로그인 챌린지 루프 방지 가드 추가

2026-03-03 14:11:19 +09:00
parent b2dae93ac1
commit 7c1dbaf206
6 changed files with 169 additions and 2 deletions
--- a/userfront/lib/features/auth/presentation/login_screen.dart
+++ b/userfront/lib/features/auth/presentation/login_screen.dart
@@ -9,6 +9,7 @@ import '../../../core/widgets/language_selector.dart';
 import '../../../core/services/web_auth_integration.dart';
 import '../../../core/services/auth_proxy_service.dart';
 import '../../../core/services/auth_token_store.dart';
+import '../../../core/services/login_challenge_loop_guard.dart';
 import '../../../core/i18n/locale_utils.dart';
 import '../../../core/services/oidc_redirect_guard.dart';
 import '../../../core/notifiers/auth_notifier.dart';
@@ -143,7 +144,11 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
      if (!_verificationOnly) {
        await _attemptOidcAutoAccept();
        if (!mounted) return;
-        await _tryCookieSession();
+        // login_challenge 흐름에서는 auto-accept에서 이미 쿠키 세션까지 확인하므로
+        // 동일 프레임에서 중복 체크를 피합니다.
+        if (!_hasLoginChallenge) {
+          await _tryCookieSession();
+        }
      }
    });
  }
@@ -239,11 +244,19 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
    if (loginChallenge == null || loginChallenge.isEmpty) {
      return;
    }
+    if (!loginChallengeLoopGuard.shouldAllowAutoAccept(loginChallenge)) {
+      debugPrint(
+        "[Auth] OIDC auto-accept blocked by loop guard for login_challenge",
+      );
+      return;
+    }
+    loginChallengeLoopGuard.markAutoAcceptAttempt(loginChallenge);

    final token = AuthTokenStore.getToken();
    if (token != null && token.isNotEmpty) {
      final accepted = await _acceptOidcLoginAndRedirect(token: token);
      if (accepted) {
+        loginChallengeLoopGuard.clear(loginChallenge);
        return;
      }
    }
@@ -255,7 +268,11 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
        AuthTokenStore.setCookieMode(
          provider: AuthTokenStore.getProvider() ?? 'ory',
        );
-        await _acceptOidcLoginAndRedirect();
+        final accepted = await _acceptOidcLoginAndRedirect();
+        if (accepted) {
+          loginChallengeLoopGuard.clear(loginChallenge);
+          return;
+        }
      } else {
        debugPrint(
          "[Auth] OIDC auto-accept: No active session (status: $status)",
@@ -1216,6 +1233,7 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
          final nextRedirectTo = res['redirectTo'] as String?;

          if (nextRedirectTo != null && nextRedirectTo.isNotEmpty) {
+            loginChallengeLoopGuard.clear(loginChallenge);
            webWindow.redirectTo(nextRedirectTo); // Removed await
            return;
          } else {}