ory stack 설정 검사 추가. make 명령으로 실행 필요.

scripts/auth_config.sh

@@ -32,6 +32,24 @@ warn() {
   WARNINGS+=("$1")
 }
 
+validate_dotenv_line_safety() {
+  local key="$1"
+  local env_file="$ROOT_DIR/.env"
+  [[ -f "$env_file" ]] || return 0
+
+  local raw_line
+  raw_line="$(grep -E "^${key}=" "$env_file" | tail -n 1 || true)"
+  [[ -n "$raw_line" ]] || return 0
+
+  if [[ "$raw_line" == *" #"* ]]; then
+    fail ".env line for $key contains inline comment. Use comment-only line above the key."
+  fi
+
+  if [[ "$raw_line" =~ [[:space:]]+$ ]]; then
+    fail ".env line for $key has trailing whitespace."
+  fi
+}
+
 trim() {
   local value="$1"
   value="${value#"${value%%[![:space:]]*}"}"
@@ -50,6 +68,38 @@ csv_to_lines() {
   done
 }
 
+list_to_lines() {
+  local raw="$1"
+  raw="$(trim "$raw")"
+  if [[ -z "$raw" || "$raw" == "[]" ]]; then
+    return 0
+  fi
+
+  if [[ "$raw" =~ ^\[(.*)\]$ ]]; then
+    local inner="${BASH_REMATCH[1]}"
+    inner="$(trim "$inner")"
+    if [[ -z "$inner" ]]; then
+      return 0
+    fi
+
+    printf '%s\n' "$inner" | tr ',' '\n' | while IFS= read -r token; do
+      local item
+      item="$(trim "$token")"
+      item="${item#\"}"
+      item="${item%\"}"
+      item="${item#\'}"
+      item="${item%\'}"
+      item="$(trim "$item")"
+      if [[ -n "$item" ]]; then
+        printf '%s\n' "$item"
+      fi
+    done
+    return 0
+  fi
+
+  csv_to_lines "$raw"
+}
+
 is_http_url() {
   local url="$1"
   [[ "$url" =~ ^https?://[^[:space:]]+$ ]]
@@ -144,7 +194,7 @@ collect_values() {
 
   while IFS= read -r item; do
     EXTRA_ALLOWED_RETURNS+=("$item")
-  done < <(csv_to_lines "$KRATOS_ALLOWED_RETURN_URLS_EXTRA")
+  done < <(list_to_lines "$KRATOS_ALLOWED_RETURN_URLS_EXTRA")
 }
 
 validate_urls() {
@@ -169,8 +219,13 @@ validate_callback_group() {
   local has_path=0
   for url in "${urls[@]}"; do
     validate_urls "$group_name entry" "$url"
+    local canonical
+    canonical="$(canonicalize_url "$url")"
+    if [[ "$url" != "$canonical" ]]; then
+      fail "$group_name entry must not end with trailing slash: $url"
+    fi
     local path
-    path="$(url_path "$url")"
+    path="$(url_path "$canonical")"
     if [[ -n "$path" && "$path" != "/" ]]; then
       has_path=1
     fi
@@ -283,9 +338,9 @@ EOF
 validate_compose_wiring() {
   grep -Eq 'KRATOS_SELFSERVICE_ALLOWED_RETURN_URLS=\$\{KRATOS_ALLOWED_RETURN_URLS_JSON' "$ROOT_DIR/compose.ory.yaml" \
     || fail "compose.ory.yaml is not wired to KRATOS_ALLOWED_RETURN_URLS_JSON"
-  grep -Eq 'ADMINFRONT_CALLBACK_URLS=\$\{ADMINFRONT_CALLBACK_URLS' "$ROOT_DIR/compose.ory.yaml" \
+  grep -Eq 'ADMINFRONT_CALLBACK_URLS' "$ROOT_DIR/compose.ory.yaml" \
     || fail "compose.ory.yaml is not wired to ADMINFRONT_CALLBACK_URLS"
-  grep -Eq 'DEVFRONT_CALLBACK_URLS=\$\{DEVFRONT_CALLBACK_URLS' "$ROOT_DIR/compose.ory.yaml" \
+  grep -Eq 'DEVFRONT_CALLBACK_URLS' "$ROOT_DIR/compose.ory.yaml" \
     || fail "compose.ory.yaml is not wired to DEVFRONT_CALLBACK_URLS"
 }
 
@@ -301,10 +356,10 @@ verify_runtime_hydra_clients() {
   fi
 
   local admin_info dev_info
-  if ! admin_info="$(docker exec ory_hydra hydra clients get --endpoint http://hydra:4445 adminfront 2>/dev/null)"; then
+  if ! admin_info="$(docker exec ory_hydra hydra get oauth2-client --endpoint http://hydra:4445 adminfront 2>/dev/null)"; then
     fail "failed to read hydra client 'adminfront' from running container"
   fi
-  if ! dev_info="$(docker exec ory_hydra hydra clients get --endpoint http://hydra:4445 devfront 2>/dev/null)"; then
+  if ! dev_info="$(docker exec ory_hydra hydra get oauth2-client --endpoint http://hydra:4445 devfront 2>/dev/null)"; then
     fail "failed to read hydra client 'devfront' from running container"
   fi
 
@@ -321,6 +376,15 @@ verify_runtime_hydra_clients() {
 }
 
 run_validation() {
+  validate_dotenv_line_safety "USERFRONT_URL"
+  validate_dotenv_line_safety "BACKEND_URL"
+  validate_dotenv_line_safety "OATHKEEPER_PUBLIC_URL"
+  validate_dotenv_line_safety "HYDRA_PUBLIC_URL"
+  validate_dotenv_line_safety "KRATOS_BROWSER_URL"
+  validate_dotenv_line_safety "KRATOS_UI_URL"
+  validate_dotenv_line_safety "ADMINFRONT_CALLBACK_URLS"
+  validate_dotenv_line_safety "DEVFRONT_CALLBACK_URLS"
+
   collect_values
   validate_callback_group "ADMINFRONT_CALLBACK_URLS" "/auth/callback" "${ADMIN_CALLBACKS[@]}"
   validate_callback_group "DEVFRONT_CALLBACK_URLS" "/callback" "${DEV_CALLBACKS[@]}"