From 1a97483beae9e89ac3a4aa91e9dec2d99c8dd537 Mon Sep 17 00:00:00 2001
From: kyy <b24053@hanmaceng.co.kr>
Date: Tue, 3 Feb 2026 09:29:43 +0900
Subject: [PATCH] =?UTF-8?q?=ED=81=B4=EB=9D=BC=EC=9D=B4=EC=96=B8=ED=8A=B8?=
 =?UTF-8?q?=20=EC=8B=9C=ED=81=AC=EB=A6=BF=20=EC=BA=90=EC=8B=B1=20=EB=A1=9C?=
 =?UTF-8?q?=EC=A7=81=20=EC=A0=81=EC=9A=A9=20=EB=B0=8F=20=EC=9D=98=EC=A1=B4?=
 =?UTF-8?q?=EC=84=B1=20=EC=A3=BC=EC=9E=85?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 backend/cmd/server/main.go              |  3 +-
 backend/internal/handler/dev_handler.go | 45 ++++++++++++++++++-------
 2 files changed, 34 insertions(+), 14 deletions(-)

diff --git a/backend/cmd/server/main.go b/backend/cmd/server/main.go
index 7fef9116..ac7de5b3 100644
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -252,11 +252,12 @@ func main() {
 	relyingPartyRepo := repository.NewRelyingPartyRepository(db)
 	hydraService := service.NewHydraAdminService()
 	relyingPartyService := service.NewRelyingPartyService(relyingPartyRepo, hydraService, ketoService)
+	secretRepo := repository.NewClientSecretRepository(db)
 
 	auditHandler := handler.NewAuditHandler(auditRepo)
 	authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo, oathkeeperRepo, tenantService, ketoService, userRepo)
 	adminHandler := handler.NewAdminHandler()
-	devHandler := handler.NewDevHandler(redisService)
+	devHandler := handler.NewDevHandler(redisService, secretRepo)
 	tenantHandler := handler.NewTenantHandler(db, tenantService)
 	relyingPartyHandler := handler.NewRelyingPartyHandler(relyingPartyService)
 	kratosAdminService := service.NewKratosAdminService()
diff --git a/backend/internal/handler/dev_handler.go b/backend/internal/handler/dev_handler.go
index 3d446240..732e4e2f 100644
--- a/backend/internal/handler/dev_handler.go
+++ b/backend/internal/handler/dev_handler.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"baron-sso-backend/internal/domain"
 	"baron-sso-backend/internal/service"
+	"context"
 	"errors"
 	"strings"
 	"time"
@@ -12,14 +13,16 @@ import (
 )
 
 type DevHandler struct {
-	Hydra *service.HydraAdminService
-	Redis *service.RedisService
+	Hydra      *service.HydraAdminService
+	Redis      *service.RedisService
+	SecretRepo domain.ClientSecretRepository
 }
 
-func NewDevHandler(redis *service.RedisService) *DevHandler {
+func NewDevHandler(redis *service.RedisService, secretRepo domain.ClientSecretRepository) *DevHandler {
 	return &DevHandler{
-		Hydra: service.NewHydraAdminService(),
-		Redis: redis,
+		Hydra:      service.NewHydraAdminService(),
+		Redis:      redis,
+		SecretRepo: secretRepo,
 	}
 }
 
@@ -249,13 +252,12 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
 
 	// Store secret in metadata for later retrieval
 	if created.ClientSecret != "" {
-		if created.Metadata == nil {
-			created.Metadata = map[string]interface{}{}
+		// 1. Store in PostgreSQL (Source of Truth)
+		if h.SecretRepo != nil {
+			_ = h.SecretRepo.Upsert(c.Context(), created.ClientID, created.ClientSecret)
 		}
-		created.Metadata["client_secret"] = created.ClientSecret
-		_, _ = h.Hydra.UpdateClient(c.Context(), created.ClientID, *created)
-		
-		// Also store in Redis if available
+
+		// 2. Also store in Redis (Cache)
 		if h.Redis != nil {
 			_ = h.Redis.Set("client_secret:"+created.ClientID, created.ClientSecret, 0)
 		}
@@ -375,7 +377,12 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
 	}
 
-	// Clean up Redis
+	// 1. Clean up PostgreSQL
+	if h.SecretRepo != nil {
+		_ = h.SecretRepo.Delete(c.Context(), clientID)
+	}
+
+	// 2. Clean up Redis
 	if h.Redis != nil {
 		_ = h.Redis.Delete("client_secret:" + clientID)
 	}
@@ -466,13 +473,25 @@ func (h *DevHandler) mapClientSummary(client domain.HydraClient) clientSummary {
 			clientSecret = val
 		}
 	}
-	// 2. Check Redis (New)
+
+	// 2. Check Redis (Cache)
 	if clientSecret == "" && h.Redis != nil {
 		if val, err := h.Redis.Get("client_secret:" + client.ClientID); err == nil && val != "" {
 			clientSecret = val
 		}
 	}
 
+	// 3. Check PostgreSQL (Source of Truth) & Cache Warming
+	if clientSecret == "" && h.SecretRepo != nil {
+		if val, err := h.SecretRepo.GetByID(context.Background(), client.ClientID); err == nil && val != "" {
+			clientSecret = val
+			// Warm up cache
+			if h.Redis != nil {
+				_ = h.Redis.Set("client_secret:"+client.ClientID, clientSecret, 0)
+			}
+		}
+	}
+
 	return clientSummary{
 		ID:           client.ClientID,
 		Name:         name,