forked from baron/baron-sso
Merge pull request 'dev/sso-from-b5aed4f' (#39) from dev/sso-from-b5aed4f into main
Reviewed-on: ai-team/baron-sso#39
This commit is contained in:
@@ -61,6 +61,7 @@ func main() {
|
||||
// 2. Initialize Handlers
|
||||
auditHandler := handler.NewAuditHandler(auditRepo)
|
||||
authHandler := handler.NewAuthHandler()
|
||||
adminHandler := handler.NewAdminHandler()
|
||||
|
||||
// 3. Initialize Fiber
|
||||
app := fiber.New(fiber.Config{
|
||||
@@ -132,6 +133,15 @@ func main() {
|
||||
auth.Post("/sms", authHandler.SendSms)
|
||||
auth.Post("/verify-sms", authHandler.VerifySms)
|
||||
|
||||
// Admin Routes
|
||||
admin := api.Group("/admin")
|
||||
admin.Post("/users", adminHandler.CreateUser)
|
||||
admin.Get("/check", adminHandler.CheckAuth)
|
||||
admin.Get("/users", adminHandler.ListUsers)
|
||||
admin.Patch("/users/:loginId", adminHandler.UpdateUser)
|
||||
admin.Delete("/users/:loginId", adminHandler.DeleteUser)
|
||||
admin.Patch("/users/:loginId/status", adminHandler.UpdateUserStatus)
|
||||
|
||||
// Webhook for Descope Generic SMS Gateway
|
||||
auth.Post("/webhooks/descope-sms", authHandler.HandleDescopeSmsRelay)
|
||||
|
||||
|
||||
281
backend/internal/handler/admin_handler.go
Normal file
281
backend/internal/handler/admin_handler.go
Normal file
@@ -0,0 +1,281 @@
|
||||
package handler
|
||||
|
||||
import (
|
||||
"context"
|
||||
"log"
|
||||
"os"
|
||||
"strings"
|
||||
"net/url"
|
||||
|
||||
"github.com/descope/go-sdk/descope"
|
||||
"github.com/descope/go-sdk/descope/client"
|
||||
"github.com/gofiber/fiber/v2"
|
||||
)
|
||||
|
||||
type AdminHandler struct {
|
||||
DescopeClient *client.DescopeClient
|
||||
}
|
||||
|
||||
func NewAdminHandler() *AdminHandler {
|
||||
projectID := os.Getenv("DESCOPE_PROJECT_ID")
|
||||
managementKey := os.Getenv("DESCOPE_MANAGEMENT_KEY")
|
||||
|
||||
var descopeClient *client.DescopeClient
|
||||
var err error
|
||||
|
||||
if projectID != "" && managementKey != "" {
|
||||
descopeClient, err = client.NewWithConfig(&client.Config{
|
||||
ProjectID: projectID,
|
||||
ManagementKey: managementKey,
|
||||
})
|
||||
if err != nil {
|
||||
log.Printf("Warning: Failed to initialize Descope Client for Admin: %v", err)
|
||||
}
|
||||
} else {
|
||||
log.Println("Warning: DESCOPE_PROJECT_ID or DESCOPE_MANAGEMENT_KEY missing. Admin functions will fail.")
|
||||
}
|
||||
|
||||
return &AdminHandler{
|
||||
DescopeClient: descopeClient,
|
||||
}
|
||||
}
|
||||
|
||||
func boolPtr(b bool) *bool {
|
||||
return &b
|
||||
}
|
||||
|
||||
// checkAuth Helper
|
||||
func (h *AdminHandler) checkAuth(c *fiber.Ctx) error {
|
||||
adminPass := os.Getenv("ADMIN_PASSWORD")
|
||||
if adminPass == "" {
|
||||
adminPass = "admin" // Default fallback
|
||||
}
|
||||
|
||||
reqPass := c.Get("X-Admin-Password")
|
||||
if reqPass != adminPass {
|
||||
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid Admin Password"})
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
type CreateUserRequest struct {
|
||||
LoginID string `json:"loginId"`
|
||||
Email string `json:"email"`
|
||||
Phone string `json:"phone"`
|
||||
DisplayName string `json:"displayName"`
|
||||
Roles []string `json:"roles"`
|
||||
Tenants map[string][]string `json:"tenants"` // tenantId -> roles
|
||||
}
|
||||
|
||||
func (h *AdminHandler) CheckAuth(c *fiber.Ctx) error {
|
||||
if err := h.checkAuth(c); err != nil {
|
||||
return err
|
||||
}
|
||||
return c.Status(fiber.StatusOK).JSON(fiber.Map{"status": "ok"})
|
||||
}
|
||||
|
||||
// ListUsers - GET /api/v1/admin/users
|
||||
func (h *AdminHandler) ListUsers(c *fiber.Ctx) error {
|
||||
if err := h.checkAuth(c); err != nil { return err }
|
||||
|
||||
text := c.Query("text")
|
||||
// Limit is not directly supported in SearchAll options as a simple int in all SDK versions,
|
||||
// but let's check the options struct.
