kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

Merge commit '1406c20959678870fe01564147613b24806697a2'

Browse Source
This commit is contained in:
조찬영
2026-02-03 14:27:21 +09:00
parent d09abab5a2 1406c20959
commit 3868f5967e
25 changed files with 4683 additions and 277 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
backend/cmd/server/main.go
View File

@@ -159,6 +159,20 @@ func main() {
slog.Info("✅ Connected to ClickHouse") slog.Info("✅ Connected to ClickHouse")
} }
var oathkeeperRepo domain.OathkeeperLogRepository
oryCHHost := getEnv("ORY_CLICKHOUSE_HOST", "ory_clickhouse")
oryCHPort, _ := strconv.Atoi(getEnv("ORY_CLICKHOUSE_PORT_NATIVE", "9000"))
oryCHUser := getEnv("ORY_CLICKHOUSE_USER", "ory")
oryCHPass := getEnv("ORY_CLICKHOUSE_PASSWORD", "orypass")
oryCHDB := getEnv("ORY_CLICKHOUSE_DB", "ory")
if repo, err := repository.NewOathkeeperClickHouseRepository(oryCHHost, oryCHPort, oryCHUser, oryCHPass, oryCHDB); err != nil {
slog.Warn("Failed to connect to Ory ClickHouse. Oathkeeper logs will be skipped.", "error", err)
oathkeeperRepo = nil
} else {
oathkeeperRepo = repo
slog.Info("✅ Connected to Ory ClickHouse")
}
// PostgreSQL (Meta Store) // PostgreSQL (Meta Store)
pgHost := getEnv("DB_HOST", "localhost") pgHost := getEnv("DB_HOST", "localhost")
pgPort := getEnv("DB_PORT", "5432") pgPort := getEnv("DB_PORT", "5432")
@@ -244,7 +258,7 @@ func main() {
appEnv := getEnv("APP_ENV", "dev") appEnv := getEnv("APP_ENV", "dev")
app := fiber.New(fiber.Config{ app := fiber.New(fiber.Config{
AppName: "Baron SSO Backend", AppName: "Baron SSO Backend",
DisableStartupMessage: true, // Clean logs DisableStartupMessage: true, // Clean logs
ReadBufferSize: 32768, // 32KB로 증가 (긴 OIDC 챌린지 대응) ReadBufferSize: 32768, // 32KB로 증가 (긴 OIDC 챌린지 대응)
// Global Error Handler for Production Masking // Global Error Handler for Production Masking
ErrorHandler: func(c *fiber.Ctx, err error) error { ErrorHandler: func(c *fiber.Ctx, err error) error {
@@ -468,6 +482,7 @@ func main() {
auth.Post("/password/login", authHandler.PasswordLogin) auth.Post("/password/login", authHandler.PasswordLogin)
auth.Get("/consent", authHandler.GetConsentRequest) auth.Get("/consent", authHandler.GetConsentRequest)
auth.Post("/consent/accept", authHandler.AcceptConsentRequest) auth.Post("/consent/accept", authHandler.AcceptConsentRequest)
auth.Post("/oidc/login/accept", authHandler.AcceptOidcLoginRequest)
auth.Post("/enchanted-link/init", authHandler.InitEnchantedLink) auth.Post("/enchanted-link/init", authHandler.InitEnchantedLink)
auth.Post("/enchanted-link/poll", authHandler.PollEnchantedLink) auth.Post("/enchanted-link/poll", authHandler.PollEnchantedLink)

30
backend/internal/domain/oathkeeper_models.go Normal file
View File

@@ -0,0 +1,30 @@
package domain
import (
"context"
"time"
)
type OathkeeperAccessLog struct {
Timestamp time.Time
RequestID string
Method string
Path string
Status int
LatencyMs int
RP string
Action string
Target string
Subject string
ClientIP string
UserAgent string
Decision string
TraceID string
SpanID string
Raw string
}
type OathkeeperLogRepository interface {
FindPageBySubject(ctx context.Context, subject string, limit int, cursor *AuditCursor) ([]OathkeeperAccessLog, error)
Ping(ctx context.Context) error
}

1058
backend/internal/handler/auth_handler.go
View File

File diff suppressed because it is too large Load Diff

201
backend/internal/handler/auth_handler_oidc_test.go Normal file
View File

@@ -0,0 +1,201 @@
package handler
import (
"bytes"
"encoding/json"
"io"
"net/http"
"net/http/httptest"
"testing"
"github.com/gofiber/fiber/v2"
"baron-sso-backend/internal/service"
)
func newOidcLoginTestApp(h *AuthHandler) *fiber.App {
app := fiber.New()
app.Post("/api/v1/auth/oidc/login/accept", h.AcceptOidcLoginRequest)
return app
}
func TestAcceptOidcLoginRequest_CookieOnly(t *testing.T) {
var gotSubject string
var gotChallenge string
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
switch r.URL.Host {
case "kratos.test":
if r.URL.Path != "/sessions/whoami" {
return httpResponse(r, http.StatusNotFound, "not found"), nil
}
if r.Header.Get("X-Session-Token") != "" {
return httpResponse(r, http.StatusUnauthorized, "invalid token"), nil
}
if r.Header.Get("Cookie") == "" {
return httpResponse(r, http.StatusUnauthorized, "missing cookie"), nil
}
return httpJSON(r, http.StatusOK, map[string]interface{}{
"identity": map[string]interface{}{
"id": "kratos-123",
"traits": map[string]interface{}{},
},
}), nil
case "hydra.test":
if r.URL.Path != "/oauth2/auth/requests/login/accept" {
return httpResponse(r, http.StatusNotFound, "not found"), nil
}
gotChallenge = r.URL.Query().Get("login_challenge")
body, _ := io.ReadAll(r.Body)
var payload map[string]interface{}
_ = json.Unmarshal(body, &payload)
if subject, ok := payload["subject"].(string); ok {
gotSubject = subject
}
return httpResponse(r, http.StatusOK, `{"redirect_to":"http://rp/cb"}`), nil
default:
return httpResponse(r, http.StatusNotFound, "not found"), nil
}
})
client := &http.Client{Transport: transport}
origDefault := http.DefaultClient
http.DefaultClient = client
defer func() {
http.DefaultClient = origDefault
}()
t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
h := &AuthHandler{
Hydra: &service.HydraAdminService{
AdminURL: "http://hydra.test",
HTTPClient: client,
},
}
app := newOidcLoginTestApp(h)
body, _ := json.Marshal(map[string]string{
"login_challenge": "challenge-123",
})
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/oidc/login/accept", bytes.NewReader(body))
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Cookie", "ory_kratos_session=abc123")
resp, err := app.Test(req)
if err != nil {
t.Fatalf("request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Fatalf("expected 200, got %d", resp.StatusCode)
}
var got map[string]string
if err := json.NewDecoder(resp.Body).Decode(&got); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if got["redirectTo"] != "http://rp/cb" {
t.Fatalf("unexpected redirectTo: %v", got["redirectTo"])
}
if gotSubject != "kratos-123" {
t.Fatalf("unexpected subject: %v", gotSubject)
}
if gotChallenge != "challenge-123" {
t.Fatalf("unexpected login_challenge: %v", gotChallenge)
}
}
func TestAcceptOidcLoginRequest_TokenFallbackToCookie(t *testing.T) {
var gotSubject string
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
switch r.URL.Host {
case "kratos.test":
if r.URL.Path != "/sessions/whoami" {
return httpResponse(r, http.StatusNotFound, "not found"), nil
}
if r.Header.Get("X-Session-Token") != "" {
return httpResponse(r, http.StatusUnauthorized, "invalid token"), nil
}
if r.Header.Get("Cookie") == "" {
return httpResponse(r, http.StatusUnauthorized, "missing cookie"), nil
}
return httpJSON(r, http.StatusOK, map[string]interface{}{
"identity": map[string]interface{}{
"id": "kratos-456",
"traits": map[string]interface{}{},
},
}), nil
case "hydra.test":
if r.URL.Path != "/oauth2/auth/requests/login/accept" {
return httpResponse(r, http.StatusNotFound, "not found"), nil
}
body, _ := io.ReadAll(r.Body)
var payload map[string]interface{}
_ = json.Unmarshal(body, &payload)
if subject, ok := payload["subject"].(string); ok {
gotSubject = subject
}
return httpResponse(r, http.StatusOK, `{"redirect_to":"http://rp/cb"}`), nil
default:
return httpResponse(r, http.StatusNotFound, "not found"), nil
}
})
client := &http.Client{Transport: transport}
origDefault := http.DefaultClient
http.DefaultClient = client
defer func() {
http.DefaultClient = origDefault
}()
t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
h := &AuthHandler{
Hydra: &service.HydraAdminService{
AdminURL: "http://hydra.test",
HTTPClient: client,
},
}
app := newOidcLoginTestApp(h)
body, _ := json.Marshal(map[string]string{
"login_challenge": "challenge-456",
})
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/oidc/login/accept", bytes.NewReader(body))
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Authorization", "Bearer invalid-token")
req.Header.Set("Cookie", "ory_kratos_session=def456")
resp, err := app.Test(req)
if err != nil {
t.Fatalf("request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Fatalf("expected 200, got %d", resp.StatusCode)
}
if gotSubject != "kratos-456" {
t.Fatalf("unexpected subject: %v", gotSubject)
}
}
type roundTripFunc func(*http.Request) (*http.Response, error)
func (f roundTripFunc) RoundTrip(req *http.Request) (*http.Response, error) {
return f(req)
}
func httpResponse(req *http.Request, status int, body string) *http.Response {
return &http.Response{
StatusCode: status,
Header: make(http.Header),
Body: io.NopCloser(bytes.NewBufferString(body)),
Request: req,
}
}
func httpJSON(req *http.Request, status int, payload map[string]interface{}) *http.Response {
data, _ := json.Marshal(payload)
resp := httpResponse(req, status, string(data))
resp.Header.Set("Content-Type", "application/json")
return resp
}

