kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

Fix SMS login code flow for phone relay

Browse Source
This commit is contained in:
admin-bot
2026-05-07 13:53:23 +09:00
parent 404e5179e8
commit 57a00c0236
4 changed files with 79 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
backend/internal/handler/auth_handler.go
View File

@@ -1028,6 +1028,13 @@ func (h *AuthHandler) resolveUserfrontURL(c *fiber.Ctx) string {
envParsed.Scheme == "https" && baseParsed.Scheme == "http" { envParsed.Scheme == "https" && baseParsed.Scheme == "http" {
return strings.TrimRight(envURL, "/") return strings.TrimRight(envURL, "/")
} }
if os.Getenv("APP_ENV") == "dev" &&
envErr == nil && baseErr == nil &&
strings.EqualFold(envParsed.Hostname(), baseParsed.Hostname()) &&
(envParsed.Hostname() == "localhost" || envParsed.Hostname() == "127.0.0.1") &&
envParsed.Port() != "" && baseParsed.Port() == "" {
return strings.TrimRight(envURL, "/")
}
return baseURL return baseURL
} }
@@ -2003,6 +2010,13 @@ func (h *AuthHandler) VerifyLoginCode(c *fiber.Ctx) error {
if !strings.Contains(loginID, "@") { if !strings.Contains(loginID, "@") {
lookupLoginID = normalizePhoneForLoginID(loginID) lookupLoginID = normalizePhoneForLoginID(loginID)
} }
smsLookupLoginID := ""
if !strings.Contains(loginID, "@") {
smsLookupLoginID = lookupLoginID
if mapped, _ := h.RedisService.Get(prefixLoginCodeSmsLookup + smsLookupLoginID); mapped != "" {
lookupLoginID = mapped
}
}
if h.IdpProvider == nil { if h.IdpProvider == nil {
return errorJSONCode(c, fiber.StatusServiceUnavailable, "service_unavailable", "Identity provider unavailable") return errorJSONCode(c, fiber.StatusServiceUnavailable, "service_unavailable", "Identity provider unavailable")
@@ -2016,11 +2030,6 @@ func (h *AuthHandler) VerifyLoginCode(c *fiber.Ctx) error {
if req.VerifyOnly { if req.VerifyOnly {
c.Locals("auth_timeline_skip", true) c.Locals("auth_timeline_skip", true)
effectiveLoginID := lookupLoginID effectiveLoginID := lookupLoginID
if !strings.Contains(loginID, "@") {
if mapped, _ := h.RedisService.Get(prefixLoginCodeSmsLookup + lookupLoginID); mapped != "" {
effectiveLoginID = mapped
}
}
pendingRef := strings.TrimSpace(req.PendingRef) pendingRef := strings.TrimSpace(req.PendingRef)
storedRef, _ := h.RedisService.Get(prefixLoginCodePending + lookupLoginID) storedRef, _ := h.RedisService.Get(prefixLoginCodePending + lookupLoginID)
if pendingRef == "" { if pendingRef == "" {
@@ -2075,6 +2084,9 @@ func (h *AuthHandler) VerifyLoginCode(c *fiber.Ctx) error {
h.RedisService.Delete(prefixLoginCode + lookupLoginID) h.RedisService.Delete(prefixLoginCode + lookupLoginID)
h.RedisService.Delete(prefixLoginCodeSmsTarget + lookupLoginID) h.RedisService.Delete(prefixLoginCodeSmsTarget + lookupLoginID)
if smsLookupLoginID != "" {
h.RedisService.Delete(prefixLoginCodeSmsLookup + smsLookupLoginID)
}
pendingRef := strings.TrimSpace(req.PendingRef) pendingRef := strings.TrimSpace(req.PendingRef)
if pendingRef == "" { if pendingRef == "" {
@@ -2089,6 +2101,9 @@ func (h *AuthHandler) VerifyLoginCode(c *fiber.Ctx) error {
h.RedisService.Set(prefixSession+pendingRef, string(sessionData), loginCodeExpiration) h.RedisService.Set(prefixSession+pendingRef, string(sessionData), loginCodeExpiration)
h.RedisService.Delete(prefixLoginCodePending + lookupLoginID) h.RedisService.Delete(prefixLoginCodePending + lookupLoginID)
h.RedisService.Delete(prefixLoginCodeSmsTarget + lookupLoginID) h.RedisService.Delete(prefixLoginCodeSmsTarget + lookupLoginID)
if smsLookupLoginID != "" {
h.RedisService.Delete(prefixLoginCodeSmsLookup + smsLookupLoginID)
}
return c.JSON(fiber.Map{ return c.JSON(fiber.Map{
"status": "approved", "status": "approved",
"pendingRef": pendingRef, "pendingRef": pendingRef,