|
||||
// Based on previous inspection: SearchAll takes UserSearchOptions.
|
||||
|
||||
var users []*descope.UserResponse
|
||||
var err error
|
||||
|
||||
if text != "" {
|
||||
options := &descope.UserSearchOptions{ Text: text, Limit: 50 }
|
||||
users, _, err = h.DescopeClient.Management.User().SearchAll(context.Background(), options)
|
||||
} else {
|
||||
// Nil options means default search (usually returns all or default page)
|
||||
users, _, err = h.DescopeClient.Management.User().SearchAll(context.Background(), nil)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
log.Printf("[Admin] ListUsers failed: %v", err)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||
}
|
||||
|
||||
return c.JSON(fiber.Map{"users": users})
|
||||
}
|
||||
|
||||
// DeleteUser - DELETE /api/v1/admin/users/:loginId
|
||||
func (h *AdminHandler) DeleteUser(c *fiber.Ctx) error {
|
||||
if err := h.checkAuth(c); err != nil { return err }
|
||||
|
||||
loginID := c.Params("loginId")
|
||||
// Decode if necessary (Fiber usually decodes params, but let's be safe if it's double encoded)
|
||||
if decoded, err := url.QueryUnescape(loginID); err == nil {
|
||||
loginID = decoded
|
||||
}
|
||||
|
||||
log.Printf("[Admin] Deleting user: %s", loginID)
|
||||
if err := h.DescopeClient.Management.User().Delete(context.Background(), loginID); err != nil {
|
||||
log.Printf("[Admin] DeleteUser failed: %v", err)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||
}
|
||||
|
||||
return c.JSON(fiber.Map{"message": "User deleted successfully"})
|
||||
}
|
||||
|
||||
// UpdateUserStatus - PATCH /api/v1/admin/users/:loginId/status
|
||||
func (h *AdminHandler) UpdateUserStatus(c *fiber.Ctx) error {
|
||||
if err := h.checkAuth(c); err != nil { return err }
|
||||
|
||||
loginID := c.Params("loginId")
|
||||
if decoded, err := url.QueryUnescape(loginID); err == nil {
|
||||
loginID = decoded
|
||||
}
|
||||
|
||||
var req struct {
|
||||
Status string `json:"status"` // "enabled" or "disabled"
|
||||
}
|
||||
if err := c.BodyParser(&req); err != nil {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid body"})
|
||||
}
|
||||
|
||||
var user *descope.UserResponse
|
||||
var err error
|
||||
|
||||
log.Printf("[Admin] Updating status for %s to %s", loginID, req.Status)
|
||||
|
||||
if req.Status == "enabled" || req.Status == "active" {
|
||||
user, err = h.DescopeClient.Management.User().Activate(context.Background(), loginID)
|
||||
} else {
|
||||
user, err = h.DescopeClient.Management.User().Deactivate(context.Background(), loginID)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
log.Printf("[Admin] Status update failed: %v", err)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||
}
|
||||
|
||||
return c.JSON(fiber.Map{
|
||||
"message": "Status updated",
|
||||
"user": user,
|
||||
})
|
||||
}
|
||||
|
||||
// UpdateUser - PATCH /api/v1/admin/users/:loginId
|
||||
func (h *AdminHandler) UpdateUser(c *fiber.Ctx) error {
|
||||
if err := h.checkAuth(c); err != nil { return err }
|
||||
|
||||
loginID := c.Params("loginId")
|
||||
if decoded, err := url.QueryUnescape(loginID); err == nil {
|
||||
loginID = decoded
|
||||
}
|
||||
|
||||
var req struct {
|
||||
Email *string `json:"email"`
|
||||
Phone *string `json:"phone"`
|
||||
DisplayName *string `json:"displayName"`
|
||||
}
|
||||
if err := c.BodyParser(&req); err != nil {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid body"})
|
||||
}
|
||||
|
||||
ctx := context.Background()
|
||||
var err error
|
||||
|
||||
// Update Display Name
|
||||
if req.DisplayName != nil {
|
||||
_, err = h.DescopeClient.Management.User().UpdateDisplayName(ctx, loginID, *req.DisplayName)
|
||||
if err != nil {
|
||||
return c.Status(500).JSON(fiber.Map{"error": "Failed to update name: " + err.Error()})