16
backend/internal/handler/dev_handler.go
View File

@@ -396,16 +396,26 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error {
items := make([]consentSummary, 0, len(sessions)) items := make([]consentSummary, 0, len(sessions))
for _, session := range sessions { for _, session := range sessions {
client := session.Client
if client.ClientID == "" && session.ConsentRequest != nil {
client = session.ConsentRequest.Client
}
subject := session.Subject
if subject == "" && session.ConsentRequest != nil {
subject = session.ConsentRequest.Subject
}
authAt := "" authAt := ""
if session.AuthenticatedAt != nil { if session.AuthenticatedAt != nil {
authAt = session.AuthenticatedAt.Format(time.RFC3339) authAt = session.AuthenticatedAt.Format(time.RFC3339)
} else if session.RequestedAt != nil { } else if session.RequestedAt != nil {
authAt = session.RequestedAt.Format(time.RFC3339) authAt = session.RequestedAt.Format(time.RFC3339)
} else if session.HandledAt != nil {
authAt = session.HandledAt.Format(time.RFC3339)
} }
items = append(items, consentSummary{ items = append(items, consentSummary{
Subject: session.Subject, Subject: subject,
ClientID: session.Client.ClientID, ClientID: client.ClientID,
ClientName: session.Client.ClientName, ClientName: client.ClientName,
GrantedScopes: session.GrantedScope, GrantedScopes: session.GrantedScope,
AuthenticatedAt: authAt, AuthenticatedAt: authAt,
}) })

106
backend/internal/repository/oathkeeper_clickhouse_repo.go Normal file
View File

@@ -0,0 +1,106 @@
package repository
import (
"baron-sso-backend/internal/domain"
"context"
"fmt"
"github.com/ClickHouse/clickhouse-go/v2"
"github.com/ClickHouse/clickhouse-go/v2/lib/driver"
)
type OathkeeperClickHouseRepository struct {
conn driver.Conn
}
func NewOathkeeperClickHouseRepository(host string, port int, user, password, db string) (*OathkeeperClickHouseRepository, error) {
conn, err := clickhouse.Open(&clickhouse.Options{
Addr: []string{fmt.Sprintf("%s:%d", host, port)},
Auth: clickhouse.Auth{
Database: db,
Username: user,
Password: password,
},
Debug: false,
})
if err != nil {
return nil, fmt.Errorf("failed to open ory clickhouse connection: %w", err)
}
if err := conn.Ping(context.Background()); err != nil {
return nil, fmt.Errorf("failed to ping ory clickhouse: %w", err)
}
return &OathkeeperClickHouseRepository{conn: conn}, nil
}
func (r *OathkeeperClickHouseRepository) FindPageBySubject(ctx context.Context, subject string, limit int, cursor *domain.AuditCursor) ([]domain.OathkeeperAccessLog, error) {
if limit <= 0 {
limit = 50
}
query := `
SELECT timestamp, request_id, method, path, status, latency_ms, rp, action, target, subject, client_ip, user_agent, decision, trace_id, span_id, raw
FROM oathkeeper_access_logs
`
args := make([]any, 0, 5)
if subject != "" {
query += `
WHERE subject = ?
`
args = append(args, subject)
if cursor != nil {
query += `
AND ((timestamp < ?) OR (timestamp = ? AND request_id < ?))
`
args = append(args, cursor.Timestamp, cursor.Timestamp, cursor.EventID)
}
} else if cursor != nil {
query += `
WHERE (timestamp < ?) OR (timestamp = ? AND request_id < ?)
`
args = append(args, cursor.Timestamp, cursor.Timestamp, cursor.EventID)
}
query += `
ORDER BY timestamp DESC, request_id DESC
LIMIT ?
`
args = append(args, limit)
rows, err := r.conn.Query(ctx, query, args...)
if err != nil {
return nil, fmt.Errorf("failed to query oathkeeper logs: %w", err)
}
defer rows.Close()
var logs []domain.OathkeeperAccessLog
for rows.Next() {
var log domain.OathkeeperAccessLog
if err := rows.Scan(
&log.Timestamp,
&log.RequestID,
&log.Method,
&log.Path,
&log.Status,
&log.LatencyMs,
&log.RP,
&log.Action,
&log.Target,
&log.Subject,
&log.ClientIP,
&log.UserAgent,
&log.Decision,
&log.TraceID,
&log.SpanID,
&log.Raw,
); err != nil {
return nil, fmt.Errorf("failed to scan oathkeeper log: %w", err)
}
logs = append(logs, log)
}
return logs, nil
}
func (r *OathkeeperClickHouseRepository) Ping(ctx context.Context) error {
if r == nil || r.conn == nil {
return fmt.Errorf("ory clickhouse connection is nil")
}
return r.conn.Ping(ctx)
}

6
backend/internal/service/descope_service.go
View File

@@ -135,7 +135,8 @@ func (d *DescopeProvider) SignIn(loginID, password string) (*domain.AuthInfo, er
Expiration: time.Unix(authInfo.SessionToken.Expiration, 0), Expiration: time.Unix(authInfo.SessionToken.Expiration, 0),
SessionID: authInfo.SessionToken.ID, SessionID: authInfo.SessionToken.ID,
}, },
Subject: authInfo.User.UserID, // 내부 식별자는 Kratos identity ID로 통일합니다.
Subject: "",
} }
if authInfo.RefreshToken != nil { if authInfo.RefreshToken != nil {
res.RefreshToken = &domain.Token{ res.RefreshToken = &domain.Token{
@@ -204,7 +205,8 @@ func (d *DescopeProvider) IssueSession(loginID string) (*domain.AuthInfo, error)
Expiration: time.Unix(authInfo.SessionToken.Expiration, 0), Expiration: time.Unix(authInfo.SessionToken.Expiration, 0),
SessionID: authInfo.SessionToken.ID, SessionID: authInfo.SessionToken.ID,
}, },
Subject: authInfo.User.UserID, // 내부 식별자는 Kratos identity ID로 통일합니다.
Subject: "",
} }
if authInfo.RefreshToken != nil { if authInfo.RefreshToken != nil {
res.RefreshToken = &domain.Token{ res.RefreshToken = &domain.Token{

