fix auth pending adoption and turnstile flow

2026-05-05 21:50:44 +08:00 · 2026-04-21 00:45:56 +08:00
parent e4fe9fae2a
commit 12f4af742f
6 changed files with 313 additions and 14 deletions
--- a/frontend/src/views/auth/LinuxDoCallbackView.vue
+++ b/frontend/src/views/auth/LinuxDoCallbackView.vue
@@ -296,6 +296,19 @@ type LinuxDoPendingActionResponse = PendingOAuthExchangeResponse & {
  resolved_email?: string
 }

+function persistPendingAuthSession(redirect?: string) {
+  authStore.setPendingAuthSession({
+    token: '',
+    token_field: 'pending_oauth_token',
+    provider: 'linuxdo',
+    redirect: sanitizeRedirectPath(redirect || redirectTo.value)
+  })
+}
+
+function clearPendingAuthSession() {
+  authStore.clearPendingAuthSession()
+}
+
 function parseFragmentParams(): URLSearchParams {
  const raw = typeof window !== 'undefined' ? window.location.hash : ''
  const hash = raw.startsWith('#') ? raw.slice(1) : raw
@@ -434,6 +447,7 @@ function getRequestErrorMessage(error: unknown, fallback: string): string {
 async function finalizeCompletion(completion: PendingOAuthExchangeResponse, redirect: string) {
  if (getOAuthCompletionKind(completion) === 'bind') {
    const bindRedirect = sanitizeRedirectPath(completion.redirect || '/profile')
+    clearPendingAuthSession()
    appStore.showSuccess(bindSuccessMessage)
    await router.replace(bindRedirect)
    return
@@ -451,16 +465,19 @@ async function finalizeCompletion(completion: PendingOAuthExchangeResponse, redi

 async function finalizePendingAccountResponse(completion: LinuxDoPendingActionResponse) {
  applyAdoptionSuggestionState(completion)
+  const redirect = sanitizeRedirectPath(completion.redirect || redirectTo.value)

  if (completion.error === 'invitation_required') {
    pendingAccountAction.value = 'none'
    needsInvitation.value = true
    needsAdoptionConfirmation.value = false
    isProcessing.value = false
+    persistPendingAuthSession(redirect)
    return
  }

  if (applyTotpChallenge(completion)) {
+    persistPendingAuthSession(redirect)
    return
  }

@@ -469,10 +486,10 @@ async function finalizePendingAccountResponse(completion: LinuxDoPendingActionRe
    needsInvitation.value = false
    needsAdoptionConfirmation.value = false
    isProcessing.value = false
+    persistPendingAuthSession(redirect)
    return
  }

-  const redirect = sanitizeRedirectPath(completion.redirect || redirectTo.value)
  await finalizeCompletion(completion, redirect)
 }

@@ -502,8 +519,8 @@ async function handleSubmitInvitation() {
 async function handleContinueLogin() {
  isSubmitting.value = true
  try {
-    const completion = await exchangePendingOAuthCompletion(currentAdoptionDecision())
-    await finalizeCompletion(completion, redirectTo.value)
+    const completion = await exchangePendingOAuthCompletion(currentAdoptionDecision()) as LinuxDoPendingActionResponse
+    await finalizePendingAccountResponse(completion)
  } catch (e: unknown) {
    errorMessage.value = getRequestErrorMessage(e, t('auth.loginFailed'))
    appStore.showError(errorMessage.value)
@@ -598,27 +615,32 @@ onMounted(async () => {
    if (completion.error === 'invitation_required') {
      needsInvitation.value = true
      isProcessing.value = false
+      persistPendingAuthSession(redirect)
      return
    }

    if (applyTotpChallenge(completion as LinuxDoPendingActionResponse)) {
+      persistPendingAuthSession(redirect)
      return
    }

    applyPendingAccountAction(completion as LinuxDoPendingActionResponse)
    if (pendingAccountAction.value !== 'none') {
      isProcessing.value = false
+      persistPendingAuthSession(redirect)
      return
    }

    if (adoptionRequired.value && hasSuggestedProfile(completion)) {
      needsAdoptionConfirmation.value = true
      isProcessing.value = false
+      persistPendingAuthSession(redirect)
      return
    }

    await finalizeCompletion(completion, redirect)
  } catch (e: unknown) {
+    clearPendingAuthSession()
    errorMessage.value = getRequestErrorMessage(e, t('auth.loginFailed'))
    appStore.showError(errorMessage.value)
    isProcessing.value = false
--- a/frontend/src/views/auth/OidcCallbackView.vue
+++ b/frontend/src/views/auth/OidcCallbackView.vue
@@ -312,6 +312,19 @@ type PendingOidcCompletion = PendingOAuthExchangeResponse & {
  user_email_masked?: string
 }

