From 1c8a599d4606c7fba09acd007db6ae4562521834 Mon Sep 17 00:00:00 2001 From: chan Date: Tue, 3 Feb 2026 15:10:13 +0900 Subject: [PATCH] =?UTF-8?q?=EB=B9=8C=EB=93=9C=EC=98=A4=EB=A5=98=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- backend/cmd/server/main.go | 2 +- backend/internal/handler/auth_handler.go | 111 ++++++----------------- 2 files changed, 29 insertions(+), 84 deletions(-) diff --git a/backend/cmd/server/main.go b/backend/cmd/server/main.go index 96bcccb0..2b96197c 100644 --- a/backend/cmd/server/main.go +++ b/backend/cmd/server/main.go @@ -245,7 +245,7 @@ func main() { userRepo := repository.NewUserRepository(db) auditHandler := handler.NewAuditHandler(auditRepo) - authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo, tenantService, ketoService, userRepo) + authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo, oathkeeperRepo, tenantService, ketoService, userRepo) adminHandler := handler.NewAdminHandler() devHandler := handler.NewDevHandler(redisService) tenantHandler := handler.NewTenantHandler(db, tenantService) diff --git a/backend/internal/handler/auth_handler.go b/backend/internal/handler/auth_handler.go index 6b620c63..bb4da9ef 100644 --- a/backend/internal/handler/auth_handler.go +++ b/backend/internal/handler/auth_handler.go 
@@ -2575,57 +2575,12 @@ func (h *AuthHandler) formatPhoneForStorage(phone string) string { // GetMe - Returns current user's profile with enriched data from local DB func (h *AuthHandler) GetMe(c *fiber.Ctx) error { - token := h.getBearerToken(c) - if token != "" { - if looksLikeJWT(token) && h.DescopeClient != nil { - authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token) - if err == nil && authorized { - userResponse, err := h.DescopeClient.Management.User().Load(c.Context(), userToken.ID) - if err != nil { - return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to load user profile"}) - } - - identityID, resolveErr := h.resolveKratosIdentityID( - c.Context(), - userResponse.Email, - normalizePhoneForLoginID(userResponse.Phone), - ) - if resolveErr != nil || identityID == "" { - return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to resolve user identity"}) - } - - dept, _ := userResponse.CustomAttributes["department"].(string) - affType, _ := userResponse.CustomAttributes["affiliationType"].(string) - compCode, _ := userResponse.CustomAttributes["companyCode"].(string) - - resp := domain.UserProfileResponse{ - ID: identityID, - Email: userResponse.Email, - Name: userResponse.Name, - Phone: h.formatPhoneForDisplay(userResponse.Phone), - Department: dept, - AffiliationType: affType, - CompanyCode: compCode, - Metadata: userResponse.CustomAttributes, - } - - if compCode != "" { - if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), compCode); err == nil && tenant != nil { - resp.Tenant = tenant - } - } - - return c.JSON(resp) - } - } - - profile, err := h.getKratosProfile(token) - if err != nil { - return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"}) - } - return c.JSON(profile) + profile, err := h.resolveCurrentProfile(c) + if err != nil { + return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": err.Error()}) } - + 
return c.JSON(profile) +} // GetEnrichedProfile - Exported wrapper for resolveCurrentProfile used by middlewares func (h *AuthHandler) GetEnrichedProfile(c *fiber.Ctx) (*domain.UserProfileResponse, error) { return h.resolveCurrentProfile(c) @@ -3488,7 +3443,7 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe if testRole == "" { testRole = c.Cookies("X-Mock-Role") } - + if testRole == "" { testRole = domain.RoleUser // 기본값을 user로 변경하여 차단 확인 } 
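Review bot: The new GetMe error branch sends `err.Error()` from resolveCurrentProfile straight to the client, where the removed lines returned fixed strings ("Invalid session", "Failed to load user profile"); depending on what resolveCurrentProfile wraps, that can echo upstream Descope/Kratos messages or internal identifiers to an unauthenticated caller. Every failure is also collapsed to 401 now, so a downstream outage or identity-resolution failure looks like a bad session instead of the 500 the old path returned. I would keep the generic message and record the cause server-side: `return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})`, logging err with the handler's logger. If resolveCurrentProfile distinguishes auth failures from internal ones, that distinction should pick the status; the hunk does not show whether it does.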
@@ -3512,39 +3467,31 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token) if err == nil && authorized { userResponse, err := h.DescopeClient.Management.User().Load(c.Context(), userToken.ID) - if err != nil { - return nil, err + if err == nil { + identityID, resolveErr := h.resolveKratosIdentityID( + c.Context(), + userResponse.Email, + normalizePhoneForLoginID(userResponse.Phone), + ) + if resolveErr == nil && identityID != "" { + dept, _ := userResponse.CustomAttributes["department"].(string) + affType, _ := userResponse.CustomAttributes["affiliationType"].(string) + compCode, _ := userResponse.CustomAttributes["companyCode"].(string) + profile = &domain.UserProfileResponse{ + ID: identityID, + Email: userResponse.Email, + Name: userResponse.Name, + Phone: h.formatPhoneForDisplay(userResponse.Phone), + Department: dept, + AffiliationType: affType, + CompanyCode: compCode, + Metadata: userResponse.CustomAttributes, + } + } } - identityID, resolveErr := h.resolveKratosIdentityID( - c.Context(), - userResponse.Email, - normalizePhoneForLoginID(userResponse.Phone), - ) - if resolveErr != nil || identityID == "" { - return nil, fmt.Errorf("failed to resolve kratos identity for profile") - } - dept, _ := userResponse.CustomAttributes["department"].(string) - affType, _ := userResponse.CustomAttributes["affiliationType"].(string) - compCode, _ := userResponse.CustomAttributes["companyCode"].(string) - return &domain.UserProfileResponse{ - ID: identityID, - Email: userResponse.Email, - Name: userResponse.Name, - Phone: h.formatPhoneForDisplay(userResponse.Phone), - Department: dept, - AffiliationType: affType, - CompanyCode: compCode, - }, nil } } - profile, err := h.getKratosProfile(token) - if err != nil { - return nil, err - } - return profile, nil - } - if profile == nil { profile, err = h.getKratosProfile(token) } 
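Review bot: Failures in the Descope branch are now dropped silently: when `User().Load` or `resolveKratosIdentityID` fails (or yields an empty identityID) for a token that ValidateSessionWithToken already accepted, `profile` stays nil and the request falls through to `getKratosProfile(token)` with the Descope JWT, whereas the removed lines returned a hard error. That turns a fail-closed path into an unlogged fallback; an unmapped Descope user surfaces as an opaque Kratos failure and operators lose the identity-resolution signal. At minimum the two swallowed errors should be logged with `userToken.ID`, and I would keep the explicit return for the resolve failure, e.g. `return nil, fmt.Errorf("resolving kratos identity for descope user %s: %w", userToken.ID, resolveErr)`, unless the fallback is intended, in which case a comment should say so. Note also that the shared profile now carries `Metadata: userResponse.CustomAttributes` (the removed resolveCurrentProfile return did not), so every consumer of GetEnrichedProfile now receives the full custom-attribute map; worth confirming nothing sensitive lives there. resolveCurrentProfile begins and ends outside this hunk.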
@@ -3569,9 +3516,8 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe if profile.Tenant == nil && localUser.Tenant != nil { profile.Tenant = localUser.Tenant } - // 병합되지 않은 메타데이터 처리 (필요시) } else { - // 로컬 DB에 없으면 기본 권한 부여 (또는 강제 생성 정책) + // 로컬 DB에 없으면 기본 권한 부여 profile.Role = domain.RoleUser } } @@ -3585,7 +3531,6 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe return profile, nil } - func (h *AuthHandler) resolveConsentSubject(c *fiber.Ctx) (string, error) { token := h.getBearerToken(c) if token != "" {