조직도 M2M조회 추가, 자동로그인 보완

2026-05-13 13:44:30 +09:00
parent 72288f1d39
commit 8c2b2f71ef
29 changed files with 2985 additions and 81 deletions
--- a/devfront/src/lib/authConfig.test.ts
+++ b/devfront/src/lib/authConfig.test.ts
@@ -2,6 +2,7 @@ import { describe, expect, it } from "vitest";
 import {
  DEVFRONT_AUTH_CALLBACK_PATH,
  buildDevFrontAuthRedirectUris,
+  canStartBrowserPkceLogin,
  resolveDevFrontPublicOrigin,
 } from "./authConfig";

@@ -26,4 +27,69 @@ describe("devfront auth config", () => {
  it("keeps the callback path aligned with the registered redirect path", () => {
    expect(DEVFRONT_AUTH_CALLBACK_PATH).toBe("/auth/callback");
  });
+
+  it("blocks browser PKCE login in an insecure context", () => {
+    expect(
+      canStartBrowserPkceLogin({
+        isSecureContext: false,
+        origin: "http://172.16.9.189:5174",
+        cryptoSubtleAvailable: false,
+      }),
+    ).toBe(false);
+    expect(
+      canStartBrowserPkceLogin({
+        isSecureContext: true,
+        origin: "http://172.16.9.189:5174",
+        cryptoSubtleAvailable: true,
+      }),
+    ).toBe(true);
+  });
+
+  it("allows host.docker.internal when WebCrypto is enabled by the browser", () => {
+    expect(
+      canStartBrowserPkceLogin({
+        isSecureContext: false,
+        origin: "http://host.docker.internal:5000",
+        cryptoSubtleAvailable: true,
+      }),
+    ).toBe(true);
+    expect(
+      canStartBrowserPkceLogin({
+        isSecureContext: false,
+        origin: "http://host.docker.internal:5000",
+        cryptoSubtleAvailable: false,
+      }),
+    ).toBe(false);
+  });
+
+  it("allows private network IPv4 origins when WebCrypto is enabled by the browser", () => {
+    for (const origin of [
+      "http://10.0.0.10:5000",
+      "http://172.16.9.189:5000",
+      "http://172.31.255.255:5000",
+      "http://192.168.0.20:5000",
+    ]) {
+      expect(
+        canStartBrowserPkceLogin({
+          isSecureContext: false,
+          origin,
+          cryptoSubtleAvailable: true,
+        }),
+      ).toBe(true);
+    }
+
+    for (const origin of [
+      "http://172.15.255.255:5000",
+      "http://172.32.0.1:5000",
+      "http://8.8.8.8:5000",
+    ]) {
+      expect(
+        canStartBrowserPkceLogin({
+          isSecureContext: false,
+          origin,
+          cryptoSubtleAvailable: true,
+        }),
+      ).toBe(false);
+    }
+  });
 });
--- a/devfront/src/lib/authConfig.ts
+++ b/devfront/src/lib/authConfig.ts
@@ -31,3 +31,54 @@ export function buildDevFrontAuthRedirectUris(
    popupRedirectUri: `${publicOrigin}${DEVFRONT_AUTH_CALLBACK_PATH}`,
  };
 }
+
+export type BrowserPkceLoginCheck = {
+  isSecureContext?: boolean;
+  origin?: string;
+  cryptoSubtleAvailable?: boolean;
+};
+
+const devTrustedPkceHosts = new Set([
+  "localhost",
+  "127.0.0.1",
+  "::1",
+  "host.docker.internal",
+]);
+
+function isPrivateIPv4(hostname: string) {
+  const parts = hostname.split(".").map((part) => Number.parseInt(part, 10));
+  if (
+    parts.length !== 4 ||
+    parts.some((part) => Number.isNaN(part) || part < 0 || part > 255)
+  ) {
+    return false;
+  }
+
+  const [first, second] = parts;
+  return (
+    first === 10 ||
+    (first === 172 && second >= 16 && second <= 31) ||
+    (first === 192 && second === 168)
+  );
+}
+
+function isDevTrustedPkceOrigin(origin: string) {
+  try {
+    const hostname = new URL(origin).hostname;
+    return devTrustedPkceHosts.has(hostname) || isPrivateIPv4(hostname);
+  } catch {
+    return false;
+  }
+}
+
+export function canStartBrowserPkceLogin({
+  isSecureContext = window.isSecureContext,
+  origin = window.location.origin,
+  cryptoSubtleAvailable = Boolean(window.crypto?.subtle),
+}: BrowserPkceLoginCheck = {}) {
+  if (isSecureContext) {
+    return true;
+  }
+
+  return isDevTrustedPkceOrigin(origin) && cryptoSubtleAvailable;
+}