Ilia Denisov
9101aba816
Adds a minimal Svelte 5 i18n primitive (`src/lib/i18n/`) backing the
login form, the layout blocker page, and the lobby placeholder.
SUPPORTED_LOCALES drives both the picker and the runtime lookup;
adding a language is a two-step change inside `src/lib/i18n/`.
Login form gains a globe-icon language dropdown (English / Русский
in their native names), defaulting to navigator.languages with `en`
as the fallback. Switching the locale re-renders the form in place;
on submit, the locale rides in the JSON body of `send-email-code`
because Safari/WebKit silently drops JS-set Accept-Language. Gateway
gains a body `locale` field that takes priority over the request
header for preferred-language resolution.
Email and code inputs disable browser autofill / suggestions
(`autocomplete=off` + `autocorrect=off` + `autocapitalize=off` +
`spellcheck=false`) so Keychain / address-book pickers and
remembered-value dropdowns no longer fire on focus.
Cross-cuts:
- backend & gateway openapi: clarify that body `locale` is honored.
- docs/FUNCTIONAL{,_ru}.md §1.2: document body-vs-header priority.
- gateway tests: body `locale` overrides Accept-Language; blank
body `locale` falls back to header.
- new ui/docs/i18n.md; cross-links from auth-flow.md and ui/README.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
186 lines
5.7 KiB
TypeScript
186 lines
5.7 KiB
TypeScript
// Thin wrappers around the gateway public auth REST surface used by
|
|
// the email-code login flow. The two exported functions correspond
|
|
// 1:1 to the OpenAPI operations defined in
|
|
// `backend/openapi.yaml`:
|
|
//
|
|
// POST /api/v1/public/auth/send-email-code
|
|
// POST /api/v1/public/auth/confirm-email-code
|
|
//
|
|
// Both endpoints are unauthenticated — the device session does not
|
|
// exist yet during send-code, and confirm-code is the call that
|
|
// creates one. Persisting the returned `device_session_id` is the
|
|
// caller's responsibility (see `lib/session-store.svelte.ts`).
|
|
//
|
|
// `Accept-Language` is set automatically by the browser; the gateway
|
|
// reads it for the auth-mail localisation. We do not duplicate the
|
|
// value into the optional `locale` body field.
|
|
|
|
const SEND_EMAIL_CODE_PATH = "/api/v1/public/auth/send-email-code";
|
|
const CONFIRM_EMAIL_CODE_PATH = "/api/v1/public/auth/confirm-email-code";
|
|
|
|
export interface SendEmailCodeResult {
|
|
challengeId: string;
|
|
}
|
|
|
|
export interface SendEmailCodeOptions {
|
|
/**
|
|
* locale is forwarded inside the JSON body and read by the
|
|
* gateway in preference to the request `Accept-Language` header.
|
|
* The body field is the canonical channel because Safari/WebKit
|
|
* silently drops JS-set `Accept-Language` headers, while the
|
|
* body round-trips correctly on every supported engine. When the
|
|
* caller omits this option the browser-default Accept-Language
|
|
* remains the gateway's only signal and the auth-mail uses the
|
|
* system locale.
|
|
*/
|
|
locale?: string;
|
|
}
|
|
|
|
export interface ConfirmEmailCodeInput {
|
|
challengeId: string;
|
|
code: string;
|
|
publicKey: Uint8Array;
|
|
timeZone: string;
|
|
}
|
|
|
|
export interface ConfirmEmailCodeResult {
|
|
deviceSessionId: string;
|
|
}
|
|
|
|
/**
|
|
* AuthError is thrown by `sendEmailCode` and `confirmEmailCode` for
|
|
* every non-2xx gateway response. `code` mirrors the stable
|
|
* machine-readable identifier from the gateway error envelope
|
|
* (`invalid_request`, `service_unavailable`, `internal_error`, ...);
|
|
* `status` is the HTTP status that produced the error.
|
|
*/
|
|
export class AuthError extends Error {
|
|
readonly code: string;
|
|
readonly status: number;
|
|
|
|
constructor(code: string, message: string, status: number) {
|
|
super(message);
|
|
this.name = "AuthError";
|
|
this.code = code;
|
|
this.status = status;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* sendEmailCode issues a login challenge for `email`. The gateway
|
|
* returns the same opaque `challenge_id` shape regardless of whether
|
|
* the address belongs to a new, existing, or throttled account, so
|
|
* the caller cannot use the response to enumerate accounts.