51
backend/internal/handler/auth_handler_link_test.go
View File

@@ -6,6 +6,7 @@ import (
"baron-sso-backend/internal/testsupport" "baron-sso-backend/internal/testsupport"
"bytes" "bytes"
"encoding/json" "encoding/json"
"io"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"strings" "strings"
@@ -150,6 +151,56 @@ func TestEnchantedLinkFlow_Sms_Success(t *testing.T) {
assert.NotEmpty(t, initResp["userCode"]) assert.NotEmpty(t, initResp["userCode"])
} }
func TestResolveUserfrontURL_DevLocalhostUsesConfiguredPort(t *testing.T) {
t.Setenv("APP_ENV", "dev")
t.Setenv("USERFRONT_URL", "http://localhost:5000")
h := &AuthHandler{}
app := fiber.New()
app.Get("/probe", func(c *fiber.Ctx) error {
return c.SendString(h.resolveUserfrontURL(c))
})
req := httptest.NewRequest(http.MethodGet, "http://localhost/probe", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
body, _ := io.ReadAll(resp.Body)
assert.Equal(t, "http://localhost:5000", string(body))
}
func TestVerifyLoginCode_MapsSmsPhoneBeforeFlowLookup(t *testing.T) {
redis := &mockRedisRepo{data: map[string]string{
prefixLoginCode + "su-@samaneng.com": "flow-123",
prefixLoginCodePending + "su-@samaneng.com": "pending-123",
prefixLoginCodeSmsLookup + "+821041585840": "su-@samaneng.com",
prefixLoginCodeSmsTarget + "su-@samaneng.com": "+821041585840",
prefixLoginCodeValue + "pending-123": "569765",
}}
h := &AuthHandler{
RedisService: redis,
IdpProvider: &mockIdpProvider{},
}
app := fiber.New()
app.Post("/api/v1/auth/login/code/verify", h.VerifyLoginCode)
body, _ := json.Marshal(map[string]interface{}{
"loginId": "01041585840",
"code": "569765",
"pendingRef": "pending-123",
"verifyOnly": true,
})
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login/code/verify", bytes.NewReader(body))
req.Header.Set("Content-Type", "application/json")
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var got map[string]interface{}
_ = json.NewDecoder(resp.Body).Decode(&got)
assert.Equal(t, "approved", got["status"])
assert.Equal(t, "pending-123", got["pendingRef"])
}
func TestPollEnchantedLink_ExpiredToken_ReturnsCode(t *testing.T) { func TestPollEnchantedLink_ExpiredToken_ReturnsCode(t *testing.T) {
redis := &mockRedisRepo{data: make(map[string]string)} redis := &mockRedisRepo{data: make(map[string]string)}
h := &AuthHandler{ h := &AuthHandler{

