import 'dart:async'; import 'dart:convert'; import 'package:flutter/material.dart'; import 'package:flutter_riverpod/flutter_riverpod.dart'; import 'package:flutter_dotenv/flutter_dotenv.dart'; import 'package:google_fonts/google_fonts.dart'; import 'package:descope/descope.dart'; import 'package:go_router/go_router.dart'; import 'package:url_launcher/url_launcher_string.dart'; import 'package:qr_flutter/qr_flutter.dart'; import '../../../core/services/audit_service.dart'; import '../../../core/services/web_auth_integration.dart'; import '../../../core/services/auth_proxy_service.dart'; import '../../../core/notifiers/auth_notifier.dart'; class LoginScreen extends ConsumerStatefulWidget { final String? verificationToken; const LoginScreen({super.key, this.verificationToken}); @override ConsumerState createState() => _LoginScreenState(); } class _LoginScreenState extends ConsumerState with SingleTickerProviderStateMixin { late TabController _tabController; final TextEditingController _idController = TextEditingController(); final TextEditingController _smsCodeController = TextEditingController(); // Keep if needed for verification inputs later? Actually not used in link flow. bool _smsSent = false; String? _redirectUrl; // QR Login Variables String? _qrImageBase64; String? _qrPendingRef; bool _isQrLoading = false; Timer? _qrPollingTimer; int _qrRemainingSeconds = 0; Timer? _qrCountdownTimer; @override void initState() { super.initState(); _tabController = TabController(length: 2, vsync: this); _tabController.addListener(_handleTabSelection); // Check for tokens (Path Parameter or Legacy Query Parameter) WidgetsBinding.instance.addPostFrameCallback((_) { if (widget.verificationToken != null) { _verifyToken(widget.verificationToken!); } else { final uri = Uri.base; if (uri.queryParameters.containsKey('t')) { _verifyToken(uri.queryParameters['t']!); } } final uri = Uri.base; if (uri.queryParameters.containsKey('redirect_url')) { _redirectUrl = uri.queryParameters['redirect_url']; } }); } // Helper to decode JWT and get loginId String _getLoginIdFromJwt(String jwt) { try { final parts = jwt.split('.'); if (parts.length != 3) return 'User'; final payload = utf8.decode(base64Url.decode(base64Url.normalize(parts[1]))); final data = json.decode(payload); // Descope tokens usually have 'name', 'email', or 'sub' return data['name'] ?? data['email'] ?? data['sub'] ?? 'User'; } catch (e) { debugPrint("[JWT] Decode error: $e"); return 'User'; } } // Helper to decode JWT and get User ID (sub claim) String _getUserIdFromJwt(String jwt) { try { final parts = jwt.split('.'); if (parts.length != 3) return 'unknown'; final payload = utf8.decode(base64Url.decode(base64Url.normalize(parts[1]))); final data = json.decode(payload) as Map; return data['sub'] as String? ?? 'unknown'; } catch (e) { debugPrint("[JWT] Could not extract User ID (sub): $e"); return 'unknown'; } } void _handleTabSelection() { if (_tabController.index == 1 && _qrPendingRef == null) { _startQrFlow(); } else if (_tabController.index != 1) { _stopQrPolling(); } } Future _startQrFlow() async { if (_isQrLoading) return; setState(() { _isQrLoading = true; _qrImageBase64 = null; _qrRemainingSeconds = 0; }); try { final res = await AuthProxyService.initQrLogin(); if (mounted) { setState(() { _qrImageBase64 = res['qrCode']; _qrPendingRef = res['pendingRef']; _qrRemainingSeconds = res['expiresIn'] ?? 