
사용자 상태 세분화

This commit is contained in:
2026-05-20 10:17:15 +09:00
parent 9112c4fb36
commit 42b49674cc
33 changed files with 876 additions and 590 deletions


@@ -2580,6 +2580,9 @@ func (h *AuthHandler) authenticatePasswordLogin(ctx context.Context, loginID, pa
slog.Error("Failed to resolve kratos identity after login", "loginID", loginID, "error", resolveErr)
return nil, fmt.Errorf("failed to resolve user identity")
}
if err := h.ensureUserActivityAllowed(ctx, subject); err != nil {
return nil, err
}
authInfo.Subject = subject
return authInfo, nil
@@ -2598,9 +2601,30 @@ func passwordLoginErrorSpec(err error) (int, string, string) {
if strings.Contains(err.Error(), "failed to resolve user identity") {
return fiber.StatusInternalServerError, "internal_error", "Failed to resolve user identity"
}
if strings.Contains(err.Error(), "cannot perform Baron activity") {
return fiber.StatusForbidden, "user_status_forbidden", "This user status cannot sign in"
}
return fiber.StatusUnauthorized, "password_or_email_mismatch", "Invalid credentials"
}
func (h *AuthHandler) ensureUserActivityAllowed(ctx context.Context, userID string) error {
if h == nil || h.UserRepo == nil || strings.TrimSpace(userID) == "" {
return nil
}
user, err := h.UserRepo.FindByID(ctx, userID)
if err != nil || user == nil {
return nil
}
if !domain.IsBaronActivityAllowedStatus(user.Status) {
return fmt.Errorf("user status %s cannot perform Baron activity", domain.NormalizeUserStatus(user.Status))
}
return nil
}
func isUserActivityForbiddenError(err error) bool {
return err != nil && strings.Contains(err.Error(), "cannot perform Baron activity")
}
func headlessAssertionAudiences(c *fiber.Ctx) []string {
if c == nil {
return nil
@@ -4522,6 +4546,9 @@ func (h *AuthHandler) formatPhoneForStorage(phone string) string {
func (h *AuthHandler) GetMe(c *fiber.Ctx) error {
profile, err := h.resolveCurrentProfile(c)
if err != nil {
if isUserActivityForbiddenError(err) {
return errorJSON(c, fiber.StatusForbidden, "This user status cannot perform Baron activity")
}
return errorJSON(c, fiber.StatusUnauthorized, err.Error())
}
return c.JSON(profile)
@@ -6198,6 +6225,9 @@ func (h *AuthHandler) AcceptOidcLoginRequest(c *fiber.Ctx) error {
if err != nil || subject == "" {
return fiber.NewError(fiber.StatusUnauthorized, "Authentication required")
}
if err := h.ensureUserActivityAllowed(c.Context(), subject); err != nil {
return fiber.NewError(fiber.StatusForbidden, "This user status cannot sign in")
}
c.Locals("user_id", subject)
approvedSessionID := strings.TrimSpace(req.ApprovedSessionID)
if approvedSessionID == "" {
@@ -7472,6 +7502,9 @@ func (h *AuthHandler) getHydraProfile(ctx context.Context, token string) (*domai
slog.Warn("Hydra token session validation failed", "error", err)
return nil, err
}
if err := h.ensureUserActivityAllowed(ctx, intro.Subject); err != nil {
return nil, err
}
slog.Info("Hydra token introspected", "subject", intro.Subject, "client_id", intro.ClientID)
@@ -7655,6 +7688,9 @@ func (h *AuthHandler) getKratosProfile(sessionToken string) (*domain.UserProfile
if err != nil {
return nil, err
}
if err := h.ensureUserActivityAllowed(context.Background(), identityID); err != nil {
return nil, err
}
return h.applySessionInfoFromWhoami(
h.mapKratosIdentityToProfile(identityID, traits),
authenticatedAt,
@@ -7667,6 +7703,9 @@ func (h *AuthHandler) getKratosProfileWithCookie(cookie string) (*domain.UserPro
if err != nil {
return nil, err
}
if err := h.ensureUserActivityAllowed(context.Background(), identityID); err != nil {
return nil, err
}
return h.applySessionInfoFromWhoami(
h.mapKratosIdentityToProfile(identityID, traits),
authenticatedAt,
@@ -7699,6 +7738,9 @@ func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
if err != nil {
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
}
if err := h.ensureUserActivityAllowed(c.Context(), identityID); err != nil {
return errorJSON(c, fiber.StatusForbidden, "This user status cannot perform Baron activity")
}
currentPhone, _ := traits["phone_number"].(string)
newPhoneStorage := h.formatPhoneForStorage(req.Phone)