kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

QR 로그인 구현 완료

Browse Source
This commit is contained in:
Lectom C Han
2026-01-29 16:35:08 +09:00
parent 77d4e9fd77
commit ff655dc7c7
8 changed files with 656 additions and 203 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
backend/cmd/server/main.go
View File

@@ -292,24 +292,30 @@ func main() {
Key: cookieSecret, Key: cookieSecret,
})) }))
app.Get("/docs", func(c *fiber.Ctx) error { // [Security] Disable Swagger/ReDoc in Production
return c.SendFile("./docs/swagger-ui/index.html") if appEnv != "production" {
}) app.Get("/docs", func(c *fiber.Ctx) error {
app.Get("/docs/", func(c *fiber.Ctx) error { return c.SendFile("./docs/swagger-ui/index.html")
return c.SendFile("./docs/swagger-ui/index.html") })
}) app.Get("/docs/", func(c *fiber.Ctx) error {
app.Static("/docs", "./docs/swagger-ui") return c.SendFile("./docs/swagger-ui/index.html")
app.Get("/redoc", func(c *fiber.Ctx) error { })
return c.SendFile("./docs/redoc/index.html") app.Static("/docs", "./docs/swagger-ui")
}) app.Get("/redoc", func(c *fiber.Ctx) error {
app.Get("/redoc/", func(c *fiber.Ctx) error { return c.SendFile("./docs/redoc/index.html")
return c.SendFile("./docs/redoc/index.html") })
}) app.Get("/redoc/", func(c *fiber.Ctx) error {
app.Static("/redoc", "./docs/redoc") return c.SendFile("./docs/redoc/index.html")
app.Get("/openapi.yaml", func(c *fiber.Ctx) error { })
c.Type("yaml") app.Static("/redoc", "./docs/redoc")
return c.SendFile("./docs/openapi.yaml") app.Get("/openapi.yaml", func(c *fiber.Ctx) error {
}) c.Type("yaml")
return c.SendFile("./docs/openapi.yaml")
})
slog.Info("📚 API Docs enabled", "swagger", "/docs", "redoc", "/redoc")
} else {
slog.Info("🔒 API Docs disabled in production")
}
// Routes // Routes
app.Get("/", func(c *fiber.Ctx) error { app.Get("/", func(c *fiber.Ctx) error {