31
backend/internal/service/hydra_admin_service.go
View File

@@ -46,13 +46,17 @@ type HydraConsentRequest struct {
} }
type HydraConsentSession struct { type HydraConsentSession struct {
Subject string `json:"subject"` ConsentRequestID string `json:"consent_request_id,omitempty"`
GrantedScope []string `json:"granted_scope"` Subject string `json:"subject,omitempty"`
GrantedAudience []string `json:"granted_audience,omitempty"` GrantedScope []string `json:"grant_scope,omitempty"`
Remember bool `json:"remember"` GrantedAudience []string `json:"grant_access_token_audience,omitempty"`
AuthenticatedAt *time.Time `json:"authenticated_at,omitempty"` Remember bool `json:"remember"`
RequestedAt *time.Time `json:"requested_at,omitempty"` RememberFor int `json:"remember_for,omitempty"`
Client HydraClient `json:"client"` AuthenticatedAt *time.Time `json:"authenticated_at,omitempty"`
RequestedAt *time.Time `json:"requested_at,omitempty"`
HandledAt *time.Time `json:"handled_at,omitempty"`
Client HydraClient `json:"client,omitempty"`
ConsentRequest *HydraConsentRequest `json:"consent_request,omitempty"`
} }
func NewHydraAdminService() *HydraAdminService { func NewHydraAdminService() *HydraAdminService {
@@ -267,13 +271,13 @@ func (s *HydraAdminService) ListConsentSessions(ctx context.Context, subject, cl
} }
defer resp.Body.Close() defer resp.Body.Close()
body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
if resp.StatusCode >= 300 { if resp.StatusCode >= 300 {
body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
return nil, fmt.Errorf("hydra admin: list consent sessions failed status=%d body=%s", resp.StatusCode, string(body)) return nil, fmt.Errorf("hydra admin: list consent sessions failed status=%d body=%s", resp.StatusCode, string(body))
} }
var sessions []HydraConsentSession var sessions []HydraConsentSession
if err := json.NewDecoder(resp.Body).Decode(&sessions); err != nil { if err := json.Unmarshal(body, &sessions); err != nil {
return nil, fmt.Errorf("hydra admin: decode consent sessions failed: %w", err) return nil, fmt.Errorf("hydra admin: decode consent sessions failed: %w", err)
} }
return sessions, nil return sessions, nil
@@ -398,7 +402,7 @@ func (s *HydraAdminService) GetConsentRequest(ctx context.Context, challenge str
return &consentReq, nil return &consentReq, nil
} }
func (s *HydraAdminService) AcceptConsentRequest(ctx context.Context, challenge string, grantInfo *HydraConsentRequest) (*AcceptConsentRequestResponse, error) { func (s *HydraAdminService) AcceptConsentRequest(ctx context.Context, challenge string, grantInfo *HydraConsentRequest, sessionClaims map[string]any) (*AcceptConsentRequestResponse, error) {
params := map[string]string{ params := map[string]string{
"consent_challenge": challenge, "consent_challenge": challenge,
} }
@@ -413,6 +417,12 @@ func (s *HydraAdminService) AcceptConsentRequest(ctx context.Context, challenge
"remember": true, "remember": true,
"remember_for": 3600, "remember_for": 3600,
} }
if len(sessionClaims) > 0 {
payload["session"] = map[string]any{
"id_token": sessionClaims,
"access_token": sessionClaims,
}
}
body, _ := json.Marshal(payload) body, _ := json.Marshal(payload)
req, err := http.NewRequestWithContext(ctx, "PUT", endpoint, bytes.NewReader(body)) req, err := http.NewRequestWithContext(ctx, "PUT", endpoint, bytes.NewReader(body))
@@ -443,7 +453,6 @@ func (s *HydraAdminService) AcceptConsentRequest(ctx context.Context, challenge
return &AcceptConsentRequestResponse{RedirectTo: hydraResp.RedirectTo}, nil return &AcceptConsentRequestResponse{RedirectTo: hydraResp.RedirectTo}, nil
} }
func (s *HydraAdminService) AcceptLoginRequest(ctx context.Context, challenge string, subject string) (*AcceptLoginRequestResponse, error) { func (s *HydraAdminService) AcceptLoginRequest(ctx context.Context, challenge string, subject string) (*AcceptLoginRequestResponse, error) {
params := map[string]string{ params := map[string]string{
"login_challenge": challenge, "login_challenge": challenge,

12
compose.ory.yaml
View File

@@ -144,6 +144,8 @@ services:
environment: environment:
- APP_ENV=${APP_ENV:-development} - APP_ENV=${APP_ENV:-development}
- LOG_LEVEL=debug - LOG_LEVEL=debug
- OATHKEEPER_INTROSPECT_CLIENT_ID=${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}
- OATHKEEPER_INTROSPECT_CLIENT_SECRET=${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}
volumes: volumes:
- ./docker/ory/oathkeeper:/etc/config/oathkeeper - ./docker/ory/oathkeeper:/etc/config/oathkeeper
- ./docker/ory/oathkeeper/logs:/var/log/oathkeeper - ./docker/ory/oathkeeper/logs:/var/log/oathkeeper
@@ -201,6 +203,8 @@ services:
image: oryd/hydra:${HYDRA_VERSION:-v25.4.0} image: oryd/hydra:${HYDRA_VERSION:-v25.4.0}
environment: environment:
- HYDRA_ADMIN_URL=http://hydra:4445 - HYDRA_ADMIN_URL=http://hydra:4445
- OATHKEEPER_INTROSPECT_CLIENT_ID=${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}
- OATHKEEPER_INTROSPECT_CLIENT_SECRET=${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}
command: | command: |
hydra clients create \ hydra clients create \
--endpoint http://hydra:4445 \ --endpoint http://hydra:4445 \
@@ -220,6 +224,14 @@ services:
--token-endpoint-auth-method none \ --token-endpoint-auth-method none \
--response-types code \ --response-types code \
--callbacks http://localhost:5174/callback; --callbacks http://localhost:5174/callback;
hydra clients create \
--endpoint http://hydra:4445 \
--id "$OATHKEEPER_INTROSPECT_CLIENT_ID" \
--secret "$OATHKEEPER_INTROSPECT_CLIENT_SECRET" \
--grant-types client_credentials \
--response-types token \
--scope openid,offline_access,profile,email;
depends_on: depends_on:
ory_stack_check: ory_stack_check:
condition: service_completed_successfully condition: service_completed_successfully

10
docker/ory/clickhouse/init.sql
View File

@@ -7,13 +7,23 @@ CREATE TABLE IF NOT EXISTS ory.oathkeeper_access_logs (
path String DEFAULT '', path String DEFAULT '',
status UInt16 DEFAULT 0, status UInt16 DEFAULT 0,
latency_ms UInt32 DEFAULT 0, latency_ms UInt32 DEFAULT 0,
client_id String DEFAULT '',
rp String DEFAULT '', rp String DEFAULT '',
action String DEFAULT '', action String DEFAULT '',
target String DEFAULT '', target String DEFAULT '',
rule_id String DEFAULT '',
host String DEFAULT '',
scheme String DEFAULT '',
query String DEFAULT '',
upstream_url String DEFAULT '',
subject String DEFAULT '', subject String DEFAULT '',
parent_session_id String DEFAULT '',
client_ip String DEFAULT '', client_ip String DEFAULT '',
user_agent String DEFAULT '', user_agent String DEFAULT '',
referer String DEFAULT '',
decision String DEFAULT '', decision String DEFAULT '',
bytes_in UInt64 DEFAULT 0,
bytes_out UInt64 DEFAULT 0,
trace_id String DEFAULT '', trace_id String DEFAULT '',
span_id String DEFAULT '', span_id String DEFAULT '',
raw String DEFAULT '' raw String DEFAULT ''

17
docker/ory/oathkeeper/oathkeeper.yml
View File

@@ -26,6 +26,23 @@ authenticators:
preserve_path: true preserve_path: true
extra_from: "@this" extra_from: "@this"
subject_from: "identity.id" subject_from: "identity.id"
oauth2_introspection:
enabled: true
config:
introspection_url: http://hydra:4444/oauth2/introspect
pre_authorization:
enabled: true
client_id: ${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}
client_secret: ${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}
token_url: http://hydra:4444/oauth2/token
jwt:
enabled: true
config:
jwks_urls:
- http://hydra:4444/.well-known/jwks.json
trusted_issuers:
- http://hydra:4444/
scope_strategy: none
authorizers: authorizers:
allow: allow:

18
docker/ory/oathkeeper/rules.draft.json
View File

@@ -84,5 +84,23 @@
"authenticators": [{ "handler": "noop" }], "authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }] "mutators": [{ "handler": "noop" }]
},
{
"id": "rp-host-template",
"description": "RP 호스트 기반 템플릿. redirect_uri의 host를 기준으로 매칭합니다.",
"match": {
"url": "<.*>://rp.example.com/<.*>",
"methods": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
},
"upstream": {
"url": "http://rp_upstream:8080"
},
"authenticators": [
{ "handler": "cookie_session" },
{ "handler": "oauth2_introspection" },
{ "handler": "jwt" }
],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
} }
] ]

