feat(auth): email verification login and personal access tokens

* feat(auth): add email verification login flow with 401 auto-redirect Replace the old OAuth-based login with email verification codes: - Backend: send-code / verify-code endpoints, verification_codes table (migration 009), rate limiting, Resend email service - Frontend: two-step login UI (email → 6-digit OTP), auth store with sendCode/verifyCode - SDK: ApiClient gains onUnauthorized callback; 401 responses auto-clear token and redirect to /login - Fix login button staying disabled due to global isLoading state Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(auth): add brute-force protection, redirect loop guard, and expired code cleanup - VerifyCode: increment attempts on wrong code, reject after 5 failed tries (migration 010) - onUnauthorized: skip redirect if already on /login to prevent infinite loops - SendCode: best-effort cleanup of expired verification codes older than 1 hour Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat(auth): add master verification code for non-production environments Allow code "888888" to bypass email verification in non-production environments to simplify development and testing workflows. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat(auth): add personal access tokens for CLI and API authentication Add full-stack PAT support: users create tokens in Settings, CLI authenticates via `multica auth login`. Server stores SHA-256 hashes only. Auth middleware extended to accept both JWTs and PATs (distinguished by `mul_` prefix). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 14:32:30 +08:00 · 2026-03-26 14:32:30 +08:00 · 5c9c2f69fd
commit 5c9c2f69fd
parent a997bcfec0
42 changed files with 1889 additions and 311 deletions
--- a/server/internal/handler/handler.go
+++ b/server/internal/handler/handler.go
@ -27,27 +27,29 @@ type dbExecutor interface {
 }

 type Handler struct {
-	Queries     *db.Queries
-	DB          dbExecutor
-	TxStarter   txStarter
-	Hub         *realtime.Hub
-	Bus         *events.Bus
-	TaskService *service.TaskService
+	Queries      *db.Queries
+	DB           dbExecutor
+	TxStarter    txStarter
+	Hub          *realtime.Hub
+	Bus          *events.Bus
+	TaskService  *service.TaskService
+	EmailService *service.EmailService
 }

-func New(queries *db.Queries, txStarter txStarter, hub *realtime.Hub, bus *events.Bus) *Handler {
+func New(queries *db.Queries, txStarter txStarter, hub *realtime.Hub, bus *events.Bus, emailService *service.EmailService) *Handler {
 	var executor dbExecutor
 	if candidate, ok := txStarter.(dbExecutor); ok {
 		executor = candidate
 	}

 	return &Handler{
-		Queries:     queries,
-		DB:          executor,
-		TxStarter:   txStarter,
-		Hub:         hub,
-		Bus:         bus,
-		TaskService: service.NewTaskService(queries, hub, bus),
+		Queries:      queries,
+		DB:           executor,
+		TxStarter:    txStarter,
+		Hub:          hub,
+		Bus:          bus,
+		TaskService:  service.NewTaskService(queries, hub, bus),
+		EmailService: emailService,
 	}
 }