feat(FR-2626): migrate LoginView sToken path to STokenLoginBoundary

Story 2 of Epic FR-2616. Wires up the reusable STokenLoginBoundary
component introduced in Story 1 as the canonical sToken entry point
for the main app (/ and /interactive-login).

Changes:
- Add STokenGuard component in routes.tsx: reads sToken via useSToken
  (nuqs), conditionally wraps the downstream tree with
  STokenLoginBoundary when a token is present, passthrough otherwise.
  Applied to / and /interactive-login routes.
- Add persistPostLoginState helper in helper/loginSessionAuth.ts
  consolidating the non-LoginView-specific post-login side effects
  (last_login / login_attempt counters, clear saved credentials,
  persist api_endpoint, set client.ready) so the route-level onSuccess
  callback and LoginView's panel-based postConnectSetup can keep
  these behaviors in lockstep. client.ready = true is what allows
  useLoginOrchestration to short-circuit on subsequent LoginView
  mounts.
- Remove the sToken branch from LoginView.connectUsingSession
  (previously at lines 455-490). The component no longer reads
  window.location.search for sToken; URL parsing is the route
  wrapper's responsibility via nuqs (spec 'URL 파라미터 파싱 규약').
  Drops the now-unused tokenLogin import.

Behavior parity:
- Already-logged-in users arriving with ?sToken=... skip token_login
  via the boundary's check_login idempotency fast-path (FR-2631).
- Successful sToken auth persists the same localStorage /
  backendaioptions / cookie state the legacy branch did.
- URL cleanup still strips both sToken and the deprecated stoken
  key, now via nuqs setter rather than history.replaceState({}).

Resolves FR-2636, FR-2637, FR-2638 (bundled — same two files,
tightly-coupled change). FR-2639 (E2E regression) ships in the
follow-up PR.

Refs FR-2616, FR-2626

Author: nowgnuesLee

react/src/components/LoginView.tsx

@@ -20,7 +20,6 @@ import {
 import {
   createBackendAIClient,
   connectViaGQL,
-  tokenLogin,
   loadConfigFromWebServer,
   loginWithSAML,
   loginWithOpenID,
@@ -452,42 +451,10 @@ const LoginView: React.FC<{
         block(t('login.PleaseWait'), t('login.ConnectingToCluster'));
       }
 
-      // Check for SSO token
-      const urlParams = new URLSearchParams(window.location.search);
-      const sToken = urlParams.get('sToken');
-      if (sToken) {
-        try {
-          document.cookie = `sToken=${sToken}; expires=Session; path=/; Secure; SameSite=Lax`;
-          const updatedEndpoints = await tokenLogin(
-            client,
-            sToken,
-            configRef.current,
-            endpoints,
-          );
-          setEndpoints(updatedEndpoints);
-
-          // tokenLogin already called connectViaGQL internally; reuse the
-          // shared post-connect helper to stay in sync with the regular
-          // session-login path (login_attempt/last_login, clearSavedLoginInfo,
-          // forceLoginApprovedRef reset, panel close, endpoint persistence).
-          postConnectSetup(client);
-
-          // Strip the sToken from the URL so it doesn't leak into browser
-          // history or get re-processed on refresh.
-          window.history.replaceState({}, '', '/');
-          return;
-        } catch (err) {
-          logger.error('tokenLogin failed', err);
-          notification(t('eduapi.CannotAuthorizeSessionByToken'));
-          // Previously a hard reload cleared the UI; now we must restore
-          // the login panel ourselves so the user isn't stuck in a loading
-          // or blocked state.
-          setIsBlockPanelOpen(false);
-          open();
-          setIsLoading(false);
-          return;
-        }
-      }
+      // sToken (SSO) URL entry is handled entirely by STokenLoginBoundary
+      // at the route level (see routes.tsx `STokenGuard`). LoginView no
+      // longer reads sToken from the URL; when a token is present the
+      // boundary mounts LoginView only after authentication succeeds.
 
