Merge pull request 'dev/passwd-tab-signup' (#71) from dev/passwd-tab-signup into main

Reviewed-on: ai-team/baron-sso#71
2026-01-27 15:52:09 +09:00
parent c914fad405 5c24e6eb4e
commit 26e6430aa7
3 changed files with 107 additions and 89 deletions
--- a/.gemini/settings.json
+++ b/.gemini/settings.json
@@ -1,5 +0,0 @@
-{
-  "general": {
-    "previewFeatures": true
-  }
-}
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -749,44 +749,6 @@ func (h *AuthHandler) PasswordLogin(c *fiber.Ctx) error {

 	ale.Log(slog.LevelInfo, "Attempting to login")

-	// Validate password complexity before sending to Descope
-	password := req.Password
-	if len(password) < 8 {
-		ale.Status = fiber.StatusBadRequest
-		ale.LatencyMs = time.Since(startTime)
-		ale.DescopeError = "Password must be at least 8 characters long"
-		ale.Log(slog.LevelWarn, "Validation failed: password too short")
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must be at least 8 characters long"})
-	}
-	if ok, _ := regexp.MatchString(`[a-z]`, password); !ok {
-		ale.Status = fiber.StatusBadRequest
-		ale.LatencyMs = time.Since(startTime)
-		ale.DescopeError = "Password must contain at least one lowercase letter"
-		ale.Log(slog.LevelWarn, "Validation failed: no lowercase letter")
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one lowercase letter"})
-	}
-	if ok, _ := regexp.MatchString(`[A-Z]`, password); !ok {
-		ale.Status = fiber.StatusBadRequest
-		ale.LatencyMs = time.Since(startTime)
-		ale.DescopeError = "Password must contain at least one uppercase letter"
-		ale.Log(slog.LevelWarn, "Validation failed: no uppercase letter")
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one uppercase letter"})
-	}
-	if ok, _ := regexp.MatchString(`[0-9]`, password); !ok {
-		ale.Status = fiber.StatusBadRequest
-		ale.LatencyMs = time.Since(startTime)
-		ale.DescopeError = "Password must contain at least one number"
-		ale.Log(slog.LevelWarn, "Validation failed: no number")
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one number"})
-	}
-	if ok, _ := regexp.MatchString(`[\W_]`, password); !ok {
-		ale.Status = fiber.StatusBadRequest
-		ale.LatencyMs = time.Since(startTime)
-		ale.DescopeError = "Password must contain at least one special character"
-		ale.Log(slog.LevelWarn, "Validation failed: no special character")
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"})
-	}
-
 	if h.DescopeClient == nil {
 		ale.Status = fiber.StatusInternalServerError
 		ale.LatencyMs = time.Since(startTime)
@@ -1076,41 +1038,55 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
 	// 디버깅을 위해 요청된 새 비밀번호를 로그로 출력
 	ale.Log(slog.LevelInfo, "Received new password for reset")

