kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

QR 로그인 구현 완료

Browse Source
This commit is contained in:
Lectom C Han
2026-01-29 16:35:08 +09:00
parent 77d4e9fd77
commit ff655dc7c7
8 changed files with 656 additions and 203 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
backend/cmd/server/main.go
View File

@@ -292,24 +292,30 @@ func main() {
Key: cookieSecret,
}))
app.Get("/docs", func(c *fiber.Ctx) error {
return c.SendFile("./docs/swagger-ui/index.html")
})
app.Get("/docs/", func(c *fiber.Ctx) error {
return c.SendFile("./docs/swagger-ui/index.html")
})
app.Static("/docs", "./docs/swagger-ui")
app.Get("/redoc", func(c *fiber.Ctx) error {
return c.SendFile("./docs/redoc/index.html")
})
app.Get("/redoc/", func(c *fiber.Ctx) error {
return c.SendFile("./docs/redoc/index.html")
})
app.Static("/redoc", "./docs/redoc")
app.Get("/openapi.yaml", func(c *fiber.Ctx) error {
c.Type("yaml")
return c.SendFile("./docs/openapi.yaml")
})
// [Security] Disable Swagger/ReDoc in Production
if appEnv != "production" {
app.Get("/docs", func(c *fiber.Ctx) error {
return c.SendFile("./docs/swagger-ui/index.html")
})
app.Get("/docs/", func(c *fiber.Ctx) error {
return c.SendFile("./docs/swagger-ui/index.html")
})
app.Static("/docs", "./docs/swagger-ui")
app.Get("/redoc", func(c *fiber.Ctx) error {
return c.SendFile("./docs/redoc/index.html")
})
app.Get("/redoc/", func(c *fiber.Ctx) error {
return c.SendFile("./docs/redoc/index.html")
})
app.Static("/redoc", "./docs/redoc")
app.Get("/openapi.yaml", func(c *fiber.Ctx) error {
c.Type("yaml")
return c.SendFile("./docs/openapi.yaml")
})
slog.Info("📚 API Docs enabled", "swagger", "/docs", "redoc", "/redoc")
} else {
slog.Info("🔒 API Docs disabled in production")
}
// Routes
app.Get("/", func(c *fiber.Ctx) error {

