비활성화 클라이언트 OIDC 인증 차단 로직 구현

2026-02-04 15:49:16 +09:00
parent 9f7c6bfd27
commit 7144c1176c
1 changed files with 23 additions and 0 deletions
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -1558,6 +1558,18 @@ func (h *AuthHandler) PasswordLogin(c *fiber.Ctx) error {
 	// --- OIDC 로그인 흐름 처리 ---
 	if req.LoginChallenge != "" {
 		slog.Info("OIDC login flow detected", "challenge", req.LoginChallenge)
+
+		// Check if the client is active
+		loginReq, err := h.Hydra.GetLoginRequest(c.Context(), req.LoginChallenge)
+		if err == nil && loginReq != nil && loginReq.Client.Metadata != nil {
+			if status, ok := loginReq.Client.Metadata["status"].(string); ok {
+				if strings.ToLower(status) == "inactive" {
+					slog.Warn("Login rejected for inactive client in PasswordLogin", "client_id", loginReq.Client.ClientID)
+					return fiber.NewError(fiber.StatusForbidden, "The client application is disabled.")
+				}
+			}
+		}
+
 		acceptResp, err := h.Hydra.AcceptLoginRequest(c.Context(), req.LoginChallenge, subject)
 		if err != nil {
 			slog.Error("failed to accept hydra login request", "error", err)
@@ -3546,6 +3558,17 @@ func (h *AuthHandler) AcceptOidcLoginRequest(c *fiber.Ctx) error {
 		return fiber.NewError(fiber.StatusBadRequest, "login_challenge is required")
 	}

+	// Check if the client is active
+	loginReq, err := h.Hydra.GetLoginRequest(c.Context(), req.LoginChallenge)
+	if err == nil && loginReq != nil && loginReq.Client.Metadata != nil {
+		if status, ok := loginReq.Client.Metadata["status"].(string); ok {
+			if strings.ToLower(status) == "inactive" {
+				slog.Warn("Login rejected for inactive client in AcceptOidcLoginRequest", "client_id", loginReq.Client.ClientID)
+				return fiber.NewError(fiber.StatusForbidden, "The client application is disabled.")
+			}
+		}
+	}
+
 	subject, err := h.resolveConsentSubject(c)
 	if err != nil || subject == "" {
 		return fiber.NewError(fiber.StatusUnauthorized, "Authentication required")