300; _isQrLoading = false; }); _startQrPolling(); _startCountdown(); } } catch (e) { _showError("Failed to init QR: $e"); if (mounted) setState(() => _isQrLoading = false); } } void _startCountdown() { _qrCountdownTimer?.cancel(); _qrCountdownTimer = Timer.periodic(const Duration(seconds: 1), (timer) { if (!mounted || _qrRemainingSeconds <= 0) { timer.cancel(); if (_qrRemainingSeconds <= 0) _stopQrPolling(); return; } setState(() { _qrRemainingSeconds--; }); }); } void _startQrPolling() { _qrPollingTimer?.cancel(); _qrPollingTimer = Timer.periodic(const Duration(milliseconds: 1500), (timer) async { if (_qrPendingRef == null || !mounted || _qrRemainingSeconds <= 0) { timer.cancel(); return; } try { final res = await AuthProxyService.pollQrStatus(_qrPendingRef!); if (res['status'] == 'ok' && res['sessionJwt'] != null) { timer.cancel(); _qrCountdownTimer?.cancel(); final jwt = res['sessionJwt']; final displayName = _getLoginIdFromJwt(jwt); // Create User & Session for Descope SDK final dummyUser = DescopeUser( 'unknown', // userId [], // loginIds 0, // createdAt displayName, // name null, // picture (Uri?) '', // email false, // isVerifiedEmail '', // phone false, // isVerifiedPhone {}, // customAttributes '', // givenName '', // middleName '', // familyName false, // hasPassword 'enabled', // status [], // roleNames [], // ssoAppIds [], // oauthProviders (List) ); final session = DescopeSession.fromJwt(jwt, jwt, dummyUser); Descope.sessionManager.manageSession(session); _onLoginSuccess(jwt); } } catch (e) { debugPrint("[QR] Polling error: $e"); } }); } void _stopQrPolling() { _qrPollingTimer?.cancel(); _qrPollingTimer = null; _qrCountdownTimer?.cancel(); _qrCountdownTimer = null; _qrPendingRef = null; } String _formatTime(int seconds) { final m = seconds ~/ 60; final s = seconds % 60; return "${m.toString().padLeft(2, '0')}:${s.toString().padLeft(2, '0')}"; } Future _verifyToken(String token) async { debugPrint("[Auth] Starting verification for token: $token"); try { // Use Backend to verify the token (Backend-Driven Flow) final res = await AuthProxyService.verifyMagicLink(token); final jwt = res['token']; debugPrint("[Auth] Verification successful for token: $token"); if (jwt != null && mounted) { final displayName = _getLoginIdFromJwt(jwt); // Create User & Session for Descope SDK to log in this tab final dummyUser = DescopeUser( 'unknown', [], 0, displayName, null, '', false, '', false, {}, '', '', '', false, 'enabled', [], [], [], ); final session = DescopeSession.fromJwt(jwt, jwt, dummyUser); // Refresh Token을 LocalStorage에 저장 Descope.sessionManager.manageSession(session); // Notify and Go to Dashboard _onLoginSuccess(jwt); } } catch (e) { debugPrint("[Auth] Verification FAILED for token: $token. Error: $e"); if (mounted) { _showError("Verification failed: $e"); } } } void _showSuccessDialog() { showDialog( context: context, barrierDismissible: false, builder: (context) => const AlertDialog( title: Text("Authentication Successful"), content: Text("You can close this tab and return to the application."), ), ); } @override void dispose() { _stopQrPolling(); _tabController.dispose(); _idController.dispose(); _smsCodeController.dispose(); super.dispose(); } Future _handleLogin() async { final input = _idController.text.trim(); if (input.isEmpty) return; String loginId = input; if (!input.contains('@')) { // Format phone number if it's not an email loginId = input.replaceAll(RegExp(r'[-\s]'), ''); if (loginId.startsWith('010')) { loginId = '+82${loginId.substring(1)}'; } } debugPrint("[Auth] Initiating Enchanted Link for: $loginId"); _startEnchantedFlow(loginId, isEmail: input.contains('@')); } Future _startEnchantedFlow(String loginId, {required bool isEmail}) async { try { if (mounted) { showDialog( context: context, barrierDismissible: false, builder: (context) => const Center(child: CircularProgressIndicator()), ); } // 1. Init via Backend API (Now handles both SMS and SES Email) final initResponse = await AuthProxyService.initEnchantedLink(loginId); final pendingRef = initResponse['pendingRef']; debugPrint("[Auth] Link Sent. PendingRef: $pendingRef"); if (mounted) { Navigator.of(context).pop(); // Close Loading showDialog( context: context, barrierDismissible: false, builder: (context) => AlertDialog( title: Text(isEmail ? "이메일 전송됨" : "SMS 전송됨"), content: Column( mainAxisSize: MainAxisSize.min, children: [ Text(isEmail ? "입력하신 이메일로 로그인 링크를 보냈습니다." : "입력하신 번호로 로그인 링크를 보냈습니다."), const SizedBox(height: 16), const LinearProgressIndicator(), const SizedBox(height: 16), TextButton( onPressed: () { debugPrint("[Auth] Polling canceled by user"); Navigator.of(context).pop(); }, child: const Text("취소") ) ], ), ), ); // 2. Poll Backend manually _pollForSession(pendingRef); } } catch (e) { debugPrint("[Auth] Initialization failed: $e"); if (mounted && Navigator.canPop(context)) Navigator.of(context).pop(); _showError("전송 실패: $e"); } } Future _pollForSession(String pendingRef) async { int attempts = 0; const maxAttempts = 60; // 2 minutes debugPrint("[Auth] Starting poll for ref: $pendingRef"); while (attempts < maxAttempts && mounted) { await Future.delayed(const Duration(seconds: 2)); attempts++; try { final result = await AuthProxyService.pollEnchantedLink(pendingRef); if (result['status'] == 'ok') { final jwt = result['sessionJwt']; if (jwt != null) { debugPrint("[Auth] Polling SUCCESS. Token received."); final displayName = _getLoginIdFromJwt(jwt); // Descope SDK 세션 강제 주입 // Note: DescopeUser in 0.9.11 requires 18 positional arguments. final dummyUser = DescopeUser( 'unknown', // userId [], // loginIds 0, // createdAt displayName, // name null, // picture (Uri?) '', // email false, // isVerifiedEmail '', // phone false, // isVerifiedPhone {}, // customAttributes '', // givenName '', // middleName '', // familyName false, // hasPassword 'enabled', // status [], // roleNames [], // ssoAppIds [], // oauthProviders (List) ); final session = DescopeSession.fromJwt(jwt, jwt, dummyUser); Descope.sessionManager.manageSession(session); if (mounted) { Navigator.of(context).pop(); // Close Polling Dialog _onLoginSuccess(jwt); } return; } } } catch (e) { debugPrint("[Auth] Polling error (attempt $attempts): $e"); } } if (mounted) { debugPrint("[Auth] Polling timed out for ref: $pendingRef"); Navigator.of(context).pop(); // Close Polling Dialog _showError("Login timed out."); } } void _showError(String message) { if (!mounted) return; ScaffoldMessenger.of(context).showSnackBar( SnackBar(content: Text(message), backgroundColor: Colors.red), ); try { AuthProxyService.logError(message); } catch (e) { // ignore } } void _logTokenDetails(String jwt) { try { // JWT는 세 부분(Header, Payload, Signature)이 '.'으로 구분된 문자열입니다. 이를 분리합니다. final parts = jwt.split('.'); // 세 부분으로 정확히 나뉘지 않았다면 유효한 JWT가 아니므로 중단합니다. if (parts.length != 3) return; // JWT의 두 번째 부분(Payload)은 Base64Url로 인코딩된 JSON 데이터입니다. // 1. Base64Url 문자열을 디코딩하여 바이트 배열로 변환합니다. // normalize()는 Base64 패딩(=) 문제를 처리해줍니다. final decodedPayload = base64Url.decode(base64Url.normalize(parts[1])); // 2. 바이트 배열을 UTF-8 형식의 일반 문자열(JSON)로 변환합니다. final payloadJson = utf8.decode(decodedPayload); // 3. JSON 문자열을 Dart에서 사용할 수 있는 Map 객체로 변환합니다. final data = json.decode(payloadJson) as Map; // [FIX] 'exp'는 int 또는 double일 수 있으므로, 안전하게 num으로 처리합니다. final accessExpValue = data['exp'] as num?; // 'exp' (Expiration Time) 필드는 Access Token의 만료 시간을 나타냅니다. Unix 타임스탬프(초 단위) 값입니다. // 이 값을 Dart의 DateTime 객체로 변환합니다. (1000을 곱해 밀리초 단위로 만듦) final accessExp = accessExpValue != null ? DateTime.fromMillisecondsSinceEpoch(accessExpValue.toInt() * 1000) : 'N/A'; // 'rexp' (Refresh Expiration) 필드는 Descope가 사용하는 커스텀 필드로, Refresh Token의 만료 시간을 ISO 8601 형식의 문자열로 나타냅니다. final refreshExp = data['rexp'] ?? 