347
backend/internal/handler/auth_handler.go
View File

@@ -37,7 +37,11 @@ const (
prefixLoginCodeSmsLookup = "login_code_sms_lookup:"
prefixLoginCodeShort = "login_code_short:"
prefixLoginCodeSmsOnly = "login_code_sms_only:"
prefixLoginCodeQrPending = "login_code_qr_pending:"
prefixLoginCodeQr = "login_code_qr:"
prefixPollMeta = "poll_meta:"
prefixQrRef = "qr_ref:"
prefixQrPending = "qr_pending:"
prefixSignupEmail = "signup:email:"
prefixSignupPhone = "signup:phone:"
@@ -84,6 +88,21 @@ func GenerateSecureToken(length int) string {
return hex.EncodeToString(b)
}
func GenerateSecureAlnumToken(length int) string {
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
if length <= 0 {
return ""
}
buf := make([]byte, length)
if _, err := crand.Read(buf); err != nil {
return ""
}
for i := range buf {
buf[i] = charset[int(buf[i])%len(charset)]
}
return string(buf)
}
func GenerateUserCode() string {
const letters = "ABCDEFGHJKLMNPQRSTUVWXYZ"
return fmt.Sprintf("%c%c-%03d",
@@ -1358,18 +1377,23 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
// InitQRLogin - Step 1: Web 패널에서 QR 로그인 세션을 생성합니다.
func (h *AuthHandler) InitQRLogin(c *fiber.Ctx) error {
pendingRef := GenerateSecureToken(16)
qrRef := GenerateSecureAlnumToken(64)
if qrRef == "" {
qrRef = GenerateSecureToken(16)
}
// QR 코드 페이로드를 실제 접속 가능한 URL로 변경합니다.
userfrontURL := os.Getenv("USERFRONT_URL")
if userfrontURL == "" {
userfrontURL = "https://sso.hmac.kr"
}
qrPayload := fmt.Sprintf("%s/approve?ref=%s", userfrontURL, pendingRef)
qrPayload := fmt.Sprintf("%s/ql/%s", strings.TrimRight(userfrontURL, "/"), qrRef)
slog.Info("[QR] Init", "pendingRef", pendingRef, "url", qrPayload)
slog.Info("[QR] Init", "pendingRef", pendingRef, "qrRef", qrRef, "url", qrPayload)
// Redis에 초기 상태 저장 (5분 만료)
h.RedisService.Set(prefixSession+pendingRef, fmt.Sprintf(`{"status":"%s"}`, statusPending), 5*time.Minute)
h.RedisService.Set(prefixQrRef+qrRef, pendingRef, 5*time.Minute)
return c.JSON(fiber.Map{
"qrCode": qrPayload, // 프론트엔드에서 이 텍스트로 QR을 생성하거나, 이미지를 반환
@@ -1430,30 +1454,66 @@ func (h *AuthHandler) ScanQRLogin(c *fiber.Ctx) error {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid body"})
}
slog.Info("[QR] Scan & Approve", "pendingRef", req.PendingRef)
if req.Token == "" {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Missing session token"})
rawRef := strings.TrimSpace(req.PendingRef)
pendingRef, err := h.resolveQrPendingRef(rawRef)
if err != nil || pendingRef == "" {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid pendingRef"})
}
slog.Info("[QR] Scan & Approve", "pendingRef", pendingRef)
// 1. Redis에서 세션 확인
val, err := h.RedisService.Get(prefixSession + req.PendingRef)
val, err := h.RedisService.Get(prefixSession + pendingRef)
if err != nil || val == "" {
return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "Session expired or not found"})
}
// 2. 모바일 토큰은 승인 검증용으로만 사용하고, 웹 전용 세션을 새로 발급
sessionToken, err := h.issueQRWebSession(c, req.Token)
if err != nil {
slog.Error("[QR] Issue web session failed", "error", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"})
if req.Token == "" {
cookie := c.Get(fiber.HeaderCookie)
if cookie == "" {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Missing session token"})
}
_, traits, err := h.getKratosIdentityWithCookie(cookie)
if err != nil {
slog.Warn("[QR] Cookie session invalid", "error", err)
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
}
loginID := pickLoginIDFromTraits(traits)
if loginID == "" {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
}
if !strings.Contains(loginID, "@") {
loginID = normalizePhoneForLoginID(loginID)
}
if err := h.startQrCodeLoginForQr(loginID, pendingRef, rawRef); err != nil {
slog.Error("[QR] Start code login failed", "error", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"})
}
return c.JSON(fiber.Map{"message": "QR Login Approved"})
}
sessionData, _ := json.Marshal(map[string]string{
"status": statusSuccess,
"jwt": sessionToken,
})
h.RedisService.Set(prefixSession+req.PendingRef, string(sessionData), 5*time.Minute)
// 2. 모바일 토큰은 승인 검증용으로만 사용하고, 웹 전용 세션을 새로 발급
if sessionToken, err := h.tryIssueDescopeQrSession(c, req.Token); err != nil {
slog.Error("[QR] Issue web session failed", "error", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"})
} else if sessionToken != "" {
sessionData, _ := json.Marshal(map[string]string{
"status": statusSuccess,
"jwt": sessionToken,
})
h.RedisService.Set(prefixSession+pendingRef, string(sessionData), 5*time.Minute)
return c.JSON(fiber.Map{"message": "QR Login Approved"})
}
loginID, err := h.resolveKratosLoginID(req.Token)
if err != nil {
slog.Warn("[QR] Invalid token", "error", err)
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
}
if err := h.startQrCodeLoginForQr(loginID, pendingRef, rawRef); err != nil {
