feat(FR-2616): handle totp and concurrent-session inline in STokenLoginBoundary

[nowgnuesLee]

Follow-up feature on top of Epic FR-2616. Jira ticket to be filed.

Summary

Extends STokenLoginBoundary to handle two interactive auth challenges inline, without a modal and without splitting into separate components — the existing DefaultErrorCard layout stays, only its action area swaps per error kind.

UX

Error kind	Card status	Description	Actions
totp-required (new)	warning	"Enter the 6-digit code from your authenticator app…"	Inline OTP <Input> + Submit
concurrent-session (activated)	warning	"This account is already signed in somewhere else. Do you want to end the other session and continue here?"	Copy details · Sign in anyway
all other kinds	error	(unchanged)	Copy details · Retry

On Submit, STokenLoginBoundary folds otp: <entered> into extraParams and replays the auth sequence. A failed retry re-renders the OTP card with an invalid-code hint above the input; the OTP itself is single-use (cleared after every retry).

On Sign in anyway, the boundary sets a sticky forceApprovedRef and replays the sequence with force: true folded in. Sticky matches LoginView's forceLoginApprovedRef — a TOTP challenge that arrives after a force approval keeps the force flag on the subsequent retries.

Why

• token_login previously had a latent bug: client.token_login returns { fail_reason } on authenticated: false, which is truthy, so the old !loginSuccess guard passed through and connectViaGQL ran against an unauthenticated client. Introducing TokenLoginFailedError fixes this at the helper layer before the classifier inspects it.
• Classification uses duck-typed field extraction (err.failReason, err.failType) rather than instanceof TokenLoginFailedError so cross-module-instance errors (Jest mocks, HMR reloads) classify identically to direct throws.
• String-match detection mirrors LoginView.handleLoginError's legacy fallback so both entry points classify the same until the webserver surfaces the probe type through client.token_login (tracked by TODO(user-tunable)).

Changes

• react/src/helper/loginSessionAuth.ts
  • TokenLoginFailedError class and structured throw from tokenLogin.
  • extraParams type widened to Record<string, string | boolean> so force: true can pass through alongside string URL params.
• react/src/components/STokenLoginBoundary.tsx
  • STokenLoginError union: totp-required added, concurrent-session wired up end-to-end.
  • pendingOtpRef (single-use) + forceApprovedRef (sticky) retry state.
  • retryWithOtp / retryWithForce handlers; existing retry() preserved for non-interactive kinds.
  • DefaultErrorCard gains onSubmitOtp / onConfirmForce plumbing and kind-branched action area. Card status shifts to warning for the two interactive kinds.
  • New TotpInlineForm subcomponent (kept co-located in the same file, per scope request).
• resources/i18n/en.json, resources/i18n/ko.json
  • ErrorTotpRequiredTitle / ErrorTotpRequiredDescription / ErrorTotpInvalidHint / TotpPlaceholder / SubmitOtp / ForceLogin.
  • ErrorConcurrentSessionDescription updated to match the new force-confirm UX.

Test plan

• bash scripts/verify.sh → ALL PASS
• pnpm --dir react jest src/components/STokenLoginBoundary.test.tsx → 9 passed
• Manual: navigate /?sToken=<TOTP-required> → card shows OTP input, submit retries with otp=…. Wrong code surfaces invalid hint; right code proceeds.
• Manual: navigate with an active second-session setup → card offers "Sign in anyway"; confirming retries with force=true.
• Manual (combined): sToken where the server first issues active-login-session-exists then require-totp-authentication on the force retry → force flag stays on while OTP is submitted.

Follow-ups

• File a Jira sub-task under Epic FR-2616 for this feature.
• Swap string-match classifier for strict type equality once client.token_login surfaces the probe type to the caller. TokenLoginFailedError.failType is already reserved.
• Translations for the 20 non-en/ko locales via the fw:i18n skill.

