feat(web): 2FA OTP 화면 및 비밀번호 찾기 화면 구현 (mock)

- OtpView: 6자리 digit 입력, 5회 잠금, 30초 재전송 쿨다운 (mock 코드: 123456)
- ForgotPasswordView: 이메일 입력 → 전송 완료 화면 + 관리자 복구 안내
- LoginView: "Forgot password?" 링크를 onForgotPassword 콜백으로 연결
- main.tsx: otp/forgot-password 라우트 및 pendingOtpEmail 상태 추가
  - password "otp1234" → OTP 화면, "temp1234" → 강제 비번 변경
- RouteKey에 "otp", "forgot-password" 추가

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: SOIV

apps/web/src/components/AppShell.tsx

@@ -1,7 +1,7 @@
 import type { ReactNode } from "react";
 import "../styles/shell.css";
 
-export type RouteKey = "login" | "home" | "marketplace" | "admin" | "change-password";
+export type RouteKey = "login" | "otp" | "forgot-password" | "home" | "marketplace" | "admin" | "change-password";
 
 interface AppShellProps {
   installMode: "normal" | "bypass";

apps/web/src/main.tsx

@@ -12,6 +12,8 @@ import { SettingsView } from "./views/SettingsView";
 import { AdminView } from "./views/AdminView";
 import { MarketplaceView } from "./views/MarketplaceView";
 import { ChangePasswordView } from "./views/ChangePasswordView";
+import { OtpView } from "./views/OtpView";
+import { ForgotPasswordView } from "./views/ForgotPasswordView";
 
 // ─── Types ────────────────────────────────────────────────────
 type InstallMode = "normal" | "bypass";
@@ -40,17 +42,8 @@ function resolveInstallMode(runtimeEnv: WebRuntimeEnv): InstallMode {
 function getRouteFromHash(rawHash: string): RouteKey {
   const hash = rawHash.replace("#", "");
   if (hash === "settings") return "home";
-  if (hash === "home" || hash === "marketplace" || hash === "admin" || hash === "login" || hash === "change-password") {
-    return hash;
-  }
-  return "login";
-}
-
-function canAccessRoute(route: RouteKey, isAuthenticated: boolean): boolean {
-  if (route === "login") return true;
-  if (!isAuthenticated) return false;
-  // admin 라우트는 인증된 유저라면 진입 허용 — AdminView 내부에서 isAdmin으로 콘텐츠 게이팅
-  return true;
+  const valid: RouteKey[] = ["login", "otp", "forgot-password", "home", "marketplace", "admin", "change-password"];
+  return (valid as string[]).includes(hash) ? (hash as RouteKey) : "login";
 }
 
 // ─── Session Storage Keys ─────────────────────────────────────
@@ -73,6 +66,8 @@ function App({ installMode }: { installMode: InstallMode }) {
   const [isPinVerified, setIsPinVerified] = useState(
     () => sessionStorage.getItem(SS.pinVerified) === "true",
   );
+  // OTP 인증 대기 중인 이메일 (로그인 완료 전 임시 상태 — sessionStorage 미저장)
+  const [pendingOtpEmail, setPendingOtpEmail] = useState<string | null>(null);
   const [currentUser, setCurrentUser] = useState<{ email: string } | null>(
     () => {
       const email = sessionStorage.getItem(SS.email);
@@ -98,11 +93,16 @@ function App({ installMode }: { installMode: InstallMode }) {
   }, []);
 
   const effectiveRoute = useMemo<RouteKey>(() => {
-    if (!canAccessRoute(route, isAuthenticated)) return "login";
-    // 비밀번호 변경 강제: change-password 이외의 모든 경로 차단
+    // OTP 대기 중: otp 화면만 허용
+    if (pendingOtpEmail) return "otp";
+    // 미인증: login / forgot-password만 허용
+    if (!isAuthenticated) {
+      return route === "forgot-password" ? "forgot-password" : "login";
+    }
+    // 비밀번호 변경 강제
     if (mustChangePassword && route !== "change-password") return "change-password";
     return route;
-  }, [isAuthenticated, mustChangePassword, route]);
+  }, [isAuthenticated, mustChangePassword, pendingOtpEmail, route]);
 