347
backend/internal/handler/auth_handler.go
View File

@@ -37,7 +37,11 @@ const (
prefixLoginCodeSmsLookup = "login_code_sms_lookup:" prefixLoginCodeSmsLookup = "login_code_sms_lookup:"
prefixLoginCodeShort = "login_code_short:" prefixLoginCodeShort = "login_code_short:"
prefixLoginCodeSmsOnly = "login_code_sms_only:" prefixLoginCodeSmsOnly = "login_code_sms_only:"
prefixLoginCodeQrPending = "login_code_qr_pending:"
prefixLoginCodeQr = "login_code_qr:"
prefixPollMeta = "poll_meta:" prefixPollMeta = "poll_meta:"
prefixQrRef = "qr_ref:"
prefixQrPending = "qr_pending:"
prefixSignupEmail = "signup:email:" prefixSignupEmail = "signup:email:"
prefixSignupPhone = "signup:phone:" prefixSignupPhone = "signup:phone:"
@@ -84,6 +88,21 @@ func GenerateSecureToken(length int) string {
return hex.EncodeToString(b) return hex.EncodeToString(b)
} }
func GenerateSecureAlnumToken(length int) string {
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
if length <= 0 {
return ""
}
buf := make([]byte, length)
if _, err := crand.Read(buf); err != nil {
return ""
}
for i := range buf {
buf[i] = charset[int(buf[i])%len(charset)]
}
return string(buf)
}
func GenerateUserCode() string { func GenerateUserCode() string {
const letters = "ABCDEFGHJKLMNPQRSTUVWXYZ" const letters = "ABCDEFGHJKLMNPQRSTUVWXYZ"
return fmt.Sprintf("%c%c-%03d", return fmt.Sprintf("%c%c-%03d",
@@ -1358,18 +1377,23 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
// InitQRLogin - Step 1: Web 패널에서 QR 로그인 세션을 생성합니다. // InitQRLogin - Step 1: Web 패널에서 QR 로그인 세션을 생성합니다.
func (h *AuthHandler) InitQRLogin(c *fiber.Ctx) error { func (h *AuthHandler) InitQRLogin(c *fiber.Ctx) error {
pendingRef := GenerateSecureToken(16) pendingRef := GenerateSecureToken(16)
qrRef := GenerateSecureAlnumToken(64)
if qrRef == "" {
qrRef = GenerateSecureToken(16)
}
// QR 코드 페이로드를 실제 접속 가능한 URL로 변경합니다. // QR 코드 페이로드를 실제 접속 가능한 URL로 변경합니다.
userfrontURL := os.Getenv("USERFRONT_URL") userfrontURL := os.Getenv("USERFRONT_URL")
if userfrontURL == "" { if userfrontURL == "" {
userfrontURL = "https://sso.hmac.kr" userfrontURL = "https://sso.hmac.kr"
} }
qrPayload := fmt.Sprintf("%s/approve?ref=%s", userfrontURL, pendingRef) qrPayload := fmt.Sprintf("%s/ql/%s", strings.TrimRight(userfrontURL, "/"), qrRef)
slog.Info("[QR] Init", "pendingRef", pendingRef, "url", qrPayload) slog.Info("[QR] Init", "pendingRef", pendingRef, "qrRef", qrRef, "url", qrPayload)
// Redis에 초기 상태 저장 (5분 만료) // Redis에 초기 상태 저장 (5분 만료)
h.RedisService.Set(prefixSession+pendingRef, fmt.Sprintf(`{"status":"%s"}`, statusPending), 5*time.Minute) h.RedisService.Set(prefixSession+pendingRef, fmt.Sprintf(`{"status":"%s"}`, statusPending), 5*time.Minute)
h.RedisService.Set(prefixQrRef+qrRef, pendingRef, 5*time.Minute)
return c.JSON(fiber.Map{ return c.JSON(fiber.Map{
"qrCode": qrPayload, // 프론트엔드에서 이 텍스트로 QR을 생성하거나, 이미지를 반환 "qrCode": qrPayload, // 프론트엔드에서 이 텍스트로 QR을 생성하거나, 이미지를 반환
@@ -1430,30 +1454,66 @@ func (h *AuthHandler) ScanQRLogin(c *fiber.Ctx) error {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid body"}) return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid body"})
} }
slog.Info("[QR] Scan & Approve", "pendingRef", req.PendingRef) rawRef := strings.TrimSpace(req.PendingRef)
pendingRef, err := h.resolveQrPendingRef(rawRef)
if req.Token == "" { if err != nil || pendingRef == "" {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Missing session token"}) return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid pendingRef"})
} }
slog.Info("[QR] Scan & Approve", "pendingRef", pendingRef)
// 1. Redis에서 세션 확인 // 1. Redis에서 세션 확인
val, err := h.RedisService.Get(prefixSession + req.PendingRef) val, err := h.RedisService.Get(prefixSession + pendingRef)
if err != nil || val == "" { if err != nil || val == "" {
return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "Session expired or not found"}) return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "Session expired or not found"})
} }
// 2. 모바일 토큰은 승인 검증용으로만 사용하고, 웹 전용 세션을 새로 발급 if req.Token == "" {
sessionToken, err := h.issueQRWebSession(c, req.Token) cookie := c.Get(fiber.HeaderCookie)
if err != nil { if cookie == "" {
slog.Error("[QR] Issue web session failed", "error", err) return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Missing session token"})
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"}) }
_, traits, err := h.getKratosIdentityWithCookie(cookie)
if err != nil {
slog.Warn("[QR] Cookie session invalid", "error", err)
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
}
loginID := pickLoginIDFromTraits(traits)
if loginID == "" {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
}
if !strings.Contains(loginID, "@") {
loginID = normalizePhoneForLoginID(loginID)
}
if err := h.startQrCodeLoginForQr(loginID, pendingRef, rawRef); err != nil {
slog.Error("[QR] Start code login failed", "error", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"})
}
return c.JSON(fiber.Map{"message": "QR Login Approved"})
} }
sessionData, _ := json.Marshal(map[string]string{ // 2. 모바일 토큰은 승인 검증용으로만 사용하고, 웹 전용 세션을 새로 발급
"status": statusSuccess, if sessionToken, err := h.tryIssueDescopeQrSession(c, req.Token); err != nil {
"jwt": sessionToken, slog.Error("[QR] Issue web session failed", "error", err)
}) return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"})
h.RedisService.Set(prefixSession+req.PendingRef, string(sessionData), 5*time.Minute) } else if sessionToken != "" {