22
docker/ory/vector/vector.toml
View File

@@ -15,6 +15,9 @@
request_method = get(parsed, ["request", "method"]) ?? "" request_method = get(parsed, ["request", "method"]) ?? ""
request_path = get(parsed, ["request", "path"]) ?? "" request_path = get(parsed, ["request", "path"]) ?? ""
request_url = get(parsed, ["request", "url"]) ?? "" request_url = get(parsed, ["request", "url"]) ?? ""
request_host = get(parsed, ["request", "host"]) ?? ""
request_scheme = get(parsed, ["request", "scheme"]) ?? ""
request_query = get(parsed, ["request", "query"]) ?? ""
.method = parsed.method ?? parsed.http_method ?? request_method ?? "" .method = parsed.method ?? parsed.http_method ?? request_method ?? ""
.path = parsed.path ?? parsed.http_path ?? request_path ?? request_url ?? "" .path = parsed.path ?? parsed.http_path ?? request_path ?? request_url ?? ""
response_status = get(parsed, ["response", "status"]) ?? 0 response_status = get(parsed, ["response", "status"]) ?? 0
@@ -27,6 +30,7 @@
.user_agent = parsed.user_agent .user_agent = parsed.user_agent
if is_null(.user_agent) { .user_agent = get(headers, ["User-Agent"]) } if is_null(.user_agent) { .user_agent = get(headers, ["User-Agent"]) }
if is_null(.user_agent) { .user_agent = "" } if is_null(.user_agent) { .user_agent = "" }
.referer = get(headers, ["Referer"]) ?? ""
.decision = parsed.decision .decision = parsed.decision
if is_null(.decision) { .decision = parsed.result } if is_null(.decision) { .decision = parsed.result }
@@ -38,9 +42,21 @@
.span_id = parsed.span_id .span_id = parsed.span_id
if is_null(.span_id) { .span_id = "" } if is_null(.span_id) { .span_id = "" }
.rp = "" .rp = parsed.rp ?? ""
.action = "" .action = parsed.action ?? ""
.target = "" .target = parsed.target ?? ""
.rule_id = parsed.rule_id ?? get(parsed, ["rule", "id"]) ?? ""
parsed_url = {}
if request_url != "" { parsed_url = parse_url(request_url) ?? {} }
query_params = get(parsed_url, ["query"]) ?? {}
.client_id = parsed.client_id ?? get(parsed, ["client", "id"]) ?? get(query_params, ["client_id"]) ?? get(query_params, ["clientId"]) ?? ""
.parent_session_id = parsed.parent_session_id ?? get(parsed, ["extra", "parent_session_id"]) ?? ""
.host = parsed.host ?? request_host ?? ""
.scheme = parsed.scheme ?? request_scheme ?? ""
.query = parsed.query ?? request_query ?? ""
.upstream_url = parsed.upstream_url ?? get(parsed, ["upstream", "url"]) ?? ""
.bytes_in = to_int(parsed.bytes_in ?? parsed.request_bytes ?? 0) ?? 0
.bytes_out = to_int(parsed.bytes_out ?? parsed.response_bytes ?? 0) ?? 0
''' '''
[sinks.clickhouse] [sinks.clickhouse]

2471
docs/개발완료보고서.md Normal file
View File

File diff suppressed because it is too large Load Diff

11
userfront/lib/core/constants/error_whitelist.dart Normal file
View File

@@ -0,0 +1,11 @@
const Map<String, String> errorWhitelistMessages = {
'settings_disabled': '현재 계정 설정 화면은 준비 중입니다.',
'invalid_session': '세션이 만료되었습니다. 다시 로그인해 주세요.',
'verification_required': '추가 인증이 필요합니다. 안내에 따라 진행해 주세요.',
'recovery_expired': '재설정 링크가 만료되었습니다. 다시 요청해 주세요.',
'recovery_invalid': '재설정 링크가 유효하지 않습니다.',
'consent_required': '앱 접근 동의가 필요합니다.',
'rate_limited': '요청이 많습니다. 잠시 후 다시 시도해 주세요.',
'not_found': '요청한 페이지를 찾을 수 없습니다.',
'bad_request': '입력값을 확인해 주세요.',
};

34
userfront/lib/core/services/auth_proxy_service.dart
View File

@@ -2,7 +2,7 @@ import 'dart:convert';
import 'package:http/http.dart' as http; import 'package:http/http.dart' as http;
import 'package:flutter_dotenv/flutter_dotenv.dart'; import 'package:flutter_dotenv/flutter_dotenv.dart';
import 'http_client.dart'; import 'http_client.dart';
import 'dart:html' as html; import 'web_window.dart';
class AuthProxyService { class AuthProxyService {
static String _envOrDefault(String key, String fallback) { static String _envOrDefault(String key, String fallback) {
@@ -215,7 +215,7 @@ class AuthProxyService {
if (response.statusCode == 200) { if (response.statusCode == 200) {
final data = jsonDecode(response.body); final data = jsonDecode(response.body);
if (data['redirectTo'] != null && data['redirectTo'].isNotEmpty) { if (data['redirectTo'] != null && data['redirectTo'].isNotEmpty) {
html.window.location.href = data['redirectTo']; webWindow.redirectTo(data['redirectTo']);
} }
return data; return data;
} else { } else {
@@ -254,6 +254,36 @@ class AuthProxyService {
} }
} }
static Future<Map<String, dynamic>> acceptOidcLogin(
String loginChallenge, {
String? token,
}) async {
final url = Uri.parse('$_baseUrl/api/v1/auth/oidc/login/accept');
final headers = <String, String>{
'Content-Type': 'application/json',
};
if (token != null && token.isNotEmpty) {
headers['Authorization'] = 'Bearer $token';
}
final client = createHttpClient(withCredentials: true);
try {
final response = await client.post(
url,
headers: headers,
body: jsonEncode({'login_challenge': loginChallenge}),
);
if (response.statusCode == 200) {
return jsonDecode(response.body);
} else {
final errorBody = jsonDecode(response.body);
throw Exception(errorBody['error'] ?? 'Failed to accept OIDC login');
}
} finally {
client.close();
}
}
static Future<Map<String, dynamic>> initiatePasswordReset(String loginId, {bool? drySend}) async { static Future<Map<String, dynamic>> initiatePasswordReset(String loginId, {bool? drySend}) async {
final url = Uri.parse('$_baseUrl/api/v1/auth/password/reset/initiate'); final url = Uri.parse('$_baseUrl/api/v1/auth/password/reset/initiate');
final response = await http.post( final response = await http.post(

1
userfront/lib/core/services/web_window.dart Normal file
View File

@@ -0,0 +1 @@
export 'web_window_stub.dart' if (dart.library.html) 'web_window_web.dart';

17
userfront/lib/core/services/web_window_stub.dart Normal file
View File

@@ -0,0 +1,17 @@
class WebWindow {
void redirectTo(String url) {}
void alert(String message) {}
void close() {}
bool hasOpener() {
return false;
}
bool redirectOpenerTo(String url) {
return false;
}
}
final webWindow = WebWindow();

34
userfront/lib/core/services/web_window_web.dart Normal file
View File

@@ -0,0 +1,34 @@
import 'dart:html' as html;
class WebWindow {
void redirectTo(String url) {
html.window.location.href = url;
}
void alert(String message) {
html.window.alert(message);
}
void close() {
html.window.close();
}
bool hasOpener() {
return html.window.opener != null;
}
bool redirectOpenerTo(String url) {
final opener = html.window.opener;
if (opener == null) {
return false;
}
try {
opener.location.href = url;
return true;
} catch (_) {
return false;
}
}
}
final webWindow = WebWindow();