   useEffect(() => {
     if (window.location.hash !== `#${effectiveRoute}`) {
@@ -120,8 +120,16 @@ function App({ installMode }: { installMode: InstallMode }) {
     event.preventDefault();
     const formData = new FormData(event.currentTarget);
     const email = (formData.get("email") as string | null) ?? "user@fieldstack.dev";
-    // mock: 비밀번호가 "temp1234"이면 임시 비번 첫 로그인으로 처리
     const password = formData.get("password") as string | null;
+
+    // mock: "otp1234" → 2FA OTP 화면으로 이동
+    if (password === "otp1234") {
+      setPendingOtpEmail(email);
+      navigate("otp");
+      return;
+    }
+
+    // mock: "temp1234" → 임시 비번 첫 로그인 강제 변경
     const isTempLogin = password === "temp1234";
 
     setIsAuthenticated(true);
@@ -156,6 +164,23 @@ function App({ installMode }: { installMode: InstallMode }) {
     navigate("home");
   };
 
+  const onOtpVerified = () => {
+    if (!pendingOtpEmail) return;
+    const email = pendingOtpEmail;
+    setPendingOtpEmail(null);
+    setIsAuthenticated(true);
+    setCurrentUser({ email });
+    sessionStorage.setItem(SS.auth, "true");
+    sessionStorage.setItem(SS.email, email);
+    setNotice("2단계 인증 완료.");
+    navigate("home");
+  };
+
+  const onOtpCancel = () => {
+    setPendingOtpEmail(null);
+    navigate("login");
+  };
+
   const onPinVerified = () => {
     setIsAdmin(true);
     setIsPinVerified(true);
@@ -187,13 +212,30 @@ function App({ installMode }: { installMode: InstallMode }) {
           <LoginView
             onLogin={onLogin}
             onQuickLogin={onQuickLogin}
+            onForgotPassword={() => navigate("forgot-password")}
             showDevBypass={installMode === "bypass"}
           />
         </section>
       </main>
     );
   }
 
+  // 비밀번호 찾기 (no shell)
+  if (effectiveRoute === "forgot-password") {
+    return <ForgotPasswordView onBack={() => navigate("login")} />;
+  }
+
+  // 2FA OTP 인증 (no shell)
+  if (effectiveRoute === "otp") {
+    return (
+      <OtpView
+        email={pendingOtpEmail ?? ""}
+        onVerified={onOtpVerified}
+        onCancel={onOtpCancel}
+      />
+    );
+  }
+
   // 비밀번호 강제 변경 (shell 없이 전체 화면)
   if (effectiveRoute === "change-password") {
     return (