       // Do session login
       // client.login() returns only on success (authenticated === true).

react/src/helper/loginSessionAuth.ts

@@ -206,6 +206,45 @@ export async function tokenLogin(
   return connectViaGQL(client, cfg, endpoints);
 }
 
+/**
+ * Persist the state a successful login should leave behind, independent of
+ * which UI surface performed the login (LoginView panel, STokenLoginBoundary,
+ * etc.). Centralized here so every successful login path keeps the same
+ * side effects in lockstep:
+ *
+ *   - `last_login` timestamp + reset of `login_attempt` counter
+ *   - drop any saved username / password / keypair credentials from prior
+ *     signed-out sessions on this device
+ *   - persist the resolved API endpoint into `localStorage` so the next
+ *     cold start can re-use it
+ *   - mark the client `ready` so `useLoginOrchestration` short-circuits on
+ *     subsequent mounts within the same page load
+ *
+ * Callers: LoginView's `postConnectSetup` (for panel-based login) and the
+ * STokenLoginBoundary `onSuccess` route handlers. Kept separate from
+ * `connectViaGQL` because the GQL step also runs for the non-authenticated
+ * paths (e.g. an already-logged-in session refresh) where the counter and
+ * credential-cleanup side effects would be incorrect.
+ */
+export function persistPostLoginState(client: any): void {
+  const options = (globalThis as any).backendaioptions;
+  if (options) {
+    options.set('last_login', Math.floor(Date.now() / 1000), 'general');
+    options.set('login_attempt', 0, 'general');
+  }
+  localStorage.removeItem('backendaiwebui.login.api_key');
+  localStorage.removeItem('backendaiwebui.login.secret_key');
+  localStorage.removeItem('backendaiwebui.login.user_id');
+  localStorage.removeItem('backendaiwebui.login.password');
+  const endpoint = client?._config?.endpoint;
+  if (typeof endpoint === 'string' && endpoint) {
+    localStorage.setItem('backendaiwebui.api_endpoint', endpoint);
+  }
+  if (client) {
+    client.ready = true;
+  }
+}
+
 /**
  * Load webserver config when the api_endpoint differs from current URL origin.
  * Uses React's fetchAndParseConfig instead of the Lit shell's _parseConfig.

react/src/routes.tsx

@@ -12,11 +12,14 @@ import FlexActivityIndicator from './components/FlexActivityIndicator';
 import LocationStateBreadCrumb from './components/LocationStateBreadCrumb';
 import LoginView from './components/LoginView';
 import MainLayout from './components/MainLayout/MainLayout';
+import { STokenLoginBoundary } from './components/STokenLoginBoundary';
 import WebUINavigate from './components/WebUINavigate';
+import { persistPostLoginState } from './helper/loginSessionAuth';
 import { useSuspendedBackendaiClient } from './hooks';
 import { useAutoDiagnostics } from './hooks/useAutoDiagnostics';
 import { useBAISettingUserState } from './hooks/useBAISetting';
 import { LogoutEventHandler } from './hooks/useLogout';
+import { useSToken } from './hooks/useSToken';
 import { useWebUIMenuItems } from './hooks/useWebUIMenuItems';
 // High priority to import the component
 import ComputeSessionListPage from './pages/ComputeSessionListPage';
@@ -692,6 +695,38 @@ const AutoDiagnosticsEffect = () => {
   return null;
 };
 