543
userfront/lib/features/auth/presentation/consent_screen.dart
View File

@@ -1,7 +1,6 @@
import 'dart:html' as html;
import 'package:flutter/material.dart'; import 'package:flutter/material.dart';
import 'package:userfront/core/services/auth_proxy_service.dart'; import 'package:userfront/core/services/auth_proxy_service.dart';
import 'package:userfront/core/services/web_window.dart';
class ConsentScreen extends StatefulWidget { class ConsentScreen extends StatefulWidget {
final String consentChallenge; final String consentChallenge;
@@ -13,8 +12,15 @@ class ConsentScreen extends StatefulWidget {
} }
class _ConsentScreenState extends State<ConsentScreen> { class _ConsentScreenState extends State<ConsentScreen> {
static const _ink = Color(0xFF1A1F2C);
static const _surface = Colors.white;
static const _border = Color(0xFFE5E7EB);
static const _subtle = Color(0xFFF7F8FA);
static const _accent = Color(0xFF2563EB);
Map<String, dynamic>? _consentInfo; Map<String, dynamic>? _consentInfo;
bool _isLoading = true; bool _isLoading = true;
bool _isSubmitting = false;
String? _error; String? _error;
@override @override
@@ -32,7 +38,7 @@ class _ConsentScreenState extends State<ConsentScreen> {
}); });
} catch (e) { } catch (e) {
setState(() { setState(() {
_error = 'Failed to load consent information: $e'; _error = '권한 정보를 불러오지 못했습니다: $e';
_isLoading = false; _isLoading = false;
}); });
} }
@@ -40,83 +46,498 @@ class _ConsentScreenState extends State<ConsentScreen> {
Future<void> _acceptConsent() async { Future<void> _acceptConsent() async {
setState(() { setState(() {
_isLoading = true; _isSubmitting = true;
_error = null; _error = null;
}); });
try { try {
final result = final result =
await AuthProxyService.acceptConsent(widget.consentChallenge); await AuthProxyService.acceptConsent(widget.consentChallenge);
if (result['redirectTo'] != null) { final redirectTo = result['redirectTo']?.toString() ?? '';
html.window.location.href = result['redirectTo']; if (redirectTo.isNotEmpty) {
} else { if (webWindow.hasOpener() && webWindow.redirectOpenerTo(redirectTo)) {
setState(() { // 팝업에서 호출된 경우, 부모 창으로 리다이렉트 후 현재 창을 닫습니다.
_error = 'Consent accepted, but no redirect URL received.'; webWindow.close();
_isLoading = false; return;
}); }
webWindow.redirectTo(redirectTo);
return;
} }
setState(() {
_error = '동의는 완료됐지만 이동할 주소를 받지 못했습니다.';
});
} catch (e) { } catch (e) {
setState(() { setState(() {
_error = 'Failed to accept consent: $e'; _error = '동의 처리 중 오류가 발생했습니다: $e';
_isLoading = false;
}); });
} finally {
if (mounted) {
setState(() => _isSubmitting = false);
}
} }
} }
void _rejectConsent() {
webWindow.alert('동의를 취소했습니다. 창을 닫아 주세요.');
}
Map<String, dynamic>? _client() {
final info = _consentInfo;
if (info == null) return null;
final client = info['client'];
if (client is Map<String, dynamic>) {
return client;
}
return null;
}
String _resolveClientName(Map<String, dynamic>? client) {
final name = client?['client_name']?.toString().trim();
if (name != null && name.isNotEmpty) {
return name;
}
final id = client?['client_id']?.toString().trim();
if (id != null && id.isNotEmpty) {
return id;
}
return '알 수 없는 앱';
}
String? _resolveClientId(Map<String, dynamic>? client) {
final id = client?['client_id']?.toString().trim();
if (id != null && id.isNotEmpty) {
return id;
}
return null;
}
String? _resolveClientLogo(Map<String, dynamic>? client) {
final logo = client?['logo_uri']?.toString().trim();
if (logo != null && logo.isNotEmpty) {
return logo;
}
final metadata = client?['metadata'];
if (metadata is Map<String, dynamic>) {
final metaLogo = metadata['logo_url']?.toString().trim();
if (metaLogo != null && metaLogo.isNotEmpty) {
return metaLogo;
}
}
return null;
}
List<String> _requestedScopes() {
final scopes = _consentInfo?['requested_scope'];
if (scopes is List) {
return scopes.map((e) => e.toString()).toList();
}
return const [];
}
String _scopeDescription(String scope) {
switch (scope) {
case 'openid':
return '로그인 상태 확인을 위한 기본 식별자';
case 'profile':
return '이름, 사용자 식별자 등 기본 프로필 정보';
case 'email':
return '이메일 주소 정보';
case 'phone':
return '휴대폰 번호 정보';
default:
return '앱에서 요청한 추가 권한';
}
}
Widget _buildInfoChip(IconData icon, String label) {
return Container(
padding: const EdgeInsets.symmetric(horizontal: 12, vertical: 8),
decoration: BoxDecoration(
color: _subtle,
borderRadius: BorderRadius.circular(999),
border: Border.all(color: _border),
),
child: Row(
mainAxisSize: MainAxisSize.min,
children: [
Icon(icon, size: 16, color: _ink),
const SizedBox(width: 6),
Text(
label,
style: const TextStyle(
fontSize: 12,
color: _ink,
fontWeight: FontWeight.w600,
),
),
],
),
);
}
@override @override
Widget build(BuildContext context) { Widget build(BuildContext context) {
final theme = Theme.of(context);
final client = _client();
final clientName = _resolveClientName(client);
final clientId = _resolveClientId(client);
final logoUrl = _resolveClientLogo(client);
final scopes = _requestedScopes();
return Scaffold( return Scaffold(
appBar: AppBar(title: const Text('Grant Access')), backgroundColor: _subtle,
body: Center( body: SafeArea(
child: _isLoading child: Center(
? const CircularProgressIndicator() child: SingleChildScrollView(
: _error != null padding: const EdgeInsets.all(24),
? Text(_error!, style: const TextStyle(color: Colors.red)) child: ConstrainedBox(
: _consentInfo != null constraints: const BoxConstraints(maxWidth: 560),
? Card( child: Container(
elevation: 4, decoration: BoxDecoration(
margin: const EdgeInsets.all(16), color: _surface,
child: Padding( borderRadius: BorderRadius.circular(20),
padding: const EdgeInsets.all(24.0), border: Border.all(color: _border),
child: Column( boxShadow: [
mainAxisSize: MainAxisSize.min, BoxShadow(
children: [ color: Colors.black.withOpacity(0.04),
Text( blurRadius: 18,
'${_consentInfo!['client']?['client_name'] ?? 'An application'} wants to access your account', offset: const Offset(0, 8),
style: Theme.of(context).textTheme.headlineSmall, ),
textAlign: TextAlign.center, ],
),
child: Padding(
padding: const EdgeInsets.fromLTRB(28, 28, 28, 24),
child: _isLoading
? Column(
mainAxisSize: MainAxisSize.min,
children: [
const CircularProgressIndicator(),
const SizedBox(height: 16),
Text(
'권한 정보를 불러오는 중입니다...',
style: theme.textTheme.bodyMedium?.copyWith(
color: Colors.grey[600],
), ),
const SizedBox(height: 24), ),
const Text('This will allow the application to:'), ],
const SizedBox(height: 16), )
if (_consentInfo!['requested_scope'] != null) : _consentInfo == null
...(_consentInfo!['requested_scope'] as List) ? Column(
.map((scope) => ListTile( mainAxisSize: MainAxisSize.min,
leading: const Icon(Icons.check_circle_outline), crossAxisAlignment: CrossAxisAlignment.start,
title: Text(scope.toString()), children: [
)) Text(
.toList(), '요청 정보를 확인할 수 없습니다.',
const SizedBox(height: 24), style: theme.textTheme.bodyMedium?.copyWith(
Row( color: Colors.grey[700],
mainAxisAlignment: MainAxisAlignment.spaceEvenly,
children: [
TextButton(
onPressed: () {
// TODO: Implement reject consent
html.window.alert('Consent rejected. You can close this window.');
},
child: const Text('Deny'),
), ),
ElevatedButton( ),
onPressed: _acceptConsent, if (_error != null) ...[
child: const Text('Allow'), const SizedBox(height: 12),
Text(
_error!,
style: theme.textTheme.bodySmall?.copyWith(
color: const Color(0xFFB91C1C),
),
), ),
], ],
) const SizedBox(height: 16),
], OutlinedButton(
), onPressed: _fetchConsentInfo,
), style: OutlinedButton.styleFrom(
) foregroundColor: _ink,
: const Text('No consent information available.'), side: const BorderSide(color: _border),
padding: const EdgeInsets.symmetric(
horizontal: 16,
vertical: 10,
),
shape: RoundedRectangleBorder(
borderRadius: BorderRadius.circular(10),
),
),
child: const Text('다시 시도'),
),
],
)
: Column(
mainAxisSize: MainAxisSize.min,
crossAxisAlignment: CrossAxisAlignment.start,
children: [
Row(
crossAxisAlignment: CrossAxisAlignment.start,
children: [
Container(
width: 56,
height: 56,
decoration: BoxDecoration(
color: _subtle,
borderRadius: BorderRadius.circular(16),
border: Border.all(color: _border),
),
child: logoUrl == null
? const Icon(
Icons.lock_outline,
color: _ink,
)
: ClipRRect(
borderRadius:
BorderRadius.circular(14),
child: Image.network(
logoUrl,
fit: BoxFit.cover,
errorBuilder: (
context,
error,
stackTrace,
) {
return const Icon(
Icons.lock_outline,
color: _ink,
);
},
),
),
),
const SizedBox(width: 16),
Expanded(
child: Column(
crossAxisAlignment:
CrossAxisAlignment.start,
children: [
Text(
'앱 권한 요청',
style: theme.textTheme.titleLarge
?.copyWith(
fontWeight: FontWeight.w700,
color: _ink,
),
),
const SizedBox(height: 6),
Text(
clientName,
style: theme.textTheme.titleMedium
?.copyWith(
fontWeight: FontWeight.w600,
color: _ink,
),
),
const SizedBox(height: 8),
Wrap(
spacing: 8,
runSpacing: 8,
children: [
if (clientId != null)
_buildInfoChip(
Icons.vpn_key_outlined,
'Client ID: $clientId',
),
_buildInfoChip(
Icons.security_outlined,
'요청 권한 ${scopes.length}',
),
],
),
],
),
),
],
),
const SizedBox(height: 16),
Text(
'이 앱이 아래 정보에 접근하려고 합니다. 계속 진행하려면 동의 여부를 선택해 주세요.',
style: theme.textTheme.bodyMedium?.copyWith(
color: Colors.grey[700],
height: 1.5,
),
),
if (_error != null) ...[
const SizedBox(height: 16),
Container(
padding: const EdgeInsets.all(12),
decoration: BoxDecoration(
color: const Color(0xFFFEE2E2),
borderRadius: BorderRadius.circular(12),
border: Border.all(
color: const Color(0xFFFCA5A5),
),
),
child: Row(
crossAxisAlignment:
CrossAxisAlignment.start,
children: [
const Icon(
Icons.error_outline,
color: Color(0xFFB91C1C),
size: 20,
),
const SizedBox(width: 8),
Expanded(
child: Text(
_error!,
style: theme.textTheme.bodySmall
?.copyWith(
color: const Color(0xFFB91C1C),
height: 1.4,
),
),
),
],
),
),
],
const SizedBox(height: 20),
Text(
'요청된 권한',
style: theme.textTheme.titleSmall?.copyWith(
fontWeight: FontWeight.w600,
color: _ink,
),
),
const SizedBox(height: 12),
if (scopes.isEmpty)
Text(
'요청된 권한 정보가 없습니다.',
style: theme.textTheme.bodySmall?.copyWith(
color: Colors.grey[600],
),
)
else
Column(
children: scopes
.map(
(scope) => Container(
margin: const EdgeInsets.only(
bottom: 10,
),
padding: const EdgeInsets.all(12),
decoration: BoxDecoration(
color: _subtle,
borderRadius:
BorderRadius.circular(12),
border:
Border.all(color: _border),
),
child: Row(
crossAxisAlignment:
CrossAxisAlignment.start,
children: [
const Icon(
Icons.check_circle_outline,
color: _accent,
size: 20,
),
const SizedBox(width: 10),
Expanded(
child: Column(
crossAxisAlignment:
CrossAxisAlignment
.start,
children: [
Text(
scope,
style: theme.textTheme
.bodyMedium
?.copyWith(
fontWeight:
FontWeight.w600,
color: _ink,
),
),
const SizedBox(height: 4),
Text(
_scopeDescription(
scope),
style: theme.textTheme
.bodySmall
?.copyWith(
color:
Colors.grey[600],
),
),
],
),
),
],
),
),
)
.toList(),
),
const SizedBox(height: 12),
Text(
'동의 후 자동으로 서비스로 이동합니다.',
style: theme.textTheme.bodySmall?.copyWith(
color: Colors.grey[600],
),
),
const SizedBox(height: 20),
Wrap(
spacing: 12,
runSpacing: 12,
children: [
OutlinedButton(
onPressed: _isSubmitting
? null
: _rejectConsent,
style: OutlinedButton.styleFrom(
foregroundColor: _ink,
padding: const EdgeInsets.symmetric(
horizontal: 18,
vertical: 12,
),
side: const BorderSide(
color: _border,
),
shape: RoundedRectangleBorder(
borderRadius:
BorderRadius.circular(10),
),
),
child: const Text('취소'),
),
FilledButton(
onPressed: _isSubmitting
? null
: _acceptConsent,
style: FilledButton.styleFrom(
backgroundColor: _ink,
foregroundColor: Colors.white,
padding: const EdgeInsets.symmetric(
horizontal: 18,
vertical: 12,
),
shape: RoundedRectangleBorder(
borderRadius:
BorderRadius.circular(10),
),
),
child: _isSubmitting
? Row(
mainAxisSize: MainAxisSize.min,
children: const [
SizedBox(
width: 16,
height: 16,
child:
CircularProgressIndicator(
strokeWidth: 2,
color: Colors.white,
),
),
SizedBox(width: 8),
Text('처리 중...'),
],
)
: const Text('동의하고 계속하기'),
),
],
),
],
),
),
),
),
),
),
), ),
); );
} }

