From ff655dc7c7a7e940d6cb71aa263b40c397b117b5 Mon Sep 17 00:00:00 2001 From: Lectom C Han Date: Thu, 29 Jan 2026 16:35:08 +0900 Subject: [PATCH] =?UTF-8?q?QR=20=EB=A1=9C=EA=B7=B8=EC=9D=B8=20=EA=B5=AC?= =?UTF-8?q?=ED=98=84=20=EC=99=84=EB=A3=8C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- backend/cmd/server/main.go | 42 ++- backend/internal/handler/auth_handler.go | 347 +++++++++++++++--- docker/ory/kratos/kratos.yml | 136 +++---- .../lib/core/services/auth_proxy_service.dart | 44 ++- .../auth/presentation/approve_qr_screen.dart | 43 ++- .../auth/presentation/login_screen.dart | 67 ++-- .../auth/presentation/qr_scan_screen.dart | 171 +++++++-- userfront/lib/main.dart | 9 + 8 files changed, 656 insertions(+), 203 deletions(-) diff --git a/backend/cmd/server/main.go b/backend/cmd/server/main.go index a75b8336..ec8060b0 100644 --- a/backend/cmd/server/main.go +++ b/backend/cmd/server/main.go @@ -292,24 +292,30 @@ func main() { Key: cookieSecret, })) - app.Get("/docs", func(c *fiber.Ctx) error { - return c.SendFile("./docs/swagger-ui/index.html") - }) - app.Get("/docs/", func(c *fiber.Ctx) error { - return c.SendFile("./docs/swagger-ui/index.html") - }) - app.Static("/docs", "./docs/swagger-ui") - app.Get("/redoc", func(c *fiber.Ctx) error { - return c.SendFile("./docs/redoc/index.html") - }) - app.Get("/redoc/", func(c *fiber.Ctx) error { - return c.SendFile("./docs/redoc/index.html") - }) - app.Static("/redoc", "./docs/redoc") - app.Get("/openapi.yaml", func(c *fiber.Ctx) error { - c.Type("yaml") - return c.SendFile("./docs/openapi.yaml") - }) + // [Security] Disable Swagger/ReDoc in Production + if appEnv != "production" { + app.Get("/docs", func(c *fiber.Ctx) error { + return c.SendFile("./docs/swagger-ui/index.html") + }) + app.Get("/docs/", func(c *fiber.Ctx) error { + return c.SendFile("./docs/swagger-ui/index.html") + }) + app.Static("/docs", "./docs/swagger-ui") + app.Get("/redoc", func(c *fiber.Ctx) error { + return c.SendFile("./docs/redoc/index.html") + }) + app.Get("/redoc/", func(c *fiber.Ctx) error { + return c.SendFile("./docs/redoc/index.html") + }) + app.Static("/redoc", "./docs/redoc") + app.Get("/openapi.yaml", func(c *fiber.Ctx) error { + c.Type("yaml") + return c.SendFile("./docs/openapi.yaml") + }) + slog.Info("๐Ÿ“š API Docs enabled", "swagger", "/docs", "redoc", "/redoc") + } else { + slog.Info("๐Ÿ”’ API Docs disabled in production") + } // Routes app.Get("/", func(c *fiber.Ctx) error { diff --git a/backend/internal/handler/auth_handler.go b/backend/internal/handler/auth_handler.go index d7d43d40..e7c74e55 100644 --- a/backend/internal/handler/auth_handler.go +++ b/backend/internal/handler/auth_handler.go @@ -37,7 +37,11 @@ const ( prefixLoginCodeSmsLookup = "login_code_sms_lookup:" prefixLoginCodeShort = "login_code_short:" prefixLoginCodeSmsOnly = "login_code_sms_only:" + prefixLoginCodeQrPending = "login_code_qr_pending:" + prefixLoginCodeQr = "login_code_qr:" prefixPollMeta = "poll_meta:" + prefixQrRef = "qr_ref:" + prefixQrPending = "qr_pending:" prefixSignupEmail = "signup:email:" prefixSignupPhone = "signup:phone:" @@ -84,6 +88,21 @@ func GenerateSecureToken(length int) string { return hex.EncodeToString(b) } +func GenerateSecureAlnumToken(length int) string { + const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" + if length <= 0 { + return "" + } + buf := make([]byte, length) + if _, err := crand.Read(buf); err != nil { + return "" + } + for i := range buf { + buf[i] = charset[int(buf[i])%len(charset)] + } + return string(buf) +} + func GenerateUserCode() string { const letters = "ABCDEFGHJKLMNPQRSTUVWXYZ" return fmt.Sprintf("%c%c-%03d", @@ -1358,18 +1377,23 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error { // InitQRLogin - Step 1: Web ํŒจ๋„์—์„œ QR ๋กœ๊ทธ์ธ ์„ธ์…˜์„ ์ƒ์„ฑํ•ฉ๋‹ˆ๋‹ค. func (h *AuthHandler) InitQRLogin(c *fiber.Ctx) error { pendingRef := GenerateSecureToken(16) + qrRef := GenerateSecureAlnumToken(64) + if qrRef == "" { + qrRef = GenerateSecureToken(16) + } // QR ์ฝ”๋“œ ํŽ˜์ด๋กœ๋“œ๋ฅผ ์‹ค์ œ ์ ‘์† ๊ฐ€๋Šฅํ•œ URL๋กœ ๋ณ€๊ฒฝํ•ฉ๋‹ˆ๋‹ค. userfrontURL := os.Getenv("USERFRONT_URL") if userfrontURL == "" { userfrontURL = "https://sso.hmac.kr" } - qrPayload := fmt.Sprintf("%s/approve?ref=%s", userfrontURL, pendingRef) + qrPayload := fmt.Sprintf("%s/ql/%s", strings.TrimRight(userfrontURL, "/"), qrRef) - slog.Info("[QR] Init", "pendingRef", pendingRef, "url", qrPayload) + slog.Info("[QR] Init", "pendingRef", pendingRef, "qrRef", qrRef, "url", qrPayload) // Redis์— ์ดˆ๊ธฐ ์ƒํƒœ ์ €์žฅ (5๋ถ„ ๋งŒ๋ฃŒ) h.RedisService.Set(prefixSession+pendingRef, fmt.Sprintf(`{"status":"%s"}`, statusPending), 5*time.Minute) + h.RedisService.Set(prefixQrRef+qrRef, pendingRef, 5*time.Minute) return c.JSON(fiber.Map{ "qrCode": qrPayload, // ํ”„๋ก ํŠธ์—”๋“œ์—์„œ ์ด ํ…์ŠคํŠธ๋กœ QR์„ ์ƒ์„ฑํ•˜๊ฑฐ๋‚˜, ์ด๋ฏธ์ง€๋ฅผ ๋ฐ˜ํ™˜ @@ -1430,30 +1454,66 @@ func (h *AuthHandler) ScanQRLogin(c *fiber.Ctx) error { return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid body"}) } - slog.Info("[QR] Scan & Approve", "pendingRef", req.PendingRef) - - if req.Token == "" { - return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Missing session token"}) + rawRef := strings.TrimSpace(req.PendingRef) + pendingRef, err := h.resolveQrPendingRef(rawRef) + if err != nil || pendingRef == "" { + return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid pendingRef"}) } + slog.Info("[QR] Scan & Approve", "pendingRef", pendingRef) + // 1. Redis์—์„œ ์„ธ์…˜ ํ™•์ธ - val, err := h.RedisService.Get(prefixSession + req.PendingRef) + val, err := h.RedisService.Get(prefixSession + pendingRef) if err != nil || val == "" { return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "Session expired or not found"}) } - // 2. ๋ชจ๋ฐ”์ผ ํ† ํฐ์€ ์Šน์ธ ๊ฒ€์ฆ์šฉ์œผ๋กœ๋งŒ ์‚ฌ์šฉํ•˜๊ณ , ์›น ์ „์šฉ ์„ธ์…˜์„ ์ƒˆ๋กœ ๋ฐœ๊ธ‰ - sessionToken, err := h.issueQRWebSession(c, req.Token) - if err != nil { - slog.Error("[QR] Issue web session failed", "error", err) - return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"}) + if req.Token == "" { + cookie := c.Get(fiber.HeaderCookie) + if cookie == "" { + return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Missing session token"}) + } + _, traits, err := h.getKratosIdentityWithCookie(cookie) + if err != nil { + slog.Warn("[QR] Cookie session invalid", "error", err) + return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"}) + } + loginID := pickLoginIDFromTraits(traits) + if loginID == "" { + return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"}) + } + if !strings.Contains(loginID, "@") { + loginID = normalizePhoneForLoginID(loginID) + } + if err := h.startQrCodeLoginForQr(loginID, pendingRef, rawRef); err != nil { + slog.Error("[QR] Start code login failed", "error", err) + return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"}) + } + return c.JSON(fiber.Map{"message": "QR Login Approved"}) } - sessionData, _ := json.Marshal(map[string]string{ - "status": statusSuccess, - "jwt": sessionToken, - }) - h.RedisService.Set(prefixSession+req.PendingRef, string(sessionData), 5*time.Minute) + // 2. ๋ชจ๋ฐ”์ผ ํ† ํฐ์€ ์Šน์ธ ๊ฒ€์ฆ์šฉ์œผ๋กœ๋งŒ ์‚ฌ์šฉํ•˜๊ณ , ์›น ์ „์šฉ ์„ธ์…˜์„ ์ƒˆ๋กœ ๋ฐœ๊ธ‰ + if sessionToken, err := h.tryIssueDescopeQrSession(c, req.Token); err != nil { + slog.Error("[QR] Issue web session failed", "error", err) + return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"}) + } else if sessionToken != "" { + sessionData, _ := json.Marshal(map[string]string{ + "status": statusSuccess, + "jwt": sessionToken, + }) + h.RedisService.Set(prefixSession+pendingRef, string(sessionData), 5*time.Minute) + return c.JSON(fiber.Map{"message": "QR Login Approved"}) + } + + loginID, err := h.resolveKratosLoginID(req.Token) + if err != nil { + slog.Warn("[QR] Invalid token", "error", err) + return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"}) + } + if err := h.startQrCodeLoginForQr(loginID, pendingRef, rawRef); err != nil { + slog.Error("[QR] Start code login failed", "error", err) + return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"}) + } return c.JSON(fiber.Map{"message": "QR Login Approved"}) } @@ -1484,6 +1544,66 @@ func (h *AuthHandler) HandleKratosCourierRelay(c *fiber.Ctx) error { return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Missing recipient"}) } + loginID := req.Recipient + if !strings.Contains(loginID, "@") { + loginID = normalizePhoneForLoginID(loginID) + } + if pendingRef, _ := h.RedisService.Get(prefixLoginCodeQrPending + loginID); pendingRef != "" { + code := normalizeLoginCode(extractFirstString(req.TemplateData, "login_code")) + if code == "" { + slog.Error("[QR] Missing login code in courier", "loginID", loginID) + return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Missing login code"}) + } + flowID, _ := h.RedisService.Get(prefixLoginCode + loginID) + if flowID == "" { + slog.Error("[QR] Missing