'N/A'; // 확인된 만료 시간 정보들을 디버그 콘솔에 출력합니다. debugPrint(""" [Auth] Session Token Details --- - Access Token Expires: $accessExp - Refresh Token Expires: $refreshExp """); } catch (e) { // JWT를 해석하는 과정에서 오류가 발생하면 콘솔에 에러를 출력합니다. debugPrint("[Auth] Failed to decode or log token details: $e"); } } void _onLoginSuccess(String token) { if (!mounted) return; _logTokenDetails(token); // [FIX] 감사 로그에 실제 사용자 ID를 전송하기 위해 토큰에서 ID를 추출합니다. final userId = _getUserIdFromJwt(token); // Record Audit Log AuditService.logEvent( userId: userId, eventType: "LOGIN_SUCCESS", status: "SUCCESS", details: "User logged in via Baron SSO", ); // 1. Handle Popup Flow (Highest Priority for child windows) // If opened as a popup (has opener), we notify and try to close. if (WebAuthIntegration.isPopup()) { debugPrint("[Auth] Popup detected. Notifying opener and attempting to close."); WebAuthIntegration.sendLoginSuccess(token); // We don't 'return' here to allow a fallback if window.close() is blocked, // but in most cases WebAuthIntegration.sendLoginSuccess will close the window. } else { // 2. Handle Redirect Flow (Only if NOT a popup) if (_redirectUrl != null && _redirectUrl!.isNotEmpty) { debugPrint("[Auth] Redirecting standalone window to: $_redirectUrl"); final target = "$_redirectUrl?token=$token"; launchUrlString(target, webOnlyWindowName: '_self'); return; } } // 3. Standalone mode / Fallback // If it's a standard login, or if a popup's window.close() was blocked by the browser. debugPrint("[Auth] Login success. Navigating to root."); AuthNotifier.instance.notify(); if (mounted) { context.go('/'); } } @override Widget build(BuildContext context) { return Scaffold( body: LayoutBuilder( builder: (context, constraints) { return SingleChildScrollView( child: ConstrainedBox( constraints: BoxConstraints(minHeight: constraints.maxHeight), child: Center( child: Container( constraints: const BoxConstraints(maxWidth: 400), padding: const EdgeInsets.all(24), child: Column( mainAxisAlignment: MainAxisAlignment.center, crossAxisAlignment: CrossAxisAlignment.stretch, children: [ Text( "Baron SSO", style: GoogleFonts.outfit( fontSize: 32, fontWeight: FontWeight.bold, ), textAlign: TextAlign.center, ), const SizedBox(height: 40), TabBar( controller: _tabController, tabs: const [ Tab(text: "로그인"), Tab(text: "QR 코드"), ], ), const SizedBox(height: 24), SizedBox( height: 350, child: TabBarView( controller: _tabController, children: [ // Unified Login Form Padding( padding: const EdgeInsets.only(top: 16.0), child: Column( children: [ TextField( controller: _idController, decoration: const InputDecoration( labelText: "이메일 또는 휴대폰 번호", hintText: "", border: OutlineInputBorder(), prefixIcon: Icon(Icons.person_outline), ), onSubmitted: (_) => _handleLogin(), ), const SizedBox(height: 24), FilledButton( onPressed: _handleLogin, style: FilledButton.styleFrom( minimumSize: const Size.fromHeight(50), ), child: const Text("로그인 링크 전송"), ), const SizedBox(height: 16), Row( mainAxisAlignment: MainAxisAlignment.center, children: [ const Text("계정이 없으신가요?", style: TextStyle(color: Colors.grey, fontSize: 14)), TextButton( onPressed: () => context.push('/signup'), child: const Text("회원가입"), ), ], ), const SizedBox(height: 16), const Text( "입력하신 정보로 로그인 링크를 전송합니다.", style: TextStyle(color: Colors.grey, fontSize: 12), textAlign: TextAlign.center, ), ], ), ), // QR Login View Column( mainAxisAlignment: MainAxisAlignment.center, crossAxisAlignment: CrossAxisAlignment.center, children: [ if (_isQrLoading) const CircularProgressIndicator() else if (_qrImageBase64 != null) Column( crossAxisAlignment: CrossAxisAlignment.center, children: [ Container( padding: const EdgeInsets.all(16), decoration: BoxDecoration( border: Border.all(color: Colors.grey.shade300), borderRadius: BorderRadius.circular(12), ), child: QrImageView( data: _qrImageBase64!, version: QrVersions.auto, size: 200.0, ), ), const SizedBox(height: 12), Text( _qrRemainingSeconds > 0 ? "남은 시간: ${_formatTime(_qrRemainingSeconds)}" : "QR 코드 만료됨", textAlign: TextAlign.center, style: TextStyle( color: _qrRemainingSeconds > 30 ? Colors.blue : Colors.red, fontWeight: FontWeight.bold, ), ), const SizedBox(height: 8), const Text( "모바일 앱으로 스캔하세요", textAlign: TextAlign.center, style: TextStyle(color: Colors.grey, fontSize: 12), ), TextButton( onPressed: _startQrFlow, child: const Text("QR 코드 새로고침") ), ], ) else const Text("QR 코드를 불러오지 못했습니다.", textAlign: TextAlign.center), ], ), ], ), ), ], ), ), ), ), ); }, ), ); } }