27
userfront/lib/features/auth/presentation/error_screen.dart
View File

@@ -1,30 +1,41 @@
import 'package:flutter/material.dart'; import 'package:flutter/material.dart';
import 'package:go_router/go_router.dart'; import 'package:go_router/go_router.dart';
import '../../../core/constants/error_whitelist.dart';
import '../../../core/services/auth_proxy_service.dart';
class ErrorScreen extends StatelessWidget { class ErrorScreen extends StatelessWidget {
final String? errorId; final String? errorId;
final String? errorCode; final String? errorCode;
final String? description; final String? description;
final bool? isProdOverride;
const ErrorScreen({ const ErrorScreen({
super.key, super.key,
this.errorId, this.errorId,
this.errorCode, this.errorCode,
this.description, this.description,
this.isProdOverride,
}); });
@override @override
Widget build(BuildContext context) { Widget build(BuildContext context) {
final theme = Theme.of(context); final theme = Theme.of(context);
final errorType = (errorCode == null || errorCode!.isEmpty) final isProd = isProdOverride ?? AuthProxyService.isProdEnv;
? 'unknown_error' final normalizedCode = (errorCode ?? '').trim();
: errorCode!; final hasCode = normalizedCode.isNotEmpty;
final title = errorCode == null || errorCode!.isEmpty final whitelistMessage = errorWhitelistMessages[normalizedCode];
final isWhitelisted = whitelistMessage != null;
final errorType = isProd
? (isWhitelisted && hasCode ? normalizedCode : 'unknown_error')
: (hasCode ? normalizedCode : 'unknown_error');
final title = isProd
? '인증 과정에서 오류가 발생했습니다' ? '인증 과정에서 오류가 발생했습니다'
: '오류: $errorCode'; : (hasCode ? '오류: $normalizedCode' : '오류가 발생했습니다');
final detail = description?.isNotEmpty == true final detail = isProd
? description! ? (isWhitelisted ? whitelistMessage! : '에러가 계속되면 관리자에게 문의해주세요')
: '요청을 처리하는 중 문제가 발생했습니다. 잠시 후 다시 시도해 주세요.'; : ((description?.isNotEmpty == true)
? description!
: (hasCode ? '오류가 발생했습니다.' : '요청을 처리하는 중 문제가 발생했습니다.'));
return Scaffold( return Scaffold(
backgroundColor: const Color(0xFFF7F8FA), backgroundColor: const Color(0xFFF7F8FA),

