kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

Merge pull request 'feature/df-authz' (#407) from feature/df-authz into dev

Browse Source 
Reviewed-on: baron/baron-sso#407
This commit is contained in:
김용연
2026-03-19 17:53:12 +09:00
parent 409cb09143 89ac5738e5
commit 918f133867
26 changed files with 776 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
backend/cmd/server/main.go
View File

@@ -277,7 +277,7 @@ func main() {
auditHandler := handler.NewAuditHandler(auditRepo)
authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo, oathkeeperRepo, tenantService, ketoService, ketoOutboxRepo, userRepo, consentRepo, kratosAdminService)
adminHandler := handler.NewAdminHandler(ketoService)
devHandler := handler.NewDevHandler(redisService, secretRepo, consentRepo, relyingPartyService, ketoService, authHandler)
devHandler := handler.NewDevHandler(redisService, secretRepo, consentRepo, relyingPartyService, ketoService, tenantService, authHandler)
devHandler.AuditRepo = auditRepo
tenantHandler := handler.NewTenantHandler(db, tenantService, userRepo, ketoService, ketoOutboxRepo, kratosAdminService)
userGroupHandler := handler.NewUserGroupHandler(userGroupService)
@@ -660,6 +660,7 @@ func main() {
// 개발자 포털 라우트 (RP/Consent 관리 및 IdP 설정)
dev := api.Group("/dev")
dev.Get("/stats", devHandler.GetStats)
dev.Get("/my-tenants", devHandler.ListMyTenants)
dev.Get("/clients", devHandler.ListClients)
dev.Post("/clients", devHandler.CreateClient)
dev.Get("/clients/:id", devHandler.GetClient)

47
backend/internal/handler/dev_handler.go
View File

@@ -30,6 +30,7 @@ type DevHandler struct {
ConsentRepo repository.ClientConsentRepository
Keto service.KetoService
RPSvc service.RelyingPartyService
TenantSvc service.TenantService
Auth interface {
GetEnrichedProfile(c *fiber.Ctx) (*domain.UserProfileResponse, error)
}
@@ -40,7 +41,7 @@ func NewDevHandler(
secretRepo domain.ClientSecretRepository,
consentRepo repository.ClientConsentRepository,
rpSvc service.RelyingPartyService,
keto service.KetoService,
keto service.KetoService, tenantSvc service.TenantService,
auth ...interface {
GetEnrichedProfile(c *fiber.Ctx) (*domain.UserProfileResponse, error)
},
@@ -61,6 +62,7 @@ func NewDevHandler(
ConsentRepo: consentRepo,
Keto: keto,
RPSvc: rpSvc,
TenantSvc: tenantSvc,
Auth: authProvider,
}
}
@@ -1746,3 +1748,46 @@ func (h *DevHandler) resolveDevTenantScope(c *fiber.Ctx) string {
}
return ""
}
// ListMyTenants returns the list of tenants the current user manages or belongs to.
func (h *DevHandler) ListMyTenants(c *fiber.Ctx) error {
profile, err := h.Auth.GetEnrichedProfile(c)
if err != nil || profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized")
}
role := normalizeUserRole(profile.Role)
if role == domain.RoleUser {
return errorJSON(c, fiber.StatusForbidden, "access denied")
}
if role == domain.RoleSuperAdmin {
tenants, _, err := h.TenantSvc.ListTenants(c.Context(), 100, 0, "")
if err != nil {
return errorJSON(c, fiber.StatusInternalServerError, "failed to list tenants")
}
return c.JSON(tenants)
}
tenants, err := h.TenantSvc.ListManageableTenants(c.Context(), profile.ID)
if err != nil {
return errorJSON(c, fiber.StatusInternalServerError, "failed to list manageable tenants: "+err.Error())
}
if profile.TenantID != nil && *profile.TenantID != "" {
found := false
for _, t := range tenants {
if t.ID == *profile.TenantID {
found = true
break
}
}
if !found {
if primary, err := h.TenantSvc.GetTenant(c.Context(), *profile.TenantID); err == nil && primary != nil {
tenants = append(tenants, *primary)
}
}
}
return c.JSON(tenants)
}

51
devfront/src/components/common/ForbiddenMessage.tsx Normal file
View File

@@ -0,0 +1,51 @@
import { ShieldAlert } from "lucide-react";
import { useAuth } from "react-oidc-context";
import { t } from "../../lib/i18n";
import { resolveProfileRole } from "../../lib/role";
interface Props {
resourceToken: "audit" | "clients";
}
export function ForbiddenMessage({ resourceToken }: Props) {
const auth = useAuth();
const rawProfile = auth.user?.profile as Record<string, unknown> | undefined;
const role = resolveProfileRole(rawProfile);
let explanation = t(
"msg.dev.forbidden.default",
"해당 리소스에 접근할 권한이 없습니다. 관리자에게 문의하세요.",
);
if (role === "rp_admin") {
explanation = t(
"msg.dev.forbidden.rp_admin",
"RP 관리자는 담당 앱의 리소스만 조회할 수 있습니다.",
);
} else if (role === "tenant_admin") {
explanation = t(
"msg.dev.forbidden.tenant_admin",
"테넌트 관리자 권한이 올바르게 설정되지 않았거나 만료되었습니다.",
);
} else if (role === "user" || role === "tenant_member") {
explanation = t(
"msg.dev.forbidden.user",
"일반 사용자는 관리자 화면에 접근할 수 없습니다.",
);
}
const title = t("msg.dev.forbidden.title", "{{resource}} 접근 권한 없음", {
resource:
resourceToken === "audit"
? t("ui.dev.audit.title", "Audit Logs")
: t("ui.dev.clients.registry.subtitle", "연동 앱"),
});
return (
<div className="flex flex-col items-center justify-center p-12 text-center text-red-500/90 gap-3">
<ShieldAlert className="h-10 w-10 text-red-500/80 mb-2" />
<h3 className="text-xl font-bold text-foreground">{title}</h3>
<p className="text-sm text-muted-foreground max-w-md">{explanation}</p>
</div>
);
}