sessionData, _ := json.Marshal(map[string]string{
"status": statusSuccess,
"jwt": sessionToken,
})
h.RedisService.Set(prefixSession+pendingRef, string(sessionData), 5*time.Minute)
return c.JSON(fiber.Map{"message": "QR Login Approved"})
}
loginID, err := h.resolveKratosLoginID(req.Token)
if err != nil {
slog.Warn("[QR] Invalid token", "error", err)
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
}
if err := h.startQrCodeLoginForQr(loginID, pendingRef, rawRef); err != nil {
slog.Error("[QR] Start code login failed", "error", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"})
}
return c.JSON(fiber.Map{"message": "QR Login Approved"}) return c.JSON(fiber.Map{"message": "QR Login Approved"})
} }
@@ -1484,6 +1544,66 @@ func (h *AuthHandler) HandleKratosCourierRelay(c *fiber.Ctx) error {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Missing recipient"}) return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Missing recipient"})
} }
loginID := req.Recipient
if !strings.Contains(loginID, "@") {
loginID = normalizePhoneForLoginID(loginID)
}
if pendingRef, _ := h.RedisService.Get(prefixLoginCodeQrPending + loginID); pendingRef != "" {
code := normalizeLoginCode(extractFirstString(req.TemplateData, "login_code"))
if code == "" {
slog.Error("[QR] Missing login code in courier", "loginID", loginID)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Missing login code"})
}
flowID, _ := h.RedisService.Get(prefixLoginCode + loginID)
if flowID == "" {
slog.Error("[QR] Missing login flow for code verify", "loginID", loginID)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Login flow expired"})
}
authInfo, err := h.IdpProvider.VerifyLoginCode(loginID, flowID, code)
if err != nil || authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
slog.Error("[QR] Code verify failed", "loginID", loginID, "error", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to verify login code"})
}
sessionData, _ := json.Marshal(map[string]string{
"status": statusSuccess,
"jwt": authInfo.SessionToken.JWT,
})
h.RedisService.Set(prefixSession+pendingRef, string(sessionData), loginCodeExpiration)
h.RedisService.Delete(prefixLoginCodeQrPending + loginID)
h.RedisService.Delete(prefixLoginCode + loginID)
h.RedisService.Delete(prefixLoginCodeQr + pendingRef)
slog.Info("[QR] Code verified and session issued", "loginID", loginID, "pendingRef", pendingRef)
return c.JSON(fiber.Map{"status": "ok"})
}
if pendingRef, _ := h.RedisService.Get(prefixQrPending + loginID); pendingRef != "" {
code := normalizeLoginCode(extractFirstString(req.TemplateData, "login_code"))
if code == "" {
slog.Error("[QR] Missing login code in courier", "loginID", loginID)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Missing login code"})
}
flowID, _ := h.RedisService.Get(prefixLoginCode + loginID)
if flowID == "" {
slog.Error("[QR] Missing login flow for code verify", "loginID", loginID)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Login flow expired"})
}
authInfo, err := h.IdpProvider.VerifyLoginCode(loginID, flowID, code)
if err != nil || authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
slog.Error("[QR] Code verify failed", "loginID", loginID, "error", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to verify login code"})
}
sessionData, _ := json.Marshal(map[string]string{
"status": statusSuccess,
"jwt": authInfo.SessionToken.JWT,
})
h.RedisService.Set(prefixSession+pendingRef, string(sessionData), loginCodeExpiration)
h.RedisService.Delete(prefixQrPending + loginID)
h.RedisService.Delete(prefixLoginCode + loginID)
h.RedisService.Delete(prefixLoginCodeSmsTarget + loginID)
h.RedisService.Delete(prefixLoginCodeSmsLookup + loginID)
slog.Info("[QR] Code verified and session issued", "loginID", loginID, "pendingRef", pendingRef)
return c.JSON(fiber.Map{"status": "ok"})
}
subject, body := h.buildKratosCourierMessage(&req) subject, body := h.buildKratosCourierMessage(&req)
if strings.TrimSpace(body) == "" { if strings.TrimSpace(body) == "" {
slog.Warn("[Kratos Courier] Empty body", "recipient", req.Recipient, "template", req.TemplateType) slog.Warn("[Kratos Courier] Empty body", "recipient", req.Recipient, "template", req.TemplateType)
@@ -1526,16 +1646,16 @@ func (h *AuthHandler) HandleKratosCourierRelay(c *fiber.Ctx) error {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "SMS service not configured"}) return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "SMS service not configured"})
} }
phone := sanitizePhoneForSms(req.Recipient) phone := sanitizePhoneForSms(req.Recipient)
loginID := req.Recipient smsLoginID := req.Recipient
if !strings.Contains(loginID, "@") { if !strings.Contains(smsLoginID, "@") {
lookup := normalizePhoneForLoginID(loginID) lookup := normalizePhoneForLoginID(smsLoginID)
if email, _ := h.RedisService.Get(prefixLoginCodeSmsLookup + lookup); email != "" { if email, _ := h.RedisService.Get(prefixLoginCodeSmsLookup + lookup); email != "" {
loginID = email smsLoginID = email
} else { } else {
loginID = lookup smsLoginID = lookup
} }
} }
smsBody := h.buildKratosShortSmsBody(&req, loginID, phone) smsBody := h.buildKratosShortSmsBody(&req, smsLoginID, phone)
if smsBody == "" { if smsBody == "" {
smsBody = body smsBody = body
} }
@@ -1918,30 +2038,171 @@ func (h *AuthHandler) resolveIdentityID(c *fiber.Ctx, token string) (string, err
return id, err return id, err
} }
