조직도 M2M조회 추가, 자동로그인 보완

2026-05-13 13:44:30 +09:00
parent 72288f1d39
commit 8c2b2f71ef
29 changed files with 2985 additions and 81 deletions
--- a/devfront/src/lib/authConfig.test.ts
+++ b/devfront/src/lib/authConfig.test.ts
@@ -2,6 +2,7 @@ import { describe, expect, it } from "vitest";
 import {
  DEVFRONT_AUTH_CALLBACK_PATH,
  buildDevFrontAuthRedirectUris,
+  canStartBrowserPkceLogin,
  resolveDevFrontPublicOrigin,
 } from "./authConfig";

@@ -26,4 +27,69 @@ describe("devfront auth config", () => {
  it("keeps the callback path aligned with the registered redirect path", () => {
    expect(DEVFRONT_AUTH_CALLBACK_PATH).toBe("/auth/callback");
  });
+
+  it("blocks browser PKCE login in an insecure context", () => {
+    expect(
+      canStartBrowserPkceLogin({
+        isSecureContext: false,
+        origin: "http://172.16.9.189:5174",
+        cryptoSubtleAvailable: false,
+      }),
+    ).toBe(false);
+    expect(
+      canStartBrowserPkceLogin({
+        isSecureContext: true,
+        origin: "http://172.16.9.189:5174",
+        cryptoSubtleAvailable: true,
+      }),
+    ).toBe(true);
+  });
+
+  it("allows host.docker.internal when WebCrypto is enabled by the browser", () => {
+    expect(
+      canStartBrowserPkceLogin({
+        isSecureContext: false,
+        origin: "http://host.docker.internal:5000",
+        cryptoSubtleAvailable: true,
+      }),
+    ).toBe(true);
+    expect(
+      canStartBrowserPkceLogin({
+        isSecureContext: false,
+        origin: "http://host.docker.internal:5000",
+        cryptoSubtleAvailable: false,
+      }),
+    ).toBe(false);
+  });
+
+  it("allows private network IPv4 origins when WebCrypto is enabled by the browser", () => {
+    for (const origin of [
+      "http://10.0.0.10:5000",
+      "http://172.16.9.189:5000",
+      "http://172.31.255.255:5000",
+      "http://192.168.0.20:5000",
+    ]) {
+      expect(
+        canStartBrowserPkceLogin({
+          isSecureContext: false,
+          origin,
+          cryptoSubtleAvailable: true,
+        }),
+      ).toBe(true);
+    }
+
+    for (const origin of [
+      "http://172.15.255.255:5000",
+      "http://172.32.0.1:5000",
+      "http://8.8.8.8:5000",
+    ]) {
+      expect(
+        canStartBrowserPkceLogin({
+          isSecureContext: false,
+          origin,
+          cryptoSubtleAvailable: true,
+        }),
+      ).toBe(false);
+    }
+  });
 });