+function persistPendingAuthSession(redirect?: string) {
+  authStore.setPendingAuthSession({
+    token: '',
+    token_field: 'pending_oauth_token',
+    provider: 'oidc',
+    redirect: sanitizeRedirectPath(redirect || redirectTo.value)
+  })
+}
+
+function clearPendingAuthSession() {
+  authStore.clearPendingAuthSession()
+}
+
 function parseFragmentParams(): URLSearchParams {
  const raw = typeof window !== 'undefined' ? window.location.hash : ''
  const hash = raw.startsWith('#') ? raw.slice(1) : raw
@@ -478,6 +491,7 @@ function getRequestErrorMessage(error: unknown, fallback: string): string {
 async function finalizeCompletion(completion: PendingOAuthExchangeResponse, redirect: string) {
  if (getOAuthCompletionKind(completion) === 'bind') {
    const bindRedirect = sanitizeRedirectPath(completion.redirect || '/profile')
+    clearPendingAuthSession()
    appStore.showSuccess(bindSuccessMessage)
    await router.replace(bindRedirect)
    return
@@ -495,16 +509,19 @@ async function finalizeCompletion(completion: PendingOAuthExchangeResponse, redi

 async function finalizePendingAccountResponse(completion: PendingOidcCompletion) {
  applyAdoptionSuggestionState(completion)
+  const redirect = sanitizeRedirectPath(completion.redirect || redirectTo.value)

  if (completion.error === 'invitation_required') {
    pendingAccountAction.value = 'none'
    needsInvitation.value = true
    needsAdoptionConfirmation.value = false
    isProcessing.value = false
+    persistPendingAuthSession(redirect)
    return
  }

  if (applyTotpChallenge(completion)) {
+    persistPendingAuthSession(redirect)
    return
  }

@@ -513,10 +530,10 @@ async function finalizePendingAccountResponse(completion: PendingOidcCompletion)
    needsInvitation.value = false
    needsAdoptionConfirmation.value = false
    isProcessing.value = false
+    persistPendingAuthSession(redirect)
    return
  }

-  const redirect = sanitizeRedirectPath(completion.redirect || redirectTo.value)
  await finalizeCompletion(completion, redirect)
 }

@@ -546,8 +563,8 @@ async function handleSubmitInvitation() {
 async function handleContinueLogin() {
  isSubmitting.value = true
  try {
-    const completion = await exchangePendingOAuthCompletion(currentAdoptionDecision())
-    await finalizeCompletion(completion, redirectTo.value)
+    const completion = await exchangePendingOAuthCompletion(currentAdoptionDecision()) as PendingOidcCompletion
+    await finalizePendingAccountResponse(completion)
  } catch (e: unknown) {
    errorMessage.value = getRequestErrorMessage(e, t('auth.loginFailed'))
    appStore.showError(errorMessage.value)
@@ -644,27 +661,32 @@ onMounted(async () => {
    if (completion.error === 'invitation_required') {
      needsInvitation.value = true
      isProcessing.value = false
+      persistPendingAuthSession(redirect)
      return
    }

    if (applyTotpChallenge(completion)) {
+      persistPendingAuthSession(redirect)
      return
    }

    applyPendingAccountAction(completion)
    if (pendingAccountAction.value !== 'none') {
      isProcessing.value = false
+      persistPendingAuthSession(redirect)
      return
    }

    if (adoptionRequired.value && hasSuggestedProfile(completion)) {
      needsAdoptionConfirmation.value = true
      isProcessing.value = false
+      persistPendingAuthSession(redirect)
      return
    }

