feat(FR-2616): handle totp and concurrent-session inline in STokenLoginBoundary

- STokenLoginError gains `totp-required` (with `invalidOtp` hint); the
  existing `concurrent-session` kind is now wired up end-to-end.
- `tokenLogin` helper throws a structured `TokenLoginFailedError` instead
  of a generic `Error`, fixing a latent bug where a `{ fail_reason }`
  return value (truthy object) was treated as success by the caller.
- `STokenLoginBoundary` keeps a pending OTP ref (single-use) and a sticky
  `forceApprovedRef`; both fold into `extraParams` on the next retry.
- `DefaultErrorCard` swaps its action area in place for `totp-required`
  (OTP input + Submit) and `concurrent-session` (Copy details + Sign in
  anyway) — no separate modal, no layout split. Card status shifts from
  `error` to `warning` for these two kinds so the user reads them as
  required follow-ups, not terminal failures.
- Classification uses duck-typed field extraction instead of
  `instanceof TokenLoginFailedError` so cross-module-instance errors
  (Jest mocks, HMR reloads) classify the same.
- TODO(user-tunable): once `client.token_login` surfaces the probe
  `type`, replace the string-matching classifier with `type`
  comparisons. The current substrings mirror LoginView's legacy
  fallback.

Author: nowgnuesLee

react/src/components/STokenLoginBoundary.tsx

@@ -169,26 +169,77 @@ export async function connectViaGQL(
   return updatedEndpoints;
 }
 
+/**
+ * Structured error thrown by `tokenLogin` when the webserver reports
+ * `authenticated === false`. Carries the raw `fail_reason` string and the
+ * authenticated-probe `type` when available so callers (the
+ * `STokenLoginBoundary` classifier) can discriminate `require-totp-*`,
+ * `active-login-session-exists`, and generic invalid-token cases without
+ * string-matching the user-visible message.
+ *
+ * The prior implementation collapsed every non-success result into a
+ * generic `Error('Cannot authorize session by token.')`, which silently
+ * broke for `{ fail_reason }` returns (`client.token_login` returns an
+ * object in that case — truthy, so the old `!loginSuccess` check passed
+ * through and `connectViaGQL` ran against an unauthenticated client).
+ */
+export class TokenLoginFailedError extends Error {
+  readonly failReason: string | null;
+  readonly failType: string | null;
+  readonly raw: unknown;
+  constructor(
+    failReason: string | null,
+    failType: string | null,
+    raw: unknown,
+  ) {
+    super(failReason ?? 'Cannot authorize session by token.');
+    this.name = 'TokenLoginFailedError';
+    this.failReason = failReason;
+    this.failType = failType;
+    this.raw = raw;
+  }
+}
+
 /**
  * Perform token-based login (SSO).
  *
  * `extraParams` are forwarded to `client.token_login` as-is. This is used by
  * token URL entry points that need to pass additional query parameters
  * collected from the URL (for example, EduAppLauncher forwards `app`,
- * `session_id`, resource hints) to the server-side token handler.
- * LoginView callers that do not need to forward anything can omit the
- * argument.
+ * `session_id`, resource hints) to the server-side token handler. The
+ * `STokenLoginBoundary` also folds interactive inputs (`otp`, `force`)
+ * into this object when retrying after a TOTP or concurrent-session
+ * challenge. LoginView callers that do not need to forward anything can
+ * omit the argument.
  */
 export async function tokenLogin(
   client: any,
   sToken: string,
   cfg: LoginConfigState,
   endpoints: string[],
-  extraParams?: Record<string, string>,
+  extraParams?: Record<string, string | boolean>,
 ): Promise<string[]> {
-  const loginSuccess = await client.token_login(sToken, extraParams ?? {});
-  if (!loginSuccess) {
-    throw new Error('Cannot authorize session by token.');
+  const result = await client.token_login(sToken, extraParams ?? {});
+  // `client.token_login` returns:
+  //   - truthy check_login result object                       → authenticated
+  //   - `{ fail_reason: string, fail_type: string }`           → authenticated: false
+  //   - `false`                                                → authenticated: false, no envelope
+  // Only the first is a successful login.
+  const failed =
+    result === false ||
+    result == null ||
+    (typeof result === 'object' &&
+      ('fail_reason' in result || 'fail_type' in result));
+  if (failed) {
+    const envelope =
+      typeof result === 'object' && result
+        ? (result as { fail_reason?: string; fail_type?: string })
+        : null;
+    throw new TokenLoginFailedError(
+      envelope?.fail_reason ?? null,
+      envelope?.fail_type ?? null,
+      result,
+    );
   }
   return connectViaGQL(client, cfg, endpoints);
 }

