Class LoginHandler
POST /api/v2/auth/login.
Authentication entry point for the static theme SPA. Performs a tiered set
of cheap-first gates: IP rate-limit, body parsing, presence checks,
per-user rate-limit, then finally credential verification via
FessLoginAssist. On success the response carries the freshly issued
CSRF token and an echo of return_to (only when it is a relative
path — protocol-relative URLs are rejected to prevent open-redirect).
Constructor-injected LoginRateLimiter keeps the handler easy to
test: production wires the DI-managed singleton via
ComponentUtil.getLoginRateLimiter(), tests pass a fresh instance.
MJ-30 i18n contract: error.message values in this handler are
developer-facing English strings. Clients MUST use error.code
(the V2ErrorCode token) for user-facing i18n. This is intentional — the
v2 wire spec explicitly separates machine-readable codes from human messages.
-
Constructor Summary
ConstructorsConstructorDescriptionDefault constructor used by the DI container.LoginHandler(LoginRateLimiter limiter) Test-friendly constructor allowing the caller to inject a specificLoginRateLimiterinstance (e.g. -
Method Summary
Modifier and TypeMethodDescriptionvoidhandle(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) Processes onePOST /api/v2/auth/loginrequest.
-
Constructor Details
-
LoginHandler
public LoginHandler()Default constructor used by the DI container. The handler resolves the sharedLoginRateLimiterlazily vialimiter()so DI bootstrap order is not constrained. The handler holds no per-request state and is safe to share across concurrent requests. -
LoginHandler
Test-friendly constructor allowing the caller to inject a specificLoginRateLimiterinstance (e.g. with a controllable clock). Passingnullcauses the handler to resolve the DI-managed singleton viaComponentUtil.getLoginRateLimiter()on first use.- Parameters:
limiter- the rate limiter to use, ornullto resolve via DI
-
-
Method Details
-
handle
public void handle(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws IOException Processes onePOST /api/v2/auth/loginrequest.Applies a tiered set of cheap-first gates (IP rate-limit, body parse, presence checks, per-user rate-limit) before invoking
FessLoginAssistfor credential verification. On success the response carries the freshly issued CSRF token and an echo of the safereturn_tovalue; failures map to v2 error codes (V2ErrorCode.RATE_LIMITED,V2ErrorCode.INVALID_REQUEST,V2ErrorCode.AUTH_REQUIRED,V2ErrorCode.INTERNAL_ERROR).- Parameters:
req- the incoming HTTP requestres- the HTTP response to write to- Throws:
IOException- if writing the envelope or reading the body fails
-