-	// Validate password complexity
-	if len(req.NewPassword) < 8 {
-		ale.Status = fiber.StatusBadRequest
-		ale.LatencyMs = time.Since(startTime)
-		ale.DescopeError = "Password must be at least 8 characters long"
-		ale.Log(slog.LevelWarn, "Validation failed: password too short")
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must be at least 8 characters long"})
-	}
-	if ok, _ := regexp.MatchString(`[a-z]`, req.NewPassword); !ok {
-		ale.Status = fiber.StatusBadRequest
-		ale.LatencyMs = time.Since(startTime)
-		ale.DescopeError = "Password must contain at least one lowercase letter"
-		ale.Log(slog.LevelWarn, "Validation failed: no lowercase letter")
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one lowercase letter"})
-	}
-	if ok, _ := regexp.MatchString(`[A-Z]`, req.NewPassword); !ok {
-		ale.Status = fiber.StatusBadRequest
-		ale.LatencyMs = time.Since(startTime)
-		ale.DescopeError = "Password must contain at least one uppercase letter"
-		ale.Log(slog.LevelWarn, "Validation failed: no uppercase letter")
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one uppercase letter"})
-	}
-	if ok, _ := regexp.MatchString(`[0-9]`, req.NewPassword); !ok {
-		ale.Status = fiber.StatusBadRequest
-		ale.LatencyMs = time.Since(startTime)
-		ale.DescopeError = "Password must contain at least one number"
-		ale.Log(slog.LevelWarn, "Validation failed: no number")
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one number"})
-	}
-	if ok, _ := regexp.MatchString(`[\W_]`, req.NewPassword); !ok {
-		ale.Status = fiber.StatusBadRequest
-		ale.LatencyMs = time.Since(startTime)
-		ale.DescopeError = "Password must contain at least one special character"
-		ale.Log(slog.LevelWarn, "Validation failed: no special character")
-		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"})
+	// Validate password complexity dynamically based on Descope policy
+	policy, err := h.DescopeClient.Auth.Password().GetPasswordPolicy(context.Background())
+	if err != nil {
+		// If policy fetch fails, log warning and proceed (or fallback to basic check)
+		ale.Log(slog.LevelWarn, "Failed to fetch password policy, skipping dynamic validation: "+err.Error())
+	} else {
+		if len(req.NewPassword) < int(policy.MinLength) {
+			ale.Status = fiber.StatusBadRequest
+			ale.LatencyMs = time.Since(startTime)
+			ale.DescopeError = fmt.Sprintf("Password must be at least %d characters long", policy.MinLength)
+			ale.Log(slog.LevelWarn, "Validation failed: password too short")
+			return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": ale.DescopeError})
+		}
+		if policy.Lowercase {
+			if ok, _ := regexp.MatchString(`[a-z]`, req.NewPassword); !ok {
+				ale.Status = fiber.StatusBadRequest
+				ale.LatencyMs = time.Since(startTime)
+				ale.DescopeError = "Password must contain at least one lowercase letter"
+				ale.Log(slog.LevelWarn, "Validation failed: no lowercase letter")
+				return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one lowercase letter"})
+			}
+		}
+		if policy.Uppercase {
+			if ok, _ := regexp.MatchString(`[A-Z]`, req.NewPassword); !ok {
+				ale.Status = fiber.StatusBadRequest
+				ale.LatencyMs = time.Since(startTime)
+				ale.DescopeError = "Password must contain at least one uppercase letter"
+				ale.Log(slog.LevelWarn, "Validation failed: no uppercase letter")
+				return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one uppercase letter"})
+			}
+		}
+		if policy.Number {
+			if ok, _ := regexp.MatchString(`[0-9]`, req.NewPassword); !ok {
+				ale.Status = fiber.StatusBadRequest
+				ale.LatencyMs = time.Since(startTime)
+				ale.DescopeError = "Password must contain at least one number"
+				ale.Log(slog.LevelWarn, "Validation failed: no number")
+				return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one number"})
+			}
+		}
+		if policy.NonAlphanumeric {
+			if ok, _ := regexp.MatchString(`[\W_]`, req.NewPassword); !ok {
+				ale.Status = fiber.StatusBadRequest
+				ale.LatencyMs = time.Since(startTime)
+				ale.DescopeError = "Password must contain at least one special character"
+				ale.Log(slog.LevelWarn, "Validation failed: no special character")
+				return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"})
+			}
+		}
 	}

 	ale.Log(slog.LevelInfo, "Attempting to update password via Descope Auth API")
--- a/frontend/lib/features/auth/presentation/signup_screen.dart
+++ b/frontend/lib/features/auth/presentation/signup_screen.dart
@@ -35,6 +35,8 @@ class _SignupScreenState extends State<SignupScreen> {
  bool _termsAccepted = false;
  bool _privacyAccepted = false;
  bool _isLoading = false;
+  Map<String, dynamic>? _policy;
+  bool _isPolicyLoading = false;

  // Inline Errors
  String? _emailError;
@@ -58,6 +60,24 @@ class _SignupScreenState extends State<SignupScreen> {
    'baroncs.co.kr': 'BARON',
  };