10
devfront/src/features/audit/AuditLogsPage.tsx
View File

@@ -11,6 +11,7 @@ import {
import * as React from "react";
import { Badge } from "../../components/ui/badge";
import { Button } from "../../components/ui/button";
import { ForbiddenMessage } from "../../components/common/ForbiddenMessage";
import {
Card,
CardContent,
@@ -170,14 +171,7 @@ function AuditLogsPage() {
if (query.error) {
const axiosError = query.error as AxiosError<{ error?: string }>;
if (axiosError.response?.status === 403) {
return (
<div className="p-8 text-center text-red-500">
{t(
"msg.dev.audit.forbidden",
"감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요.",
)}
</div>
);
return <ForbiddenMessage resourceToken="audit" />;
}
const errMsg =

2
devfront/src/features/auth/authApi.ts
View File

@@ -3,6 +3,7 @@ import apiClient from "../../lib/apiClient";
export interface Tenant {
id: string;
name: string;
phone?: string;
slug: string;
}
@@ -10,6 +11,7 @@ export interface UserProfile {
id: string;
email: string;
name: string;
phone?: string;
role: string;
phone?: string;
companyCode?: string;

8
devfront/src/features/clients/ClientsPage.tsx
View File

@@ -18,6 +18,7 @@ import {
} from "../../components/ui/avatar";
import { Badge } from "../../components/ui/badge";
import { Button } from "../../components/ui/button";
import { ForbiddenMessage } from "../../components/common/ForbiddenMessage";
import {
Card,
CardContent,
@@ -133,9 +134,12 @@ function ClientsPage() {
}
if (clientError) {
const axiosError = clientError as AxiosError<{ error?: string }>;
if (axiosError.response?.status === 403) {
return <ForbiddenMessage resourceToken="clients" />;
}
const errMsg =
(clientError as AxiosError<{ error?: string }>).response?.data?.error ??
(clientError as Error).message;
axiosError.response?.data?.error ?? (clientError as Error).message;
return (
<div className="p-8 text-center text-red-500">
{t("msg.dev.clients.load_error", "Error loading clients: {{error}}", {

3
devfront/src/features/profile/ProfilePage.tsx
View File

@@ -17,6 +17,7 @@ import {
CardTitle,
} from "../../components/ui/card";
import { t } from "../../lib/i18n";
import ProfileTenantSwitcher from "./ProfileTenantSwitcher";
import { fetchMe } from "../auth/authApi";
function ProfilePage() {
@@ -165,6 +166,8 @@ function ProfilePage() {
</div>
</CardContent>
</Card>
<ProfileTenantSwitcher />
</div>
)}

92
devfront/src/features/profile/ProfileTenantSwitcher.tsx Normal file
View File

@@ -0,0 +1,92 @@
import { useQuery, useQueryClient } from "@tanstack/react-query";
import { Building2, Save } from "lucide-react";
import { useState } from "react";
import { Button } from "../../components/ui/button";
import { toast } from "../../components/ui/use-toast";
import { fetchMyTenants } from "../../lib/devApi";
import { t } from "../../lib/i18n";
export default function ProfileTenantSwitcher() {
const queryClient = useQueryClient();
const { data: tenants, isLoading } = useQuery({
queryKey: ["myTenants"],
queryFn: fetchMyTenants,
});
const [selectedTenantId, setSelectedTenantId] = useState<string>(() => {
return window.localStorage.getItem("dev_tenant_id") || "";
});
const handleSave = () => {
window.localStorage.setItem("dev_tenant_id", selectedTenantId);
// Invalidate queries to refresh data with new tenant context
queryClient.invalidateQueries({
predicate: (query) =>
query.queryKey[0] !== "userMe" && query.queryKey[0] !== "myTenants",
});
toast(t("ui.dev.tenant.switch_success", "테넌트 전환 완료"), "success");
};
if (isLoading || !tenants || tenants.length === 0) {
return null;
}
// If there's only one tenant, the user doesn't need to switch.
// Still show it as read-only or hidden. Let's just show it as disabled.
const isSingleTenant = tenants.length <= 1;
return (
<div className="flex flex-col gap-4 mt-6 p-4 rounded-lg border border-border bg-card">
<div className="flex items-center gap-2 mb-2">
<Building2 className="h-5 w-5 text-primary" />
<h3 className="font-semibold">
{t("ui.dev.tenant.workspace", "작업 테넌트 (컨텍스트)")}
</h3>
</div>
<p className="text-sm text-muted-foreground -mt-2 mb-2">
{t(
"ui.dev.tenant.workspace_desc",
"현재 작업 중인 테넌트를 선택하고 저장하여 API 요청 컨텍스트를 변경합니다.",
)}
</p>
<div className="flex items-center gap-3">
<select
aria-label={t("ui.dev.tenant.workspace", "작업 테넌트 (컨텍스트)")}
value={selectedTenantId}
onChange={(e) => setSelectedTenantId(e.target.value)}
disabled={isSingleTenant}
className="flex h-10 w-full rounded-md border border-input bg-background px-3 py-2 text-sm ring-offset-background file:border-0 file:bg-transparent file:text-sm file:font-medium placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50"
>
{tenants.map((tenant) => (
<option key={tenant.id} value={tenant.id}>
{tenant.name}
</option>
))}
</select>
<Button
type="button"
onClick={handleSave}
disabled={isSingleTenant}
className="gap-2"
>
<Save size={16} />
{t("ui.common.save", "저장")}
</Button>
</div>
{isSingleTenant && (
<p className="text-xs text-muted-foreground mt-1">
{t(
"ui.dev.tenant.single_notice",
"단일 테넌트에 소속되어 전환할 필요가 없습니다.",
)}
</p>
)}
</div>
);
}