|
||||
}
|
||||
}
|
||||
|
||||
// Update Email
|
||||
if req.Email != nil {
|
||||
_, err = h.DescopeClient.Management.User().UpdateEmail(ctx, loginID, *req.Email, true, false) // verified=true, addToLoginIDs=false
|
||||
if err != nil {
|
||||
return c.Status(500).JSON(fiber.Map{"error": "Failed to update email: " + err.Error()})
|
||||
}
|
||||
}
|
||||
|
||||
// Update Phone
|
||||
if req.Phone != nil {
|
||||
phone := *req.Phone
|
||||
// Normalize
|
||||
if strings.HasPrefix(phone, "010") {
|
||||
phone = "+82" + phone[1:]
|
||||
}
|
||||
_, err = h.DescopeClient.Management.User().UpdatePhone(ctx, loginID, phone, true, false) // verified=true, addToLoginIDs=false
|
||||
if err != nil {
|
||||
return c.Status(500).JSON(fiber.Map{"error": "Failed to update phone: " + err.Error()})
|
||||
}
|
||||
}
|
||||
|
||||
return c.JSON(fiber.Map{"message": "User updated successfully"})
|
||||
}
|
||||
|
||||
func (h *AdminHandler) CreateUser(c *fiber.Ctx) error {
|
||||
if err := h.checkAuth(c); err != nil { return err }
|
||||
|
||||
if h.DescopeClient == nil {
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Descope Client not configured"})
|
||||
}
|
||||
|
||||
var req CreateUserRequest
|
||||
if err := c.BodyParser(&req); err != nil {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
||||
}
|
||||
|
||||
if req.LoginID == "" {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "LoginID is required"})
|
||||
}
|
||||
|
||||
// Normalize Phone
|
||||
normalizedPhone := req.Phone
|
||||
if normalizedPhone != "" {
|
||||
if strings.HasPrefix(normalizedPhone, "010") {
|
||||
normalizedPhone = "+82" + normalizedPhone[1:]
|
||||
} else if strings.HasPrefix(normalizedPhone, "82") {
|
||||
normalizedPhone = "+" + normalizedPhone
|
||||
}
|
||||
}
|
||||
|
||||
userObj := &descope.UserRequest{
|
||||
User: descope.User{
|
||||
Email: req.Email,
|
||||
Phone: normalizedPhone,
|
||||
Name: req.DisplayName,
|
||||
},
|
||||
VerifiedEmail: boolPtr(req.Email != ""),
|
||||
VerifiedPhone: boolPtr(normalizedPhone != ""),
|
||||
}
|
||||
|
||||
// Add Roles if provided
|
||||
if len(req.Roles) > 0 {
|
||||
userObj.Roles = req.Roles
|
||||
}
|
||||
|
||||
// Add Tenants if provided
|
||||
if len(req.Tenants) > 0 {
|
||||
// Convert map[string][]string to []*descope.AssociatedTenant
|
||||
userTenants := []*descope.AssociatedTenant{}
|
||||
for tenantID, roles := range req.Tenants {
|
||||
userTenants = append(userTenants, &descope.AssociatedTenant{
|
||||
TenantID: tenantID,
|
||||
Roles: roles,
|
||||
})
|
||||
}
|
||||
userObj.Tenants = userTenants
|
||||
}
|
||||
|
||||
log.Printf("[Admin] Creating user: %s (Email: %s, Phone: %s)", req.LoginID, req.Email, normalizedPhone)
|
||||
|
||||
res, err := h.DescopeClient.Management.User().Create(context.Background(), req.LoginID, userObj)
|
||||
if err != nil {
|
||||
log.Printf("[Admin] Failed to create user: %v", err)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||
}
|
||||
|
||||
return c.JSON(fiber.Map{
|
||||
"message": "User created successfully",
|
||||
"user": res,
|
||||
})
|
||||
}
|
||||
@@ -222,30 +222,64 @@ func (h *AuthHandler) VerifyMagicLink(c *fiber.Ctx) error {
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Descope Client not configured"})
|
||||
}
|
||||
|
||||
log.Printf("[Verify] Generating embedded link for %s", loginID)
|
||||
embeddedToken, err := h.DescopeClient.Management.User().GenerateEmbeddedLink(context.Background(), loginID, nil, 0)
|
||||
// [Fix] Search for existing user by phone to prevent fragmentation
|
||||
// Normalize Phone Number for Search (E.164)
|
||||
searchPhone := loginID
|
||||
if !strings.Contains(searchPhone, "@") {
|
||||
// If it looks like a KR mobile number (010...), format to +8210...
