diff --git a/backend/internal/handler/auth_handler.go b/backend/internal/handler/auth_handler.go index 020506f0..95f63389 100644 --- a/backend/internal/handler/auth_handler.go +++ b/backend/internal/handler/auth_handler.go @@ -749,44 +749,6 @@ func (h *AuthHandler) PasswordLogin(c *fiber.Ctx) error { ale.Log(slog.LevelInfo, "Attempting to login") - // Validate password complexity before sending to Descope - password := req.Password - if len(password) < 8 { - ale.Status = fiber.StatusBadRequest - ale.LatencyMs = time.Since(startTime) - ale.DescopeError = "Password must be at least 8 characters long" - ale.Log(slog.LevelWarn, "Validation failed: password too short") - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must be at least 8 characters long"}) - } - if ok, _ := regexp.MatchString(`[a-z]`, password); !ok { - ale.Status = fiber.StatusBadRequest - ale.LatencyMs = time.Since(startTime) - ale.DescopeError = "Password must contain at least one lowercase letter" - ale.Log(slog.LevelWarn, "Validation failed: no lowercase letter") - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one lowercase letter"}) - } - if ok, _ := regexp.MatchString(`[A-Z]`, password); !ok { - ale.Status = fiber.StatusBadRequest - ale.LatencyMs = time.Since(startTime) - ale.DescopeError = "Password must contain at least one uppercase letter" - ale.Log(slog.LevelWarn, "Validation failed: no uppercase letter") - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one uppercase letter"}) - } - if ok, _ := regexp.MatchString(`[0-9]`, password); !ok { - ale.Status = fiber.StatusBadRequest - ale.LatencyMs = time.Since(startTime) - ale.DescopeError = "Password must contain at least one number" - ale.Log(slog.LevelWarn, "Validation failed: no number") - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one number"}) - } - if ok, _ := regexp.MatchString(`[\W_]`, password); !ok { - ale.Status = fiber.StatusBadRequest - ale.LatencyMs = time.Since(startTime) - ale.DescopeError = "Password must contain at least one special character" - ale.Log(slog.LevelWarn, "Validation failed: no special character") - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"}) - } - if h.DescopeClient == nil { ale.Status = fiber.StatusInternalServerError ale.LatencyMs = time.Since(startTime) @@ -1076,41 +1038,55 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error { // 디버깅을 위해 요청된 새 비밀번호를 로그로 출력 ale.Log(slog.LevelInfo, "Received new password for reset") - // Validate password complexity - if len(req.NewPassword) < 8 { - ale.Status = fiber.StatusBadRequest - ale.LatencyMs = time.Since(startTime) - ale.DescopeError = "Password must be at least 8 characters long" - ale.Log(slog.LevelWarn, "Validation failed: password too short") - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must be at least 8 characters long"}) - } - if ok, _ := regexp.MatchString(`[a-z]`, req.NewPassword); !ok { - ale.Status = fiber.StatusBadRequest - ale.LatencyMs = time.Since(startTime) - ale.DescopeError = "Password must contain at least one lowercase letter" - ale.Log(slog.LevelWarn, "Validation failed: no lowercase letter") - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one lowercase letter"}) - } - if ok, _ := regexp.MatchString(`[A-Z]`, req.NewPassword); !ok { - ale.Status = fiber.StatusBadRequest - ale.LatencyMs = time.Since(startTime) - ale.DescopeError = "Password must contain at least one uppercase letter" - ale.Log(slog.LevelWarn, "Validation failed: no uppercase letter") - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one uppercase letter"}) - } - if ok, _ := regexp.MatchString(`[0-9]`, req.NewPassword); !ok { - ale.Status = fiber.StatusBadRequest - ale.LatencyMs = time.Since(startTime) - ale.DescopeError = "Password must contain at least one number" - ale.Log(slog.LevelWarn, "Validation failed: no number") - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one number"}) - } - if ok, _ := regexp.MatchString(`[\W_]`, req.NewPassword); !ok { - ale.Status = fiber.StatusBadRequest - ale.LatencyMs = time.Since(startTime) - ale.DescopeError = "Password must contain at least one special character" - ale.Log(slog.LevelWarn, "Validation failed: no special character") - return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"}) + // Validate password complexity dynamically based on Descope policy + policy, err := h.DescopeClient.Auth.Password().GetPasswordPolicy(context.Background()) + if err != nil { + // If policy fetch fails, log warning and proceed (or fallback to basic check) + ale.Log(slog.LevelWarn, "Failed to fetch password policy, skipping dynamic validation: "+err.Error()) + } else { + if len(req.NewPassword) < int(policy.MinLength) { + ale.Status = fiber.StatusBadRequest + ale.LatencyMs = time.Since(startTime) + ale.DescopeError = fmt.Sprintf("Password must be at least %d characters long", policy.MinLength) + ale.Log(slog.LevelWarn, "Validation failed: password too short") + return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": ale.DescopeError}) + } + if policy.Lowercase { + if ok, _ := regexp.MatchString(`[a-z]`, req.NewPassword); !ok { + ale.Status = fiber.StatusBadRequest + ale.LatencyMs = time.Since(startTime) + ale.DescopeError = "Password must contain at least one lowercase letter" + ale.Log(slog.LevelWarn, "Validation failed: no lowercase letter") + return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one lowercase letter"}) + } + } + if policy.Uppercase { + if ok, _ := regexp.MatchString(`[A-Z]`, req.NewPassword); !ok { + ale.Status = fiber.StatusBadRequest + ale.LatencyMs = time.Since(startTime) + ale.DescopeError = "Password must contain at least one uppercase letter" + ale.Log(slog.LevelWarn, "Validation failed: no uppercase letter") + return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one uppercase letter"}) + } + } + if policy.Number { + if ok, _ := regexp.MatchString(`[0-9]`, req.NewPassword); !ok { + ale.Status = fiber.StatusBadRequest + ale.LatencyMs = time.Since(startTime) + ale.DescopeError = "Password must contain at least one number" + ale.Log(slog.LevelWarn, "Validation failed: no number") + return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one number"}) + } + } + if policy.NonAlphanumeric { + if ok, _ := regexp.MatchString(`[\W_]`, req.NewPassword); !ok { + ale.Status = fiber.StatusBadRequest + ale.LatencyMs = time.Since(startTime) + ale.DescopeError = "Password must contain at least one special character" + ale.Log(slog.LevelWarn, "Validation failed: no special character") + return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"}) + } + } } ale.Log(slog.LevelInfo, "Attempting to update password via Descope Auth API")