feat: add robust login ID collision prevention and UI validation (#440)

- Add `ValidateLoginID` to enforce ID collision and security rules (prevents phone number collision, email format usage, and reserved words). - Add `POST /api/v1/auth/signup/check-login-id` endpoint for real-time ID availability checks. - Add `checkLoginIDAvailability` API call to userfront's `AuthProxyService`. - Implement "Check Duplication" button and error/success messaging for the Login ID field in the signup screen. - Add "000000" magic code bypass for `VerifySignupCode` in non-production environments to streamline testing.
2026-03-27 11:19:28 +09:00
parent aa60a22d57
commit 75cc6737bd
10 changed files with 257 additions and 14 deletions
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -352,9 +352,14 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
 		}
 	}

+	finalLoginID := extractTraitString(attributes, "id")
+	if err := domain.ValidateLoginID(finalLoginID, email, normalizePhoneNumber(req.Phone)); err != nil {
+		return errorJSON(c, fiber.StatusBadRequest, err.Error())
+	}
+
 	brokerUser := &domain.BrokerUser{
 		Email:       email,
-		LoginID:     extractTraitString(attributes, "id"),
+		LoginID:     finalLoginID,
 		Name:        name,
 		PhoneNumber: normalizePhoneNumber(req.Phone),
 		Attributes:  attributes,
@@ -571,11 +576,20 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
 			}
 		}

+		finalLoginID := extractTraitString(attributes, "id")
+		userEmail := email
+		userPhone := normalizePhoneNumber(item.Phone)
+		
+		if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
+			results = append(results, bulkUserResult{Email: email, Success: false, Message: err.Error()})
+			continue
+		}
+
 		identityID, err := h.OryProvider.CreateUser(&domain.BrokerUser{
-			Email:       email,
-			LoginID:     extractTraitString(attributes, "id"),
+			Email:       userEmail,
+			LoginID:     finalLoginID,
 			Name:        item.Name,
-			PhoneNumber: normalizePhoneNumber(item.Phone),
+			PhoneNumber: userPhone,
 			Attributes:  attributes,
 		}, password)
 		if err != nil {
@@ -1189,6 +1203,13 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 		}
 	}

+	finalLoginID := extractTraitString(traits, "id")
+	userEmail := extractTraitString(traits, "email")
+	userPhone := extractTraitString(traits, "phone")
+	if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
+		return errorJSON(c, fiber.StatusBadRequest, err.Error())
+	}
+
 	state := normalizeKratosState(req.Status)

 	slog.Info("[UpdateUser] Calling Kratos UpdateIdentity", "userID", userID, "traits", traits, "state", state)