slog.Error("[QR] Start code login failed", "error", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"})
}
return c.JSON(fiber.Map{"message": "QR Login Approved"})
}
@@ -1484,6 +1544,66 @@ func (h *AuthHandler) HandleKratosCourierRelay(c *fiber.Ctx) error {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Missing recipient"})
}
loginID := req.Recipient
if !strings.Contains(loginID, "@") {
loginID = normalizePhoneForLoginID(loginID)
}
if pendingRef, _ := h.RedisService.Get(prefixLoginCodeQrPending + loginID); pendingRef != "" {
code := normalizeLoginCode(extractFirstString(req.TemplateData, "login_code"))
if code == "" {
slog.Error("[QR] Missing login code in courier", "loginID", loginID)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Missing login code"})
}
flowID, _ := h.RedisService.Get(prefixLoginCode + loginID)
if flowID == "" {
slog.Error("[QR] Missing login flow for code verify", "loginID", loginID)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Login flow expired"})
}
authInfo, err := h.IdpProvider.VerifyLoginCode(loginID, flowID, code)
if err != nil || authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
slog.Error("[QR] Code verify failed", "loginID", loginID, "error", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to verify login code"})
}
sessionData, _ := json.Marshal(map[string]string{
"status": statusSuccess,
"jwt": authInfo.SessionToken.JWT,
})
h.RedisService.Set(prefixSession+pendingRef, string(sessionData), loginCodeExpiration)
h.RedisService.Delete(prefixLoginCodeQrPending + loginID)
h.RedisService.Delete(prefixLoginCode + loginID)
h.RedisService.Delete(prefixLoginCodeQr + pendingRef)
slog.Info("[QR] Code verified and session issued", "loginID", loginID, "pendingRef", pendingRef)
return c.JSON(fiber.Map{"status": "ok"})
}
if pendingRef, _ := h.RedisService.Get(prefixQrPending + loginID); pendingRef != "" {
code := normalizeLoginCode(extractFirstString(req.TemplateData, "login_code"))
if code == "" {
slog.Error("[QR] Missing login code in courier", "loginID", loginID)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Missing login code"})
}
flowID, _ := h.RedisService.Get(prefixLoginCode + loginID)
if flowID == "" {
slog.Error("[QR] Missing login flow for code verify", "loginID", loginID)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Login flow expired"})
}
authInfo, err := h.IdpProvider.VerifyLoginCode(loginID, flowID, code)
if err != nil || authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
slog.Error("[QR] Code verify failed", "loginID", loginID, "error", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to verify login code"})
}
sessionData, _ := json.Marshal(map[string]string{
"status": statusSuccess,
"jwt": authInfo.SessionToken.JWT,
})
h.RedisService.Set(prefixSession+pendingRef, string(sessionData), loginCodeExpiration)
h.RedisService.Delete(prefixQrPending + loginID)
h.RedisService.Delete(prefixLoginCode + loginID)
h.RedisService.Delete(prefixLoginCodeSmsTarget + loginID)
h.RedisService.Delete(prefixLoginCodeSmsLookup + loginID)
slog.Info("[QR] Code verified and session issued", "loginID", loginID, "pendingRef", pendingRef)
return c.JSON(fiber.Map{"status": "ok"})
}
subject, body := h.buildKratosCourierMessage(&req)
if strings.TrimSpace(body) == "" {
slog.Warn("[Kratos Courier] Empty body", "recipient", req.Recipient, "template", req.TemplateType)
@@ -1526,16 +1646,16 @@ func (h *AuthHandler) HandleKratosCourierRelay(c *fiber.Ctx) error {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "SMS service not configured"})
}
phone := sanitizePhoneForSms(req.Recipient)
loginID := req.Recipient
if !strings.Contains(loginID, "@") {
lookup := normalizePhoneForLoginID(loginID)
smsLoginID := req.Recipient
if !strings.Contains(smsLoginID, "@") {
lookup := normalizePhoneForLoginID(smsLoginID)
if email, _ := h.RedisService.Get(prefixLoginCodeSmsLookup + lookup); email != "" {
loginID = email
smsLoginID = email
} else {
loginID = lookup
smsLoginID = lookup
}
}
smsBody := h.buildKratosShortSmsBody(&req, loginID, phone)
smsBody := h.buildKratosShortSmsBody(&req, smsLoginID, phone)
if smsBody == "" {
smsBody = body
}
@@ -1918,30 +2038,171 @@ func (h *AuthHandler) resolveIdentityID(c *fiber.Ctx, token string) (string, err
return id, err
}
func (h *AuthHandler) issueQRWebSession(c *fiber.Ctx, token string) (string, error) {
if looksLikeJWT(token) && h.DescopeClient != nil {
authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token)
if err == nil && authorized {
loginID, err := h.resolveDescopeLoginID(c.Context(), userToken)
if err != nil {
return "", err
}
authInfo, err := h.IdpProvider.IssueSession(loginID)
if err != nil {
return "", err
}
if authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
return "", fmt.Errorf("descope issue session returned empty token")
}
return authInfo.SessionToken.JWT, nil
}
func (h *AuthHandler) tryIssueDescopeQrSession(c *fiber.Ctx, token string) (string, error) {
if !looksLikeJWT(token) || h.DescopeClient == nil {
return "", nil
}
identityID, _, err := h.getKratosIdentity(token)
authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token)
if err != nil || !authorized {
return "", nil
}
loginID, err := h.resolveDescopeLoginID(c.Context(), userToken)
if err != nil {
return "", err
}
return h.issueKratosSession(c.Context(), identityID)
authInfo, err := h.IdpProvider.IssueSession(loginID)
if err != nil {
return "", err
}
if authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
return "", fmt.Errorf("descope issue session returned empty token")
}
return authInfo.SessionToken.JWT, nil
}
func (h *AuthHandler) resolveKratosLoginID(token string) (string, error) {
_, traits, err := h.getKratosIdentity(token)
if err != nil {
return "", err
}
loginID := pickLoginIDFromTraits(traits)
if loginID == "" {
return "", fmt.Errorf("kratos login id missing")
}
if !strings.Contains(loginID, "@") {
loginID = normalizePhoneForLoginID(loginID)
}
return loginID, nil
}
func pickLoginIDFromTraits(traits map[string]interface{}) string {
if traits == nil {
return ""
}
keys := []string{"email", "phone", "phone_number", "phoneNumber", "mobile", "mobile_number"}
for _, key := range keys {
if raw, ok := traits[key]; ok {
if value, ok := raw.(string); ok && value != "" {
return value
}
}
}
return ""
}
func (h *AuthHandler) resolveQrPendingRef(raw string) (string, error) {
ref := strings.TrimSpace(raw)
if ref == "" {
return "", fmt.Errorf("empty ref")
}
if strings.HasPrefix(ref, "http") {
if parsed, err := url.Parse(ref); err == nil {
if value := parsed.Query().Get("ref"); value != "" {
ref = value
} else if len(parsed.Path) > 0 {
segments := strings.Split(strings.Trim(parsed.Path, "/"), "/")
if len(segments) >= 2 && segments[0] == "ql" {
ref = segments[1]
}
}
}
}
if ref == "" {
return "", fmt.Errorf("invalid ref")
}
if mapped, _ := h.RedisService.Get(prefixQrRef + ref); mapped != "" {
return mapped, nil
}
return ref, nil
}
func (h *AuthHandler) resolveQrRef(raw string) string {
ref := strings.TrimSpace(raw)
if ref == "" {
return ""
}
if strings.HasPrefix(ref, "http") {
if parsed, err := url.Parse(ref); err == nil {
if value := parsed.Query().Get("ref"); value != "" {
return value
}
if len(parsed.Path) > 0 {
segments := strings.Split(strings.Trim(parsed.Path, "/"), "/")
if len(segments) >= 2 && segments[0] == "ql" {
return segments[1]
}
}
}
}
return ref
}
func (h *AuthHandler) startQrCodeLogin(loginID, pendingRef string) error {
if h.IdpProvider == nil {
return fmt.Errorf("identity provider unavailable")
}
userfrontURL := os.Getenv("USERFRONT_URL")
if userfrontURL == "" {
userfrontURL = "http://sso.hmac.kr"
}
_ = h.RedisService.Set(prefixQrPending+loginID, pendingRef, loginCodeExpiration)
init, err := h.IdpProvider.InitiateLinkLogin(loginID, userfrontURL)
if err != nil {
h.RedisService.Delete(prefixQrPending + loginID)
if errors.Is(err, domain.ErrNotSupported) {
return fmt.Errorf("login method not supported")
}
return err
}
effectiveLoginID := loginID
if init != nil && init.LoginID != "" {
effectiveLoginID = init.LoginID
}
if effectiveLoginID != loginID {
_ = h.RedisService.Set(prefixQrPending+effectiveLoginID, pendingRef, loginCodeExpiration)
}
if init != nil && init.FlowID != "" {
_ = h.RedisService.Set(prefixLoginCode+effectiveLoginID, init.FlowID, loginCodeExpiration)
}
return nil
}
func (h *AuthHandler) startQrCodeLoginForQr(loginID, pendingRef, rawRef string) error {
if h.IdpProvider == nil {
return fmt.Errorf("identity provider unavailable")
}
userfrontURL := os.Getenv("USERFRONT_URL")
if userfrontURL == "" {
userfrontURL = "http://sso.hmac.kr"
}
init, err := h.IdpProvider.InitiateLinkLogin(loginID, userfrontURL)
if err != nil {
if errors.Is(err, domain.ErrNotSupported) {
return fmt.Errorf("login method not supported")
}
return err
}
effectiveLoginID := loginID
if init != nil && init.LoginID != "" {
effectiveLoginID = init.LoginID
}
if init == nil || init.FlowID == "" {
return fmt.Errorf("login flow missing")
}
qrRef := h.resolveQrRef(rawRef)
qrPayload, _ := json.Marshal(map[string]string{
"pendingRef": pendingRef,
"qrRef": qrRef,
"loginId": effectiveLoginID,
"approvedAt": time.Now().UTC().Format(time.RFC3339),
})
_ = h.RedisService.Set(prefixLoginCodeQr+pendingRef, string(qrPayload), loginCodeExpiration)
_ = h.RedisService.Set(prefixLoginCodeQrPending+effectiveLoginID, pendingRef, loginCodeExpiration)
_ = h.RedisService.Set(prefixLoginCode+effectiveLoginID, init.FlowID, loginCodeExpiration)
return nil
}
func (h *AuthHandler) resolveDescopeLoginID(ctx context.Context, token *descope.Token) (string, error) {

