feat(FR-2629): extend tokenLogin helper with optional extraParams

nowgnuesLee · nowgnuesLee · commit 66e3c56d1eb9 · 2026-04-23T17:00:59.000+09:00
Add an optional fifth parameter `extraParams?: Record<string, string>` to the `tokenLogin` helper in `loginSessionAuth.ts`. When provided, it is forwarded to `client.token_login(sToken, extraParams)` so callers can pass additional query parameters collected from the URL (e.g. EduAppLauncher's `app`, `session_id`, `cpu`, `mem`). Existing LoginView caller remains valid since the parameter is optional and defaults to an empty object internally. This closes Open Question 1 from the spec (option (a) — extend over bypass). Refs FR-2616
diff --git a/react/src/helper/loginSessionAuth.ts b/react/src/helper/loginSessionAuth.ts
@@ -171,14 +171,35 @@ export async function connectViaGQL(
 
 /**
  * Perform token-based login (SSO).
+ *
+ * `extraParams` are forwarded to `client.token_login` alongside the `sToken`
+ * argument. Callers typically collect these from URL query parameters (for
+ * example, EduAppLauncher forwards `app`, `session_id`, resource hints) for
+ * the server-side token handler. LoginView callers that do not need to
+ * forward anything can omit the argument.
+ *
+ * Reserved keys (`sToken`, `stoken`) are stripped from `extraParams` before
+ * forwarding so that the explicit `sToken` argument always wins, regardless
+ * of whether a caller accidentally (or maliciously) included the token in
+ * the forwarded query parameters. `client.token_login` merges `extraParams`
+ * into the request body via `Object.assign`, so an unsanitized map would
+ * otherwise overwrite the authenticated token field.
  */
 export async function tokenLogin(
   client: any,
   sToken: string,
   cfg: LoginConfigState,
   endpoints: string[],
+  extraParams?: Record<string, string>,
 ): Promise<string[]> {
-  const loginSuccess = await client.token_login(sToken);
+  const sanitizedExtraParams = extraParams
+    ? Object.fromEntries(
+        Object.entries(extraParams).filter(
+          ([key]) => key !== 'sToken' && key !== 'stoken',
+        ),
+      )
+    : {};
+  const loginSuccess = await client.token_login(sToken, sanitizedExtraParams);
   if (!loginSuccess) {
     throw new Error('Cannot authorize session by token.');
   }