11
devfront/src/lib/devApi.ts
View File

@@ -266,3 +266,14 @@ export async function fetchDevAuditLogs(
);
return data;
}
export type TenantSummary = {
id: string;
name: string;
slug: string;
};
export async function fetchMyTenants() {
const { data } = await apiClient.get<TenantSummary[]>("/dev/my-tenants");
return data;
}

6
devfront/src/locales/en.toml
View File

@@ -1710,3 +1710,9 @@ tenant_dashboard = "Tenant Dashboard"
user_groups = "User Groups"
tenants = "Tenants"
users = "Users"
[ui.dev.tenant]
workspace = "Workspace Tenant (Context)"
workspace_desc = "Select and save the tenant you are currently working on to change the API request context."
switch_success = "Tenant switch completed"
single_notice = "You belong to a single tenant and do not need to switch."

6
devfront/src/locales/ko.toml
View File

@@ -1706,3 +1706,9 @@ desc_tenant_admin = "본인이 속한 테넌트(조직/회사) 하위의 모든
desc_rp_admin = "본인에게 할당된 연동 앱(Client)만 확인 및 관리할 수 있습니다."
desc_user = "기본 앱 이용 권한을 가지며, DevFront 접근은 차단됩니다."
desc_tenant_member = "기본 앱 이용 권한을 가지며, DevFront 접근은 차단됩니다."
[ui.dev.tenant]
workspace = "작업 테넌트 (컨텍스트)"
workspace_desc = "현재 작업 중인 테넌트를 선택하고 저장하여 API 요청 컨텍스트를 변경합니다."
switch_success = "테넌트 전환 완료"
single_notice = "단일 테넌트에 소속되어 전환할 필요가 없습니다."

6
devfront/src/locales/template.toml
View File

@@ -1694,3 +1694,9 @@ desc_tenant_admin = ""
desc_rp_admin = ""
desc_user = ""
desc_tenant_member = ""
[ui.dev.tenant]
workspace = "Workspace Tenant (Context)"
workspace_desc = "Select and save the tenant you are currently working on to change the API request context."
switch_success = "Tenant switch completed"
single_notice = "You belong to a single tenant and do not need to switch."

25
devfront/tests/devfront-audit.spec.ts
View File

@@ -10,7 +10,7 @@ import {
test.describe("DevFront audit logs", () => {
test.beforeEach(async ({ page }) => {
page.on("dialog", async (dialog) => {
await dialog.accept();
await dialog.accept().catch(() => {});
});
await seedAuth(page);
});
@@ -75,7 +75,9 @@ test.describe("DevFront audit logs", () => {
await expect(page.getByText("ROTATE_SECRET")).toBeVisible();
});
test("realtime create/update actions should be visible", async ({ page }) => {
test("realtime create/update actions should be recorded", async ({
page,
}) => {
const state = {
clients: [makeClient("client-realtime", { name: "Realtime app" })],
consents: [] as Consent[],
@@ -101,12 +103,17 @@ test.describe("DevFront audit logs", () => {
await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
await expect.poll(() => state.auditLogs.length).toBeGreaterThanOrEqual(2);
await page.goto("/audit-logs");
await expect(page.getByText("CREATE_CLIENT")).toBeVisible({
timeout: 30000,
});
await expect(page.getByText("UPDATE_CLIENT")).toBeVisible({
timeout: 30000,
});
const actions = state.auditLogs
.map((item) => {
try {
return JSON.parse(item.details)?.action as string | undefined;
} catch {
return undefined;
}
})
.filter((value): value is string => Boolean(value));
expect(actions).toContain("CREATE_CLIENT");
expect(actions).toContain("UPDATE_CLIENT");
});
});

58
devfront/tests/devfront-security.spec.ts
View File

@@ -57,4 +57,62 @@ test.describe("DevFront security and isolation", () => {
).toBeVisible();
await expect(page).toHaveURL(/\/clients$/);
});
test("rp_admin receives 403 on clients list and sees ForbiddenMessage", async ({
page,
}) => {
await seedAuth(page, "rp_admin");
const state = {
clients: [] as ReturnType<typeof makeClient>[],
consents: [] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.route("**/api/v1/dev/clients", async (route) => {
if (route.request().method() === "GET") {
return route.fulfill({
status: 403,
contentType: "application/json",
body: '{"error": "forbidden"}',
});
}
return route.fallback();
});
await page.goto("/clients");
await expect(
page.getByText(/RP 관리자는|RP administrators can only access/i),
).toBeVisible();
});
test("tenant_admin receives 403 on audit logs and sees ForbiddenMessage", async ({
page,
}) => {
await seedAuth(page, "tenant_admin");
const state = {
clients: [] as ReturnType<typeof makeClient>[],
consents: [] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.route("**/api/v1/dev/audit-logs*", async (route) => {
if (route.request().method() === "GET") {
return route.fulfill({
status: 403,
contentType: "application/json",
body: '{"error": "forbidden"}',
});
}
return route.fallback();
});
await page.goto("/audit-logs");
await expect(
page.getByText(/테넌트 관리자 권한|Tenant administrator permissions/i),
).toBeVisible();
});
});