136
docker/ory/kratos/kratos.yml
View File

@@ -3,84 +3,90 @@ version: v1.3.0
dsn: memory
serve:
public:
base_url: http://localhost:4433/
cors:
enabled: true
admin:
base_url: http://localhost:4434/
public:
base_url: http://localhost:4433/
cors:
enabled: true
admin:
base_url: http://localhost:4434/
selfservice:
default_browser_return_url: http://localhost:4455/
allowed_return_urls:
- http://localhost:4455
- http://localhost:5000
default_browser_return_url: http://localhost:4455/
allowed_return_urls:
- http://localhost:4455
- http://localhost:5000
- https://sss.hmac.kr
- https://sss.hmac.kr/
- https://sso.hmac.kr
- https://sso.hmac.kr/
- https://app.hmac.kr
- https://app.hmac.kr/
methods:
password:
enabled: true
link:
enabled: true
code:
enabled: true
passwordless_enabled: true
methods:
password:
enabled: true
link:
enabled: true
code:
enabled: true
passwordless_enabled: true
flows:
error:
ui_url: http://localhost:4455/error
settings:
ui_url: http://localhost:4455/settings
privileged_session_max_age: 15m
recovery:
ui_url: http://localhost:4455/recovery
use: code
verification:
ui_url: http://localhost:4455/verification
use: code
logout:
after:
default_browser_return_url: http://localhost:4455/login
login:
ui_url: http://localhost:4455/login
lifespan: 10m
registration:
ui_url: http://localhost:4455/registration
lifespan: 10m
flows:
error:
ui_url: http://localhost:4455/error
settings:
ui_url: http://localhost:4455/settings
privileged_session_max_age: 15m
recovery:
ui_url: http://localhost:4455/recovery
use: code
verification:
ui_url: http://localhost:4455/verification
use: code
logout:
after:
default_browser_return_url: http://localhost:4455/login
login:
ui_url: http://localhost:4455/login
lifespan: 10m
registration:
ui_url: http://localhost:4455/registration
lifespan: 10m
log:
level: debug
format: text
leak_sensitive_values: true
level: debug
format: text
leak_sensitive_values: true
secrets:
cookie:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
cipher:
- 32-LONG-SECRET-NOT-SECURE-AT-ALL
cookie:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
cipher:
- 32-LONG-SECRET-NOT-SECURE-AT-ALL
ciphers:
algorithm: xchacha20-poly1305
algorithm: xchacha20-poly1305
hashers:
algorithm: bcrypt
bcrypt:
cost: 8
algorithm: bcrypt
bcrypt:
cost: 8
identity:
default_schema_id: default
schemas:
- id: default
url: file:///etc/config/kratos/identity.schema.json
default_schema_id: default
schemas:
- id: default
url: file:///etc/config/kratos/identity.schema.json
courier:
template_override_path: /etc/config/kratos/courier-templates
delivery_strategy: http
http:
request_config:
url: http://baron_backend:3000/api/v1/auth/webhooks/kratos-courier
method: POST
body: file:///etc/config/kratos/courier-http.jsonnet
headers:
Content-Type: application/json
smtp:
connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
template_override_path: /etc/config/kratos/courier-templates
delivery_strategy: http
http:
request_config:
url: http://baron_backend:3000/api/v1/auth/webhooks/kratos-courier
method: POST
body: file:///etc/config/kratos/courier-http.jsonnet
headers:
Content-Type: application/json
smtp:
connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true