5
scripts/render_ory_config.sh
View File

@@ -65,14 +65,14 @@ OATHKEEPER_INTROSPECT_CLIENT_SECRET="${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oath
export KRATOS_DSN HYDRA_DSN KETO_DSN HYDRA_SYSTEM_SECRET export KRATOS_DSN HYDRA_DSN KETO_DSN HYDRA_SYSTEM_SECRET
export OATHKEEPER_INTROSPECT_CLIENT_ID OATHKEEPER_INTROSPECT_CLIENT_SECRET export OATHKEEPER_INTROSPECT_CLIENT_ID OATHKEEPER_INTROSPECT_CLIENT_SECRET
rm -rf "$OUTPUT_DIR" mkdir -p "$OUTPUT_DIR/kratos" "$OUTPUT_DIR/hydra" "$OUTPUT_DIR/keto" "$OUTPUT_DIR/oathkeeper"
mkdir -p "$OUTPUT_DIR"
render_template "$TEMPLATE_ROOT/kratos/kratos.yml.template" "$OUTPUT_DIR/kratos/kratos.yml" render_template "$TEMPLATE_ROOT/kratos/kratos.yml.template" "$OUTPUT_DIR/kratos/kratos.yml"
copy_if_exists "$TEMPLATE_ROOT/kratos/identity.schema.json" "$OUTPUT_DIR/kratos/identity.schema.json" copy_if_exists "$TEMPLATE_ROOT/kratos/identity.schema.json" "$OUTPUT_DIR/kratos/identity.schema.json"
copy_if_exists "$TEMPLATE_ROOT/kratos/courier-http.jsonnet" "$OUTPUT_DIR/kratos/courier-http.jsonnet" copy_if_exists "$TEMPLATE_ROOT/kratos/courier-http.jsonnet" "$OUTPUT_DIR/kratos/courier-http.jsonnet"
if [[ -d "$TEMPLATE_ROOT/kratos/courier-templates" ]]; then if [[ -d "$TEMPLATE_ROOT/kratos/courier-templates" ]]; then
mkdir -p "$OUTPUT_DIR/kratos" mkdir -p "$OUTPUT_DIR/kratos"
rm -rf "$OUTPUT_DIR/kratos/courier-templates"
cp -a "$TEMPLATE_ROOT/kratos/courier-templates" "$OUTPUT_DIR/kratos/courier-templates" cp -a "$TEMPLATE_ROOT/kratos/courier-templates" "$OUTPUT_DIR/kratos/courier-templates"
fi fi
@@ -85,6 +85,7 @@ copy_if_exists "$TEMPLATE_ROOT/keto/namespaces.yml" "$OUTPUT_DIR/keto/namespaces
render_template "$TEMPLATE_ROOT/oathkeeper/oathkeeper.yml.template" "$OUTPUT_DIR/oathkeeper/oathkeeper.yml" render_template "$TEMPLATE_ROOT/oathkeeper/oathkeeper.yml.template" "$OUTPUT_DIR/oathkeeper/oathkeeper.yml"
copy_if_exists "$TEMPLATE_ROOT/oathkeeper/entrypoint.sh" "$OUTPUT_DIR/oathkeeper/entrypoint.sh" copy_if_exists "$TEMPLATE_ROOT/oathkeeper/entrypoint.sh" "$OUTPUT_DIR/oathkeeper/entrypoint.sh"
chmod +x "$OUTPUT_DIR/oathkeeper/entrypoint.sh" chmod +x "$OUTPUT_DIR/oathkeeper/entrypoint.sh"
find "$OUTPUT_DIR/oathkeeper" -maxdepth 1 -type f -name 'rules*.json' -delete
for rules_file in "$TEMPLATE_ROOT"/oathkeeper/rules*.json; do for rules_file in "$TEMPLATE_ROOT"/oathkeeper/rules*.json; do
[[ -e "$rules_file" ]] || continue [[ -e "$rules_file" ]] || continue
copy_if_exists "$rules_file" "$OUTPUT_DIR/oathkeeper/$(basename "$rules_file")" copy_if_exists "$rules_file" "$OUTPUT_DIR/oathkeeper/$(basename "$rules_file")"

5
test/ory_v26_compose_policy_test.sh
View File

@@ -274,6 +274,11 @@ if ! grep -q 'scripts/render_ory_config.sh' "$repo_root/.gitea/workflows/staging
exit 1 exit 1
fi fi
if grep -Eq '^[[:space:]]*rm -rf "?\$OUTPUT_DIR"?[[:space:]]*$' "$repo_root/scripts/render_ory_config.sh"; then
echo "ERROR: Ory renderer must preserve config/.generated/ory service directories so live bind mounts stay valid." >&2
exit 1
fi
"$repo_root/scripts/render_ory_config.sh" >/dev/null "$repo_root/scripts/render_ory_config.sh" >/dev/null
for generated_config in \ for generated_config in \