Merge commit 'e345570210aa0fc8acdb9cf042561f35f00812f0'

backend/internal/handler/auth_handler.go

@@ -1266,8 +1266,9 @@ func (h *AuthHandler) PasswordLogin(c *fiber.Ctx) error {
 	ale.Operation = "Auth.Password().SignIn"
 
 	var req struct {
-		LoginID  string `json:"loginId"`
-		Password string `json:"password"`
+		LoginID        string `json:"loginId"`
+		Password       string `json:"password"`
+		LoginChallenge string `json:"login_challenge,omitempty"`
 	}
 
 	if err := c.BodyParser(&req); err != nil {
@@ -1314,6 +1315,21 @@ func (h *AuthHandler) PasswordLogin(c *fiber.Ctx) error {
 	setSessionIDLocal(c, authInfo.SessionToken)
 	ale.Log(slog.LevelInfo, "Login successful", slog.String("provider", h.IdpProvider.Name()), slog.String("subject", authInfo.Subject))
 
+	// --- OIDC 로그인 흐름 처리 ---
+	if req.LoginChallenge != "" {
+		slog.Info("OIDC login flow detected", "challenge", req.LoginChallenge)
+		acceptResp, err := h.Hydra.AcceptLoginRequest(c.Context(), req.LoginChallenge, authInfo.Subject)
+		if err != nil {
+			slog.Error("failed to accept hydra login request", "error", err)
+			return fiber.NewError(fiber.StatusInternalServerError, "Failed to accept OIDC login request")
+		}
+		slog.Info("Hydra login request accepted", "redirectTo", acceptResp.RedirectTo)
+		return c.JSON(fiber.Map{
+			"redirectTo": acceptResp.RedirectTo,
+		})
+	}
+	// --- OIDC 로그인 흐름 처리 끝 ---
+
 	resp := fiber.Map{
 		"sessionJwt": authInfo.SessionToken.JWT,
 		"status":     "ok",
@@ -2898,6 +2914,48 @@ func (h *AuthHandler) ListLinkedRps(c *fiber.Ctx) error {
 	return c.JSON(linkedRpListResponse{Items: items})
 }
 
+func (h *AuthHandler) GetConsentRequest(c *fiber.Ctx) error {
+	challenge := c.Query("consent_challenge")
+	if challenge == "" {
+		return fiber.NewError(fiber.StatusBadRequest, "consent_challenge is required")
+	}
+
+	consentRequest, err := h.Hydra.GetConsentRequest(c.Context(), challenge)
+	if err != nil {
+		slog.Error("failed to get hydra consent request", "error", err)
+		return fiber.NewError(fiber.StatusInternalServerError, "Failed to get consent information")
+	}
+
+	return c.JSON(consentRequest)
+}
+
+func (h *AuthHandler) AcceptConsentRequest(c *fiber.Ctx) error {
+	var req struct {
+		ConsentChallenge string `json:"consent_challenge"`
+	}
+	if err := c.BodyParser(&req); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, "Invalid request body")
+	}
+	if req.ConsentChallenge == "" {
+		return fiber.NewError(fiber.StatusBadRequest, "consent_challenge is required")
+	}
+
+	consentRequest, err := h.Hydra.GetConsentRequest(c.Context(), req.ConsentChallenge)
+	if err != nil {
+		slog.Error("failed to get hydra consent request before accepting", "error", err)
+		return fiber.NewError(fiber.StatusInternalServerError, "Failed to get consent information")
+	}
+
+	acceptResp, err := h.Hydra.AcceptConsentRequest(c.Context(), req.ConsentChallenge, consentRequest)
+	if err != nil {
+		slog.Error("failed to accept hydra consent request", "error", err)
+		return fiber.NewError(fiber.StatusInternalServerError, "Failed to accept consent request")
+	}
+
+	return c.JSON(acceptResp)
+}
+
+
 func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileResponse, error) {
 	token := h.getBearerToken(c)
 	if token != "" {
@@ -3997,6 +4055,72 @@ func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
 	})
 }
 
+// ChangeMyPassword - 로그인 상태에서 현재 비밀번호를 확인한 뒤 변경합니다.
+func (h *AuthHandler) ChangeMyPassword(c *fiber.Ctx) error {
+	var req domain.PasswordChangeRequest
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
+	}
+
+	currentPassword := strings.TrimSpace(req.CurrentPassword)
+	newPassword := strings.TrimSpace(req.NewPassword)
+	if currentPassword == "" || newPassword == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Current password and new password are required"})
+	}
+
+	policy := h.resolvePasswordPolicy()
+	if err := validatePasswordWithPolicy(policy, newPassword); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	loginID := ""
+	token := h.getBearerToken(c)
+	if token != "" && looksLikeJWT(token) && h.DescopeClient != nil {
+		authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token)
+		if err == nil && authorized {
+			resolved, err := h.resolveDescopeLoginID(c.Context(), userToken)
+			if err != nil {
+				return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Failed to resolve login ID"})
+			}
+			loginID = resolved
+		}
+	}
+
+	if loginID == "" && token != "" {
+		if resolved, err := h.resolveKratosLoginID(token); err == nil {
+			loginID = resolved
+		}
+	}
+
+	if loginID == "" {
+		cookie := c.Get("Cookie")
+		if cookie == "" {
+			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Missing authorization token"})
+		}
+		_, traits, err := h.getKratosIdentityWithCookie(cookie)
+		if err != nil {
+			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
+		}
+		loginID = pickLoginIDFromTraits(traits)
+		if loginID == "" {
+			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Login ID not found"})
+		}
+		if !strings.Contains(loginID, "@") {
+			loginID = normalizePhoneForLoginID(loginID)
+		}
+	}
+
+	if _, err := h.IdpProvider.SignIn(loginID, currentPassword); err != nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Current password is invalid"})
+	}
+
+	if err := h.IdpProvider.UpdateUserPassword(loginID, newPassword, nil); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to update password"})
+	}
+
+	return c.JSON(fiber.Map{"message": "Password updated"})
+}
+
 // SendUpdateCode - Sends OTP for phone number change
 func (h *AuthHandler) SendUpdateCode(c *fiber.Ctx) error {
 	token := h.getBearerToken(c)