92
userfront/lib/features/auth/presentation/login_screen.dart
View File

@@ -10,7 +10,7 @@ import '../../../core/services/auth_proxy_service.dart';
import '../../../core/services/auth_token_store.dart'; import '../../../core/services/auth_token_store.dart';
import '../../../core/notifiers/auth_notifier.dart'; import '../../../core/notifiers/auth_notifier.dart';
import '../../profile/domain/notifiers/profile_notifier.dart'; import '../../profile/domain/notifiers/profile_notifier.dart';
import 'dart:html' as html; import '../../../core/services/web_window.dart';
class LoginScreen extends ConsumerStatefulWidget { class LoginScreen extends ConsumerStatefulWidget {
final String? verificationToken; final String? verificationToken;
@@ -58,6 +58,7 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
Timer? _verificationRedirectTimer; Timer? _verificationRedirectTimer;
bool _noticeHandled = false; bool _noticeHandled = false;
bool _drySendEnabled = false; bool _drySendEnabled = false;
bool _oidcAutoAcceptTried = false;
@override @override
void initState() { void initState() {
@@ -66,7 +67,7 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
_tabController.addListener(_handleTabSelection); _tabController.addListener(_handleTabSelection);
_drySendEnabled = _parseBoolParam(Uri.base.queryParameters['drySend']) && !AuthProxyService.isProdEnv; _drySendEnabled = _parseBoolParam(Uri.base.queryParameters['drySend']) && !AuthProxyService.isProdEnv;
WidgetsBinding.instance.addPostFrameCallback((_) { WidgetsBinding.instance.addPostFrameCallback((_) async {
final uri = Uri.base; final uri = Uri.base;
_loginChallenge = widget.loginChallenge ?? uri.queryParameters['login_challenge']; _loginChallenge = widget.loginChallenge ?? uri.queryParameters['login_challenge'];
final loginIdParam = uri.queryParameters['loginId']; final loginIdParam = uri.queryParameters['loginId'];
@@ -95,7 +96,9 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
} }
if (!_verificationOnly) { if (!_verificationOnly) {
_tryCookieSession(); await _attemptOidcAutoAccept();
if (!mounted) return;
await _tryCookieSession();
} }
if (uri.queryParameters.containsKey('redirect_url')) { if (uri.queryParameters.containsKey('redirect_url')) {
@@ -105,14 +108,12 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
} }
Future<void> _tryCookieSession({bool silent = true}) async { Future<void> _tryCookieSession({bool silent = true}) async {
if (AuthTokenStore.getToken() != null) { if (AuthTokenStore.getToken() != null &&
(_loginChallenge == null || _loginChallenge!.isEmpty)) {
return; return;
} }
final pendingProvider = AuthTokenStore.getPendingProvider(); final pendingProvider = AuthTokenStore.getPendingProvider();
final provider = pendingProvider ?? AuthTokenStore.getProvider(); final provider = pendingProvider ?? AuthTokenStore.getProvider() ?? 'ory';
if (provider == null || !provider.toLowerCase().contains('ory')) {
return;
}
try { try {
await AuthProxyService.checkCookieSession(); await AuthProxyService.checkCookieSession();
@@ -120,7 +121,7 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
AuthTokenStore.clearPendingProvider(); AuthTokenStore.clearPendingProvider();
if (mounted) { if (mounted) {
await ref.read(profileProvider.notifier).loadProfile(); await ref.read(profileProvider.notifier).loadProfile();
_onCookieLoginSuccess(provider); await _onCookieLoginSuccess(provider);
} }
} catch (e) { } catch (e) {
if (!silent) { if (!silent) {
@@ -129,14 +130,65 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
} }
} }
void _onCookieLoginSuccess(String provider) { Future<void> _onCookieLoginSuccess(String provider) async {
debugPrint("[Auth] Cookie-based login success. Provider: $provider"); debugPrint("[Auth] Cookie-based login success. Provider: $provider");
AuthNotifier.instance.notify(); AuthNotifier.instance.notify();
if (_loginChallenge != null && _loginChallenge!.isNotEmpty) {
final accepted = await _acceptOidcLoginAndRedirect();
if (accepted) {
return;
}
}
if (mounted) { if (mounted) {
context.go('/'); context.go('/');
} }
} }
Future<void> _attemptOidcAutoAccept() async {
if (_oidcAutoAcceptTried) return;
_oidcAutoAcceptTried = true;
if (_loginChallenge == null || _loginChallenge!.isEmpty) {
return;
}
final token = AuthTokenStore.getToken();
if (token != null && token.isNotEmpty) {
final accepted = await _acceptOidcLoginAndRedirect(token: token);
if (accepted) {
return;
}
}
try {
await AuthProxyService.checkCookieSession();
AuthTokenStore.setCookieMode(provider: AuthTokenStore.getProvider() ?? 'ory');
await _acceptOidcLoginAndRedirect();
} catch (e) {
debugPrint("[Auth] OIDC auto-accept cookie check failed: $e");
}
}
Future<bool> _acceptOidcLoginAndRedirect({String? token}) async {
if (_loginChallenge == null || _loginChallenge!.isEmpty) {
return false;
}
try {
final res = await AuthProxyService.acceptOidcLogin(
_loginChallenge!,
token: token,
);
final redirectTo = res['redirectTo'] as String?;
if (redirectTo != null && redirectTo.isNotEmpty) {
debugPrint("[Auth] OIDC login accepted. Redirecting to: $redirectTo");
webWindow.redirectTo(redirectTo);
return true;
}
} catch (e) {
debugPrint("[Auth] OIDC login auto-accept failed: $e");
}
return false;
}
void _resetLinkLoginState() { void _resetLinkLoginState() {
_linkPendingRef = null; _linkPendingRef = null;
_lastLinkLoginId = null; _lastLinkLoginId = null;
@@ -657,7 +709,7 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
if (mounted) Navigator.of(context).pop(); if (mounted) Navigator.of(context).pop();
if (redirectTo != null && redirectTo.isNotEmpty) { if (redirectTo != null && redirectTo.isNotEmpty) {
html.window.location.href = redirectTo; webWindow.redirectTo(redirectTo);
return; return;
} }
@@ -885,6 +937,24 @@ class _LoginScreenState extends ConsumerState<LoginScreen>
debugPrint("[Auth] Failed to pre-fetch profile: $e"); debugPrint("[Auth] Failed to pre-fetch profile: $e");
} }
if (_loginChallenge != null && _loginChallenge!.isNotEmpty) {
try {
final res = await AuthProxyService.acceptOidcLogin(
_loginChallenge!,
token: token,
);
final redirectTo = res['redirectTo'] as String?;
if (redirectTo != null && redirectTo.isNotEmpty) {
debugPrint("[Auth] OIDC login accepted. Redirecting to: $redirectTo");
webWindow.redirectTo(redirectTo);
return;
}
} catch (e) {
_showError("OIDC 로그인 처리에 실패했습니다. 다시 시도해 주세요.");
return;
}
}
if (WebAuthIntegration.isPopup()) { if (WebAuthIntegration.isPopup()) {
debugPrint("[Auth] Popup detected. Notifying opener and attempting to close."); debugPrint("[Auth] Popup detected. Notifying opener and attempting to close.");
WebAuthIntegration.sendLoginSuccess(token); WebAuthIntegration.sendLoginSuccess(token);

31
userfront/lib/features/auth/presentation/qr_scan_screen.dart
View File

@@ -16,6 +16,7 @@ class _QRScanScreenState extends State<QRScanScreen> {
final _log = Logger('QRScanScreen'); final _log = Logger('QRScanScreen');
final MobileScannerController controller = MobileScannerController( final MobileScannerController controller = MobileScannerController(
detectionSpeed: DetectionSpeed.noDuplicates, detectionSpeed: DetectionSpeed.noDuplicates,
autoStart: false,
); );
bool _isScanned = false; bool _isScanned = false;
bool _isCheckingSession = false; bool _isCheckingSession = false;
@@ -28,6 +29,9 @@ class _QRScanScreenState extends State<QRScanScreen> {
void initState() { void initState() {
super.initState(); super.initState();
_bootstrapCookieSession(); _bootstrapCookieSession();
WidgetsBinding.instance.addPostFrameCallback((_) {
_startScannerIfNeeded();
});
} }
Future<bool> _bootstrapCookieSession() async { Future<bool> _bootstrapCookieSession() async {
@@ -52,6 +56,28 @@ class _QRScanScreenState extends State<QRScanScreen> {
} }
} }
Future<void> _startScannerIfNeeded() async {
if (controller.value.isRunning || controller.value.isStarting) {
return;
}
try {
await controller.start();
} catch (e) {
_log.warning('Scanner start failed: $e');
}
}
Future<void> _stopScannerIfRunning() async {
if (!controller.value.isRunning && !controller.value.isStarting) {
return;
}
try {
await controller.stop();
} catch (e) {
_log.warning('Scanner stop failed: $e');
}
}
@override @override
void dispose() { void dispose() {
controller.dispose(); controller.dispose();
@@ -65,6 +91,7 @@ class _QRScanScreenState extends State<QRScanScreen> {
for (final barcode in barcodes) { for (final barcode in barcodes) {
if (barcode.rawValue != null) { if (barcode.rawValue != null) {
_isScanned = true; _isScanned = true;
await _stopScannerIfRunning();
if (mounted) { if (mounted) {
setState(() => _isProcessing = true); setState(() => _isProcessing = true);
} }
@@ -142,14 +169,14 @@ class _QRScanScreenState extends State<QRScanScreen> {
_isSuccess = null; _isSuccess = null;
_resultMessage = null; _resultMessage = null;
}); });
controller.start(); _startScannerIfNeeded();
} }
Future<void> _requestCameraPermission() async { Future<void> _requestCameraPermission() async {
if (_isRequestingCamera) return; if (_isRequestingCamera) return;
setState(() => _isRequestingCamera = true); setState(() => _isRequestingCamera = true);
try { try {
await controller.start(); await _startScannerIfNeeded();
} catch (e) { } catch (e) {
_log.warning('Camera permission request failed: $e'); _log.warning('Camera permission request failed: $e');
if (mounted) { if (mounted) {

