fix: verify-only magic link approval flow

2026-02-02 12:13:59 +09:00
parent 9d1fe0fb1f
commit 7e662c9878
5 changed files with 99 additions and 13 deletions
--- a/backend/docs/openapi.yaml
+++ b/backend/docs/openapi.yaml
@@ -970,12 +970,18 @@ components:
      properties:
        token:
          type: string
+        verifyOnly:
+          type: boolean

    MagicLinkVerifyResponse:
      type: object
      properties:
        token:
          type: string
+        status:
+          type: string
+        pendingRef:
+          type: string
        message:
          type: string

--- a/backend/internal/domain/auth_models.go
+++ b/backend/internal/domain/auth_models.go
@@ -26,7 +26,8 @@ type EnchantedLinkPollResponse struct {
 }

 type MagicLinkVerifyRequest struct {
-	Token string `json:"token"`
+	Token      string `json:"token"`
+	VerifyOnly bool   `json:"verifyOnly,omitempty"`
 }

 type QRInitResponse struct {
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -774,6 +774,53 @@ func (h *AuthHandler) PollEnchantedLink(c *fiber.Ctx) error {
 		})
 	}

+	if data["status"] == "approved" {
+		loginID := data["loginId"]
+		if loginID == "" {
+			loginID = data["login_id"]
+		}
+		if loginID == "" {
+			slog.Warn("[Poll] Approved but missing loginId", "pendingRef", req.PendingRef)
+			return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid session reference"})
+		}
+		if h.IdpProvider == nil {
+			return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "Identity provider unavailable"})
+		}
+
+		authInfo, err := h.IdpProvider.IssueSession(loginID)
+		if err != nil {
+			if errors.Is(err, domain.ErrNotSupported) {
+				return c.Status(fiber.StatusNotImplemented).JSON(fiber.Map{"error": "Login method not supported"})
+			}
+			slog.Error("[Poll] IDP session issue failed", "error", err)
+			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue session"})
+		}
+		if authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
+			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue session"})
+		}
+
+		c.Locals("login_id", loginID)
+		setSessionIDLocal(c, authInfo.SessionToken)
+		sessionID := extractSessionIDFromToken(authInfo.SessionToken)
+
+		sessionData := map[string]string{
+			"status": statusSuccess,
+			"jwt":    authInfo.SessionToken.JWT,
+		}
+		if sessionID != "" {
+			sessionData["session_id"] = sessionID
+		}
+		sessionDataJSON, _ := json.Marshal(sessionData)
+		h.RedisService.Set(prefixSession+req.PendingRef, string(sessionDataJSON), defaultExpiration)
+
+		h.writeLinkAuditLog(loginID, req.PendingRef, authInfo.SessionToken, c)
+
+		return c.JSON(fiber.Map{
+			"sessionJwt": authInfo.SessionToken.JWT,
+			"status":     "ok",
+		})
+	}
+
 	return c.JSON(fiber.Map{
 		"error":    "authorization_pending",
 		"interval": int(minPollInterval.Seconds()),
@@ -804,6 +851,26 @@ func (h *AuthHandler) VerifyMagicLink(c *fiber.Ctx) error {

 	slog.Info("[Verify] Token valid", "loginID", loginID, "pendingRef", pendingRef)

+	if req.VerifyOnly {
+		if pendingRef == "" || loginID == "" {
+			slog.Warn("[Verify] Missing pendingRef/loginID for verify-only", "token", req.Token)
+			return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid session reference"})
+		}
+
+		// 승인 전용: 세션 발급 없이 승인 상태만 기록
+		sessionData, _ := json.Marshal(map[string]string{
+			"status":  "approved",
+			"loginId": loginID,
+		})
+		h.RedisService.Set(prefixSession+pendingRef, string(sessionData), defaultExpiration)
+
+		return c.JSON(fiber.Map{
+			"status":     "approved",
+			"pendingRef": pendingRef,
+			"message":    "Login approved",
+		})
+	}
+
 	if h.IdpProvider == nil {
 		slog.Error("[Verify] IDP Provider is nil")
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Authentication service not configured"})
--- a/userfront/lib/core/services/auth_proxy_service.dart
+++ b/userfront/lib/core/services/auth_proxy_service.dart
@@ -125,7 +125,7 @@ class AuthProxyService {
    throw Exception('Polling failed: ${response.body}');
  }

-  static Future<Map<String, dynamic>> verifyMagicLink(String token) async {
+  static Future<Map<String, dynamic>> verifyMagicLink(String token, {bool verifyOnly = false}) async {
    final url = Uri.parse('$_baseUrl/api/v1/auth/magic-link/verify');
    
    final response = await http.post(
@@ -133,6 +133,7 @@ class AuthProxyService {
      headers: {'Content-Type': 'application/json'},
      body: jsonEncode({
        'token': token,
+        'verifyOnly': verifyOnly,
      }),
    );

--- a/userfront/lib/features/auth/presentation/login_screen.dart
+++ b/userfront/lib/features/auth/presentation/login_screen.dart
@@ -430,11 +430,22 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
    debugPrint("[Auth] Starting verification for token: $token");
    try {
      // Use Backend to verify the token (Backend-Driven Flow)
-      final res = await AuthProxyService.verifyMagicLink(token);
+      final res = await AuthProxyService.verifyMagicLink(
+        token,
+        verifyOnly: _verificationOnly,
+      );
      debugPrint("[Auth] Verification successful for token: $token");
      final jwt = res['token'] ?? res['sessionJwt'];
+      final status = res['status']?.toString();
      final hasLocalSession = await _hasValidLocalSession();

+      if (status == 'approved' || (jwt == null && _verificationOnly)) {
+        if (mounted) {
+          _markVerificationApproved("승인되었습니다. 로그인은 요청하신 창에서 완료됩니다.");
+        }
+        return;
+      }
+
      if (jwt is String && jwt.isNotEmpty) {
        if (hasLocalSession) {
          _markVerificationApproved(
@@ -442,14 +453,7 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
          );
          return;
        }
-        _markVerificationApproved(
-          "링크로 로그인 되었습니다. 잠시 후 로그인 화면으로 이동합니다.",
-          title: '링크 로그인 완료',
-          pageTitle: '링크 로그인',
-          actionLabel: '로그인 화면으로 이동',
-          actionPath: '/signin',
-          autoRedirect: true,
-        );
+        _markVerificationApproved("승인되었습니다. 로그인은 요청하신 창에서 완료됩니다.");
        return;
      }

@@ -492,8 +496,11 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
          );
          return;
        }
-        _markVerificationApproved(
-          "링크로 로그인 되었습니다. 잠시 후 로그인 화면으로 이동합니다.",
+        if (_verificationOnly) {
+          _markVerificationApproved("승인되었습니다. 로그인은 요청하신 창에서 완료됩니다.");
+          return;
+        }
+        _markVerificationApproved("링크로 로그인 되었습니다. 잠시 후 로그인 화면으로 이동합니다.",
          title: '링크 로그인 완료',
          pageTitle: '링크 로그인',
          actionLabel: '로그인 화면으로 이동',
@@ -539,6 +546,10 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
          );
          return;
        }
+        if (_verificationOnly) {
+          _markVerificationApproved("승인되었습니다. 로그인은 요청하신 창에서 완료됩니다.");
+          return;
+        }
        _completeLoginFromToken(jwt, provider: res['provider'] as String?);
        return;
      }