|
||||
if strings.HasPrefix(searchPhone, "010") {
|
||||
searchPhone = "+82" + searchPhone[1:]
|
||||
} else if strings.HasPrefix(searchPhone, "82") {
|
||||
searchPhone = "+" + searchPhone
|
||||
}
|
||||
}
|
||||
|
||||
log.Printf("[Verify] Searching for user with phone: %s", searchPhone)
|
||||
searchOptions := &descope.UserSearchOptions{
|
||||
Phones: []string{searchPhone},
|
||||
Limit: 1,
|
||||
}
|
||||
|
||||
var targetLoginID string
|
||||
users, _, errSearch := h.DescopeClient.Management.User().SearchAll(context.Background(), searchOptions)
|
||||
|
||||
if errSearch == nil && len(users) > 0 {
|
||||
if len(users[0].LoginIDs) > 0 {
|
||||
targetLoginID = users[0].LoginIDs[0]
|
||||
log.Printf("[Verify] User found! Existing LoginID: %s", targetLoginID)
|
||||
} else {
|
||||
// Should not happen for a valid user, but fallback to UserID or searchPhone
|
||||
log.Printf("[Verify] User found but no LoginIDs. Using UserID.")
|
||||
targetLoginID = users[0].UserID
|
||||
}
|
||||
} else {
|
||||
// Not found, or search error. Fallback to using the phone as LoginID.
|
||||
// Use the normalized phone number to ensure consistency (+82...)
|
||||
targetLoginID = searchPhone
|
||||
log.Printf("[Verify] User not found by phone. Will use/create: %s", targetLoginID)
|
||||
}
|
||||
|
||||
log.Printf("[Verify] Generating embedded link for %s", targetLoginID)
|
||||
embeddedToken, err := h.DescopeClient.Management.User().GenerateEmbeddedLink(context.Background(), targetLoginID, nil, 0)
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "User not found") || strings.Contains(err.Error(), "E062108") {
|
||||
log.Printf("[Verify] User %s not found. Creating...", loginID)
|
||||
log.Printf("[Verify] User %s not found. Creating...", targetLoginID)
|
||||
|
||||
descopeLoginID := loginID
|
||||
// Create User with Explicit Phone Attribute
|
||||
userObj := &descope.UserRequest{}
|
||||
if strings.Contains(loginID, "@") {
|
||||
userObj.Email = loginID
|
||||
if strings.Contains(targetLoginID, "@") {
|
||||
userObj.Email = targetLoginID
|
||||
} else {
|
||||
if strings.HasPrefix(loginID, "010") {
|
||||
descopeLoginID = "+82" + loginID[1:]
|
||||
}
|
||||
userObj.Phone = descopeLoginID
|
||||
userObj.Phone = targetLoginID // Must be E.164
|
||||
}
|
||||
|
||||
_, errCreate := h.DescopeClient.Management.User().Create(context.Background(), descopeLoginID, userObj)
|
||||
_, errCreate := h.DescopeClient.Management.User().Create(context.Background(), targetLoginID, userObj)
|
||||
if errCreate != nil {
|
||||
log.Printf("[Verify] Failed to create user: %v", errCreate)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to create new user"})
|
||||
}
|
||||
|
||||
embeddedToken, err = h.DescopeClient.Management.User().GenerateEmbeddedLink(context.Background(), descopeLoginID, nil, 0)
|
||||
embeddedToken, err = h.DescopeClient.Management.User().GenerateEmbeddedLink(context.Background(), targetLoginID, nil, 0)
|
||||
if err != nil {
|
||||
log.Printf("[Verify] Failed to generate token after creation: %v", err)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to generate upstream token"})
|
||||
|
||||
Reference in New Issue
Block a user