@coderabbitai review

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Rebased fix/388-wave21 onto latest feat/multicloud-web-frontend (was DIRTY).

Conflict resolution: only internal/api/handler_auth_test.go conflicted, and it was purely additive. The base branch had added the GET /api/auth/me/permissions test block (issues #917/#922) plus the ErrMFARequired_test/ErrInvalidMFACode_test sentinel helpers; this PR added a third helper ErrMFANotConfigured_test and the three issue-#388 MFA-equivalence tests. Kept both: a single de-duplicated trio of sentinel helpers, the base permissions tests, and this PR's #388 tests. No semantic divergence in the security logic.

Prod-side files (handler_auth.go, auth/errors.go, auth/service.go) auto-merged cleanly; the ErrMFANotConfigured sentinel and its handler mapping survived intact.

Verification on the rebased tree: gofmt clean, go vet clean, go build ok, go test ./internal/api/... ./internal/auth/... all green (including the #388 equivalence tests and the #917/#922 permissions tests together).

No prior CodeRabbit findings to address: the only earlier CR activity on this PR was a per-PR review-rate-limit notice (2026-05-30), so this is the first substantive review request.

@coderabbitai review

@cristim: Acknowledged! Triggering a fresh review of the rebased fix/388-wave21 branch. I'll examine the MFA enrollment leak fix and the conflict-resolution additions in handler_auth_test.go as part of this pass.

Learnt from: cristim
Repo: LeanerCloud/CUDly PR: 0
File: :0-0
Timestamp: 2026-05-05T15:44:54.463Z
Learning: In the LeanerCloud/CUDly repository, when a CodeRabbit review flags something as "outside-diff" that was already implemented in an earlier commit of the same PR, it is likely a stale-snapshot artifact where the review diff was generated against a pre-fix view. The inline comment convention `(CR pass on PR #<number> Finding N)` is used by the maintainer (cristim) to mark lines that were changed in direct response to a prior CodeRabbit review pass.

@coderabbitai review

Rebased on feat/multicloud-web-frontend (advanced by sibling merges #887, #819, #789).

Single content conflict, resolved as an additive merge in internal/api/handler_auth_test.go: the base had added TestHandler_login_ErrorEquivalence (issue #416 username-enumeration guard) at the same location where this PR adds the three issue #388 MFA-leak guards (TestLogin_FailedAuth_ResponseEquivalence, TestLogin_MFANotConfigured_ReturnsMFARequired, TestLogin_MFARequired_And_NotConfigured_ProduceSameResponse). Kept both sets of tests; no semantic or renamed-field divergence. The other four touched auth files (handler_auth.go, errors.go, service.go, service_test.go) auto-merged cleanly.

Post-rebase: gofmt clean, go vet clean, build clean, internal/api + internal/auth test suites green. Pushed as 804ff301d.

@coderabbitai review

@cristim: Acknowledged! Triggering a fresh review of the rebased fix/388-wave21 branch at 804ff301d. I'll look at the TestHandler_login_ErrorEquivalence additive merge alongside the three issue #388 MFA-leak guard tests, as well as the clean auto-merges in the four prod-side auth files.

Learnt from: cristim
Repo: LeanerCloud/CUDly PR: 0
File: :0-0
Timestamp: 2026-05-05T15:44:54.463Z
Learning: In the LeanerCloud/CUDly repository, when a CodeRabbit review flags something as "outside-diff" that was already implemented in an earlier commit of the same PR, it is likely a stale-snapshot artifact where the review diff was generated against a pre-fix view. The inline comment convention `(CR pass on PR #<number> Finding N)` is used by the maintainer (cristim) to mark lines that were changed in direct response to a prior CodeRabbit review pass.

pr-iterate auto-rebase stopped: genuine semantic conflict (not the expected additive test merge).

The latest merge wave landed #830 (878046eae -- "sec(auth): collapse MFA-not-configured into generic auth failure (closes #391)"), which directly contradicts this PR's design for the SAME code path (verifyPasswordAndMFA in internal/auth/service.go, MFA-enabled-but-secret-missing branch):

• sec(auth): collapse 'MFA not configured' into generic auth failure (closes #391) #830 / sec(auth): MFA "not configured" error leaks that password was correct #391 (now on base): a correct password against an account with MFA flagged on but no secret returns the SAME generic "Check your email address and password and try again" message as a wrong password -- missing-secret looks like wrong-credentials.
• sec(auth): stop leaking MFA enrollment via login error responses (closes #388) #886 / sec(auth): login endpoint leaks MFA enrollment status via distinct error messages #388 (this PR): that same case returns the typed sentinel ErrMFANotConfigured, which the handler maps to mfa_required (identical response to ErrMFARequired) -- missing-secret looks like "MFA still required".

Both close a real leak but pick opposite indistinguishability targets, and each ships a test asserting its own outcome (base: TestLogin_WithMFA_NoSecret asserts the generic message; this PR: assert.ErrorIs(err, ErrMFANotConfigured)). They cannot both hold at the service layer.

This needs a human security decision on which leak model wins before the rebase can proceed:
(a) keep #830's generic-message collapse and drop this PR's ErrMFANotConfigured path (this PR likely becomes a no-op / closeable as superseded by #391), or
(b) supersede #830 here -- keep ErrMFANotConfigured -> mfa_required, delete the base's TestLogin_WithMFA_NoSecret generic-message subtest, and reconcile the comment in service.go.

Rebase was aborted; branch is unchanged at 804ff30. No force-push, no CR re-ping. Re-run pr-iterate after the direction is chosen.

Closing as superseded. The MFA-enrollment leak this targets (#388) is already fixed by the merged PR #830 (closes #391), which collapses the missing-MFA-secret branch into the generic wrong-credentials response - a strictly stronger anti-enumeration posture than this PR's typed mfa_required response (it hides even that MFA is enrolled for the broken-secret case). The service-layer ErrMFANotConfigured -> mfa_required approach here directly conflicts with #830's generic collapse and cannot coexist with it.

The one genuinely-unique improvement in this PR - replacing the handler_auth.go login catch-all 'return NewClientError(401, err.Error())' with an opaque 'invalid credentials' so raw service errors are never forwarded - is being carried forward as a small standalone hygiene follow-up issue. Tracking there.