44
userfront/lib/core/services/auth_proxy_service.dart
View File

@@ -282,19 +282,41 @@ class AuthProxyService {
throw Exception('QR Polling failed: ${response.body}');
}
static Future<void> approveQrLogin(String pendingRef, String token) async {
static Future<void> approveQrLogin(
String pendingRef, {
String? token,
bool withCredentials = false,
}) async {
final url = Uri.parse('$_baseUrl/api/v1/auth/qr/approve'); // Mapping to ScanQRLogin on backend
final response = await http.post(
url,
headers: {'Content-Type': 'application/json'},
body: jsonEncode({
'pendingRef': pendingRef,
'token': token,
}),
);
final payload = <String, dynamic>{
'pendingRef': pendingRef,
};
if (token != null && token.isNotEmpty) {
payload['token'] = token;
}
if (response.statusCode != 200) {
throw Exception('QR Approval failed: ${response.body}');
http.Client? client;
try {
if (withCredentials) {
client = createHttpClient(withCredentials: true);
}
final response = await (client != null
? client.post(
url,
headers: {'Content-Type': 'application/json'},
body: jsonEncode(payload),
)
: http.post(
url,
headers: {'Content-Type': 'application/json'},
body: jsonEncode(payload),
));
if (response.statusCode != 200) {
throw Exception('QR Approval failed: ${response.body}');
}
} finally {
client?.close();
}
}

43
userfront/lib/features/auth/presentation/approve_qr_screen.dart
View File

@@ -16,13 +16,46 @@ class _ApproveQrScreenState extends State<ApproveQrScreen> {
bool _isLoading = false;
String? _message;
bool _success = false;
bool _isCheckingSession = false;
@override
void initState() {
super.initState();
_bootstrapCookieSession();
}
Future<bool> _bootstrapCookieSession() async {
if (AuthTokenStore.usesCookie()) {
return true;
}
if (_isCheckingSession) {
return false;
}
setState(() => _isCheckingSession = true);
try {
await AuthProxyService.checkCookieSession();
AuthTokenStore.setCookieMode(provider: 'ory');
return true;
} catch (_) {
return false;
} finally {
if (mounted) {
setState(() => _isCheckingSession = false);
}
}
}
Future<void> _handleApprove() async {
if (widget.pendingRef == null) return;
final storedToken = AuthTokenStore.getToken();
final session = Descope.sessionManager.session;
if (storedToken == null && (session == null || session.refreshToken.isExpired)) {
final usesCookie = AuthTokenStore.usesCookie();
var hasCookie = usesCookie;
if (storedToken == null && (session == null || session.refreshToken.isExpired) && !hasCookie) {
hasCookie = await _bootstrapCookieSession();
}
if (storedToken == null && (session == null || session.refreshToken.isExpired) && !hasCookie) {
setState(() => _message = "Please log in on your phone first.");
context.go('/signin'); // Redirect to login
return;
@@ -37,7 +70,8 @@ class _ApproveQrScreenState extends State<ApproveQrScreen> {
final token = storedToken ?? session?.sessionToken.jwt ?? '';
await AuthProxyService.approveQrLogin(
widget.pendingRef!,
token,
token: token,
withCredentials: hasCookie,
);
setState(() {
_success = true;
@@ -57,7 +91,10 @@ class _ApproveQrScreenState extends State<ApproveQrScreen> {
@override
Widget build(BuildContext context) {
final isLoggedIn = Descope.sessionManager.session?.refreshToken.isExpired == false;
final hasStoredToken = AuthTokenStore.getToken() != null;
final hasDescopeSession = Descope.sessionManager.session?.refreshToken.isExpired == false;
final usesCookie = AuthTokenStore.usesCookie();
final isLoggedIn = hasStoredToken || hasDescopeSession || usesCookie || _isCheckingSession;
return Scaffold(
appBar: AppBar(title: const Text("QR Login Approval")),