[nowgnuesLee]

• feat(FR-2616): handle totp and concurrent-session inline in STokenLoginBoundary #6897 👈 (View in Graphite)
• test(FR-2639): add E2E regression for sToken login boundary routes #6865
• feat(FR-2627): migrate EduAppLauncher sToken path to STokenLoginBoundary #6864 : 1 other dependent PR (#6893 )
• feat(FR-2626): migrate LoginView sToken path to STokenLoginBoundary #6861
• refactor(FR-2616): rely on React Compiler ('use memo') for memoization #6857
• test(FR-2633): add unit tests for STokenLoginBoundary #6856
• feat(FR-2632): add default fallback and error card UI for STokenLoginBoundary #6855
• feat(FR-2631): implement STokenLoginBoundary component core #6853 : 1 other dependent PR (#6854 )
• feat(FR-2630): add useSToken hook with nuqs and stoken deprecation warning #6852
• feat(FR-2629): extend tokenLogin helper with optional extraParams #6851
• refactor(FR-2628): rename useEduAppApiEndpoint to useResolvedApiEndpoint #6850
• feat(FR-2618): add sToken login boundary component spec #6828
• main

---

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• flow:merge-queue - adds this PR to the back of the merge queue
• flow:hotfix - for urgent changes, fast-track this PR to the front of the merge queue

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has required the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

Coverage report for ./react

St.❔	Category	Percentage	Covered / Total
🔴	Statements	9.02% (+0.1% 🔼)	1857/20587
🔴	Branches	8.19% (+0.11% 🔼)	1187/14502
🔴	Functions	5.29% (+0.01% 🔼)	295/5578
🔴	Lines	8.76% (+0.11% 🔼)	1749/19973

Show files with reduced coverage 🔻

St.❔	File	Statements	Branches	Functions	Lines
🟡	... / STokenLoginBoundary.tsx	70.92% (-14.14% 🔻)	60.22% (-31.68% 🔻)	47.62% (-21.61% 🔻)	72.99% (-13.05% 🔻)

Test suite run success

865 tests passing in 40 suites.

Report generated by 🧪jest coverage report action from 7005b4b

[Copilot]

Pull request overview

Extends STokenLoginBoundary to handle interactive auth challenges (TOTP and concurrent-session force login) inline within the existing error card UI, while improving token-login failure signaling and adding supporting i18n/E2E coverage.

Changes:

• Add structured token-login failure propagation (fail_reason / fail_type) and throw TokenLoginFailedError on authenticated: false.
• Implement inline TOTP submit flow + concurrent-session “force” retry flow in STokenLoginBoundary, including improved pending-step messaging.
• Add/adjust translations across multiple locales and expand Playwright E2E coverage for the interactive flows.

Reviewed changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
src/lib/backend.ai-client-esm.ts	Surface fail_type alongside fail_reason from token_login for downstream classification.
react/src/helper/loginSessionAuth.ts	Introduce TokenLoginFailedError and ensure token-login failures can’t proceed to connectViaGQL.
react/src/components/STokenLoginBoundary.tsx	Add inline TOTP + concurrent-session force flows, failure classification, and pending-step messaging.
e2e/auth/stoken-login.spec.ts	Add E2E tests mocking /server/token-login to validate OTP/force retry request bodies and UI branching.
resources/i18n/en.json	Update/add sTokenLoginBoundary strings for new pending-step + TOTP flows and revised concurrent-session copy.
resources/i18n/ko.json	Update/add sTokenLoginBoundary strings for new pending-step + TOTP flows and revised concurrent-session copy.
resources/i18n/de.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/el.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/es.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/fi.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/fr.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/id.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/it.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/ja.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/mn.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/ms.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/pl.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/pt.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/pt-BR.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/ru.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/th.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/tr.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/vi.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/zh-CN.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.
resources/i18n/zh-TW.json	Add sTokenLoginBoundary strings for pending-step + interactive flows.

[yomybaby]

LGTM

[graphite-app]

Merge activity

• Apr 23, 10:31 AM UTC: yomybaby added this pull request to the Graphite merge queue.
• Apr 23, 10:32 AM UTC: The Graphite merge queue removed this pull request due to downstack failures on PR #6865.
• Apr 23, 10:32 AM UTC: The Graphite merge queue removed this pull request due to downstack failures on PR #6865.
• Apr 24, 7:47 AM UTC: yomybaby added this pull request to the Graphite merge queue.
• Apr 24, 7:51 AM UTC: Merged by the Graphite merge queue.