91
userfront/lib/features/dashboard/presentation/dashboard_screen.dart
View File

@@ -21,6 +21,10 @@ class AuditLogEntry {
final String userAgent; final String userAgent;
final String sessionId; final String sessionId;
final String details; final String details;
final String source;
final String clientId;
final String appName;
final String parentSessionId;
AuditLogEntry({ AuditLogEntry({
required this.eventId, required this.eventId,
@@ -33,6 +37,10 @@ class AuditLogEntry {
required this.userAgent, required this.userAgent,
required this.sessionId, required this.sessionId,
required this.details, required this.details,
required this.source,
required this.clientId,
required this.appName,
required this.parentSessionId,
}); });
factory AuditLogEntry.fromJson(Map<String, dynamic> json) { factory AuditLogEntry.fromJson(Map<String, dynamic> json) {
@@ -55,6 +63,10 @@ class AuditLogEntry {
userAgent: json['user_agent'] ?? '', userAgent: json['user_agent'] ?? '',
sessionId: json['session_id'] ?? '', sessionId: json['session_id'] ?? '',
details: json['details'] ?? '', details: json['details'] ?? '',
source: json['source'] ?? '',
clientId: json['client_id'] ?? '',
appName: json['app_name'] ?? '',
parentSessionId: json['parent_session_id'] ?? '',
); );
} }
@@ -542,6 +554,34 @@ class _DashboardScreenState extends ConsumerState<DashboardScreen> {
); );
} }
String _appLabelForLog(AuditLogEntry log) {
if (log.appName.isNotEmpty) {
return log.appName;
}
return _appLabelForPath(log.path);
}
Widget _buildAppCell(AuditLogEntry log, {TextStyle? style}) {
final label = _appLabelForLog(log);
if (label == 'Baron 통합로그인') {
return _selectableText(label, style: style);
}
final tooltip = log.parentSessionId.isEmpty
? '부모 세션 ID 없음'
: '부모 세션 ID: ${log.parentSessionId}';
final baseStyle = style ?? const TextStyle();
final emphasisStyle = log.parentSessionId.isEmpty
? baseStyle
: baseStyle.copyWith(
color: Colors.blueAccent,
decoration: TextDecoration.underline,
);
return Tooltip(
message: tooltip,
child: _selectableText(label, style: emphasisStyle),
);
}
String _appLabelForPath(String path) { String _appLabelForPath(String path) {
if (path.startsWith('/api/v1/auth')) { if (path.startsWith('/api/v1/auth')) {
return 'Baron 통합로그인'; return 'Baron 통합로그인';
@@ -751,6 +791,23 @@ class _DashboardScreenState extends ConsumerState<DashboardScreen> {
); );
} }
if (activities.isEmpty) {
return Column(
crossAxisAlignment: CrossAxisAlignment.start,
children: [
Text(
'연동된 RP가 없습니다.',
style: TextStyle(fontSize: 14, color: Colors.grey[700], fontWeight: FontWeight.w600),
),
const SizedBox(height: 6),
Text(
'RP를 연동하면 최근 활동과 상태가 표시됩니다.',
style: TextStyle(fontSize: 12, color: Colors.grey[600]),
),
],
);
}
return grid; return grid;
}, },
); );
@@ -775,33 +832,6 @@ class _DashboardScreenState extends ConsumerState<DashboardScreen> {
); );
} }
items.addAll([
_ActivityItem(
appName: 'BEPs',
lastAuthAt: '연동 필요',
status: '미연동',
canLogout: false,
),
_ActivityItem(
appName: 'KNGIL',
lastAuthAt: '연동 필요',
status: '미연동',
canLogout: false,
),
_ActivityItem(
appName: 'C.E.L',
lastAuthAt: '연동 필요',
status: '미연동',
canLogout: false,
),
_ActivityItem(
appName: 'EG-BIM',
lastAuthAt: '연동 필요',
status: '미연동',
canLogout: false,
),
]);
return items; return items;
} }
@@ -992,13 +1022,12 @@ class _DashboardScreenState extends ConsumerState<DashboardScreen> {
rows: logs.map((log) { rows: logs.map((log) {
final statusLabel = log.status == 'success' ? '성공' : '실패'; final statusLabel = log.status == 'success' ? '성공' : '실패';
final statusColor = log.status == 'success' ? Colors.green : Colors.redAccent; final statusColor = log.status == 'success' ? Colors.green : Colors.redAccent;
final appLabel = _appLabelForPath(log.path);
final authMethod = log.authMethod.isNotEmpty ? log.authMethod : _authMethodLabel(); final authMethod = log.authMethod.isNotEmpty ? log.authMethod : _authMethodLabel();
final deviceLabel = _deviceLabelFromUserAgent(log.userAgent); final deviceLabel = _deviceLabelFromUserAgent(log.userAgent);
return DataRow(cells: [ return DataRow(cells: [
DataCell(_selectableText(log.sessionId.isEmpty ? '-' : log.sessionId)), DataCell(_selectableText(log.sessionId.isEmpty ? '-' : log.sessionId)),
DataCell(_selectableText(_formatDateTime(log.timestamp))), DataCell(_selectableText(_formatDateTime(log.timestamp))),
DataCell(_selectableText(appLabel)), DataCell(_buildAppCell(log)),
DataCell(_selectableText(log.ipAddress.isEmpty ? '-' : log.ipAddress)), DataCell(_selectableText(log.ipAddress.isEmpty ? '-' : log.ipAddress)),
DataCell(_selectableText(deviceLabel)), DataCell(_selectableText(deviceLabel)),
DataCell(_buildAuthMethodCell(log, authMethod)), DataCell(_buildAuthMethodCell(log, authMethod)),
@@ -1036,8 +1065,8 @@ class _DashboardScreenState extends ConsumerState<DashboardScreen> {
Row( Row(
children: [ children: [
Expanded( Expanded(
child: _selectableText( child: _buildAppCell(
_appLabelForPath(log.path), log,
style: const TextStyle(fontWeight: FontWeight.w600, color: _ink), style: const TextStyle(fontWeight: FontWeight.w600, color: _ink),
), ),
), ),

64
userfront/test/error_screen_test.dart Normal file
View File

@@ -0,0 +1,64 @@
import 'package:flutter/material.dart';
import 'package:flutter_test/flutter_test.dart';
import 'package:userfront/features/auth/presentation/error_screen.dart';
Future<void> _pumpErrorScreen(
WidgetTester tester, {
String? errorCode,
String? description,
bool? isProdOverride,
}) async {
await tester.pumpWidget(
MaterialApp(
home: ErrorScreen(
errorCode: errorCode,
description: description,
isProdOverride: isProdOverride,
),
),
);
await tester.pump();
}
void main() {
testWidgets('개발환경은 원문 메시지를 노출한다', (WidgetTester tester) async {
await _pumpErrorScreen(
tester,
errorCode: 'custom_error',
description: '원문 메시지',
isProdOverride: false,
);
expect(find.text('오류: custom_error'), findsOneWidget);
expect(find.text('원문 메시지'), findsOneWidget);
expect(find.text('오류 종류: custom_error'), findsOneWidget);
});
testWidgets('프로덕션은 whitelist 메시지를 노출한다', (WidgetTester tester) async {
await _pumpErrorScreen(
tester,
errorCode: 'settings_disabled',
description: '원문 메시지',
isProdOverride: true,
);
expect(find.text('인증 과정에서 오류가 발생했습니다'), findsOneWidget);
expect(find.text('현재 계정 설정 화면은 준비 중입니다.'), findsOneWidget);
expect(find.text('원문 메시지'), findsNothing);
expect(find.text('오류 종류: settings_disabled'), findsOneWidget);
});
testWidgets('프로덕션은 비허용 에러를 unknown_error로 처리한다', (WidgetTester tester) async {
await _pumpErrorScreen(
tester,
errorCode: 'weird_error',
description: '원문 메시지',
isProdOverride: true,
);
expect(find.text('인증 과정에서 오류가 발생했습니다'), findsOneWidget);
expect(find.text('에러가 계속되면 관리자에게 문의해주세요'), findsOneWidget);
expect(find.text('원문 메시지'), findsNothing);
expect(find.text('오류 종류: unknown_error'), findsOneWidget);
});
}