react/src/helper/loginSessionAuth.ts

@@ -2068,6 +2068,17 @@
     "SharedMemory": "Gemeinsamer Speicher",
     "Updated": "Ressourcenvoreinstellung aktualisiert"
   },
+  "sTokenLoginBoundary": {
+    "AuthenticatingDescription": "Ihr Anmelde-Token wird verifiziert…",
+    "ConnectingDescription": "Verbindung mit dem Backend.AI-Server wird hergestellt…",
+    "ErrorConcurrentSessionDescription": "Sie sind bereits an einem anderen Ort angemeldet. Möchten Sie die bestehende Anmeldung beenden und sich hier anmelden?",
+    "ErrorConcurrentSessionTitle": "An anderer Stelle angemeldet",
+    "ErrorTotpInvalidHint": "Der eingegebene Code wurde nicht akzeptiert. Bitte versuchen Sie es erneut.",
+    "ErrorTotpRequiredDescription": "Geben Sie den Code aus Ihrer Authentifizierungs-App ein, um fortzufahren.",
+    "ErrorTotpRequiredTitle": "Zwei-Faktor-Authentifizierung erforderlich",
+    "SubmitOtp": "Bestätigen",
+    "TotpPlaceholder": "Authentifizierungscode"
+  },
   "scanArtifactModelsFromHuggingFaceModal": {
     "EnterAModelID": "Geben Sie die Modell-ID ein. (z. B.: openai/gpt-oss-20b)",
     "EnterAVersion": "Geben Sie die Version ein. (Standard: main)",

resources/i18n/de.json

@@ -2066,6 +2066,17 @@
     "SharedMemory": "Κοινόχρηστη μνήμη",
     "Updated": "Η προεπιλογή πόρων ενημερώθηκε"
   },
+  "sTokenLoginBoundary": {
+    "AuthenticatingDescription": "Το διακριτικό σύνδεσής σας επαληθεύεται…",
+    "ConnectingDescription": "Σύνδεση με τον διακομιστή Backend.AI…",
+    "ErrorConcurrentSessionDescription": "Έχετε ήδη συνδεθεί αλλού. Θέλετε να τερματίσετε την υπάρχουσα σύνδεση και να συνδεθείτε εδώ;",
+    "ErrorConcurrentSessionTitle": "Συνδεδεμένος/η από άλλη τοποθεσία",
+    "ErrorTotpInvalidHint": "Ο κωδικός που εισαγάγατε δεν έγινε αποδεκτός. Παρακαλώ δοκιμάστε ξανά.",
+    "ErrorTotpRequiredDescription": "Εισαγάγετε τον κωδικό από την εφαρμογή ελέγχου ταυτότητας για να συνεχίσετε.",
+    "ErrorTotpRequiredTitle": "Απαιτείται έλεγχος ταυτότητας δύο παραγόντων",
+    "SubmitOtp": "Υποβολή",
+    "TotpPlaceholder": "Κωδικός αυθεντικοποίησης"
+  },
   "scanArtifactModelsFromHuggingFaceModal": {
     "EnterAModelID": "Εισαγάγετε το ID του μοντέλου. (π.χ.: openai/gpt-oss-20b)",
     "EnterAVersion": "Εισαγάγετε την έκδοση. (Προεπιλογή: main)",

