From 7144c1176c49e0cdabf6021a5b36f1cb82ab8fcd Mon Sep 17 00:00:00 2001
From: kyy
Date: Wed, 4 Feb 2026 15:49:16 +0900
Subject: [PATCH] =?UTF-8?q?=EB=B9=84=ED=99=9C=EC=84=B1=ED=99=94=20?=
 =?UTF-8?q?=ED=81=B4=EB=9D=BC=EC=9D=B4=EC=96=B8=ED=8A=B8=20OIDC=20?=
 =?UTF-8?q?=EC=9D=B8=EC=A6=9D=20=EC=B0=A8=EB=8B=A8=20=EB=A1=9C=EC=A7=81=20?=
 =?UTF-8?q?=EA=B5=AC=ED=98=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 backend/internal/handler/auth_handler.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/backend/internal/handler/auth_handler.go b/backend/internal/handler/auth_handler.go
index d5b5734e..7b5d4595 100644
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -1558,6 +1558,18 @@ func (h *AuthHandler) PasswordLogin(c *fiber.Ctx) error {
 // --- OIDC 로그인 흐름 처리 ---
 if req.LoginChallenge != "" {
 slog.Info("OIDC login flow detected", "challenge", req.LoginChallenge)
+
+ // Check if the client is active
+ loginReq, err := h.Hydra.GetLoginRequest(c.Context(), req.LoginChallenge)
+ if err == nil && loginReq != nil && loginReq.Client.Metadata != nil {
+ if status, ok := loginReq.Client.Metadata["status"].(string); ok {
+ if strings.ToLower(status) == "inactive" {
+ slog.Warn("Login rejected for inactive client in PasswordLogin", "client_id", loginReq.Client.ClientID)
+ return fiber.NewError(fiber.StatusForbidden, "The client application is disabled.")
+ }
+ }
+ }
+
 acceptResp, err := h.Hydra.AcceptLoginRequest(c.Context(), req.LoginChallenge, subject)
 if err != nil {
 slog.Error("failed to accept hydra login request", "error", err)
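Review bot: The new inactive-client gate fails open: when `h.Hydra.GetLoginRequest` returns an error or a nil request, the `if err == nil && loginReq != nil && ...` guard silently skips the whole check and the flow falls through to `AcceptLoginRequest`, so a transient Hydra admin-API failure lets a disabled client complete a login, and the discarded `err` never reaches the log. Because this block exists to deny, a failed lookup should be treated as a denial and logged, with the status comparison only running on a successfully fetched request. The check also fires only when `Metadata["status"]` is a string; if a non-string value or differently named key is possible in this deployment, that case currently passes silently too. The enclosing `if req.LoginChallenge != ""` block and `PasswordLogin` continue outside the hunk.
```go
// Check if the client is active. A failed lookup is treated as a denial so a
// Hydra outage cannot let a disabled client through.
loginReq, err := h.Hydra.GetLoginRequest(c.Context(), req.LoginChallenge)
if err != nil || loginReq == nil {
	slog.Error("failed to fetch hydra login request", "error", err)
	return fiber.NewError(fiber.StatusInternalServerError, "Unable to validate login request.")
}
if loginReq.Client.Metadata != nil {
	if status, ok := loginReq.Client.Metadata["status"].(string); ok && strings.EqualFold(status, "inactive") {
		slog.Warn("Login rejected for inactive client in PasswordLogin", "client_id", loginReq.Client.ClientID)
		return fiber.NewError(fiber.StatusForbidden, "The client application is disabled.")
	}
}
// … unchanged: AcceptLoginRequest call and its error handling …
```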
@@ -3546,6 +3558,17 @@ func (h *AuthHandler) AcceptOidcLoginRequest(c *fiber.Ctx) error { return fiber.NewError(fiber.StatusBadRequest, "login_challenge is required") } + // Check if the client is active + loginReq, err := h.Hydra.GetLoginRequest(c.Context(), req.LoginChallenge) + if err == nil && loginReq != nil && loginReq.Client.Metadata != nil { + if status, ok := loginReq.Client.Metadata["status"].(string); ok { + if strings.ToLower(status) == "inactive" { + slog.Warn("Login rejected for inactive client in AcceptOidcLoginRequest", "client_id", loginReq.Client.ClientID) + return fiber.NewError(fiber.StatusForbidden, "The client application is disabled.") + } + } + } + subject, err := h.resolveConsentSubject(c) if err != nil || subject == "" { return fiber.NewError(fiber.StatusUnauthorized, "Authentication required")
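Review bot: This block is a verbatim copy of the gate added to `PasswordLogin` in the previous hunk, including the same fail-open `if err == nil && loginReq != nil` shape that skips the check whenever the Hydra lookup errors, and the two copies differ only in the handler name inside the log string, so they will drift; both call sites should share one helper, e.g. `if err := h.rejectIfClientInactive(c, req.LoginChallenge); err != nil { return err }`, whose body owns the lookup, the status comparison and the decision of what a failed lookup means. Note also that the gate runs before `resolveConsentSubject`, so an unauthenticated caller holding a login_challenge gets 403 "client disabled" instead of 401; since a login_challenge is presumably obtainable by anyone who can start an authorization request for that client_id, this discloses client status pre-authentication, and moving the gate after the subject check avoids that if it matters here. `AcceptOidcLoginRequest` starts before the hunk and continues after it.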