Phase 1 scaffold: auth for all apps

- Backend: Fastify with two listeners (public + internal), routes, services, DB migration + seed - client_app: Flutter with BLoC, all auth screens (welcome, display name, register, OTP, force-register) - mitra_app: Flutter with BLoC, OTP-only login - control_center: React + Vite, email/password login, mitra/user management, anonymity settings - Docs: phase1 plan, API contract, client app mockup - CLAUDE.md and shared memory for all subprojects Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 10:08:42 +08:00
commit a7a2a32d27
85 changed files with 3953 additions and 0 deletions
--- a/mitra_app/lib/core/api/api_client.dart
+++ b/mitra_app/lib/core/api/api_client.dart
@@ -0,0 +1,30 @@
+import 'package:dio/dio.dart';
+import 'package:firebase_auth/firebase_auth.dart';
+
+class ApiClient {
+  static const String _baseUrl = String.fromEnvironment(
+    'API_BASE_URL',
+    defaultValue: 'https://api.halobestie.com',
+  );
+
+  late final Dio _dio;
+
+  ApiClient() {
+    _dio = Dio(BaseOptions(baseUrl: _baseUrl));
+    _dio.interceptors.add(InterceptorsWrapper(
+      onRequest: (options, handler) async {
+        final user = FirebaseAuth.instance.currentUser;
+        if (user != null) {
+          final token = await user.getIdToken();
+          options.headers['Authorization'] = 'Bearer $token';
+        }
+        handler.next(options);
+      },
+    ));
+  }
+
+  Future<Map<String, dynamic>> post(String path, {Map<String, dynamic>? data}) async {
+    final response = await _dio.post(path, data: data);
+    return response.data as Map<String, dynamic>;
+  }
+}
--- a/mitra_app/lib/core/auth/auth_bloc.dart
+++ b/mitra_app/lib/core/auth/auth_bloc.dart
@@ -0,0 +1,115 @@
+import 'package:equatable/equatable.dart';
+import 'package:firebase_auth/firebase_auth.dart';
+import 'package:flutter_bloc/flutter_bloc.dart';
+import '../api/api_client.dart';
+
+// Events
+abstract class AuthEvent extends Equatable {
+  @override
+  List<Object?> get props => [];
+}
+
+class AppStarted extends AuthEvent {}
+class PhoneOtpRequested extends AuthEvent {
+  final String phone;
+  PhoneOtpRequested(this.phone);
+  @override List<Object?> get props => [phone];
+}
+class OtpVerified extends AuthEvent {
+  final String verificationId;
+  final String smsCode;
+  OtpVerified(this.verificationId, this.smsCode);
+  @override List<Object?> get props => [verificationId, smsCode];
+}
+class LogoutRequested extends AuthEvent {}
+
+// States
+abstract class AuthState extends Equatable {
+  @override
+  List<Object?> get props => [];
+}
+
+class AuthInitial extends AuthState {}
+class AuthLoading extends AuthState {}
+class AuthAuthenticated extends AuthState {
+  final Map<String, dynamic> profile;
+  AuthAuthenticated(this.profile);
+  @override List<Object?> get props => [profile];
+}
+class AuthOtpSent extends AuthState {
+  final String verificationId;
+  AuthOtpSent(this.verificationId);
+  @override List<Object?> get props => [verificationId];
+}
+class AuthError extends AuthState {
+  final String message;
+  AuthError(this.message);
+  @override List<Object?> get props => [message];
+}
+
+// Bloc
+class AuthBloc extends Bloc<AuthEvent, AuthState> {
+  final ApiClient apiClient;
+  final _auth = FirebaseAuth.instance;
+
+  AuthBloc({required this.apiClient}) : super(AuthInitial()) {
+    on<AppStarted>(_onAppStarted);
+    on<PhoneOtpRequested>(_onPhoneOtpRequested);
+    on<OtpVerified>(_onOtpVerified);
+    on<LogoutRequested>(_onLogout);
+  }
+
+  Future<void> _onAppStarted(AppStarted event, Emitter<AuthState> emit) async {
+    if (_auth.currentUser != null) {
+      await _verifyAndEmit(emit);
+    }
+  }
+
+  Future<void> _onPhoneOtpRequested(PhoneOtpRequested event, Emitter<AuthState> emit) async {
+    emit(AuthLoading());
+    await _auth.verifyPhoneNumber(
+      phoneNumber: event.phone,
+      verificationCompleted: (_) {},
+      verificationFailed: (e) => emit(AuthError('Gagal mengirim OTP. Coba lagi.')),
+      codeSent: (verificationId, _) => emit(AuthOtpSent(verificationId)),
+      codeAutoRetrievalTimeout: (_) {},
+    );
+  }
+
+  Future<void> _onOtpVerified(OtpVerified event, Emitter<AuthState> emit) async {
+    emit(AuthLoading());
+    try {
+      final credential = PhoneAuthProvider.credential(
+        verificationId: event.verificationId,
+        smsCode: event.smsCode,
+      );
+      await _auth.signInWithCredential(credential);
+      await _verifyAndEmit(emit);
+    } catch (e) {
+      emit(AuthError('OTP tidak valid. Coba lagi.'));
+    }
+  }
+
+  Future<void> _onLogout(LogoutRequested event, Emitter<AuthState> emit) async {
+    await _auth.signOut();
+    emit(AuthInitial());
+  }
+
+  Future<void> _verifyAndEmit(Emitter<AuthState> emit) async {
+    try {
+      final response = await apiClient.post('/api/mitra/auth/verify');
+      emit(AuthAuthenticated(response['data'] as Map<String, dynamic>));
+    } on Exception catch (e) {
+      await _auth.signOut();
+      // Surface specific errors from backend
+      final msg = e.toString();
+      if (msg.contains('ACCOUNT_NOT_FOUND')) {
+        emit(AuthError('Akun tidak ditemukan. Hubungi administrator.'));
+      } else if (msg.contains('ACCOUNT_INACTIVE')) {
+        emit(AuthError('Akun tidak aktif. Hubungi administrator.'));
+      } else {
+        emit(AuthError('Gagal masuk. Coba lagi.'));
+      }
+    }
+  }
+}