67
userfront/lib/features/auth/presentation/login_screen.dart
View File

@@ -288,33 +288,36 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
timer.cancel();
_qrCountdownTimer?.cancel();
final jwt = res['sessionJwt'];
final displayName = _getLoginIdFromJwt(jwt);
// Create User & Session for Descope SDK
final dummyUser = DescopeUser(
'unknown', // userId
[], // loginIds
0, // createdAt
displayName, // name
null, // picture (Uri?)
'', // email
false, // isVerifiedEmail
'', // phone
false, // isVerifiedPhone
{}, // customAttributes
'', // givenName
'', // middleName
'', // familyName
false, // hasPassword
'enabled', // status
[], // roleNames
[], // ssoAppIds
[], // oauthProviders (List<String>)
);
final session = DescopeSession.fromJwt(jwt, jwt, dummyUser);
Descope.sessionManager.manageSession(session);
final token = res['sessionJwt'] as String;
final isJwt = token.split('.').length == 3;
if (isJwt) {
final displayName = _getLoginIdFromJwt(token);
// Create User & Session for Descope SDK
final dummyUser = DescopeUser(
'unknown', // userId
[], // loginIds
0, // createdAt
displayName, // name
null, // picture (Uri?)
'', // email
false, // isVerifiedEmail
'', // phone
false, // isVerifiedPhone
{}, // customAttributes
'', // givenName
'', // middleName
'', // familyName
false, // hasPassword
'enabled', // status
[], // roleNames
[], // ssoAppIds
[], // oauthProviders (List<String>)
);
final session = DescopeSession.fromJwt(token, token, dummyUser);
Descope.sessionManager.manageSession(session);
}
_onLoginSuccess(jwt);
_onLoginSuccess(token);
}
} catch (e) {
debugPrint("[QR] Polling error: $e");
@@ -906,8 +909,10 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
controller: _shortCodePrefixController,
textCapitalization: TextCapitalization.characters,
decoration: const InputDecoration(
labelText: "AA",
labelText: "영문 2자리",
border: OutlineInputBorder(),
hintText: "AB",
hintStyle: TextStyle(color: Colors.grey),
),
maxLength: 2,
),
@@ -919,11 +924,13 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
controller: _shortCodeDigitsController,
keyboardType: TextInputType.number,
decoration: InputDecoration(
labelText: "000000",
labelText: "숫자 6자리",
border: const OutlineInputBorder(),
hintText: _linkExpireSeconds > 0
hintText: "345678",
hintStyle: const TextStyle(color: Colors.grey),
suffixText: _linkExpireSeconds > 0
? "유효시간 ${_formatTime(_linkExpireSeconds)}"
: "000000",
: null,
),
maxLength: 6,
),

