feat: implement device login approval system

Add a complete device authentication approval flow that allows users to approve login requests from new devices on their already-authenticated devices. Core features: - Create authentication requests when logging in from new devices - Display pending requests with device info, IP address, and fingerprint phrases - Approve or deny requests from web interface with real-time notifications - Support multiple auth request types (authenticate & unlock, unlock only) - Automatic expiration and cleanup of stale requests Backend changes: - Add auth_requests table with proper indexes for efficient queries - Implement full CRUD API for authentication requests - Add notification hub integration for real-time updates - Add device fingerprint phrase generation for security verification Frontend changes: - Add AuthRequestApprovalDialog component for approving/denying requests - Add PendingAuthRequestsPanel component to display and manage pending requests - Integrate panels into Security and Settings pages - Add fingerprint wordlist for generating human-readable verification phrases - Update i18n translations for all supported languages Security considerations: - Access code verification to prevent unauthorized access - Device fingerprint validation for additional security layer - IP address and country tracking for audit purposes - Automatic expiration of old requests (15 minutes) - Only most recent request per device can be approved Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-22 21:50:13 +00:00 · 2026-06-12 13:12:11 +08:00
parent e9aef72df7
commit c652cc1533
27 changed files with 9187 additions and 92 deletions
@@ -389,3 +389,83 @@
 .mobile-sidebar-head {
  @apply hidden;
 }
+
+.auth-request-details {
+  display: grid;
+  gap: 12px;
+  margin: 12px 0 4px;
+}
+
+.auth-request-device {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  border: 1px solid var(--line-soft);
+  border-radius: 8px;
+  padding: 10px;
+  background: color-mix(in srgb, var(--primary) 7%, var(--panel));
+}
+
+.auth-request-device svg {
+  color: var(--primary-strong);
+  flex: 0 0 auto;
+}
+
+.auth-request-device div,
+.account-passkey-main {
+  min-width: 0;
+}
+
+.auth-request-device strong,
+.auth-request-device small {
+  display: block;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.auth-request-device small {
+  color: var(--muted);
+}
+
+.auth-request-kv {
+  display: flex;
+  justify-content: space-between;
+  gap: 12px;
+  font-size: var(--font-sm);
+}
+
+.auth-request-kv span,
+.auth-request-fingerprint span {
+  color: var(--muted);
+}
+
+.auth-request-kv strong {
+  color: var(--text);
+  text-align: right;
+}
+
+.auth-request-fingerprint {
+  display: grid;
+  gap: 6px;
+  border: 1px solid var(--line-soft);
+  border-radius: 8px;
+  padding: 10px;
+}
+
+.auth-request-fingerprint strong,
+.auth-request-fingerprint-inline {
+  overflow-wrap: anywhere;
+  font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", monospace;
+  font-size: var(--font-sm);
+  line-height: 1.45;
+}
+
+.auth-request-row {
+  align-items: start;
+}
+
+.auth-request-fingerprint-inline {
+  color: var(--muted-strong);
+  max-width: 260px;
+}