marketing-shibata50/multica
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(auth): email verification login and personal access tokens

Browse source 
* feat(auth): add email verification login flow with 401 auto-redirect

Replace the old OAuth-based login with email verification codes:
- Backend: send-code / verify-code endpoints, verification_codes table (migration 009), rate limiting, Resend email service
- Frontend: two-step login UI (email → 6-digit OTP), auth store with sendCode/verifyCode
- SDK: ApiClient gains onUnauthorized callback; 401 responses auto-clear token and redirect to /login
- Fix login button staying disabled due to global isLoading state

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(auth): add brute-force protection, redirect loop guard, and expired code cleanup

- VerifyCode: increment attempts on wrong code, reject after 5 failed tries (migration 010)
- onUnauthorized: skip redirect if already on /login to prevent infinite loops
- SendCode: best-effort cleanup of expired verification codes older than 1 hour

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat(auth): add master verification code for non-production environments

Allow code "888888" to bypass email verification in non-production
environments to simplify development and testing workflows.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat(auth): add personal access tokens for CLI and API authentication

Add full-stack PAT support: users create tokens in Settings, CLI authenticates
via `multica auth login`. Server stores SHA-256 hashes only. Auth middleware
extended to accept both JWTs and PATs (distinguished by `mul_` prefix).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
LinYushen 2026-03-26 14:32:30 +08:00 committed by GitHub
parent a997bcfec0
commit 5c9c2f69fd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
42 changed files with 1889 additions and 311 deletions
Download patch file Download diff file Expand all files Collapse all files

36
server/internal/middleware/auth_test.go
View file

@ -24,8 +24,13 @@ func validClaims() jwt.MapClaims {
}
}
// authMiddleware returns the Auth middleware with nil queries (JWT-only tests).
func authMiddleware(next http.Handler) http.Handler {
return Auth(nil)(next)
}
func TestAuth_MissingHeader(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
@ -42,7 +47,7 @@ func TestAuth_MissingHeader(t *testing.T) {
}
func TestAuth_NoBearerPrefix(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
@ -60,7 +65,7 @@ func TestAuth_NoBearerPrefix(t *testing.T) {
}
func TestAuth_InvalidToken(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
@ -75,7 +80,7 @@ func TestAuth_InvalidToken(t *testing.T) {
}
func TestAuth_ExpiredToken(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
@ -94,7 +99,7 @@ func TestAuth_ExpiredToken(t *testing.T) {
}
func TestAuth_WrongSecret(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
@ -111,7 +116,7 @@ func TestAuth_WrongSecret(t *testing.T) {
}
func TestAuth_WrongSigningMethod(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
@ -131,7 +136,7 @@ func TestAuth_WrongSigningMethod(t *testing.T) {
func TestAuth_ValidToken(t *testing.T) {
var gotUserID, gotEmail string
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
gotUserID = r.Header.Get("X-User-ID")
gotEmail = r.Header.Get("X-User-Email")
w.WriteHeader(http.StatusOK)
@ -156,7 +161,7 @@ func TestAuth_ValidToken(t *testing.T) {
}
func TestAuth_MissingClaims(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
@ -175,3 +180,18 @@ func TestAuth_MissingClaims(t *testing.T) {
t.Fatalf("expected 401, got %d", w.Code)
}
}
func TestAuth_InvalidPAT(t *testing.T) {
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
req := httptest.NewRequest("GET", "/api/me", nil)
req.Header.Set("Authorization", "Bearer mul_invalid_token_here")
w := httptest.NewRecorder()
handler.ServeHTTP(w, req)
if w.Code != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", w.Code)
}
}