resources/i18n/el.json

@@ -2077,11 +2077,12 @@
     "Updated": "Resource preset updated"
   },
   "sTokenLoginBoundary": {
-    "AuthenticatingDescription": "Authenticating with your single sign-on token. This usually takes only a moment.",
+    "AuthenticatingDescription": "Verifying your sign-in token…",
     "AuthenticatingTitle": "Signing you in",
+    "ConnectingDescription": "Connecting to the Backend.AI server…",
     "CopyErrorDetails": "Copy error details",
-    "ErrorConcurrentSessionDescription": "This account is already signed in somewhere else. Please close the other session and try again.",
-    "ErrorConcurrentSessionTitle": "Another active session was detected.",
+    "ErrorConcurrentSessionDescription": "You are already logged in elsewhere. Would you like to end the existing session and log in here?",
+    "ErrorConcurrentSessionTitle": "Logged in elsewhere",
     "ErrorDetailsCopied": "Error details copied to clipboard.",
     "ErrorEndpointUnresolvedDescription": "The Backend.AI server address could not be resolved from the configuration file. Please try again in a moment or contact your administrator.",
     "ErrorEndpointUnresolvedTitle": "Server configuration is unavailable.",
@@ -2091,9 +2092,14 @@
     "ErrorServerUnreachableTitle": "Cannot reach the Backend.AI server.",
     "ErrorTokenInvalidDescription": "The sign-in token may have expired or been revoked. Please restart the sign-in flow from your original application.",
     "ErrorTokenInvalidTitle": "Your sign-in token is not valid.",
+    "ErrorTotpInvalidHint": "The code you entered was not accepted. Please try again.",
+    "ErrorTotpRequiredDescription": "Enter the code from your authenticator app to continue.",
+    "ErrorTotpRequiredTitle": "Two-factor authentication required",
     "ErrorUnknownDescription": "An unexpected error occurred while signing in. Please try again, and copy the error details below if the problem persists.",
     "ErrorUnknownTitle": "Sign-in failed unexpectedly.",
-    "Retry": "Retry"
+    "Retry": "Retry",
+    "SubmitOtp": "Submit",
+    "TotpPlaceholder": "Authenticator code"
   },
   "scanArtifactModelsFromHuggingFaceModal": {
     "EnterAModelID": "Enter a model ID. (e.g. openai/gpt-oss-20b)",

resources/i18n/en.json

@@ -2066,6 +2066,17 @@
     "SharedMemory": "Memoria compartida",
     "Updated": "Preajuste de recursos actualizado"
   },
+  "sTokenLoginBoundary": {
+    "AuthenticatingDescription": "Verificando su token de inicio de sesión…",
+    "ConnectingDescription": "Conectando al servidor Backend.AI…",
+    "ErrorConcurrentSessionDescription": "Ya ha iniciado sesión en otro lugar. ¿Desea cerrar la sesión existente e iniciar sesión aquí?",
+    "ErrorConcurrentSessionTitle": "Sesión iniciada en otro lugar",
+    "ErrorTotpInvalidHint": "El código introducido no fue aceptado. Por favor, inténtelo de nuevo.",
+    "ErrorTotpRequiredDescription": "Ingrese el código de su aplicación de autenticación para continuar.",
+    "ErrorTotpRequiredTitle": "Se requiere autenticación de dos factores",
+    "SubmitOtp": "Enviar",
+    "TotpPlaceholder": "Código de autenticación"
+  },
   "scanArtifactModelsFromHuggingFaceModal": {
     "EnterAModelID": "Introduzca el ID del modelo. (p. ej.: openai/gpt-oss-20b)",
     "EnterAVersion": "Introduzca la versión. (Predeterminado: main)",

resources/i18n/es.json

@@ -2066,6 +2066,17 @@
     "SharedMemory": "Jaettu muisti",
     "Updated": "Resurssien esiasetus päivitetty"
   },
+  "sTokenLoginBoundary": {
+    "AuthenticatingDescription": "Kirjautumistunnistettasi varmennetaan…",
+    "ConnectingDescription": "Yhdistetään Backend.AI-palvelimeen…",
+    "ErrorConcurrentSessionDescription": "Olet jo kirjautunut sisään toisessa paikassa. Haluatko lopettaa nykyisen istunnon ja kirjautua sisään täällä?",
+    "ErrorConcurrentSessionTitle": "Kirjautunut muualta",
+    "ErrorTotpInvalidHint": "Antamasi koodi ei kelpaa. Yritä uudelleen.",
+    "ErrorTotpRequiredDescription": "Syötä koodi todennussovelluksestasi jatkaaksesi.",
+    "ErrorTotpRequiredTitle": "Kaksivaiheinen todennus vaaditaan",
+    "SubmitOtp": "Lähetä",
+    "TotpPlaceholder": "Todennuskoodi"
+  },
   "scanArtifactModelsFromHuggingFaceModal": {
     "EnterAModelID": "Syötä mallin tunnus (esim. openai/gpt-oss-20b)",
     "EnterAVersion": "Syötä versio. (Oletus: main)",