116
devfront/tests/devfront-tenant-switch.spec.ts Normal file
View File

@@ -0,0 +1,116 @@
import { expect, test } from "@playwright/test";
import {
installDevApiMock,
makeClient,
seedAuth,
} from "./helpers/devfront-fixtures";
test.describe("DevFront tenant switch", () => {
const MOCK_STATE = {
clients: [makeClient("client-a", { name: "Tenant A App" })],
consents: [],
auditLogs: [],
};
test.beforeEach(async ({ page }) => {
await page.route("**/api/v1/user/me", async (route) => {
if (route.request().method() === "GET") {
await route.fulfill({
status: 200,
contentType: "application/json",
body: JSON.stringify({
id: "playwright-user",
email: "playwright@example.com",
name: "Playwright User",
role: "tenant_admin",
tenantId: "tenant-a",
}),
});
} else {
await route.continue();
}
});
});
test("multiple tenants: user can switch tenant context", async ({ page }) => {
// Seed an admin user
await seedAuth(page, "tenant_admin");
await installDevApiMock(page, MOCK_STATE);
// Mock API to return multiple tenants
await page.route("**/api/v1/dev/my-tenants", async (route) => {
await route.fulfill({
status: 200,
contentType: "application/json",
body: JSON.stringify([
{ id: "tenant-a", name: "Tenant A", slug: "tenant-a" },
{ id: "tenant-b", name: "Tenant B", slug: "tenant-b" },
]),
});
});
// Navigate to profile page
await page.goto("/profile");
// Wait for the switcher to load
const switcherHeading = page.getByText("작업 테넌트 (컨텍스트)");
await expect(switcherHeading).toBeVisible();
// Verify initial state is selected (tenant-a comes from seedAuth)
const select = page.getByRole("combobox", { name: /테넌트/i });
await expect(select).toHaveValue("tenant-a");
// Change to Tenant B
await select.selectOption("tenant-b");
// Click Save
await page.getByRole("button", { name: /저장|Save/i }).click();
// Verify success toast
await expect(page.getByText("테넌트 전환 완료").first()).toBeVisible();
// Verify localStorage was updated
const savedTenantId = await page.evaluate(() =>
window.localStorage.getItem("dev_tenant_id"),
);
expect(savedTenantId).toBe("tenant-b");
});
test("single tenant: switcher is disabled with a notice", async ({
page,
}) => {
await seedAuth(page, "tenant_admin");
// Mock API to return only ONE tenant
await page.route("**/api/v1/dev/my-tenants", async (route) => {
await route.fulfill({
status: 200,
contentType: "application/json",
body: JSON.stringify([
{ id: "tenant-a", name: "Tenant A", slug: "tenant-a" },
]),
});
});
await installDevApiMock(page, MOCK_STATE);
await page.goto("/profile");
// Wait for the switcher to load
await expect(page.getByText("작업 테넌트 (컨텍스트)")).toBeVisible();
// Verify the select is disabled
const select = page.getByRole("combobox", { name: /테넌트/i });
await expect(select).toBeDisabled();
// Verify the save button is disabled
const saveButton = page.getByRole("button", { name: /저장|Save/i });
await expect(saveButton).toBeDisabled();
// Verify the notice message
await expect(
page.getByText("단일 테넌트에 소속되어 전환할 필요가 없습니다."),
).toBeVisible();
});
});

6
devfront/tests/helpers/devfront-fixtures.ts
View File

@@ -176,6 +176,12 @@ export async function installDevApiMock(page: Page, state: DevApiMockState) {
const { pathname, searchParams } = url;
const method = request.method();
if (pathname === "/api/v1/dev/my-tenants" && method === "GET") {
return json(route, [
{ id: "tenant-a", name: "Tenant A", slug: "tenant-a" },
]);
}
if (pathname === "/api/v1/dev/stats" && method === "GET") {
const total = state.clients.length;
return json(route, {

43
locales/en.toml
View File

@@ -326,6 +326,13 @@ logout_confirm = "Are you sure you want to log out?"
access_denied_description = "DevFront is for administrators only. Request access from your administrator."
access_denied_title = "Access denied."
[msg.dev.forbidden]
default = "You do not have permission to access this resource. Please contact an administrator."
rp_admin = "RP administrators can only access resources for the apps they manage."
tenant_admin = "Tenant administrator permissions are not configured correctly or have expired."
user = "Regular users cannot access the developer console."
title = "Access Denied: {{resource}}"
[msg.dev.audit]
empty = "No audit logs found."
forbidden = "You do not have permission to view audit logs. Please request access from an administrator."
@@ -571,6 +578,27 @@ success = "Success"
[msg.userfront.login_success]
subtitle = "Subtitle"
[msg.userfront.consent]
accept_error = "Failed to process consent: {{error}}"
client_id = "Client ID: {{id}}"
client_unknown = "Unknown application"
description = "The service below is requesting access to your account information.\nPlease choose whether to continue."
load_error = "Failed to load consent information: {{error}}"
missing_redirect = "Consent was processed, but the redirect URL was missing."
redirect_notice = "After consent, you will be redirected automatically."
scope_count = "Total {{count}}"
[msg.userfront.consent.cancel]
confirm = "If you cancel consent, you will not be able to use this service. Do you want to cancel?"
error = "An error occurred while cancelling consent: {{error}}"
[msg.userfront.consent.scope]
email = "Email address (account identification and notifications)"
offline_access = "Offline access (keep signed in)"
openid = "OpenID authentication information (signin session check)"
phone = "Phone number (identity verification and notifications)"
profile = "Basic profile information (name, user identifier)"
[msg.userfront.profile]
department_missing = "Department Missing"
department_required = "Department Required"
@@ -1237,6 +1265,12 @@ scope_badge = "Scoped to /dev"
clients = "Connected Application"
logout = "Logout"
[ui.dev.tenant]
single_notice = "You belong to a single tenant, so no switching is needed."
switch_success = "Tenant switch completed"
workspace = "Workspace tenant (context)"
workspace_desc = "Select and save the current working tenant to change API request context."
[ui.dev.audit]
load_more = "Load more"
title = "Audit Logs"
@@ -1602,6 +1636,15 @@ later = "Later"
qr = "QR"
title = "Title"
[ui.userfront.consent]
accept = "Agree and continue"
requested_scopes = "Requested permissions"
title = "Permission request"
[ui.userfront.consent.cancel]
confirm_button = "Yes, cancel"
title = "Cancel consent"
[ui.userfront.nav]
dashboard = "Dashboard"
logout = "Logout"