    await finalizeCompletion(completion, redirect)
  } catch (e: unknown) {
+    clearPendingAuthSession()
    errorMessage.value = getRequestErrorMessage(e, t('auth.loginFailed'))
    appStore.showError(errorMessage.value)
    isProcessing.value = false
--- a/frontend/src/views/auth/tests/LinuxDoCallbackView.spec.ts
+++ b/frontend/src/views/auth/tests/LinuxDoCallbackView.spec.ts
@@ -7,8 +7,11 @@ const replace = vi.fn()
 const showSuccess = vi.fn()
 const showError = vi.fn()
 const setToken = vi.fn()
+const setPendingAuthSession = vi.fn()
+const clearPendingAuthSession = vi.fn()
 const exchangePendingOAuthCompletion = vi.fn()
 const completeLinuxDoOAuthRegistration = vi.fn()
+const getPublicSettings = vi.fn()
 const login2FA = vi.fn()
 const apiClientPost = vi.fn()
 const sendVerifyCode = vi.fn()
@@ -34,7 +37,9 @@ vi.mock('vue-i18n', async () => {

 vi.mock('@/stores', () => ({
  useAuthStore: () => ({
-    setToken
+    setToken,
+    setPendingAuthSession,
+    clearPendingAuthSession
  }),
  useAppStore: () => ({
    showSuccess,
@@ -54,6 +59,7 @@ vi.mock('@/api/auth', async () => {
    ...actual,
    exchangePendingOAuthCompletion: (...args: any[]) => exchangePendingOAuthCompletion(...args),
    completeLinuxDoOAuthRegistration: (...args: any[]) => completeLinuxDoOAuthRegistration(...args),
+    getPublicSettings: (...args: any[]) => getPublicSettings(...args),
    login2FA: (...args: any[]) => login2FA(...args),
    sendVerifyCode: (...args: any[]) => sendVerifyCode(...args)
  }
@@ -65,11 +71,18 @@ describe('LinuxDoCallbackView', () => {
    showSuccess.mockReset()
    showError.mockReset()
    setToken.mockReset()
+    setPendingAuthSession.mockReset()
+    clearPendingAuthSession.mockReset()
    exchangePendingOAuthCompletion.mockReset()
    completeLinuxDoOAuthRegistration.mockReset()
+    getPublicSettings.mockReset()
    login2FA.mockReset()
    apiClientPost.mockReset()
    sendVerifyCode.mockReset()
+    getPublicSettings.mockResolvedValue({
+      turnstile_enabled: false,
+      turnstile_site_key: ''
+    })
  })

  it('does not send adoption decisions during the initial exchange', async () => {
@@ -208,6 +221,72 @@ describe('LinuxDoCallbackView', () => {
    expect(replace).toHaveBeenCalledWith('/profile/security')
  })

+  it('keeps rendering pending bind-login UI when adoption confirmation leads to another pending step', async () => {
+    exchangePendingOAuthCompletion
+      .mockResolvedValueOnce({
+        redirect: '/profile/security',
+        adoption_required: true,
+        suggested_display_name: 'LinuxDo Nick',
+        suggested_avatar_url: 'https://cdn.example/linuxdo.png'
+      })
+      .mockResolvedValueOnce({
+        step: 'bind_login_required',
+        redirect: '/profile/security',
+        email: 'existing@example.com',
+        adoption_required: true,
+        suggested_display_name: 'LinuxDo Nick',
+        suggested_avatar_url: 'https://cdn.example/linuxdo.png'
+      })
+
+    const wrapper = mount(LinuxDoCallbackView, {
+      global: {
+        stubs: {
+          AuthLayout: { template: '<div><slot /></div>' },
+          Icon: true,
+          RouterLink: { template: '<a><slot /></a>' },
+          transition: false
+        }
+      }
+    })
+
+    await flushPromises()
+    await wrapper.findAll('button')[0].trigger('click')
+    await flushPromises()
+
+    expect(showSuccess).not.toHaveBeenCalled()
+    expect(replace).not.toHaveBeenCalled()
+    expect((wrapper.get('[data-testid="linuxdo-bind-login-email"]').element as HTMLInputElement).value).toBe(
+      'existing@example.com'
+    )
+  })
+
+  it('persists a pending auth session when the oauth flow still needs account creation', async () => {
+    exchangePendingOAuthCompletion.mockResolvedValue({
+      error: 'email_required',
+      redirect: '/welcome'
+    })
+
+    mount(LinuxDoCallbackView, {
+      global: {
+        stubs: {
+          AuthLayout: { template: '<div><slot /></div>' },
+          Icon: true,
+          RouterLink: { template: '<a><slot /></a>' },
+          transition: false
+        }
+      }
+    })
+
+    await flushPromises()
+
+    expect(setPendingAuthSession).toHaveBeenCalledWith({
+      token: '',
+      token_field: 'pending_oauth_token',
+      provider: 'linuxdo',
+      redirect: '/welcome'
+    })
+  })
+
  it('renders adoption choices for invitation flow and submits the selected values', async () => {
    exchangePendingOAuthCompletion.mockResolvedValue({
      error: 'invitation_required',
--- a/frontend/src/views/auth/tests/OidcCallbackView.spec.ts
+++ b/frontend/src/views/auth/tests/OidcCallbackView.spec.ts
@@ -7,6 +7,8 @@ const replace = vi.fn()
 const showSuccess = vi.fn()
 const showError = vi.fn()
 const setToken = vi.fn()
+const setPendingAuthSession = vi.fn()
+const clearPendingAuthSession = vi.fn()
 const exchangePendingOAuthCompletion = vi.fn()
 const completeOIDCOAuthRegistration = vi.fn()
 const getPublicSettings = vi.fn()
@@ -40,7 +42,9 @@ vi.mock('vue-i18n', async () => {