resources/i18n/fi.json

@@ -2068,6 +2068,17 @@
     "SharedMemory": "Mémoire partagée",
     "Updated": "Préréglage de ressource mis à jour"
   },
+  "sTokenLoginBoundary": {
+    "AuthenticatingDescription": "Vérification de votre jeton de connexion…",
+    "ConnectingDescription": "Connexion au serveur Backend.AI…",
+    "ErrorConcurrentSessionDescription": "Vous êtes déjà connecté ailleurs. Voulez-vous déconnecter la session existante et vous connecter ici ?",
+    "ErrorConcurrentSessionTitle": "Connecté ailleurs",
+    "ErrorTotpInvalidHint": "Le code saisi n'a pas été accepté. Veuillez réessayer.",
+    "ErrorTotpRequiredDescription": "Saisissez le code de votre application d'authentification pour continuer.",
+    "ErrorTotpRequiredTitle": "Authentification à deux facteurs requise",
+    "SubmitOtp": "Valider",
+    "TotpPlaceholder": "Code d'authentification"
+  },
   "scanArtifactModelsFromHuggingFaceModal": {
     "EnterAModelID": "Saisissez l'ID du modèle. (ex : openai/gpt-oss-20b)",
     "EnterAVersion": "Saisissez la version. (Par défaut : main)",

resources/i18n/fr.json

@@ -2069,6 +2069,17 @@
     "SharedMemory": "Memori bersama",
     "Updated": "Preset sumber daya diperbarui"
   },
+  "sTokenLoginBoundary": {
+    "AuthenticatingDescription": "Memverifikasi token masuk Anda…",
+    "ConnectingDescription": "Menghubungkan ke server Backend.AI…",
+    "ErrorConcurrentSessionDescription": "Anda sudah masuk di tempat lain. Ingin mengakhiri sesi yang ada dan masuk di sini?",
+    "ErrorConcurrentSessionTitle": "Sedang masuk di tempat lain",
+    "ErrorTotpInvalidHint": "Kode yang Anda masukkan tidak diterima. Silakan coba lagi.",
+    "ErrorTotpRequiredDescription": "Masukkan kode dari aplikasi autentikasi Anda untuk melanjutkan.",
+    "ErrorTotpRequiredTitle": "Autentikasi dua faktor diperlukan",
+    "SubmitOtp": "Kirim",
+    "TotpPlaceholder": "Kode autentikasi"
+  },
   "scanArtifactModelsFromHuggingFaceModal": {
     "EnterAModelID": "Masukkan ID model. (Contoh: openai/gpt-oss-20b)",
     "EnterAVersion": "Masukkan versi. (Nilai bawaan: main)",

resources/i18n/id.json

@@ -2066,6 +2066,17 @@
     "SharedMemory": "Memoria condivisa",
     "Updated": "Preimpostazione delle risorse aggiornata"
   },
+  "sTokenLoginBoundary": {
+    "AuthenticatingDescription": "Verifica del token di accesso in corso…",
+    "ConnectingDescription": "Connessione al server Backend.AI…",
+    "ErrorConcurrentSessionDescription": "Sei già connesso altrove. Vuoi terminare la sessione esistente e accedere qui?",
+    "ErrorConcurrentSessionTitle": "Accesso da un altro dispositivo",
+    "ErrorTotpInvalidHint": "Il codice inserito non è stato accettato. Riprova.",
+    "ErrorTotpRequiredDescription": "Inserisci il codice dell'app di autenticazione per continuare.",
+    "ErrorTotpRequiredTitle": "Autenticazione a due fattori richiesta",
+    "SubmitOtp": "Invia",
+    "TotpPlaceholder": "Codice di autenticazione"
+  },
   "scanArtifactModelsFromHuggingFaceModal": {
     "EnterAModelID": "Inserisci l'ID del modello. (es.: openai/gpt-oss-20b)",
     "EnterAVersion": "Inserisci la versione. (Predefinito: main)",