func (h *AuthHandler) issueQRWebSession(c *fiber.Ctx, token string) (string, error) { func (h *AuthHandler) tryIssueDescopeQrSession(c *fiber.Ctx, token string) (string, error) {
if looksLikeJWT(token) && h.DescopeClient != nil { if !looksLikeJWT(token) || h.DescopeClient == nil {
authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token) return "", nil
if err == nil && authorized {
loginID, err := h.resolveDescopeLoginID(c.Context(), userToken)
if err != nil {
return "", err
}
authInfo, err := h.IdpProvider.IssueSession(loginID)
if err != nil {
return "", err
}
if authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
return "", fmt.Errorf("descope issue session returned empty token")
}
return authInfo.SessionToken.JWT, nil
}
} }
authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token)
identityID, _, err := h.getKratosIdentity(token) if err != nil || !authorized {
return "", nil
}
loginID, err := h.resolveDescopeLoginID(c.Context(), userToken)
if err != nil { if err != nil {
return "", err return "", err
} }
return h.issueKratosSession(c.Context(), identityID) authInfo, err := h.IdpProvider.IssueSession(loginID)
if err != nil {
return "", err
}
if authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
return "", fmt.Errorf("descope issue session returned empty token")
}
return authInfo.SessionToken.JWT, nil
}
func (h *AuthHandler) resolveKratosLoginID(token string) (string, error) {
_, traits, err := h.getKratosIdentity(token)
if err != nil {
return "", err
}
loginID := pickLoginIDFromTraits(traits)
if loginID == "" {
return "", fmt.Errorf("kratos login id missing")
}
if !strings.Contains(loginID, "@") {
loginID = normalizePhoneForLoginID(loginID)
}
return loginID, nil
}
func pickLoginIDFromTraits(traits map[string]interface{}) string {
if traits == nil {
return ""
}
keys := []string{"email", "phone", "phone_number", "phoneNumber", "mobile", "mobile_number"}
for _, key := range keys {
if raw, ok := traits[key]; ok {
if value, ok := raw.(string); ok && value != "" {
return value
}
}
}
return ""
}
func (h *AuthHandler) resolveQrPendingRef(raw string) (string, error) {
ref := strings.TrimSpace(raw)
if ref == "" {
return "", fmt.Errorf("empty ref")
}
if strings.HasPrefix(ref, "http") {
if parsed, err := url.Parse(ref); err == nil {
if value := parsed.Query().Get("ref"); value != "" {
ref = value
} else if len(parsed.Path) > 0 {
segments := strings.Split(strings.Trim(parsed.Path, "/"), "/")
if len(segments) >= 2 && segments[0] == "ql" {
ref = segments[1]
}
}
}
}
if ref == "" {
return "", fmt.Errorf("invalid ref")
}
if mapped, _ := h.RedisService.Get(prefixQrRef + ref); mapped != "" {
return mapped, nil
}
return ref, nil
}
func (h *AuthHandler) resolveQrRef(raw string) string {
ref := strings.TrimSpace(raw)
if ref == "" {
return ""
}
if strings.HasPrefix(ref, "http") {
if parsed, err := url.Parse(ref); err == nil {
if value := parsed.Query().Get("ref"); value != "" {
return value
}
if len(parsed.Path) > 0 {
segments := strings.Split(strings.Trim(parsed.Path, "/"), "/")
if len(segments) >= 2 && segments[0] == "ql" {
return segments[1]
}
}
}
}
return ref
}
func (h *AuthHandler) startQrCodeLogin(loginID, pendingRef string) error {
if h.IdpProvider == nil {
return fmt.Errorf("identity provider unavailable")
}
userfrontURL := os.Getenv("USERFRONT_URL")
if userfrontURL == "" {
userfrontURL = "http://sso.hmac.kr"
}
_ = h.RedisService.Set(prefixQrPending+loginID, pendingRef, loginCodeExpiration)
init, err := h.IdpProvider.InitiateLinkLogin(loginID, userfrontURL)
if err != nil {
h.RedisService.Delete(prefixQrPending + loginID)
if errors.Is(err, domain.ErrNotSupported) {
return fmt.Errorf("login method not supported")
}
return err
}
effectiveLoginID := loginID
if init != nil && init.LoginID != "" {
effectiveLoginID = init.LoginID
}
if effectiveLoginID != loginID {
_ = h.RedisService.Set(prefixQrPending+effectiveLoginID, pendingRef, loginCodeExpiration)
}
if init != nil && init.FlowID != "" {
_ = h.RedisService.Set(prefixLoginCode+effectiveLoginID, init.FlowID, loginCodeExpiration)
}
return nil
}
func (h *AuthHandler) startQrCodeLoginForQr(loginID, pendingRef, rawRef string) error {
if h.IdpProvider == nil {
return fmt.Errorf("identity provider unavailable")
}
userfrontURL := os.Getenv("USERFRONT_URL")
if userfrontURL == "" {
userfrontURL = "http://sso.hmac.kr"
}
init, err := h.IdpProvider.InitiateLinkLogin(loginID, userfrontURL)
if err != nil {
if errors.Is(err, domain.ErrNotSupported) {
return fmt.Errorf("login method not supported")
}
return err
}
effectiveLoginID := loginID
if init != nil && init.LoginID != "" {
effectiveLoginID = init.LoginID
}
if init == nil || init.FlowID == "" {
return fmt.Errorf("login flow missing")
}
qrRef := h.resolveQrRef(rawRef)
qrPayload, _ := json.Marshal(map[string]string{
"pendingRef": pendingRef,
"qrRef": qrRef,
"loginId": effectiveLoginID,
"approvedAt": time.Now().UTC().Format(time.RFC3339),
})
_ = h.RedisService.Set(prefixLoginCodeQr+pendingRef, string(qrPayload), loginCodeExpiration)
_ = h.RedisService.Set(prefixLoginCodeQrPending+effectiveLoginID, pendingRef, loginCodeExpiration)
_ = h.RedisService.Set(prefixLoginCode+effectiveLoginID, init.FlowID, loginCodeExpiration)
return nil
} }
func (h *AuthHandler) resolveDescopeLoginID(ctx context.Context, token *descope.Token) (string, error) { func (h *AuthHandler) resolveDescopeLoginID(ctx context.Context, token *descope.Token) (string, error) {

136
docker/ory/kratos/kratos.yml
View File

@@ -3,84 +3,90 @@ version: v1.3.0
dsn: memory dsn: memory
serve: serve:
public: public:
base_url: http://localhost:4433/ base_url: http://localhost:4433/
cors: cors:
enabled: true enabled: true
admin: admin:
base_url: http://localhost:4434/ base_url: http://localhost:4434/
selfservice: selfservice:
default_browser_return_url: http://localhost:4455/ default_browser_return_url: http://localhost:4455/
allowed_return_urls: allowed_return_urls:
- http://localhost:4455 - http://localhost:4455
- http://localhost:5000 - http://localhost:5000
- https://sss.hmac.kr
- https://sss.hmac.kr/
- https://sso.hmac.kr
- https://sso.hmac.kr/
- https://app.hmac.kr
- https://app.hmac.kr/
methods: methods:
password: password:
enabled: true enabled: true
link: link:
enabled: true enabled: true
code: code:
enabled: true enabled: true
passwordless_enabled: true passwordless_enabled: true
flows: flows:
error: error:
ui_url: http://localhost:4455/error ui_url: http://localhost:4455/error
settings: settings:
ui_url: http://localhost:4455/settings ui_url: http://localhost:4455/settings
privileged_session_max_age: 15m privileged_session_max_age: 15m
recovery: recovery:
ui_url: http://localhost:4455/recovery ui_url: http://localhost:4455/recovery
use: code use: code
verification: verification:
ui_url: http://localhost:4455/verification ui_url: http://localhost:4455/verification
use: code use: code
logout: logout:
after: after:
default_browser_return_url: http://localhost:4455/login default_browser_return_url: http://localhost:4455/login
login: login:
ui_url: http://localhost:4455/login ui_url: http://localhost:4455/login
lifespan: 10m lifespan: 10m
registration: registration:
ui_url: http://localhost:4455/registration ui_url: http://localhost:4455/registration
lifespan: 10m lifespan: 10m
log: log:
level: debug level: debug
format: text format: text
leak_sensitive_values: true leak_sensitive_values: true
secrets: secrets:
cookie: cookie:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
cipher: cipher:
- 32-LONG-SECRET-NOT-SECURE-AT-ALL - 32-LONG-SECRET-NOT-SECURE-AT-ALL
ciphers: ciphers:
algorithm: xchacha20-poly1305 algorithm: xchacha20-poly1305
hashers: hashers:
algorithm: bcrypt algorithm: bcrypt
bcrypt: bcrypt:
cost: 8 cost: 8
identity: identity:
default_schema_id: default default_schema_id: default
schemas: schemas:
- id: default - id: default
url: file:///etc/config/kratos/identity.schema.json url: file:///etc/config/kratos/identity.schema.json
courier: courier:
template_override_path: /etc/config/kratos/courier-templates template_override_path: /etc/config/kratos/courier-templates
delivery_strategy: http delivery_strategy: http
http: http:
request_config: request_config:
url: http://baron_backend:3000/api/v1/auth/webhooks/kratos-courier url: http://baron_backend:3000/api/v1/auth/webhooks/kratos-courier
method: POST method: POST
body: file:///etc/config/kratos/courier-http.jsonnet body: file:///etc/config/kratos/courier-http.jsonnet
headers: headers:
Content-Type: application/json Content-Type: application/json
smtp: smtp:
connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true

44
userfront/lib/core/services/auth_proxy_service.dart
View File

@@ -282,19 +282,41 @@ class AuthProxyService {
throw Exception('QR Polling failed: ${response.body}'); throw Exception('QR Polling failed: ${response.body}');
} }
static Future<void> approveQrLogin(String pendingRef, String token) async { static Future<void> approveQrLogin(
String pendingRef, {
String? token,
bool withCredentials = false,
}) async {
final url = Uri.parse('$_baseUrl/api/v1/auth/qr/approve'); // Mapping to ScanQRLogin on backend final url = Uri.parse('$_baseUrl/api/v1/auth/qr/approve'); // Mapping to ScanQRLogin on backend
final response = await http.post( final payload = <String, dynamic>{
url, 'pendingRef': pendingRef,
headers: {'Content-Type': 'application/json'}, };
body: jsonEncode({ if (token != null && token.isNotEmpty) {
'pendingRef': pendingRef, payload['token'] = token;
'token': token, }
}),
);
if (response.statusCode != 200) { http.Client? client;
throw Exception('QR Approval failed: ${response.body}'); try {
if (withCredentials) {
client = createHttpClient(withCredentials: true);
}
final response = await (client != null
? client.post(
url,
headers: {'Content-Type': 'application/json'},
body: jsonEncode(payload),
)
: http.post(
url,
headers: {'Content-Type': 'application/json'},
body: jsonEncode(payload),
));
if (response.statusCode != 200) {
throw Exception('QR Approval failed: ${response.body}');
}
} finally {
client?.close();
} }
} }