 vi.mock('@/stores', () => ({
  useAuthStore: () => ({
-    setToken
+    setToken,
+    setPendingAuthSession,
+    clearPendingAuthSession
  }),
  useAppStore: () => ({
    showSuccess,
@@ -72,6 +76,8 @@ describe('OidcCallbackView', () => {
    showSuccess.mockReset()
    showError.mockReset()
    setToken.mockReset()
+    setPendingAuthSession.mockReset()
+    clearPendingAuthSession.mockReset()
    exchangePendingOAuthCompletion.mockReset()
    completeOIDCOAuthRegistration.mockReset()
    getPublicSettings.mockReset()
@@ -79,7 +85,9 @@ describe('OidcCallbackView', () => {
    apiClientPost.mockReset()
    sendVerifyCode.mockReset()
    getPublicSettings.mockResolvedValue({
-      oidc_oauth_provider_name: 'ExampleID'
+      oidc_oauth_provider_name: 'ExampleID',
+      turnstile_enabled: false,
+      turnstile_site_key: ''
    })
  })

@@ -196,6 +204,72 @@ describe('OidcCallbackView', () => {
    expect(replace).toHaveBeenCalledWith('/profile')
  })

+  it('keeps rendering pending bind-login UI when adoption confirmation leads to another pending step', async () => {
+    exchangePendingOAuthCompletion
+      .mockResolvedValueOnce({
+        redirect: '/profile',
+        adoption_required: true,
+        suggested_display_name: 'OIDC Nick',
+        suggested_avatar_url: 'https://cdn.example/oidc.png'
+      })
+      .mockResolvedValueOnce({
+        step: 'bind_login_required',
+        redirect: '/profile',
+        email: 'existing@example.com',
+        adoption_required: true,
+        suggested_display_name: 'OIDC Nick',
+        suggested_avatar_url: 'https://cdn.example/oidc.png'
+      })
+
+    const wrapper = mount(OidcCallbackView, {
+      global: {
+        stubs: {
+          AuthLayout: { template: '<div><slot /></div>' },
+          Icon: true,
+          RouterLink: { template: '<a><slot /></a>' },
+          transition: false
+        }
+      }
+    })
+
+    await flushPromises()
+    await wrapper.findAll('button')[0].trigger('click')
+    await flushPromises()
+
+    expect(showSuccess).not.toHaveBeenCalled()
+    expect(replace).not.toHaveBeenCalled()
+    expect((wrapper.get('[data-testid="oidc-bind-login-email"]').element as HTMLInputElement).value).toBe(
+      'existing@example.com'
+    )
+  })
+
+  it('persists a pending auth session when the oauth flow still needs account creation', async () => {
+    exchangePendingOAuthCompletion.mockResolvedValue({
+      error: 'email_required',
+      redirect: '/welcome'
+    })
+
+    mount(OidcCallbackView, {
+      global: {
+        stubs: {
+          AuthLayout: { template: '<div><slot /></div>' },
+          Icon: true,
+          RouterLink: { template: '<a><slot /></a>' },
+          transition: false
+        }
+      }
+    })
+
+    await flushPromises()
+
+    expect(setPendingAuthSession).toHaveBeenCalledWith({
+      token: '',
+      token_field: 'pending_oauth_token',
+      provider: 'oidc',
+      redirect: '/welcome'
+    })
+  })
+
  it('renders adoption choices for invitation flow and submits the selected values', async () => {
    exchangePendingOAuthCompletion.mockResolvedValue({
      error: 'invitation_required',