43
locales/ko.toml
View File

@@ -326,6 +326,13 @@ logout_confirm = "로그아웃 하시겠습니까?"
access_denied_description = "DevFront는 관리자 전용 화면입니다. 권한이 필요하면 관리자에게 요청해 주세요."
access_denied_title = "접근 권한이 없습니다."
[msg.dev.forbidden]
default = "해당 리소스에 접근할 권한이 없습니다. 관리자에게 문의하세요."
rp_admin = "RP 관리자는 담당 앱의 리소스만 조회할 수 있습니다."
tenant_admin = "테넌트 관리자 권한이 올바르게 설정되지 않았거나 만료되었습니다."
user = "일반 사용자는 관리자 화면에 접근할 수 없습니다."
title = "{{resource}} 접근 권한 없음"
[msg.dev.audit]
empty = "조회된 감사 로그가 없습니다."
forbidden = "감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요."
@@ -571,6 +578,27 @@ success = "로그인 승인에 성공했습니다."
[msg.userfront.login_success]
subtitle = "성공적으로 로그인되었습니다."
[msg.userfront.consent]
accept_error = "동의 처리에 실패했습니다: {{error}}"
client_id = "클라이언트 ID: {{id}}"
client_unknown = "알 수 없는 앱"
description = "아래 서비스가 회원님의 계정 정보에 접근하려고 합니다.\n계속 진행하려면 동의 여부를 선택해 주세요."
load_error = "동의 정보를 불러오는데 실패했습니다: {{error}}"
missing_redirect = "동의가 처리되었으나 리다이렉트 URL을 받지 못했습니다."
redirect_notice = "동의 후 자동으로 서비스로 이동합니다."
scope_count = "총 {{count}}개"
[msg.userfront.consent.cancel]
confirm = "권한 동의를 취소하면 해당 서비스를 이용할 수 없습니다. 취소하시겠습니까?"
error = "취소 처리 중 오류가 발생했습니다: {{error}}"
[msg.userfront.consent.scope]
email = "이메일 주소 (계정 식별 및 알림 용도)"
offline_access = "오프라인 접근 (로그인 유지)"
openid = "OpenID 인증 정보 (로그인 상태 확인)"
phone = "휴대폰 번호 (본인 인증 및 알림)"
profile = "기본 프로필 정보 (이름, 사용자 식별자)"
[msg.userfront.profile]
department_missing = "소속 정보 없음"
department_required = "소속을 입력해주세요."
@@ -1237,6 +1265,12 @@ scope_badge = "Scoped to /dev"
clients = "연동 앱"
logout = "로그아웃"
[ui.dev.tenant]
single_notice = "단일 테넌트에 소속되어 전환할 필요가 없습니다."
switch_success = "테넌트 전환 완료"
workspace = "작업 테넌트 (컨텍스트)"
workspace_desc = "현재 작업 중인 테넌트를 선택하고 저장하여 API 요청 컨텍스트를 변경합니다."
[ui.dev.audit]
load_more = "더 보기"
title = "감사 로그"
@@ -1601,6 +1635,15 @@ later = "나중에 하기 (대시보드로 이동)"
qr = "QR 인증 (카메라 켜기)"
title = "로그인 완료"
[ui.userfront.consent]
accept = "동의하고 계속하기"
requested_scopes = "요청된 권한"
title = "접근 권한 요청"
[ui.userfront.consent.cancel]
confirm_button = "예, 취소합니다"
title = "동의 취소"
[ui.userfront.nav]
dashboard = "대시보드"
logout = "로그아웃"

43
locales/template.toml
View File

@@ -326,6 +326,13 @@ logout_confirm = ""
access_denied_description = ""
access_denied_title = ""
[msg.dev.forbidden]
default = ""
rp_admin = ""
tenant_admin = ""
user = ""
title = ""
[msg.dev.audit]
empty = ""
forbidden = ""
@@ -571,6 +578,27 @@ success = ""
[msg.userfront.login_success]
subtitle = ""
[msg.userfront.consent]
accept_error = ""
client_id = ""
client_unknown = ""
description = ""
load_error = ""
missing_redirect = ""
redirect_notice = ""
scope_count = ""
[msg.userfront.consent.cancel]
confirm = ""
error = ""
[msg.userfront.consent.scope]
email = ""
offline_access = ""
openid = ""
phone = ""
profile = ""
[msg.userfront.profile]
department_missing = ""
department_required = ""
@@ -1237,6 +1265,12 @@ scope_badge = ""
clients = ""
logout = ""
[ui.dev.tenant]
single_notice = ""
switch_success = ""
workspace = ""
workspace_desc = ""
[ui.dev.audit]
load_more = ""
title = ""
@@ -1601,6 +1635,15 @@ later = ""
qr = ""
title = ""
[ui.userfront.consent]
accept = ""
requested_scopes = ""
title = ""
[ui.userfront.consent.cancel]
confirm_button = ""
title = ""
[ui.userfront.nav]
dashboard = ""
logout = ""

