
    }
  }
@@ -879,19 +879,16 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
    AuthTokenStore.setToken(token, provider: providerName);
    AuthTokenStore.clearPendingProvider();
    // 로그인 성공 직후 백엔드에서 전체 프로필 정보를 가져와 세션 업데이트
    try {
      await ref.read(profileProvider.notifier).loadProfile();
    } catch (e) {
      debugPrint("[Auth] Failed to pre-fetch profile: $e");
    }
    // 1. Handle Popup Flow
    if (WebAuthIntegration.isPopup()) {
      debugPrint("[Auth] Popup detected. Notifying opener and attempting to close.");
      WebAuthIntegration.sendLoginSuccess(token);
    } else {
      // 2. Handle Redirect Flow
      if (_redirectUrl != null && _redirectUrl!.isNotEmpty) {
        debugPrint("[Auth] Redirecting standalone window to: $_redirectUrl");
        final target = "$_redirectUrl?token=$token";
@@ -900,7 +897,6 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
      }
    }
    // 3. Standalone mode / Fallback
    debugPrint("[Auth] Login success. Navigating to root.");
    AuthNotifier.instance.notify();
    if (mounted) {
@@ -908,7 +904,6 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
    }
  }
  // [New] 미등록 회원 안내 팝업
  void _showUnregisteredDialog() {
    showDialog(
      context: context,
@@ -1010,7 +1005,6 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
                        child: TabBarView(
                          controller: _tabController,
                          children: [
                            // 1. 이메일/비밀번호 로그인 폼
                            Padding(
                              padding: const EdgeInsets.only(top: 16.0),
                              child: Column(
@@ -1047,7 +1041,6 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
                              ),
                            ),
                            // 2. 로그인 링크 전송 -> 전송 후 코드 입력으로 전환
                            Padding(
                              padding: const EdgeInsets.only(top: 16.0),
                              child: Column(
@@ -1188,7 +1181,6 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
                              ),
                            ),
                            // 3. QR 로그인 뷰
                            Column(
                              mainAxisAlignment: MainAxisAlignment.center,
                              crossAxisAlignment: CrossAxisAlignment.center,
--- a/userfront/lib/main.dart
+++ b/userfront/lib/main.dart
@@ -20,6 +20,7 @@ import 'core/services/auth_token_store.dart';
 import 'core/services/logger_service.dart';
 import 'core/notifiers/auth_notifier.dart';
 import 'package:logging/logging.dart';
 import 'features/auth/presentation/consent_screen.dart';
 final _log = Logger('Main');
@@ -91,9 +92,10 @@ final _router = GoRouter(
    GoRoute(
      path: '/signin', 
      builder: (context, state) {
-        _routerLogger.info("Navigating to /signin");
+        final loginChallenge = state.uri.queryParameters['login_challenge'];
-        return LoginScreen(key: state.pageKey);
+        _routerLogger.info("Navigating to /signin with login_challenge: $loginChallenge");
-      }
+        return LoginScreen(key: state.pageKey, loginChallenge: loginChallenge);
      },
    ),
    GoRoute(
      path: '/login',
@@ -102,6 +104,18 @@ final _router = GoRouter(
        return LoginScreen(key: state.pageKey);
      },
    ),
    GoRoute(
      path: '/consent',
      builder: (BuildContext context, GoRouterState state) {
        final consentChallenge = state.uri.queryParameters['consent_challenge'];
        if (consentChallenge == null) {
          _routerLogger.warning("Consent screen loaded without a challenge.");
          return const Scaffold(body: Center(child: Text('Error: Consent challenge is missing.')));
        }
        _routerLogger.info("Navigating to /consent with challenge.");
        return ConsentScreen(consentChallenge: consentChallenge);
      },
    ),
    GoRoute(
      path: '/signup',
      builder: (context, state) {
@@ -243,7 +257,8 @@ final _router = GoRouter(
                         path == '/recovery' ||
                         path == '/reset-password' ||
                         path == '/error' ||
-                         path == '/settings';
+                         path == '/settings' ||
                         path == '/consent'; // Consent page is public
    _routerLogger.fine("Redirect check - Path: $path, IsLoggedIn: $isLoggedIn");
@@ -254,7 +269,12 @@ final _router = GoRouter(
    // If not logged in and trying to access a protected page, redirect to /signin
    if (!isLoggedIn) {
-      _routerLogger.info("Not logged in, redirecting to /signin");
+       _routerLogger.info("Not logged in, redirecting to /signin");
      // Preserve OIDC challenge if present
      final loginChallenge = state.uri.queryParameters['login_challenge'];
      if (loginChallenge != null) {
        return '/signin?login_challenge=$loginChallenge';
      }
      return '/signin';
    }