feat(auth): email verification login and personal access tokens
* feat(auth): add email verification login flow with 401 auto-redirect Replace the old OAuth-based login with email verification codes: - Backend: send-code / verify-code endpoints, verification_codes table (migration 009), rate limiting, Resend email service - Frontend: two-step login UI (email → 6-digit OTP), auth store with sendCode/verifyCode - SDK: ApiClient gains onUnauthorized callback; 401 responses auto-clear token and redirect to /login - Fix login button staying disabled due to global isLoading state Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(auth): add brute-force protection, redirect loop guard, and expired code cleanup - VerifyCode: increment attempts on wrong code, reject after 5 failed tries (migration 010) - onUnauthorized: skip redirect if already on /login to prevent infinite loops - SendCode: best-effort cleanup of expired verification codes older than 1 hour Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat(auth): add master verification code for non-production environments Allow code "888888" to bypass email verification in non-production environments to simplify development and testing workflows. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat(auth): add personal access tokens for CLI and API authentication Add full-stack PAT support: users create tokens in Settings, CLI authenticates via `multica auth login`. Server stores SHA-256 hashes only. Auth middleware extended to accept both JWTs and PATs (distinguished by `mul_` prefix). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
LinYushen
GitHub
parent
a997bcfec0
commit
5c9c2f69fd
42 changed files with 1889 additions and 311 deletions
118
server/pkg/db/generated/verification_code.sql.go
Normal file
118
server/pkg/db/generated/verification_code.sql.go
Normal file
|
|
@ -0,0 +1,118 @@
|
|||
// Code generated by sqlc. DO NOT EDIT.
|
||||
// versions:
|
||||
// sqlc v1.30.0
|
||||
// source: verification_code.sql
|
||||
|
||||
package db
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/jackc/pgx/v5/pgtype"
|
||||
)
|
||||
|
||||
const createVerificationCode = `-- name: CreateVerificationCode :one
|
||||
INSERT INTO verification_code (email, code, expires_at)
|
||||
VALUES ($1, $2, $3)
|
||||
RETURNING id, email, code, expires_at, used, created_at, attempts
|
||||
`
|
||||
|
||||
type CreateVerificationCodeParams struct {
|
||||
Email string `json:"email"`
|
||||
Code string `json:"code"`
|
||||
ExpiresAt pgtype.Timestamptz `json:"expires_at"`
|
||||
}
|
||||
|
||||
func (q *Queries) CreateVerificationCode(ctx context.Context, arg CreateVerificationCodeParams) (VerificationCode, error) {
|
||||
row := q.db.QueryRow(ctx, createVerificationCode, arg.Email, arg.Code, arg.ExpiresAt)
|
||||
var i VerificationCode
|
||||
err := row.Scan(
|
||||
&i.ID,
|
||||
&i.Email,
|
||||
&i.Code,
|
||||
&i.ExpiresAt,
|
||||
&i.Used,
|
||||
&i.CreatedAt,
|
||||
&i.Attempts,
|
||||
)
|
||||
return i, err
|
||||
}
|
||||
|
||||
const deleteExpiredVerificationCodes = `-- name: DeleteExpiredVerificationCodes :exec
|
||||
DELETE FROM verification_code
|
||||
WHERE expires_at < now() - interval '1 hour'
|
||||
`
|
||||
|
||||
func (q *Queries) DeleteExpiredVerificationCodes(ctx context.Context) error {
|
||||
_, err := q.db.Exec(ctx, deleteExpiredVerificationCodes)
|
||||
return err
|
||||
}
|
||||
|
||||
const getLatestCodeByEmail = `-- name: GetLatestCodeByEmail :one
|
||||
SELECT id, email, code, expires_at, used, created_at, attempts FROM verification_code
|
||||
WHERE email = $1
|
||||
ORDER BY created_at DESC
|
||||
LIMIT 1
|
||||
`
|
||||
|
||||
func (q *Queries) GetLatestCodeByEmail(ctx context.Context, email string) (VerificationCode, error) {
|
||||
row := q.db.QueryRow(ctx, getLatestCodeByEmail, email)
|
||||
var i VerificationCode
|
||||
err := row.Scan(
|
||||
&i.ID,
|
||||
&i.Email,
|
||||
&i.Code,
|
||||
&i.ExpiresAt,
|
||||
&i.Used,
|
||||
&i.CreatedAt,
|
||||
&i.Attempts,
|
||||
)
|
||||
return i, err
|
||||
}
|
||||
|
||||
const getLatestVerificationCode = `-- name: GetLatestVerificationCode :one
|
||||
SELECT id, email, code, expires_at, used, created_at, attempts FROM verification_code
|
||||
WHERE email = $1
|
||||
AND used = FALSE
|
||||
AND expires_at > now()
|
||||
AND attempts < 5
|
||||
ORDER BY created_at DESC
|
||||
LIMIT 1
|
||||
`
|
||||
|
||||
func (q *Queries) GetLatestVerificationCode(ctx context.Context, email string) (VerificationCode, error) {
|
||||
row := q.db.QueryRow(ctx, getLatestVerificationCode, email)
|
||||
var i VerificationCode
|
||||
err := row.Scan(
|
||||
&i.ID,
|
||||
&i.Email,
|
||||
&i.Code,
|
||||
&i.ExpiresAt,
|
||||
&i.Used,
|
||||
&i.CreatedAt,
|
||||
&i.Attempts,
|
||||
)
|
||||
return i, err
|
||||
}
|
||||
|
||||
const incrementVerificationCodeAttempts = `-- name: IncrementVerificationCodeAttempts :exec
|
||||
UPDATE verification_code
|
||||
SET attempts = attempts + 1
|
||||
WHERE id = $1
|
||||
`
|
||||
|
||||
func (q *Queries) IncrementVerificationCodeAttempts(ctx context.Context, id pgtype.UUID) error {
|
||||
_, err := q.db.Exec(ctx, incrementVerificationCodeAttempts, id)
|
||||
return err
|
||||
}
|
||||
|
||||
const markVerificationCodeUsed = `-- name: MarkVerificationCodeUsed :exec
|
||||
UPDATE verification_code
|
||||
SET used = TRUE
|
||||
WHERE id = $1
|
||||
`
|
||||
|
||||
func (q *Queries) MarkVerificationCodeUsed(ctx context.Context, id pgtype.UUID) error {
|
||||
_, err := q.db.Exec(ctx, markVerificationCodeUsed, id)
|
||||
return err
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue