가입 전략 수립
@@ -388,8 +388,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Identity provider unavailable"})
|
||||
}
|
||||
|
||||
// [Strict] Enforce Tenant Auto-Assignment by Domain ONLY
|
||||
// Manual companyCode from request is ignored to prevent unauthorized tenant joining
|
||||
// [Strict] Enforce Tenant Auto-Assignment
|
||||
companyCode := ""
|
||||
var tenantID *string
|
||||
|
||||
@@ -399,19 +398,36 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
|
||||
tenant, err := h.TenantService.GetTenantByDomain(c.Context(), domainName)
|
||||
if err == nil && tenant != nil {
|
||||
if tenant.Status == domain.TenantStatusActive {
|
||||
slog.Info("[Signup] Auto-assigning tenant", "email", req.Email, "tenant", tenant.Slug)
|
||||
slog.Info("[Signup] Auto-assigning tenant by domain", "email", req.Email, "tenant", tenant.Slug)
|
||||
companyCode = tenant.Slug
|
||||
tenantID = &tenant.ID
|
||||
} else {
|
||||
slog.Warn("[Signup] Attempted to join non-active tenant", "email", req.Email, "tenant", tenant.Slug, "status", tenant.Status)
|
||||
// Policy: If tenant exists but not active, reject signup or allow as general?
|
||||
// For now, let's allow as general but log it.
|
||||
// Or return error if we want strict domain locking.
|
||||
slog.Warn("[Signup] Attempted to join non-active tenant by domain", "email", req.Email, "tenant", tenant.Slug, "status", tenant.Status)
|
||||
return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "Your organization's tenant is currently not active."})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Fallback/Validation for manually provided CompanyCode if domain lookup didn't yield a tenant
|
||||
if tenantID == nil && req.CompanyCode != "" {
|
||||
tenant, err := h.TenantService.GetTenantBySlug(c.Context(), req.CompanyCode)
|
||||
if err == nil && tenant != nil {
|
||||
if tenant.Status == domain.TenantStatusActive {
|
||||
// Policy: Should we allow manual joining by Slug?
|
||||
// For now, let's allow it but log it as manual.
|
||||
slog.Info("[Signup] Assigning tenant by manual slug", "email", req.Email, "tenant", tenant.Slug)
|
||||
companyCode = tenant.Slug
|
||||
tenantID = &tenant.ID
|
||||
} else {
|
||||
return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "The specified organization is not active."})
|
||||
}
|
||||
} else {
|
||||
// If companyCode provided but not found, we should probably reject if we want strictness,
|
||||
// or just treat as GENERAL user. Given the risk "존재하지 않는 테넌트도 저장됨", we should reject.
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid company code."})
|
||||
}
|
||||
}
|
||||
|
||||
// Normalize Phone (E.164 형태로 보관)
|
||||
normalizedPhone := strings.ReplaceAll(req.Phone, "-", "")
|
||||
normalizedPhone = strings.ReplaceAll(normalizedPhone, " ", "")
|
||||
|
||||
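Review bot: The new fallback at `if tenantID == nil && req.CompanyCode != ""` grants tenant membership to any caller who supplies an active tenant's slug, with no invite token, domain match or admin approval behind it; the comment the first hunk removes ("Manual companyCode from request is ignored to prevent unauthorized tenant joining") named exactly this risk, and slugs are usually guessable, so this reverses a deliberate restriction rather than extending it. If manual joining is intended, gate it on something the tenant controls (a join code verified by the TenantService, or a tenant-level opt-in for open joining) and replace the `// Policy: Should we allow manual joining by Slug?` question with the decision that was actually taken. The two rejection branches also form an existence oracle, since an unknown slug returns 400 `Invalid company code.` while an inactive one returns 403 `The specified organization is not active.`, letting an unauthenticated caller enumerate valid slugs; returning the same status and message from both keeps that opaque. Separately, both `if err == nil && tenant != nil` checks treat any lookup error the same as not-found, so a backend failure in the domain lookup falls through to a general signup instead of failing closed — consider returning 500 when err is something other than a not-found result, as the identity-provider check at the top of the first hunk already does.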