43
userfront/lib/features/auth/presentation/approve_qr_screen.dart
View File

@@ -16,13 +16,46 @@ class _ApproveQrScreenState extends State<ApproveQrScreen> {
bool _isLoading = false; bool _isLoading = false;
String? _message; String? _message;
bool _success = false; bool _success = false;
bool _isCheckingSession = false;
@override
void initState() {
super.initState();
_bootstrapCookieSession();
}
Future<bool> _bootstrapCookieSession() async {
if (AuthTokenStore.usesCookie()) {
return true;
}
if (_isCheckingSession) {
return false;
}
setState(() => _isCheckingSession = true);
try {
await AuthProxyService.checkCookieSession();
AuthTokenStore.setCookieMode(provider: 'ory');
return true;
} catch (_) {
return false;
} finally {
if (mounted) {
setState(() => _isCheckingSession = false);
}
}
}
Future<void> _handleApprove() async { Future<void> _handleApprove() async {
if (widget.pendingRef == null) return; if (widget.pendingRef == null) return;
final storedToken = AuthTokenStore.getToken(); final storedToken = AuthTokenStore.getToken();
final session = Descope.sessionManager.session; final session = Descope.sessionManager.session;
if (storedToken == null && (session == null || session.refreshToken.isExpired)) { final usesCookie = AuthTokenStore.usesCookie();
var hasCookie = usesCookie;
if (storedToken == null && (session == null || session.refreshToken.isExpired) && !hasCookie) {
hasCookie = await _bootstrapCookieSession();
}
if (storedToken == null && (session == null || session.refreshToken.isExpired) && !hasCookie) {
setState(() => _message = "Please log in on your phone first."); setState(() => _message = "Please log in on your phone first.");
context.go('/signin'); // Redirect to login context.go('/signin'); // Redirect to login
return; return;
@@ -37,7 +70,8 @@ class _ApproveQrScreenState extends State<ApproveQrScreen> {
final token = storedToken ?? session?.sessionToken.jwt ?? ''; final token = storedToken ?? session?.sessionToken.jwt ?? '';
await AuthProxyService.approveQrLogin( await AuthProxyService.approveQrLogin(
widget.pendingRef!, widget.pendingRef!,
token, token: token,
withCredentials: hasCookie,
); );
setState(() { setState(() {
_success = true; _success = true;
@@ -57,7 +91,10 @@ class _ApproveQrScreenState extends State<ApproveQrScreen> {
@override @override
Widget build(BuildContext context) { Widget build(BuildContext context) {
final isLoggedIn = Descope.sessionManager.session?.refreshToken.isExpired == false; final hasStoredToken = AuthTokenStore.getToken() != null;
final hasDescopeSession = Descope.sessionManager.session?.refreshToken.isExpired == false;
final usesCookie = AuthTokenStore.usesCookie();
final isLoggedIn = hasStoredToken || hasDescopeSession || usesCookie || _isCheckingSession;
return Scaffold( return Scaffold(
appBar: AppBar(title: const Text("QR Login Approval")), appBar: AppBar(title: const Text("QR Login Approval")),