|
|
*/
|
|
export async function sendEmailCode(
|
|
baseUrl: string,
|
|
email: string,
|
|
options?: SendEmailCodeOptions,
|
|
): Promise<SendEmailCodeResult> {
|
|
const requestBody: Record<string, string> = { email };
|
|
if (options?.locale !== undefined && options.locale !== "") {
|
|
requestBody.locale = options.locale;
|
|
}
|
|
const response = await fetch(joinUrl(baseUrl, SEND_EMAIL_CODE_PATH), {
|
|
method: "POST",
|
|
headers: { "content-type": "application/json" },
|
|
body: JSON.stringify(requestBody),
|
|
});
|
|
if (!response.ok) {
|
|
throw await readAuthError(response);
|
|
}
|
|
const responseBody = (await response.json()) as { challenge_id?: unknown };
|
|
if (
|
|
typeof responseBody.challenge_id !== "string" ||
|
|
responseBody.challenge_id.length === 0
|
|
) {
|
|
throw new AuthError(
|
|
"internal_error",
|
|
"gateway returned a malformed send-email-code response",
|
|
response.status,
|
|
);
|
|
}
|
|
return { challengeId: responseBody.challenge_id };
|
|
}
|
|
|
|
/**
|
|
* confirmEmailCode submits the verification code and the device's
|
|
* Ed25519 public key. On success the gateway returns the new device
|
|
* session identifier; persistence of that identifier is the caller's
|
|
* responsibility.
|
|
*/
|
|
export async function confirmEmailCode(
|
|
baseUrl: string,
|
|
input: ConfirmEmailCodeInput,
|
|
): Promise<ConfirmEmailCodeResult> {
|
|
const response = await fetch(joinUrl(baseUrl, CONFIRM_EMAIL_CODE_PATH), {
|
|
method: "POST",
|
|
headers: { "content-type": "application/json" },
|
|
body: JSON.stringify({
|
|
challenge_id: input.challengeId,
|
|
code: input.code,
|
|
client_public_key: encodeBase64(input.publicKey),
|
|
time_zone: input.timeZone,
|
|
}),
|
|
});
|
|
if (!response.ok) {
|
|
throw await readAuthError(response);
|
|
}
|
|
const body = (await response.json()) as { device_session_id?: unknown };
|
|
if (
|
|
typeof body.device_session_id !== "string" ||
|
|
body.device_session_id.length === 0
|
|
) {
|
|
throw new AuthError(
|
|
"internal_error",
|
|
"gateway returned a malformed confirm-email-code response",
|
|
response.status,
|
|
);
|
|
}
|
|
return { deviceSessionId: body.device_session_id };
|
|
}
|
|
|
|
async function readAuthError(response: Response): Promise<AuthError> {
|
|
let code = "";
|
|
let message = "";
|
|
try {
|
|
const body = (await response.json()) as {
|
|
error?: { code?: unknown; message?: unknown };
|
|
};
|
|
const err = body.error;
|
|
if (err && typeof err.code === "string") {
|
|
code = err.code;
|
|
}
|
|
if (err && typeof err.message === "string") {
|
|
message = err.message;
|
|
}
|
|
} catch {
|
|
// Body was not JSON or could not be parsed; fall through to
|
|
// generic defaults below.
|
|
}
|
|
if (code.length === 0) {
|
|
code = response.status >= 500 ? "internal_error" : "invalid_request";
|
|
}
|
|
if (message.length === 0) {
|
|
message =
|
|
response.status >= 500
|
|
? "service is temporarily unavailable"
|
|
: `request rejected (${response.status})`;
|
|
}
|
|
return new AuthError(code, message, response.status);
|
|
}
|
|
|
|
function joinUrl(baseUrl: string, path: string): string {
|
|
const trimmedBase = baseUrl.endsWith("/") ? baseUrl.slice(0, -1) : baseUrl;
|
|
const trimmedPath = path.startsWith("/") ? path : `/${path}`;
|
|
return `${trimmedBase}${trimmedPath}`;
|
|
}
|
|
|
|
function encodeBase64(bytes: Uint8Array): string {
|
|
let binary = "";
|
|
for (let i = 0; i < bytes.length; i++) {
|
|
binary += String.fromCharCode(bytes[i]!);
|
|
}
|
|
return btoa(binary);
|
|
}
|