171
userfront/lib/features/auth/presentation/qr_scan_screen.dart
View File

@@ -19,6 +19,38 @@ class _QRScanScreenState extends State<QRScanScreen> {
detectionSpeed: DetectionSpeed.noDuplicates,
);
bool _isScanned = false;
bool _isCheckingSession = false;
bool _isProcessing = false;
bool? _isSuccess;
String? _resultMessage;
@override
void initState() {
super.initState();
_bootstrapCookieSession();
}
Future<bool> _bootstrapCookieSession() async {
if (AuthTokenStore.usesCookie()) {
return true;
}
if (_isCheckingSession) {
return false;
}
setState(() => _isCheckingSession = true);
try {
await AuthProxyService.checkCookieSession();
AuthTokenStore.setCookieMode(provider: 'ory');
return true;
} catch (e) {
_log.info('Cookie session check failed: $e');
return false;
} finally {
if (mounted) {
setState(() => _isCheckingSession = false);
}
}
}
@override
void dispose() {
@@ -33,6 +65,9 @@ class _QRScanScreenState extends State<QRScanScreen> {
for (final barcode in barcodes) {
if (barcode.rawValue != null) {
_isScanned = true;
if (mounted) {
setState(() => _isProcessing = true);
}
String qrData = barcode.rawValue!;
String pendingRef = qrData;
@@ -42,6 +77,12 @@ class _QRScanScreenState extends State<QRScanScreen> {
final uri = Uri.parse(qrData);
if (uri.queryParameters.containsKey('ref')) {
pendingRef = uri.queryParameters['ref']!;
} else if (uri.pathSegments.isNotEmpty) {
final segments = uri.pathSegments;
final qlIndex = segments.indexOf('ql');
if (qlIndex != -1 && qlIndex + 1 < segments.length) {
pendingRef = segments[qlIndex + 1];
}
}
} catch (e) {
_log.warning('Failed to parse QR URL: $qrData', e);
@@ -49,10 +90,15 @@ class _QRScanScreenState extends State<QRScanScreen> {
}
_log.info('QR Code detected raw: $qrData, ref: $pendingRef');
final approveRef = qrData;
final sessionToken = AuthTokenStore.getToken() ??
Descope.sessionManager.session?.sessionToken.jwt;
if (sessionToken == null) {
final storedToken = AuthTokenStore.getToken();
final sessionToken = storedToken ?? Descope.sessionManager.session?.sessionToken.jwt;
var usesCookie = AuthTokenStore.usesCookie();
if (sessionToken == null && !usesCookie) {
usesCookie = await _bootstrapCookieSession();
}
if (sessionToken == null && !usesCookie) {
if (mounted) {
ScaffoldMessenger.of(context).showSnackBar(
const SnackBar(content: Text('로그인이 필요합니다.'), backgroundColor: Colors.red),
@@ -64,28 +110,27 @@ class _QRScanScreenState extends State<QRScanScreen> {
try {
// Call backend API to approve login with clean ref
await AuthProxyService.approveQrLogin(pendingRef, sessionToken);
await AuthProxyService.approveQrLogin(
approveRef,
token: sessionToken,
withCredentials: usesCookie,
);
if (mounted) {
ScaffoldMessenger.of(context).showSnackBar(
const SnackBar(
content: Text('로그인 승인 완료!'),
backgroundColor: Colors.green,
),
);
// Wait a bit and go back
await Future.delayed(const Duration(milliseconds: 500));
if (mounted) context.pop();
setState(() {
_isSuccess = true;
_resultMessage = 'QR 승인 완료! PC 화면에서 로그인이 진행됩니다.';
_isProcessing = false;
});
}
} catch (e) {
_log.severe("QR Approval Failed", e);
if (mounted) {
ScaffoldMessenger.of(context).showSnackBar(
SnackBar(content: Text('승인 실패: $e'), backgroundColor: Colors.red),
);
// Allow rescanning after a delay
await Future.delayed(const Duration(seconds: 2));
_isScanned = false;
setState(() {
_isSuccess = false;
_resultMessage = 'QR 승인 실패: $e';
_isProcessing = false;
});
}
}
break;
@@ -93,6 +138,58 @@ class _QRScanScreenState extends State<QRScanScreen> {
}
}
void _resetScan() {
setState(() {
_isScanned = false;
_isProcessing = false;
_isSuccess = null;
_resultMessage = null;
});
controller.start();
}
Widget _buildResultView() {
final success = _isSuccess == true;
final icon = success ? Icons.check_circle_outline : Icons.error_outline;
final color = success ? Colors.green : Colors.red;
final title = success ? '승인 완료' : '승인 실패';
final message = _resultMessage ?? '';
return Center(
child: Padding(
padding: const EdgeInsets.all(24.0),
child: Column(
mainAxisAlignment: MainAxisAlignment.center,
children: [
Icon(icon, color: color, size: 72),
const SizedBox(height: 16),
Text(
title,
style: TextStyle(fontSize: 22, fontWeight: FontWeight.bold, color: color),
),
const SizedBox(height: 12),
Text(
message,
textAlign: TextAlign.center,
style: const TextStyle(color: Colors.black54),
),
const SizedBox(height: 24),
if (!success)
FilledButton(
onPressed: _resetScan,
child: const Text('다시 스캔'),
),
if (success)
FilledButton(
onPressed: () => context.pop(),
child: const Text('닫기'),
),
],
),
),
);
}
@override
Widget build(BuildContext context) {
return Scaffold(
@@ -103,22 +200,30 @@ class _QRScanScreenState extends State<QRScanScreen> {
onPressed: () => context.pop(),
),
),
body: MobileScanner(
controller: controller,
onDetect: _onDetect,
errorBuilder: (context, error, child) {
return Center(
child: Column(
mainAxisAlignment: MainAxisAlignment.center,
body: _isSuccess == null
? Stack(
children: [
const Icon(Icons.error, color: Colors.red, size: 50),
const SizedBox(height: 10),
Text('Camera Error: ${error.errorCode}'),
MobileScanner(
controller: controller,
onDetect: _onDetect,
errorBuilder: (context, error, child) {
return Center(
child: Column(
mainAxisAlignment: MainAxisAlignment.center,
children: [
const Icon(Icons.error, color: Colors.red, size: 50),
const SizedBox(height: 10),
Text('Camera Error: ${error.errorCode}'),
],
),
);
},
),
if (_isProcessing || _isCheckingSession)
const Center(child: CircularProgressIndicator()),
],
),
);
},
),
)
: _buildResultView(),
);
}
}

9
userfront/lib/main.dart
View File

@@ -157,6 +157,14 @@ final _router = GoRouter(
return ApproveQrScreen(pendingRef: ref);
},
),
GoRoute(
path: '/ql/:ref',
builder: (context, state) {
final ref = state.pathParameters['ref'];
_routerLogger.info("Navigating to /ql with ref: $ref");
return ApproveQrScreen(pendingRef: ref);
},
),
GoRoute(
path: '/scan',
builder: (context, state) {
@@ -186,6 +194,7 @@ final _router = GoRouter(
path == '/verify' ||
path.startsWith('/verify/') ||
path == '/approve' ||
path.startsWith('/ql/') ||
path == '/forgot-password' ||
path == '/reset-password';