32
userfront/assets/translations/en.toml
View File

@@ -179,6 +179,27 @@ success = "Success"
[msg.userfront.login_success]
subtitle = "Subtitle"
[msg.userfront.consent]
accept_error = "Failed to process consent: {error}"
client_id = "Client ID: {id}"
client_unknown = "Unknown application"
description = "The service below is requesting access to your account information.\nPlease choose whether to continue."
load_error = "Failed to load consent information: {error}"
missing_redirect = "Consent was processed, but the redirect URL was missing."
redirect_notice = "After consent, you will be redirected automatically."
scope_count = "Total {count}"
[msg.userfront.consent.cancel]
confirm = "If you cancel consent, you will not be able to use this service. Do you want to cancel?"
error = "An error occurred while cancelling consent: {error}"
[msg.userfront.consent.scope]
email = "Email address (account identification and notifications)"
offline_access = "Offline access (keep signed in)"
openid = "OpenID authentication information (signin session check)"
phone = "Phone number (identity verification and notifications)"
profile = "Basic profile information (name, user identifier)"
[msg.userfront.profile]
department_missing = "Department Missing"
department_required = "Department Required"
@@ -363,6 +384,7 @@ theme_dark = "Dark"
theme_light = "Light"
theme_toggle = "Theme Toggle"
unknown = "Unknown"
generate = "Generate"
[ui.common.badge]
admin_only = "Admin only"
@@ -487,6 +509,15 @@ later = "Later"
qr = "QR"
title = "Title"
[ui.userfront.consent]
accept = "Agree and continue"
requested_scopes = "Requested permissions"
title = "Permission request"
[ui.userfront.consent.cancel]
confirm_button = "Yes, cancel"
title = "Cancel consent"
[ui.userfront.nav]
dashboard = "Dashboard"
logout = "Logout"
@@ -588,3 +619,4 @@ verify = "Verify"
[ui.userfront.signup.success]
action = "Action"

32
userfront/assets/translations/ko.toml
View File

@@ -179,6 +179,27 @@ success = "로그인 승인에 성공했습니다."
[msg.userfront.login_success]
subtitle = "성공적으로 로그인되었습니다."
[msg.userfront.consent]
accept_error = "동의 처리에 실패했습니다: {error}"
client_id = "클라이언트 ID: {id}"
client_unknown = "알 수 없는 앱"
description = "아래 서비스가 회원님의 계정 정보에 접근하려고 합니다.\n계속 진행하려면 동의 여부를 선택해 주세요."
load_error = "동의 정보를 불러오는데 실패했습니다: {error}"
missing_redirect = "동의가 처리되었으나 리다이렉트 URL을 받지 못했습니다."
redirect_notice = "동의 후 자동으로 서비스로 이동합니다."
scope_count = "총 {count}개"
[msg.userfront.consent.cancel]
confirm = "권한 동의를 취소하면 해당 서비스를 이용할 수 없습니다. 취소하시겠습니까?"
error = "취소 처리 중 오류가 발생했습니다: {error}"
[msg.userfront.consent.scope]
email = "이메일 주소 (계정 식별 및 알림 용도)"
offline_access = "오프라인 접근 (로그인 유지)"
openid = "OpenID 인증 정보 (로그인 상태 확인)"
phone = "휴대폰 번호 (본인 인증 및 알림)"
profile = "기본 프로필 정보 (이름, 사용자 식별자)"
[msg.userfront.profile]
department_missing = "소속 정보 없음"
department_required = "소속을 입력해주세요."
@@ -363,6 +384,7 @@ theme_dark = "Dark"
theme_light = "Light"
theme_toggle = "테마 전환"
unknown = "Unknown"
generate = "생성"
[ui.common.badge]
admin_only = "Admin only"
@@ -487,6 +509,15 @@ later = "나중에 하기 (대시보드로 이동)"
qr = "QR 인증 (카메라 켜기)"
title = "로그인 완료"
[ui.userfront.consent]
accept = "동의하고 계속하기"
requested_scopes = "요청된 권한"
title = "접근 권한 요청"
[ui.userfront.consent.cancel]
confirm_button = "예, 취소합니다"
title = "동의 취소"
[ui.userfront.nav]
dashboard = "대시보드"
logout = "로그아웃"
@@ -585,3 +616,4 @@ verify = "본인인증"
[ui.userfront.signup.success]
action = "로그인하기"

46
userfront/assets/translations/template.toml
View File

@@ -12,6 +12,12 @@ jangheon = ""
ptc = ""
saman = ""
[domain.tenant_type]
company = ""
company_group = ""
personal = ""
user_group = ""
[err.userfront]
[err.userfront.auth_proxy]
@@ -173,6 +179,27 @@ success = ""
[msg.userfront.login_success]
subtitle = ""
[msg.userfront.consent]
accept_error = ""
client_id = ""
client_unknown = ""
description = ""
load_error = ""
missing_redirect = ""
redirect_notice = ""
scope_count = ""
[msg.userfront.consent.cancel]
confirm = ""
error = ""
[msg.userfront.consent.scope]
email = ""
offline_access = ""
openid = ""
phone = ""
profile = ""
[msg.userfront.profile]
department_missing = ""
department_required = ""
@@ -357,6 +384,7 @@ theme_dark = ""
theme_light = ""
theme_toggle = ""
unknown = ""
generate = ""
[ui.common.badge]
admin_only = ""
@@ -481,6 +509,15 @@ later = ""
qr = ""
title = ""
[ui.userfront.consent]
accept = ""
requested_scopes = ""
title = ""
[ui.userfront.consent.cancel]
confirm_button = ""
title = ""
[ui.userfront.nav]
dashboard = ""
logout = ""
@@ -580,12 +617,3 @@ verify = ""
[ui.userfront.signup.success]
action = ""
# Auto-added missing keys
[domain.tenant_type]
company = ""
company_group = ""
personal = ""
user_group = ""