+  @override
+  void initState() {
+    super.initState();
+    _loadPolicy();
+  }
+
+  Future<void> _loadPolicy() async {
+    setState(() => _isPolicyLoading = true);
+    try {
+      final policy = await AuthProxyService.fetchPasswordPolicy();
+      if (mounted) setState(() => _policy = policy);
+    } catch (_) {
+      // Ignore errors, will use defaults
+    } finally {
+      if (mounted) setState(() => _isPolicyLoading = false);
+    }
+  }
+
  @override
  void dispose() {
    _emailTimer?.cancel();
@@ -757,13 +777,40 @@ class _SignupScreenState extends State<SignupScreen> {
    );
  }

+  String _buildPolicyDescription() {
+    if (_isPolicyLoading) {
+      return "비밀번호 정책을 불러오는 중입니다...";
+    }
+    final minLength = (_policy?['minLength'] as int?) ?? 8;
+    final requiresLower = _policy?['lowercase'] ?? true;
+    final requiresUpper = _policy?['uppercase'] ?? true;
+    final requiresNumber = _policy?['number'] ?? true;
+    final requiresSymbol = _policy?['nonAlphanumeric'] ?? true;
+
+    final parts = <String>["최소 $minLength자 이상"];
+    if (requiresUpper) parts.add("대문자");
+    if (requiresLower) parts.add("소문자");
+    if (requiresNumber) parts.add("숫자");
+    if (requiresSymbol) parts.add("특수문자");
+
+    return "보안 정책: ${parts.join(', ')}를 각각 최소 1자 이상 포함해야 합니다.";
+  }
+
  Widget _buildStepPassword() {
    String p = _passwordController.text;
-    bool hasUpper = p.contains(RegExp(r'[A-Z]'));
-    bool hasLower = p.contains(RegExp(r'[a-z]'));
-    bool hasDigit = p.contains(RegExp(r'[0-9]'));
-    bool hasSpecial = p.contains(RegExp(r'[!@#$%^&*(),.?":{}|<>]'));
-    bool hasLength = p.length >= 12;
+    
+    // Default Policy Fallback
+    final minLength = (_policy?['minLength'] as int?) ?? 8;
+    final requiresLower = _policy?['lowercase'] ?? true;
+    final requiresUpper = _policy?['uppercase'] ?? true;
+    final requiresNumber = _policy?['number'] ?? true;
+    final requiresSymbol = _policy?['nonAlphanumeric'] ?? true;
+
+    bool hasLength = p.length >= minLength;
+    bool hasUpper = !requiresUpper || p.contains(RegExp(r'[A-Z]'));
+    bool hasLower = !requiresLower || p.contains(RegExp(r'[a-z]'));
+    bool hasDigit = !requiresNumber || p.contains(RegExp(r'[0-9]'));
+    bool hasSpecial = !requiresSymbol || p.contains(RegExp(r'[!@#$%^&*(),.?":{}|<>]'));

    return Column(
      crossAxisAlignment: CrossAxisAlignment.stretch,
@@ -780,7 +827,7 @@ class _SignupScreenState extends State<SignupScreen> {
              const SizedBox(width: 10),
              Expanded(
                child: Text(
-                  '보안 정책: 12자 이상, 대문자/소문자/숫자/특수문자를 각각 최소 1자 이상 포함해야 합니다.',
+                  _buildPolicyDescription(),
                  style: TextStyle(fontSize: 12, color: Colors.blue[800], fontWeight: FontWeight.w500),
                ),
              ),
@@ -802,11 +849,11 @@ class _SignupScreenState extends State<SignupScreen> {
        Wrap(
          spacing: 10,
          children: [
-            _cryptoCheck('12자 이상', hasLength),
-            _cryptoCheck('대문자', hasUpper),
-            _cryptoCheck('소문자', hasLower),
-            _cryptoCheck('숫자', hasDigit),
-            _cryptoCheck('특수문자', hasSpecial),
+            _cryptoCheck('$minLength자 이상', hasLength),
+            if (requiresUpper) _cryptoCheck('대문자', hasUpper),
+            if (requiresLower) _cryptoCheck('소문자', hasLower),
+            if (requiresNumber) _cryptoCheck('숫자', hasDigit),
+            if (requiresSymbol) _cryptoCheck('특수문자', hasSpecial),
          ],
        ),
        const SizedBox(height: 16),