tenant 제한 에러 처리 보안

2026-06-04 10:09:49 +09:00
parent 80aa60fdf1
commit 243b852591
6 changed files with 104 additions and 18 deletions
--- a/userfront/test/auth_proxy_service_test.dart
+++ b/userfront/test/auth_proxy_service_test.dart
@@ -153,6 +153,37 @@ void main() {
      },
    );

+    test(
+      'acceptOidcLogin error는 code/message/details를 AuthProxyException으로 보존한다',
+      () async {
+        client.enqueueJson({
+          'code': 'tenant_not_allowed',
+          'error': 'tenant blocked',
+          'details': {
+            'allowed_tenants': ['gp'],
+          },
+        }, statusCode: 403);
+
+        await expectLater(
+          AuthProxyService.acceptOidcLogin('login-challenge', token: 'jwt'),
+          throwsA(
+            isA<AuthProxyException>()
+                .having(
+                  (error) => error.errorCode,
+                  'code',
+                  'tenant_not_allowed',
+                )
+                .having((error) => error.message, 'message', 'tenant blocked')
+                .having(
+                  (error) => error.details?['allowed_tenants'],
+                  'details',
+                  ['gp'],
+                ),
+          ),
+        );
+      },
+    );
+
    test(
      'approveQrLogin은 credential mode와 bearer token payload를 지원한다',
      () async {
--- a/userfront/test/consent_error_routing_test.dart
+++ b/userfront/test/consent_error_routing_test.dart
@@ -20,4 +20,33 @@ void main() {

    expect(shouldRouteConsentErrorToErrorScreen(error), isFalse);
  });
+
+  test('tenant_not_allowed auth error also routes to error screen', () {
+    const error = AuthProxyException(
+      errorCode: 'tenant_not_allowed',
+      message: '허용되지 않은 테넌트입니다.',
+    );
+
+    expect(shouldRouteTenantAccessErrorToErrorScreen(error), isTrue);
+  });
+
+  test('buildTenantAccessErrorPath builds userfront error route', () {
+    const error = AuthProxyException(
+      errorCode: 'tenant_not_allowed',
+      message: '허용되지 않은 테넌트입니다.',
+      details: {
+        'allowed_tenants': ['tenant-a'],
+      },
+    );
+
+    final target = buildTenantAccessErrorPath(
+      error,
+      Uri.parse('https://sso-test.hmac.kr/ko?login_challenge=abc'),
+    );
+
+    expect(target, contains('/error?'));
+    expect(target, contains('error=tenant_not_allowed'));
+    expect(target, contains('error_description='));
+    expect(target, contains('details='));
+  });
 }