67
userfront/lib/features/auth/presentation/login_screen.dart
View File

@@ -288,33 +288,36 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
timer.cancel(); timer.cancel();
_qrCountdownTimer?.cancel(); _qrCountdownTimer?.cancel();
final jwt = res['sessionJwt']; final token = res['sessionJwt'] as String;
final displayName = _getLoginIdFromJwt(jwt); final isJwt = token.split('.').length == 3;
// Create User & Session for Descope SDK if (isJwt) {
final dummyUser = DescopeUser( final displayName = _getLoginIdFromJwt(token);
'unknown', // userId // Create User & Session for Descope SDK
[], // loginIds final dummyUser = DescopeUser(
0, // createdAt 'unknown', // userId
displayName, // name [], // loginIds
null, // picture (Uri?) 0, // createdAt
'', // email displayName, // name
false, // isVerifiedEmail null, // picture (Uri?)
'', // phone '', // email
false, // isVerifiedPhone false, // isVerifiedEmail
{}, // customAttributes '', // phone
'', // givenName false, // isVerifiedPhone
'', // middleName {}, // customAttributes
'', // familyName '', // givenName
false, // hasPassword '', // middleName
'enabled', // status '', // familyName
[], // roleNames false, // hasPassword
[], // ssoAppIds 'enabled', // status
[], // oauthProviders (List<String>) [], // roleNames
); [], // ssoAppIds
final session = DescopeSession.fromJwt(jwt, jwt, dummyUser); [], // oauthProviders (List<String>)
Descope.sessionManager.manageSession(session); );
final session = DescopeSession.fromJwt(token, token, dummyUser);
Descope.sessionManager.manageSession(session);
}
_onLoginSuccess(jwt); _onLoginSuccess(token);
} }
} catch (e) { } catch (e) {
debugPrint("[QR] Polling error: $e"); debugPrint("[QR] Polling error: $e");
@@ -906,8 +909,10 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
controller: _shortCodePrefixController, controller: _shortCodePrefixController,
textCapitalization: TextCapitalization.characters, textCapitalization: TextCapitalization.characters,
decoration: const InputDecoration( decoration: const InputDecoration(
labelText: "AA", labelText: "영문 2자리",
border: OutlineInputBorder(), border: OutlineInputBorder(),
hintText: "AB",
hintStyle: TextStyle(color: Colors.grey),
), ),
maxLength: 2, maxLength: 2,
), ),
@@ -919,11 +924,13 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
controller: _shortCodeDigitsController, controller: _shortCodeDigitsController,
keyboardType: TextInputType.number, keyboardType: TextInputType.number,
decoration: InputDecoration( decoration: InputDecoration(
labelText: "000000", labelText: "숫자 6자리",
border: const OutlineInputBorder(), border: const OutlineInputBorder(),
hintText: _linkExpireSeconds > 0 hintText: "345678",
hintStyle: const TextStyle(color: Colors.grey),
suffixText: _linkExpireSeconds > 0
? "유효시간 ${_formatTime(_linkExpireSeconds)}" ? "유효시간 ${_formatTime(_linkExpireSeconds)}"
: "000000", : null,
), ),
maxLength: 6, maxLength: 6,
), ),