122
userfront/lib/features/auth/presentation/consent_screen.dart
View File

@@ -1,5 +1,6 @@
import 'package:flutter/material.dart';
import 'package:go_router/go_router.dart';
import 'package:userfront/i18n.dart';
import 'package:userfront/core/i18n/locale_utils.dart';
import 'package:userfront/core/services/auth_proxy_service.dart';
import 'package:userfront/core/services/web_window.dart';
@@ -19,27 +20,42 @@ class _ConsentScreenState extends State<ConsentScreen> {
bool _isSubmitting = false;
String? _error;
// 사용자가 선택한 스코프 목록
final Set<String> _selectedScopes = {};
// 권한별 설명 매핑 (동적으로 업데이트됨)
final Map<String, String> _scopeDescriptions = {
'openid': 'OpenID 인증 정보 (로그인 상태 확인)',
'profile': '기본 프로필 정보 (이름, 사용자 식별자)',
'email': '이메일 주소 (계정 식별 및 알림 용도)',
'offline_access': '오프라인 접근 (로그인 유지)',
'phone': '휴대폰 번호 (본인 인증 및 알림)',
};
// 필수 권한 목록 (동적으로 업데이트됨)
final Map<String, String> _scopeDescriptions = {};
final Set<String> _mandatoryScopes = {'openid'};
@override
void initState() {
super.initState();
_scopeDescriptions.addAll(_defaultScopeDescriptions());
_fetchConsentInfo();
}
Map<String, String> _defaultScopeDescriptions() {
return {
'openid': tr(
'msg.userfront.consent.scope.openid',
fallback: 'OpenID authentication information (signin session check)',
),
'profile': tr(
'msg.userfront.consent.scope.profile',
fallback: 'Basic profile information (name, user identifier)',
),
'email': tr(
'msg.userfront.consent.scope.email',
fallback: 'Email address (account identification and notifications)',
),
'offline_access': tr(
'msg.userfront.consent.scope.offline_access',
fallback: 'Offline access (keep signed in)',
),
'phone': tr(
'msg.userfront.consent.scope.phone',
fallback: 'Phone number (identity verification and notifications)',
),
};
}
Future<void> _fetchConsentInfo() async {
try {
final info = await AuthProxyService.getConsentInfo(
@@ -90,7 +106,11 @@ class _ConsentScreenState extends State<ConsentScreen> {
});
} catch (e) {
setState(() {
_error = '동의 정보를 불러오는데 실패했습니다: $e';
_error = tr(
'msg.userfront.consent.load_error',
fallback: 'Failed to load consent information: {{error}}',
params: {'error': '$e'},
);
_isLoading = false;
});
}
@@ -112,13 +132,21 @@ class _ConsentScreenState extends State<ConsentScreen> {
webWindow.redirectTo(result['redirectTo']);
} else {
setState(() {
_error = '동의가 처리되었으나, 리다이렉트 URL을 받지 못했습니다.';
_error = tr(
'msg.userfront.consent.missing_redirect',
fallback:
'Consent was processed, but the redirect URL was missing.',
);
_isSubmitting = false;
});
}
} catch (e) {
setState(() {
_error = '동의 처리에 실패했습니다: $e';
_error = tr(
'msg.userfront.consent.accept_error',
fallback: 'Failed to process consent: {{error}}',
params: {'error': '$e'},
);
_isSubmitting = false;
});
}
@@ -128,17 +156,17 @@ class _ConsentScreenState extends State<ConsentScreen> {
final confirmed = await showDialog<bool>(
context: context,
builder: (context) => AlertDialog(
title: const Text('동의 취소'),
content: const Text('권한 동의를 취소하면 해당 서비스를 이용할 수 없습니다. 취소하시겠습니까?'),
title: Text(tr('ui.userfront.consent.cancel.title')),
content: Text(tr('msg.userfront.consent.cancel.confirm')),
actions: [
TextButton(
onPressed: () => Navigator.pop(context, false),
child: const Text('아니오'),
child: Text(tr('ui.common.cancel')),
),
TextButton(
onPressed: () => Navigator.pop(context, true),
style: TextButton.styleFrom(foregroundColor: Colors.red),
child: const Text('예, 취소합니다'),
child: Text(tr('ui.userfront.consent.cancel.confirm_button')),
),
],
),
@@ -159,9 +187,18 @@ class _ConsentScreenState extends State<ConsentScreen> {
} catch (e) {
setState(() => _isSubmitting = false);
if (mounted) {
ScaffoldMessenger.of(
context,
).showSnackBar(SnackBar(content: Text('취소 처리 중 오류가 발생했습니다: $e')));
ScaffoldMessenger.of(context).showSnackBar(
SnackBar(
content: Text(
tr(
'msg.userfront.consent.cancel.error',
fallback:
'An error occurred while cancelling consent: {{error}}',
params: {'error': '$e'},
),
),
),
);
}
}
}
@@ -200,7 +237,9 @@ class _ConsentScreenState extends State<ConsentScreen> {
}
Widget _buildConsentCard(BuildContext context) {
final clientName = _consentInfo?['client']?['client_name'] ?? '알 수 없는 앱';
final clientName =
_consentInfo?['client']?['client_name'] ??
tr('msg.userfront.consent.client_unknown');
final clientId = _consentInfo?['client']?['client_id'] ?? '-';
final clientLogo = _consentInfo?['client']?['logo_uri'];
final requestedScopes =
@@ -223,14 +262,17 @@ class _ConsentScreenState extends State<ConsentScreen> {
crossAxisAlignment: CrossAxisAlignment.stretch,
children: [
// 1. 헤더 영역
const Text(
'접근 권한 요청',
style: TextStyle(fontSize: 24, fontWeight: FontWeight.bold),
Text(
tr('ui.userfront.consent.title'),
style: const TextStyle(
fontSize: 24,
fontWeight: FontWeight.bold,
),
textAlign: TextAlign.center,
),
const SizedBox(height: 12),
Text(
'아래 서비스가 회원님의 계정 정보에 접근하려고 합니다.\n계속 진행하려면 동의 여부를 선택해 주세요.',
tr('msg.userfront.consent.description'),
style: TextStyle(fontSize: 14, color: Colors.grey[600]),
textAlign: TextAlign.center,
),
@@ -277,7 +319,11 @@ class _ConsentScreenState extends State<ConsentScreen> {
),
const SizedBox(height: 4),
Text(
'클라이언트 ID: $clientId',
tr(
'msg.userfront.consent.client_id',
fallback: 'Client ID: {{id}}',
params: {'id': clientId},
),
style: TextStyle(
fontSize: 12,
color: Colors.grey[500],
@@ -296,15 +342,19 @@ class _ConsentScreenState extends State<ConsentScreen> {
Row(
mainAxisAlignment: MainAxisAlignment.spaceBetween,
children: [
const Text(
'요청된 권한',
style: TextStyle(
Text(
tr('ui.userfront.consent.requested_scopes'),
style: const TextStyle(
fontSize: 16,
fontWeight: FontWeight.bold,
),
),
Text(
'${requestedScopes.length}',
tr(
'msg.userfront.consent.scope_count',
fallback: 'Total {{count}}',
params: {'count': '${requestedScopes.length}'},
),
style: TextStyle(
fontSize: 14,
color: Theme.of(context).primaryColor,
@@ -367,8 +417,8 @@ class _ConsentScreenState extends State<ConsentScreen> {
color: Colors.white,
),
)
: const Text(
'동의하고 계속하기',
: Text(
tr('ui.userfront.consent.accept'),
style: TextStyle(
fontSize: 16,
fontWeight: FontWeight.bold,
@@ -384,11 +434,11 @@ class _ConsentScreenState extends State<ConsentScreen> {
borderRadius: BorderRadius.circular(8),
),
),
child: const Text('취소'),
child: Text(tr('ui.common.cancel')),
),
const SizedBox(height: 16),
Text(
'동의 후 자동으로 서비스로 이동합니다.',
tr('msg.userfront.consent.redirect_notice'),
style: TextStyle(fontSize: 12, color: Colors.grey[500]),
textAlign: TextAlign.center,
),