apps/web/src/styles/forgot-password.css

@@ -0,0 +1,105 @@
+.fpw-shell {
+  min-height: 100vh;
+  display: grid;
+  place-items: center;
+  padding: 24px 16px;
+  background: var(--bg);
+}
+
+.fpw-panel {
+  width: 100%;
+  max-width: 420px;
+  display: grid;
+  gap: 16px;
+}
+
+.fpw-header {
+  text-align: center;
+  display: grid;
+  gap: 6px;
+}
+
+.fpw-icon {
+  font-size: 32px;
+  line-height: 1;
+}
+
+.fpw-title {
+  margin: 0;
+  font-size: 20px;
+  font-weight: 800;
+  color: var(--text);
+}
+
+.fpw-desc {
+  margin: 0;
+  font-size: 13px;
+  color: var(--text-muted);
+  line-height: 1.6;
+}
+
+.fpw-form {
+  gap: 14px;
+}
+
+.fpw-input-error {
+  border-color: var(--err);
+  box-shadow: 0 0 0 3px rgba(248, 113, 113, 0.2);
+}
+
+.fpw-input-error:focus {
+  border-color: var(--err);
+  box-shadow: 0 0 0 3px rgba(248, 113, 113, 0.2);
+}
+
+.fpw-field-error {
+  margin: 2px 0 0;
+  font-size: 12px;
+  color: var(--err);
+}
+
+.fpw-divider {
+  height: 1px;
+  background: var(--border-subtle);
+}
+
+/* ── Admin recovery notice ────────────────────────────────────── */
+.fpw-notice {
+  padding: 12px 14px;
+  border: 1px solid var(--border-subtle);
+  border-radius: 9px;
+  background: var(--bg-surface);
+  display: grid;
+  gap: 4px;
+}
+
+.fpw-notice-label {
+  margin: 0;
+  font-size: 12px;
+  font-weight: 700;
+  color: var(--text-muted);
+}
+
+.fpw-notice-text {
+  margin: 0;
+  font-size: 12px;
+  color: var(--text-faint);
+  line-height: 1.5;
+}
+
+.fpw-back-btn {
+  background: none;
+  border: none;
+  font-size: 12px;
+  color: var(--text-muted);
+  cursor: pointer;
+  font-family: inherit;
+  padding: 4px 8px;
+  border-radius: 6px;
+  justify-self: center;
+}
+
+.fpw-back-btn:hover {
+  color: var(--text);
+  text-decoration: underline;
+}

apps/web/src/styles/otp.css

@@ -0,0 +1,118 @@
+.otp-shell {
+  min-height: 100vh;
+  display: grid;
+  place-items: center;
+  padding: 24px 16px;
+  background: var(--bg);
+}
+
+.otp-panel {
+  width: 100%;
+  max-width: 400px;
+}
+
+.otp-header {
+  text-align: center;
+  display: grid;
+  gap: 6px;
+  margin-bottom: 24px;
+}
+
+.otp-icon {
+  font-size: 32px;
+  line-height: 1;
+}
+
+.otp-title {
+  margin: 0;
+  font-size: 20px;
+  font-weight: 800;
+  color: var(--text);
+}
+
+.otp-desc {
+  margin: 0;
+  font-size: 13px;
+  color: var(--text-muted);
+  line-height: 1.6;
+}
+
+.otp-form {
+  gap: 16px;
+}
+
+/* ── Digit boxes ──────────────────────────────────────────────── */
+.otp-digits {
+  display: flex;
+  gap: 8px;
+  justify-content: center;
+}
+
+.otp-digit {
+  width: 44px;
+  height: 52px;
+  border-radius: 9px;
+  border: 1px solid var(--border);
+  background: var(--bg-elevated);
+  color: var(--text);
+  font-size: 22px;
+  font-weight: 700;
+  text-align: center;
+  font-family: inherit;
+  outline: none;
+  transition: border-color 110ms ease, box-shadow 110ms ease;
+}
+
+.otp-digit:focus {
+  border-color: var(--accent);
+  box-shadow: 0 0 0 3px rgba(124, 124, 240, 0.2);
+}
+
+.otp-digit:disabled {
+  opacity: 0.45;
+  cursor: not-allowed;
+}
+
+.otp-digit-error {
+  border-color: var(--err);
+  box-shadow: 0 0 0 3px rgba(248, 113, 113, 0.2);
+}
+
+.otp-error {
+  margin: 0;
+  font-size: 12px;
+  color: var(--err);
+  text-align: center;
+}
+
+/* ── Footer buttons ───────────────────────────────────────────── */
+.otp-footer {
+  display: grid;
+  gap: 4px;
+  justify-items: center;
+}
+
+.otp-text-btn {
+  background: none;
+  border: none;
+  font-size: 12px;
+  color: var(--accent-hover);
+  cursor: pointer;
+  font-family: inherit;
+  padding: 4px 8px;
+  border-radius: 6px;
+  transition: opacity 110ms ease;
+}
+
+.otp-text-btn:disabled {
+  color: var(--text-faint);
+  cursor: default;
+}
+
+.otp-text-btn:not(:disabled):hover {
+  text-decoration: underline;
+}
+
+.otp-text-btn-muted {
+  color: var(--text-muted);
+}