171
userfront/lib/features/auth/presentation/qr_scan_screen.dart
View File

@@ -19,6 +19,38 @@ class _QRScanScreenState extends State<QRScanScreen> {
detectionSpeed: DetectionSpeed.noDuplicates, detectionSpeed: DetectionSpeed.noDuplicates,
); );
bool _isScanned = false; bool _isScanned = false;
bool _isCheckingSession = false;
bool _isProcessing = false;
bool? _isSuccess;
String? _resultMessage;
@override
void initState() {
super.initState();
_bootstrapCookieSession();
}
Future<bool> _bootstrapCookieSession() async {
if (AuthTokenStore.usesCookie()) {
return true;
}
if (_isCheckingSession) {
return false;
}
setState(() => _isCheckingSession = true);
try {
await AuthProxyService.checkCookieSession();
AuthTokenStore.setCookieMode(provider: 'ory');
return true;
} catch (e) {
_log.info('Cookie session check failed: $e');
return false;
} finally {
if (mounted) {
setState(() => _isCheckingSession = false);
}
}
}
@override @override
void dispose() { void dispose() {
@@ -33,6 +65,9 @@ class _QRScanScreenState extends State<QRScanScreen> {
for (final barcode in barcodes) { for (final barcode in barcodes) {
if (barcode.rawValue != null) { if (barcode.rawValue != null) {
_isScanned = true; _isScanned = true;
if (mounted) {
setState(() => _isProcessing = true);
}
String qrData = barcode.rawValue!; String qrData = barcode.rawValue!;
String pendingRef = qrData; String pendingRef = qrData;
@@ -42,6 +77,12 @@ class _QRScanScreenState extends State<QRScanScreen> {
final uri = Uri.parse(qrData); final uri = Uri.parse(qrData);
if (uri.queryParameters.containsKey('ref')) { if (uri.queryParameters.containsKey('ref')) {
pendingRef = uri.queryParameters['ref']!; pendingRef = uri.queryParameters['ref']!;
} else if (uri.pathSegments.isNotEmpty) {
final segments = uri.pathSegments;
final qlIndex = segments.indexOf('ql');
if (qlIndex != -1 && qlIndex + 1 < segments.length) {
pendingRef = segments[qlIndex + 1];
}
} }
} catch (e) { } catch (e) {
_log.warning('Failed to parse QR URL: $qrData', e); _log.warning('Failed to parse QR URL: $qrData', e);
@@ -49,10 +90,15 @@ class _QRScanScreenState extends State<QRScanScreen> {
} }
_log.info('QR Code detected raw: $qrData, ref: $pendingRef'); _log.info('QR Code detected raw: $qrData, ref: $pendingRef');
final approveRef = qrData;
final sessionToken = AuthTokenStore.getToken() ?? final storedToken = AuthTokenStore.getToken();
Descope.sessionManager.session?.sessionToken.jwt; final sessionToken = storedToken ?? Descope.sessionManager.session?.sessionToken.jwt;
if (sessionToken == null) { var usesCookie = AuthTokenStore.usesCookie();
if (sessionToken == null && !usesCookie) {
usesCookie = await _bootstrapCookieSession();
}
if (sessionToken == null && !usesCookie) {
if (mounted) { if (mounted) {
ScaffoldMessenger.of(context).showSnackBar( ScaffoldMessenger.of(context).showSnackBar(
const SnackBar(content: Text('로그인이 필요합니다.'), backgroundColor: Colors.red), const SnackBar(content: Text('로그인이 필요합니다.'), backgroundColor: Colors.red),
@@ -64,28 +110,27 @@ class _QRScanScreenState extends State<QRScanScreen> {
try { try {
// Call backend API to approve login with clean ref // Call backend API to approve login with clean ref
await AuthProxyService.approveQrLogin(pendingRef, sessionToken); await AuthProxyService.approveQrLogin(
approveRef,
token: sessionToken,
withCredentials: usesCookie,
);
if (mounted) { if (mounted) {
ScaffoldMessenger.of(context).showSnackBar( setState(() {
const SnackBar( _isSuccess = true;
content: Text('로그인 승인 완료!'), _resultMessage = 'QR 승인 완료! PC 화면에서 로그인이 진행됩니다.';
backgroundColor: Colors.green, _isProcessing = false;
), });
);
// Wait a bit and go back
await Future.delayed(const Duration(milliseconds: 500));
if (mounted) context.pop();
} }
} catch (e) { } catch (e) {
_log.severe("QR Approval Failed", e); _log.severe("QR Approval Failed", e);
if (mounted) { if (mounted) {
ScaffoldMessenger.of(context).showSnackBar( setState(() {
SnackBar(content: Text('승인 실패: $e'), backgroundColor: Colors.red), _isSuccess = false;
); _resultMessage = 'QR 승인 실패: $e';
// Allow rescanning after a delay _isProcessing = false;
await Future.delayed(const Duration(seconds: 2)); });
_isScanned = false;
} }
} }
break; break;
@@ -93,6 +138,58 @@ class _QRScanScreenState extends State<QRScanScreen> {
} }
} }
void _resetScan() {
setState(() {
_isScanned = false;
_isProcessing = false;
_isSuccess = null;
_resultMessage = null;
});
controller.start();
}
Widget _buildResultView() {
final success = _isSuccess == true;
final icon = success ? Icons.check_circle_outline : Icons.error_outline;
final color = success ? Colors.green : Colors.red;
final title = success ? '승인 완료' : '승인 실패';
final message = _resultMessage ?? '';
return Center(
child: Padding(
padding: const EdgeInsets.all(24.0),
child: Column(
mainAxisAlignment: MainAxisAlignment.center,
children: [
Icon(icon, color: color, size: 72),
const SizedBox(height: 16),
Text(
title,
style: TextStyle(fontSize: 22, fontWeight: FontWeight.bold, color: color),
),
const SizedBox(height: 12),
Text(
message,
textAlign: TextAlign.center,
style: const TextStyle(color: Colors.black54),
),
const SizedBox(height: 24),
if (!success)
FilledButton(
onPressed: _resetScan,
child: const Text('다시 스캔'),
),
if (success)
FilledButton(
onPressed: () => context.pop(),
child: const Text('닫기'),
),
],
),
),
);
}
@override @override
Widget build(BuildContext context) { Widget build(BuildContext context) {
return Scaffold( return Scaffold(
@@ -103,22 +200,30 @@ class _QRScanScreenState extends State<QRScanScreen> {
onPressed: () => context.pop(), onPressed: () => context.pop(),
), ),
), ),
body: MobileScanner( body: _isSuccess == null
controller: controller, ? Stack(
onDetect: _onDetect,
errorBuilder: (context, error, child) {
return Center(
child: Column(
mainAxisAlignment: MainAxisAlignment.center,
children: [ children: [
const Icon(Icons.error, color: Colors.red, size: 50), MobileScanner(
const SizedBox(height: 10), controller: controller,
Text('Camera Error: ${error.errorCode}'), onDetect: _onDetect,
errorBuilder: (context, error, child) {
return Center(
child: Column(
mainAxisAlignment: MainAxisAlignment.center,
children: [
const Icon(Icons.error, color: Colors.red, size: 50),
const SizedBox(height: 10),
Text('Camera Error: ${error.errorCode}'),
],
),
);
},
),
if (_isProcessing || _isCheckingSession)
const Center(child: CircularProgressIndicator()),
], ],
), )
); : _buildResultView(),
},
),
); );
} }
} }

9
userfront/lib/main.dart
View File

@@ -157,6 +157,14 @@ final _router = GoRouter(
return ApproveQrScreen(pendingRef: ref); return ApproveQrScreen(pendingRef: ref);
}, },
), ),
GoRoute(
path: '/ql/:ref',
builder: (context, state) {
final ref = state.pathParameters['ref'];
_routerLogger.info("Navigating to /ql with ref: $ref");
return ApproveQrScreen(pendingRef: ref);
},
),
GoRoute( GoRoute(
path: '/scan', path: '/scan',
builder: (context, state) { builder: (context, state) {
@@ -186,6 +194,7 @@ final _router = GoRouter(
path == '/verify' || path == '/verify' ||
path.startsWith('/verify/') || path.startsWith('/verify/') ||
path == '/approve' || path == '/approve' ||
path.startsWith('/ql/') ||
path == '/forgot-password' || path == '/forgot-password' ||
path == '/reset-password'; path == '/reset-password';