사용자 상태 세분화

2026-05-20 10:17:15 +09:00
parent 9112c4fb36
commit 42b49674cc
33 changed files with 876 additions and 590 deletions
--- a/backend/internal/handler/auth_handler_login_test.go
+++ b/backend/internal/handler/auth_handler_login_test.go
@@ -31,6 +31,7 @@ import (
 	josejwt "github.com/go-jose/go-jose/v4/jwt"
 	"github.com/gofiber/fiber/v2"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 )

 // --- Mocks ---
@@ -159,6 +160,61 @@ func newHeadlessPasswordLoginTestApp(h *AuthHandler) *fiber.App {
 	return app
 }

+type passwordLoginUserRepo struct {
+	usersByID map[string]domain.User
+}
+
+func (r *passwordLoginUserRepo) Create(ctx context.Context, user *domain.User) error { return nil }
+func (r *passwordLoginUserRepo) Update(ctx context.Context, user *domain.User) error { return nil }
+func (r *passwordLoginUserRepo) FindByEmail(ctx context.Context, email string) (*domain.User, error) {
+	return nil, errors.New("not found")
+}
+func (r *passwordLoginUserRepo) FindByID(ctx context.Context, id string) (*domain.User, error) {
+	if r != nil {
+		if user, ok := r.usersByID[id]; ok {
+			return &user, nil
+		}
+	}
+	return nil, errors.New("not found")
+}
+func (r *passwordLoginUserRepo) FindByIDs(ctx context.Context, ids []string) ([]domain.User, error) {
+	return nil, nil
+}
+func (r *passwordLoginUserRepo) ListByTenant(ctx context.Context, tenantID string) ([]domain.User, error) {
+	return nil, nil
+}
+func (r *passwordLoginUserRepo) List(ctx context.Context, offset, limit int, search string, tenantSlug string) ([]domain.User, int64, error) {
+	return nil, 0, nil
+}
+func (r *passwordLoginUserRepo) CountByTenant(ctx context.Context, tenantID string) (int64, error) {
+	return 0, nil
+}
+func (r *passwordLoginUserRepo) CountByTenantIDs(ctx context.Context, tenantIDs []string) (map[string]int64, error) {
+	return nil, nil
+}
+func (r *passwordLoginUserRepo) CountByCompanyCodes(ctx context.Context, codes []string) (map[string]int64, error) {
+	return nil, nil
+}
+func (r *passwordLoginUserRepo) FindByTenantIDs(ctx context.Context, tenantIDs []string) ([]domain.User, error) {
+	return nil, nil
+}
+func (r *passwordLoginUserRepo) FindByCompanyCodes(ctx context.Context, codes []string) ([]domain.User, error) {
+	return nil, nil
+}
+func (r *passwordLoginUserRepo) Delete(ctx context.Context, id string) error { return nil }
+func (r *passwordLoginUserRepo) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
+	return nil
+}
+func (r *passwordLoginUserRepo) GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error) {
+	return nil, nil
+}
+func (r *passwordLoginUserRepo) IsLoginIDTaken(ctx context.Context, loginID string) (bool, error) {
+	return false, nil
+}
+func (r *passwordLoginUserRepo) FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error) {
+	return "", nil
+}
+
 func mustHeadlessRSAJWK(t *testing.T) (*rsa.PrivateKey, map[string]any) {
 	t.Helper()

@@ -1947,6 +2003,88 @@ func TestPasswordLogin_NoOIDC_Success(t *testing.T) {
 	}
 }

+func TestPasswordLogin_ArchivedUserRejected(t *testing.T) {
+	mockIdp := new(MockIdentityProvider)
+	mockIdp.On("SignIn", "archived@example.com", "password").Return(&domain.AuthInfo{
+		SessionToken: &domain.Token{JWT: "archived-jwt"},
+		Subject:      "archived-user-id",
+	}, nil)
+
+	mockKratos := new(MockKratosAdminService)
+	mockKratos.On("FindIdentityIDByIdentifier", mock.Anything, "archived@example.com").Return("archived-user-id", nil)
+
+	h := &AuthHandler{
+		IdpProvider: mockIdp,
+		KratosAdmin: mockKratos,
+		Hydra:       service.NewHydraAdminService(),
+		UserRepo: &passwordLoginUserRepo{usersByID: map[string]domain.User{
+			"archived-user-id": {
+				ID:     "archived-user-id",
+				Email:  "archived@example.com",
+				Name:   "Archived User",
+				Status: domain.UserStatusArchived,
+			},
+		}},
+	}
+
+	app := newAuthLoginTestApp(h)
+	body, _ := json.Marshal(map[string]string{
+		"loginId":  "archived@example.com",
+		"password": "password",
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusForbidden {
+		t.Fatalf("expected 403, got %d", resp.StatusCode)
+	}
+}
+
+func TestEnsureUserActivityAllowedByStatus(t *testing.T) {
+	tests := []struct {
+		name    string
+		status  string
+		wantErr bool
+	}{
+		{name: "active allowed", status: domain.UserStatusActive},
+		{name: "temporary leave allowed", status: domain.UserStatusTemporaryLeave},
+		{name: "baron guest allowed", status: domain.UserStatusBaronGuest},
+		{name: "suspended rejected", status: domain.UserStatusSuspended, wantErr: true},
+		{name: "preboarding rejected", status: domain.UserStatusPreboarding, wantErr: true},
+		{name: "extended leave rejected", status: domain.UserStatusExtendedLeave, wantErr: true},
+		{name: "archived rejected", status: domain.UserStatusArchived, wantErr: true},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			h := &AuthHandler{
+				UserRepo: &passwordLoginUserRepo{usersByID: map[string]domain.User{
+					"user-id": {
+						ID:     "user-id",
+						Email:  "user@example.com",
+						Name:   "User",
+						Status: tc.status,
+					},
+				}},
+			}
+
+			err := h.ensureUserActivityAllowed(context.Background(), "user-id")
+
+			if tc.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+		})
+	}
+}
+
 func TestPasswordLogin_InvalidCredentials_ReturnsCode(t *testing.T) {
 	mockIdp := new(MockIdentityProvider)
 	mockIdp.On("SignIn", "user@example.com", "wrong-password").Return(nil, errors.New("비밀번호가 일치하지 않습니다"))