oathkeeper-introspect 연동 앱 목록 노출 제외

backend/internal/handler/dev_handler.go

@@ -142,6 +142,10 @@ type clientUpsertRequest struct {
 	Metadata                *map[string]interface{} `json:"metadata"`
 }
 
+var protectedSystemClientIDs = map[string]struct{}{
+	"oathkeeper-introspect": {},
+}
+
 func normalizeUserRole(role string) string {
 	return domain.NormalizeRole(role)
 }
@@ -263,6 +267,15 @@ func profileRole(profile *domain.UserProfileResponse) string {
 	return strings.TrimSpace(profile.Role)
 }
 
+func isProtectedSystemClientID(clientID string) bool {
+	_, ok := protectedSystemClientIDs[strings.TrimSpace(clientID)]
+	return ok
+}
+
+func isProtectedSystemClient(client domain.HydraClient) bool {
+	return isProtectedSystemClientID(client.ClientID)
+}
+
 func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
 	profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
 	if (!ok || profile == nil) && h.Auth != nil {
@@ -557,6 +570,10 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
 
 	items := make([]clientSummary, 0, len(clients))
 	for _, client := range clients {
+		if isProtectedSystemClient(client) {
+			continue
+		}
+
 		summary := h.mapClientSummary(client)
 
 		// 1. [Security] Filter out 'private' clients if user is not an AppManager
@@ -604,6 +621,10 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
 	}
 
+	if isProtectedSystemClient(*client) {
+		return errorJSON(c, fiber.StatusNotFound, "client not found")
+	}
+
 	summary := h.mapClientSummary(*client)
 	profile := h.getCurrentProfile(c)
 	if profile == nil {
@@ -678,6 +699,10 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
 	}
 
+	if isProtectedSystemClient(*current) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: protected system client")
+	}
+
 	summary := h.mapClientSummary(*current)
 	profile := h.getCurrentProfile(c)
 	if profile == nil {
@@ -759,6 +784,9 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
 	if clientID == "" {
 		clientID = uuid.NewString()
 	}
+	if isProtectedSystemClientID(clientID) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: reserved system client id")
+	}
 
 	name := strings.TrimSpace(valueOr(req.Name, ""))
 	if name == "" {
@@ -899,6 +927,10 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
 	}
 
+	if isProtectedSystemClient(*current) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: protected system client")
+	}
+
 	currentSummary := h.mapClientSummary(*current)
 	profile := h.getCurrentProfile(c)
 	if profile == nil {
@@ -1030,6 +1062,10 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
 	}
 
+	if isProtectedSystemClient(*current) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: protected system client")
+	}
+
 	summary := h.mapClientSummary(*current)
 	profile := h.getCurrentProfile(c)
 	if profile == nil {
@@ -1265,6 +1301,10 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
 	}
 
+	if isProtectedSystemClient(*current) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: protected system client")
+	}
+
 	summary := h.mapClientSummary(*current)
 	profile := h.getCurrentProfile(c)
 	if profile == nil {
@@ -1462,6 +1502,9 @@ func (h *DevHandler) GetStats(c *fiber.Ctx) error {
 	var totalClients int64
 	if err == nil {
 		for _, client := range clients {
+			if isProtectedSystemClient(client) {
+				continue
+			}
 			if isSuperAdmin {
 				totalClients++
 				continue