login flow for code verify", "loginID", loginID) + return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Login flow expired"}) + } + authInfo, err := h.IdpProvider.VerifyLoginCode(loginID, flowID, code) + if err != nil || authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" { + slog.Error("[QR] Code verify failed", "loginID", loginID, "error", err) + return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to verify login code"}) + } + sessionData, _ := json.Marshal(map[string]string{ + "status": statusSuccess, + "jwt": authInfo.SessionToken.JWT, + }) + h.RedisService.Set(prefixSession+pendingRef, string(sessionData), loginCodeExpiration) + h.RedisService.Delete(prefixLoginCodeQrPending + loginID) + h.RedisService.Delete(prefixLoginCode + loginID) + h.RedisService.Delete(prefixLoginCodeQr + pendingRef) + slog.Info("[QR] Code verified and session issued", "loginID", loginID, "pendingRef", pendingRef) + return c.JSON(fiber.Map{"status": "ok"}) + } + if pendingRef, _ := h.RedisService.Get(prefixQrPending + loginID); pendingRef != "" { + code := normalizeLoginCode(extractFirstString(req.TemplateData, "login_code")) + if code == "" { + slog.Error("[QR] Missing login code in courier", "loginID", loginID) + return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Missing login code"}) + } + flowID, _ := h.RedisService.Get(prefixLoginCode + loginID) + if flowID == "" { + slog.Error("[QR] Missing login flow for code verify", "loginID", loginID) + return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Login flow expired"}) + } + authInfo, err := h.IdpProvider.VerifyLoginCode(loginID, flowID, code) + if err != nil || authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" { + slog.Error("[QR] Code verify failed", "loginID", loginID, "error", err) + return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to verify login code"}) + } + sessionData, _ := json.Marshal(map[string]string{ + "status": statusSuccess, + "jwt": authInfo.SessionToken.JWT, + }) + h.RedisService.Set(prefixSession+pendingRef, string(sessionData), loginCodeExpiration) + h.RedisService.Delete(prefixQrPending + loginID) + h.RedisService.Delete(prefixLoginCode + loginID) + h.RedisService.Delete(prefixLoginCodeSmsTarget + loginID) + h.RedisService.Delete(prefixLoginCodeSmsLookup + loginID) + slog.Info("[QR] Code verified and session issued", "loginID", loginID, "pendingRef", pendingRef) + return c.JSON(fiber.Map{"status": "ok"}) + } + subject, body := h.buildKratosCourierMessage(&req) if strings.TrimSpace(body) == "" { slog.Warn("[Kratos Courier] Empty body", "recipient", req.Recipient, "template", req.TemplateType) @@ -1526,16 +1646,16 @@ func (h *AuthHandler) HandleKratosCourierRelay(c *fiber.Ctx) error { return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "SMS service not configured"}) } phone := sanitizePhoneForSms(req.Recipient) - loginID := req.Recipient - if !strings.Contains(loginID, "@") { - lookup := normalizePhoneForLoginID(loginID) + smsLoginID := req.Recipient + if !strings.Contains(smsLoginID, "@") { + lookup := normalizePhoneForLoginID(smsLoginID) if email, _ := h.RedisService.Get(prefixLoginCodeSmsLookup + lookup); email != "" { - loginID = email + smsLoginID = email } else { - loginID = lookup + smsLoginID = lookup } } - smsBody := h.buildKratosShortSmsBody(&req, loginID, phone) + smsBody := h.buildKratosShortSmsBody(&req, smsLoginID, phone) if smsBody == "" { smsBody = body } @@ -1918,30 +2038,171 @@ func (h *AuthHandler) resolveIdentityID(c *fiber.Ctx, token string) (string, err return id, err } -func (h *AuthHandler) issueQRWebSession(c *fiber.Ctx, token string) (string, error) { - if looksLikeJWT(token) && h.DescopeClient != nil { - authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token) - if err == nil && authorized { - loginID, err := h.resolveDescopeLoginID(c.Context(), userToken) - if err != nil { - return "", err - } - authInfo, err := h.IdpProvider.IssueSession(loginID) - if err != nil { - return "", err - } - if authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" { - return "", fmt.Errorf("descope issue session returned empty token") - } - return authInfo.SessionToken.JWT, nil - } +func (h *AuthHandler) tryIssueDescopeQrSession(c *fiber.Ctx, token string) (string, error) { + if !looksLikeJWT(token) || h.DescopeClient == nil { + return "", nil } - - identityID, _, err := h.getKratosIdentity(token) + authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token) + if err != nil || !authorized { + return "", nil + } + loginID, err := h.resolveDescopeLoginID(c.Context(), userToken) if err != nil { return "", err } - return h.issueKratosSession(c.Context(), identityID) + authInfo, err := h.IdpProvider.IssueSession(loginID) + if err != nil { + return "", err + } + if authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" { + return "", fmt.Errorf("descope issue session returned empty token") + } + return authInfo.SessionToken.JWT, nil +} + +func (h *AuthHandler) resolveKratosLoginID(token string) (string, error) { + _, traits, err := h.getKratosIdentity(token) + if err != nil { + return "", err + } + loginID := pickLoginIDFromTraits(traits) + if loginID == "" { + return "", fmt.Errorf("kratos login id missing") + } + if !strings.Contains(loginID, "@") { + loginID = normalizePhoneForLoginID(loginID) + } + return loginID, nil +} + +func pickLoginIDFromTraits(traits map[string]interface{}) string { + if traits == nil { + return "" + } + keys := []string{"email", "phone", "phone_number", "phoneNumber", "mobile", "mobile_number"} + for _, key := range keys { + if raw, ok := traits[key]; ok { + if value, ok := raw.(string); ok && value != "" { + return value + } + } + } + return "" +} + +func (h *AuthHandler) resolveQrPendingRef(raw string) (string, error) { + ref := strings.TrimSpace(raw) + if ref == "" { + return "", fmt.Errorf("empty ref") + } + if strings.HasPrefix(ref, "http") { + if parsed, err := url.Parse(ref); err == nil { + if value := parsed.Query().Get("ref"); value != "" { + ref = value + } else if len(parsed.Path) > 0 { + segments := strings.Split(strings.Trim(parsed.Path, "/"), "/") + if len(segments) >= 2 && segments[0] == "ql" { + ref = segments[1] + } + } + } + } + if ref == "" { + return "", fmt.Errorf("invalid ref") + } + if mapped, _ := h.RedisService.Get(prefixQrRef + ref); mapped != "" { + return mapped, nil + } + return ref, nil +} + +func (h *AuthHandler) resolveQrRef(raw string) string { + ref := strings.TrimSpace(raw) + if ref == "" { + return "" + } + if strings.HasPrefix(ref, "http") { + if parsed, err := url.Parse(ref); err == nil { + if value := parsed.Query().Get("ref"); value != "" { + return value + } + if len(parsed.Path) > 0 { + segments := strings.Split(strings.Trim(parsed.Path, "/"), "/") + if len(segments) >= 2 && segments[0] == "ql" { + return segments[1] + } + } + } + } + return ref +} + +func (h *AuthHandler) startQrCodeLogin(loginID, pendingRef string) error { + if h.IdpProvider == nil { + return fmt.Errorf("identity provider unavailable") + } + userfrontURL := os.Getenv("USERFRONT_URL") + if userfrontURL == "" { + userfrontURL = "http://sso.hmac.kr" + } + _ = h.RedisService.Set(prefixQrPending+loginID, pendingRef, loginCodeExpiration) + init, err := h.IdpProvider.InitiateLinkLogin(loginID, userfrontURL) + if err != nil { + h.RedisService.Delete(prefixQrPending + loginID) + if errors.Is(err, domain.ErrNotSupported) { + return fmt.Errorf("login method not supported") + } + return err + } + effectiveLoginID := loginID + if init != nil && init.LoginID != "" { + effectiveLoginID = init.LoginID + } + if effectiveLoginID != loginID { + _ = h.RedisService.Set(prefixQrPending+effectiveLoginID, pendingRef, loginCodeExpiration) + } + if init != nil && init.FlowID != "" { + _ = h.RedisService.Set(prefixLoginCode+effectiveLoginID, init.FlowID, loginCodeExpiration) + } + return nil +} + +func (h *AuthHandler) startQrCodeLoginForQr(loginID, pendingRef, rawRef string) error { + if h.IdpProvider == nil { + return fmt.Errorf("identity provider unavailable") + } + userfrontURL := os.Getenv("USERFRONT_URL") + if userfrontURL == "" { + userfrontURL = "http://sso.hmac.kr" + } + + init, err := h.IdpProvider.InitiateLinkLogin(loginID, userfrontURL) + if err != nil { + if errors.Is(err, domain.ErrNotSupported) { + return fmt.Errorf("login method not supported") + } + return err + } + + effectiveLoginID := loginID + if init != nil && init.LoginID != "" { + effectiveLoginID = init.LoginID + } + if init == nil || init.FlowID == "" { + return fmt.Errorf("login flow missing") + } + + qrRef := h.resolveQrRef(rawRef) + qrPayload, _ := json.Marshal(map[string]string{ + "pendingRef": pendingRef, + "qrRef": qrRef, + "loginId": effectiveLoginID, + "approvedAt": time.Now().UTC().Format(time.RFC3339), + }) + _ = h.RedisService.Set(prefixLoginCodeQr+pendingRef, string(qrPayload), loginCodeExpiration) + _ = h.RedisService.Set(prefixLoginCodeQrPending+effectiveLoginID, pendingRef, loginCodeExpiration) + _ = h.RedisService.Set(prefixLoginCode+effectiveLoginID, init.FlowID, loginCodeExpiration) + return nil } func (h *AuthHandler) resolveDescopeLoginID(ctx context.Context, token *descope.Token) (string, error) { diff --git a/docker/ory/kratos/kratos.yml b/docker/ory/kratos/kratos.yml index 1bcc337e..277dc1d0 100644 --- a/docker/ory/kratos/kratos.yml +++ b/docker/ory/kratos/kratos.yml @@ -3,84 +3,90 @@ version: v1.3.0 dsn: memory serve: - public: - base_url: http://localhost:4433/ - cors: - enabled: true - admin: - base_url: http://localhost:4434/ + public: + base_url: http://localhost:4433/ + cors: + enabled: true + admin: + base_url: http://localhost:4434/ selfservice: - default_browser_return_url: http://localhost:4455/ - allowed_return_urls: - - http://localhost:4455 - - http://localhost:5000 + default_browser_return_url: http://localhost:4455/ + allowed_return_urls: + - http://localhost:4455 + - http://localhost:5000 + - https://sss.hmac.kr + - https://sss.hmac.kr/ + - https://sso.hmac.kr + - https://sso.hmac.kr/ + - https://app.hmac.kr + - https://app.hmac.kr/ - methods: - password: - enabled: true - link: - enabled: true - code: - enabled: true - passwordless_enabled: true + methods: + password: + enabled: true + link: + enabled: true + code: + enabled: true + passwordless_enabled: true - flows: - error: - ui_url: http://localhost:4455/error - settings: - ui_url: http://localhost:4455/settings - privileged_session_max_age: 15m - recovery: - ui_url: http://localhost:4455/recovery - use: code - verification: - ui_url: http://localhost:4455/verification - use: code - logout: - after: - default_browser_return_url: http://localhost:4455/login - login: - ui_url: http://localhost:4455/login - lifespan: 10m - registration: - ui_url: http://localhost:4455/registration - lifespan: 10m + flows: + error: + ui_url: http://localhost:4455/error + settings: + ui_url: http://localhost:4455/settings + privileged_session_max_age: 15m + recovery: + ui_url: http://localhost:4455/recovery + use: code + verification: + ui_url: http://localhost:4455/verification + use: code + logout: + after: + default_browser_return_url: http://localhost:4455/login + login: + ui_url: http://localhost:4455/login + lifespan: 10m + registration: + ui_url: http://localhost:4455/registration + lifespan: 10m log: - level: debug - format: text - leak_sensitive_values: true + level: debug + format: text + leak_sensitive_values: true secrets: - cookie: - - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE - cipher: - - 32-LONG-SECRET-NOT-SECURE-AT-ALL + cookie: + - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE + cipher: + - 32-LONG-SECRET-NOT-SECURE-AT-ALL ciphers: - algorithm: xchacha20-poly1305 + algorithm: xchacha20-poly1305 hashers: - algorithm: bcrypt - bcrypt: - cost: 8 + algorithm: bcrypt + bcrypt: + cost: 8 identity: - default_schema_id: default - schemas: - - id: default - url: file:///etc/config/kratos/identity.schema.json + default_schema_id: default + schemas: + - id: default + url: file:///etc/config/kratos/identity.schema.json courier: - template_override_path: /etc/config/kratos/courier-templates - delivery_strategy: http - http: - request_config: - url: http://baron_backend:3000/api/v1/auth/webhooks/kratos-courier - method: POST - body: file:///etc/config/kratos/courier-http.jsonnet - headers: - Content-Type: application/json - smtp: - connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true + template_override_path: /etc/config/kratos/courier-templates + delivery_strategy: http + http: + request_config: + url: http://baron_backend:3000/api/v1/auth/webhooks/kratos-courier + method: POST + body: file:///etc/config/kratos/courier-http.jsonnet + headers: + Content-Type: application/json + smtp: + connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true diff --git a/userfront/lib/core/services/auth_proxy_service.dart b/userfront/lib/core/services/auth_proxy_service.dart index ddd653bb..2fb3897b 100644 --- a/userfront/lib/core/services/auth_proxy_service.dart +++ b/userfront/lib/core/services/auth_proxy_service.dart @@ -282,19 +282,41 @@ class AuthProxyService { throw Exception('QR Polling failed: ${response.body}'); } - static Future approveQrLogin(String pendingRef, String token) async { + static