+/**
+ * Route-level gate that delegates to `STokenLoginBoundary` when an sToken
+ * is present in the URL (transparently passes through otherwise). Sourced
+ * here so the regular `LoginView` + `MainLayout` tree never re-reads the
+ * URL query for authentication — see the spec "URL 파라미터 파싱 규약
+ * (nuqs)" section for the invariant.
+ *
+ * On boundary success, the route-level `onSuccess` persists the login
+ * state (`last_login`, `login_attempt`, saved-credential cleanup,
+ * `api_endpoint`, `client.ready`) and nulls both `sToken` / `stoken` keys
+ * from the URL via the nuqs setter so the token doesn't leak into browser
+ * history or referer headers.
+ */
+const STokenGuard: React.FC<{ children: React.ReactNode }> = ({ children }) => {
+  'use memo';
+  const [sToken, clearSToken] = useSToken();
+  if (!sToken) {
+    return <>{children}</>;
+  }
+  return (
+    <STokenLoginBoundary
+      sToken={sToken}
+      onSuccess={(client) => {
+        persistPostLoginState(client);
+        clearSToken(null);
+      }}
+    >
+      {children}
+    </STokenLoginBoundary>
+  );
+};
+
 /**
  * Root routes configuration
  */
@@ -702,13 +737,15 @@ export const routes: RouteObject[] = [
     element: (
       <BAIErrorBoundary>
         <DefaultProvidersForReactRoot>
-          <Suspense>
-            <LoginView waitForMainLayout={false} />
-          </Suspense>
-          <LogoutEventHandler />
-          <Suspense fallback={<Skeleton active />}>
-            <InteractiveLoginPage />
-          </Suspense>
+          <STokenGuard>
+            <Suspense>
+              <LoginView waitForMainLayout={false} />
+            </Suspense>
+            <LogoutEventHandler />
+            <Suspense fallback={<Skeleton active />}>
+              <InteractiveLoginPage />
+            </Suspense>
+          </STokenGuard>
         </DefaultProvidersForReactRoot>
       </BAIErrorBoundary>
     ),
@@ -771,33 +808,35 @@ export const routes: RouteObject[] = [
     element: (
       <BAIErrorBoundary>
         <DefaultProvidersForReactRoot>
-          <Suspense>
-            <LoginView />
-          </Suspense>
-          {/*FYI, MainLayout has ErrorBoundaryWithNullFallback for <Outlet/> */}
-          <MainLayout />
-          <ErrorBoundaryWithNullFallback>
-            <RoutingEventHandler />
-          </ErrorBoundaryWithNullFallback>
-          <Suspense>
-            <ErrorBoundaryWithNullFallback>
-              <AutoDiagnosticsEffect />
-            </ErrorBoundaryWithNullFallback>
-          </Suspense>
-          <Suspense>
-            <ErrorBoundaryWithNullFallback>
-              <LoginViewLazy />
-            </ErrorBoundaryWithNullFallback>
-            <ErrorBoundaryWithNullFallback>
-              <FolderExplorerOpener />
-            </ErrorBoundaryWithNullFallback>
-            <ErrorBoundaryWithNullFallback>
-              <FolderInvitationResponseModalOpener />
-            </ErrorBoundaryWithNullFallback>
+          <STokenGuard>
+            <Suspense>
+              <LoginView />
+            </Suspense>
+            {/*FYI, MainLayout has ErrorBoundaryWithNullFallback for <Outlet/> */}
+            <MainLayout />
             <ErrorBoundaryWithNullFallback>
-              <FileUploadManager />
+              <RoutingEventHandler />
             </ErrorBoundaryWithNullFallback>
-          </Suspense>
+            <Suspense>
+              <ErrorBoundaryWithNullFallback>
+                <AutoDiagnosticsEffect />
+              </ErrorBoundaryWithNullFallback>
+            </Suspense>
+            <Suspense>
+              <ErrorBoundaryWithNullFallback>
+                <LoginViewLazy />
+              </ErrorBoundaryWithNullFallback>
+              <ErrorBoundaryWithNullFallback>
+                <FolderExplorerOpener />
+              </ErrorBoundaryWithNullFallback>
+              <ErrorBoundaryWithNullFallback>
+                <FolderInvitationResponseModalOpener />
+              </ErrorBoundaryWithNullFallback>
+              <ErrorBoundaryWithNullFallback>
+                <FileUploadManager />
+              </ErrorBoundaryWithNullFallback>
+            </Suspense>
+          </STokenGuard>
         </DefaultProvidersForReactRoot>
       </BAIErrorBoundary>
     ),