11
userfront/lib/features/auth/presentation/qr_scan_route.dart
View File

@@ -15,3 +15,14 @@ String buildQrApprovePath(
);
return '/$resolvedLocale/approve?ref=${Uri.encodeQueryComponent(value)}';
}
String buildQrBackFallbackPath({String? localeCode, Uri? currentUri}) {
final explicitLocale = localeCode?.trim();
final uri = currentUri ?? Uri.base;
final resolvedLocale = explicitLocale != null && explicitLocale.isNotEmpty
? explicitLocale.toLowerCase().replaceAll('_', '-')
: normalizeLocaleCode(
extractLocaleFromPath(uri) ?? resolvePreferredLocaleCode(),
);
return '/$resolvedLocale/dashboard';
}

11
userfront/lib/features/auth/presentation/qr_scan_screen_stub.dart
View File

@@ -38,6 +38,15 @@ class _QRScanScreenState extends State<QRScanScreen> {
context.go(buildQrApprovePath(raw));
}
void _handleBack() {
final router = GoRouter.of(context);
if (router.canPop()) {
router.pop();
return;
}
router.go(buildQrBackFallbackPath());
}
@override
Widget build(BuildContext context) {
return Scaffold(
@@ -45,7 +54,7 @@ class _QRScanScreenState extends State<QRScanScreen> {
title: Text(tr('ui.userfront.qr.title', fallback: 'Scan QR Code')),
leading: IconButton(
icon: const Icon(Icons.arrow_back),
onPressed: () => context.pop(),
onPressed: _handleBack,
),
),
body: Padding(

11
userfront/lib/features/auth/presentation/qr_scan_screen_web.dart
View File

@@ -131,6 +131,15 @@ class _QRScanScreenState extends State<QRScanScreen> {
}
}
void _handleBack() {
final router = GoRouter.of(context);
if (router.canPop()) {
router.pop();
return;
}
router.go(buildQrBackFallbackPath());
}
@override
Widget build(BuildContext context) {
return Scaffold(
@@ -138,7 +147,7 @@ class _QRScanScreenState extends State<QRScanScreen> {
title: Text(tr('ui.userfront.qr.title', fallback: 'Scan QR Code')),
leading: IconButton(
icon: const Icon(Icons.arrow_back),
onPressed: () => context.pop(),
onPressed: _handleBack,
),
),
body: Padding(