Future approveQrLogin( + String pendingRef, { + String? token, + bool withCredentials = false, + }) async { final url = Uri.parse('$_baseUrl/api/v1/auth/qr/approve'); // Mapping to ScanQRLogin on backend - final response = await http.post( - url, - headers: {'Content-Type': 'application/json'}, - body: jsonEncode({ - 'pendingRef': pendingRef, - 'token': token, - }), - ); + final payload = { + 'pendingRef': pendingRef, + }; + if (token != null && token.isNotEmpty) { + payload['token'] = token; + } - if (response.statusCode != 200) { - throw Exception('QR Approval failed: ${response.body}'); + http.Client? client; + try { + if (withCredentials) { + client = createHttpClient(withCredentials: true); + } + final response = await (client != null + ? client.post( + url, + headers: {'Content-Type': 'application/json'}, + body: jsonEncode(payload), + ) + : http.post( + url, + headers: {'Content-Type': 'application/json'}, + body: jsonEncode(payload), + )); + + if (response.statusCode != 200) { + throw Exception('QR Approval failed: ${response.body}'); + } + } finally { + client?.close(); } } diff --git a/userfront/lib/features/auth/presentation/approve_qr_screen.dart b/userfront/lib/features/auth/presentation/approve_qr_screen.dart index 744e8abf..ea0b480f 100644 --- a/userfront/lib/features/auth/presentation/approve_qr_screen.dart +++ b/userfront/lib/features/auth/presentation/approve_qr_screen.dart @@ -16,13 +16,46 @@ class _ApproveQrScreenState extends State { bool _isLoading = false; String? _message; bool _success = false; + bool _isCheckingSession = false; + + @override + void initState() { + super.initState(); + _bootstrapCookieSession(); + } + + Future _bootstrapCookieSession() async { + if (AuthTokenStore.usesCookie()) { + return true; + } + if (_isCheckingSession) { + return false; + } + setState(() => _isCheckingSession = true); + try { + await AuthProxyService.checkCookieSession(); + AuthTokenStore.setCookieMode(provider: 'ory'); + return true; + } catch (_) { + return false; + } finally { + if (mounted) { + setState(() => _isCheckingSession = false); + } + } + } Future _handleApprove() async { if (widget.pendingRef == null) return; final storedToken = AuthTokenStore.getToken(); final session = Descope.sessionManager.session; - if (storedToken == null && (session == null || session.refreshToken.isExpired)) { + final usesCookie = AuthTokenStore.usesCookie(); + var hasCookie = usesCookie; + if (storedToken == null && (session == null || session.refreshToken.isExpired) && !hasCookie) { + hasCookie = await _bootstrapCookieSession(); + } + if (storedToken == null && (session == null || session.refreshToken.isExpired) && !hasCookie) { setState(() => _message = "Please log in on your phone first."); context.go('/signin'); // Redirect to login return; @@ -37,7 +70,8 @@ class _ApproveQrScreenState extends State { final token = storedToken ?? session?.sessionToken.jwt ?? ''; await AuthProxyService.approveQrLogin( widget.pendingRef!, - token, + token: token, + withCredentials: hasCookie, ); setState(() { _success = true; @@ -57,7 +91,10 @@ class _ApproveQrScreenState extends State { @override Widget build(BuildContext context) { - final isLoggedIn = Descope.sessionManager.session?.refreshToken.isExpired == false; + final hasStoredToken = AuthTokenStore.getToken() != null; + final hasDescopeSession = Descope.sessionManager.session?.refreshToken.isExpired == false; + final usesCookie = AuthTokenStore.usesCookie(); + final isLoggedIn = hasStoredToken || hasDescopeSession || usesCookie || _isCheckingSession; return Scaffold( appBar: AppBar(title: const Text("QR Login Approval")), diff --git a/userfront/lib/features/auth/presentation/login_screen.dart b/userfront/lib/features/auth/presentation/login_screen.dart index ea3bb2cb..18accd55 100644 --- a/userfront/lib/features/auth/presentation/login_screen.dart +++ b/userfront/lib/features/auth/presentation/login_screen.dart @@ -288,33 +288,36 @@ class _LoginScreenState extends ConsumerState timer.cancel(); _qrCountdownTimer?.cancel(); - final jwt = res['sessionJwt']; - final displayName = _getLoginIdFromJwt(jwt); - // Create User & Session for Descope SDK - final dummyUser = DescopeUser( - 'unknown', // userId - [], // loginIds - 0, // createdAt - displayName, // name - null, // picture (Uri?) - '', // email - false, // isVerifiedEmail - '', // phone - false, // isVerifiedPhone - {}, // customAttributes - '', // givenName - '', // middleName - '', // familyName - false, // hasPassword - 'enabled', // status - [], // roleNames - [], // ssoAppIds - [], // oauthProviders (List) - ); - final session = DescopeSession.fromJwt(jwt, jwt, dummyUser); - Descope.sessionManager.manageSession(session); + final token = res['sessionJwt'] as String; + final isJwt = token.split('.').length == 3; + if (isJwt) { + final displayName = _getLoginIdFromJwt(token); + // Create User & Session for Descope SDK + final dummyUser = DescopeUser( + 'unknown', // userId + [], // loginIds + 0, // createdAt + displayName, // name + null, // picture (Uri?) + '', // email + false, // isVerifiedEmail + '', // phone + false, // isVerifiedPhone + {}, // customAttributes + '', // givenName + '', // middleName + '', // familyName + false, // hasPassword + 'enabled', // status + [], // roleNames + [], // ssoAppIds + [], // oauthProviders (List) + ); + final session = DescopeSession.fromJwt(token, token, dummyUser); + Descope.sessionManager.manageSession(session); + } - _onLoginSuccess(jwt); + _onLoginSuccess(token); } } catch (e) { debugPrint("[QR] Polling error: $e"); @@ -906,8 +909,10 @@ class _LoginScreenState extends ConsumerState controller: _shortCodePrefixController, textCapitalization: TextCapitalization.characters, decoration: const InputDecoration( - labelText: "AA", + labelText: "์˜๋ฌธ 2์ž๋ฆฌ", border: OutlineInputBorder(), + hintText: "AB", + hintStyle: TextStyle(color: Colors.grey), ), maxLength: 2, ), @@ -919,11 +924,13 @@ class _LoginScreenState extends ConsumerState controller: _shortCodeDigitsController, keyboardType: TextInputType.number, decoration: InputDecoration( - labelText: "000000", + labelText: "์ˆซ์ž 6์ž๋ฆฌ", border: const OutlineInputBorder(), - hintText: _linkExpireSeconds > 0 + hintText: "345678", + hintStyle: const TextStyle(color: Colors.grey), + suffixText: _linkExpireSeconds > 0 ? "์œ ํšจ์‹œ๊ฐ„ ${_formatTime(_linkExpireSeconds)}" - : "000000", + : null, ), maxLength: 6, ), diff --git a/userfront/lib/features/auth/presentation/qr_scan_screen.dart b/userfront/lib/features/auth/presentation/qr_scan_screen.dart index 43aac077..cac86bc4 100644 --- a/userfront/lib/features/auth/presentation/qr_scan_screen.dart +++ b/userfront/lib/features/auth/presentation/qr_scan_screen.dart @@ -19,6 +19,38 @@ class _QRScanScreenState extends State { detectionSpeed: DetectionSpeed.noDuplicates, ); bool _isScanned = false; + bool _isCheckingSession = false; + bool _isProcessing = false; + bool? _isSuccess; + String? _resultMessage; + + @override + void initState() { + super.initState(); + _bootstrapCookieSession(); + } + + Future _bootstrapCookieSession() async { + if (AuthTokenStore.usesCookie()) { + return true; + } + if (_isCheckingSession) { + return false; + } + setState(() => _isCheckingSession = true); + try { + await AuthProxyService.checkCookieSession(); + AuthTokenStore.setCookieMode(provider: 'ory'); + return true; + } catch (e) { + _log.info('Cookie session check failed: $e'); + return false; + } finally { + if (mounted) { + setState(() => _isCheckingSession = false); + } + } + } @override void dispose() { @@ -33,6 +65,9 @@ class _QRScanScreenState extends State { for (final barcode in barcodes) { if (barcode.rawValue != null) { _isScanned = true; + if (mounted) { + setState(() => _isProcessing = true); + } String qrData = barcode.rawValue!; String pendingRef = qrData; @@ -42,6 +77,12 @@ class _QRScanScreenState extends State { final uri = Uri.parse(qrData); if (uri.queryParameters.containsKey('ref')) { pendingRef = uri.queryParameters['ref']!; + } else if (uri.pathSegments.isNotEmpty) { + final segments = uri.pathSegments; + final qlIndex = segments.indexOf('ql'); + if (qlIndex != -1 && qlIndex + 1 < segments.length) { + pendingRef = segments[qlIndex + 1]; + } } } catch (e) { _log.warning('Failed to parse QR URL: $qrData', e); @@ -49,10 +90,15 @@ class _QRScanScreenState extends State { } _log.info('QR Code detected raw: $qrData, ref: $pendingRef'); + final approveRef = qrData; - final sessionToken = AuthTokenStore.getToken() ?? - Descope.sessionManager.session?.sessionToken.jwt; - if (sessionToken == null) { + final storedToken = AuthTokenStore.getToken(); + final sessionToken = storedToken ?? Descope.sessionManager.session?.sessionToken.jwt; + var usesCookie = AuthTokenStore.usesCookie(); + if (sessionToken == null && !usesCookie) { + usesCookie = await _bootstrapCookieSession(); + } + if (sessionToken == null && !usesCookie) { if (mounted) { ScaffoldMessenger.of(context).showSnackBar( const SnackBar(content: Text('๋กœ๊ทธ์ธ์ด ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค.'), backgroundColor: Colors.red), @@ -64,28 +110,27 @@ class _QRScanScreenState extends State { try { // Call backend API to approve login with clean ref - await AuthProxyService.approveQrLogin(pendingRef, sessionToken); + await AuthProxyService.approveQrLogin( + approveRef, + token: sessionToken, + withCredentials: usesCookie, + ); if (mounted) { - ScaffoldMessenger.of(context).showSnackBar( - const SnackBar( - content: Text('๋กœ๊ทธ์ธ ์Šน์ธ ์™„๋ฃŒ!'), - backgroundColor: Colors.green, - ), - ); - // Wait a bit and go back - await Future.delayed(const Duration(milliseconds: 500)); - if (mounted) context.pop(); + setState(() { + _isSuccess = true; + _resultMessage = 'QR ์Šน์ธ ์™„๋ฃŒ! PC ํ™”๋ฉด์—์„œ ๋กœ๊ทธ์ธ์ด ์ง„ํ–‰๋ฉ๋‹ˆ๋‹ค.'; + _isProcessing = false; + }); } } catch (e) { _log.severe("QR Approval Failed", e); if (mounted) { - ScaffoldMessenger.of(context).showSnackBar( - SnackBar(content: Text('์Šน์ธ ์‹คํŒจ: $e'), backgroundColor: Colors.red), - ); - // Allow rescanning after a delay - await Future.delayed(const Duration(seconds: 2)); - _isScanned = false; + setState(() { + _isSuccess = false; + _resultMessage = 'QR ์Šน์ธ ์‹คํŒจ: $e'; + _isProcessing = false; + }); } } break; @@ -93,6 +138,58 @@ class _QRScanScreenState extends State { } } + void _resetScan() { + setState(() { + _isScanned = false; + _isProcessing = false; + _isSuccess = null; + _resultMessage = null; + }); + controller.start(); + } + + Widget _buildResultView() { + final success = _isSuccess == true; + final icon = success ? Icons.check_circle_outline : Icons.error_outline; + final color = success ? Colors.green : Colors.red; + final title = success ? '์Šน์ธ ์™„๋ฃŒ' : '์Šน์ธ ์‹คํŒจ'; + final message = _resultMessage ?? ''; + + return Center( + child: Padding( + padding: const EdgeInsets.all(24.0), + child: Column( + mainAxisAlignment: MainAxisAlignment.center, + children: [ + Icon(icon, color: color, size: 72), + const SizedBox(height: 16), + Text( + title, + style: TextStyle(fontSize: 22, fontWeight: FontWeight.bold, color: color), + ), + const SizedBox(height: 12), + Text( + message, + textAlign: TextAlign.center, + style: const TextStyle(color: Colors.black54), + ), + const SizedBox(height: 24), + if (!success) + FilledButton( + onPressed: _resetScan, + child: const Text('๋‹ค์‹œ ์Šค์บ”'), + ), + if (success) + FilledButton( + onPressed: () => context.pop(), + child: const Text('๋‹ซ๊ธฐ'), + ), + ], + ), + ), + ); + } + @override Widget build(BuildContext context) { return Scaffold( @@ -103,22 +200,30 @@ class _QRScanScreenState extends State { onPressed: () => context.pop(), ), ), - body: MobileScanner( - controller: controller, - onDetect: _onDetect, - errorBuilder: (context, error, child) { - return Center( - child: Column( - mainAxisAlignment: MainAxisAlignment.center, + body: _isSuccess == null + ? Stack( children: [ - const Icon(Icons.error, color: Colors.red, size: 50), - const SizedBox(height: 10), - Text('Camera Error: ${error.errorCode}'), + MobileScanner( + controller: controller, + onDetect: _onDetect, + errorBuilder: (context, error, child) { + return Center( + child: Column( + mainAxisAlignment: MainAxisAlignment.center, + children: [ + const Icon(Icons.error, color: Colors.red, size: 50), + const SizedBox(height: 10), + Text('Camera Error: ${error.errorCode}'), + ], + ), + ); + }, + ), + if (_isProcessing || _isCheckingSession) + const Center(child: CircularProgressIndicator()), ], - ), - ); - }, - ), + ) + : _buildResultView(), ); } } diff --git a/userfront/lib/main.dart b/userfront/lib/main.dart index 1f13a44e..7745b09e 100644 --- a/userfront/lib/main.dart +++ b/userfront/lib/main.dart @@ -157,6 +157,14 @@ final _router = GoRouter( return ApproveQrScreen(pendingRef: ref); }, ), + GoRoute( + path: '/ql/:ref', + builder: (context, state) { + final ref = state.pathParameters['ref']; + _routerLogger.info("Navigating to /ql with ref: $ref"); + return ApproveQrScreen(pendingRef: ref); + }, + ), GoRoute( path: '/scan', builder: (context, state) { @@ -186,6 +194,7 @@ final _router = GoRouter( path == '/verify' || path.startsWith('/verify/') || path == '/approve' || + path.startsWith('/ql/') || path == '/forgot-password' || path == '/reset-password';