kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

중복 AdminFront/DevFront 항목 생성 차단 및 목록 숨김

Browse Source
This commit is contained in:
김용연
2026-03-24 16:46:21 +09:00
parent 870c11381c
commit 96be117851
2 changed files with 202 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
backend/internal/handler/dev_handler.go
View File

@@ -146,6 +146,11 @@ var protectedSystemClientIDs = map[string]struct{}{
"oathkeeper-introspect": {},
}
var reservedSystemClientNames = map[string]string{
"adminfront": "adminfront",
"devfront": "devfront",
}
func normalizeUserRole(role string) string {
return domain.NormalizeRole(role)
}
@@ -276,6 +281,34 @@ func isProtectedSystemClient(client domain.HydraClient) bool {
return isProtectedSystemClientID(client.ClientID)
}
func isReservedSystemClientAlias(client domain.HydraClient) bool {
ownerID, reserved := reservedSystemClientOwnerID(client.ClientName)
if !reserved {
return false
}
return !strings.EqualFold(strings.TrimSpace(client.ClientID), ownerID)
}
func isHiddenSystemClient(client domain.HydraClient) bool {
return isProtectedSystemClient(client) || isReservedSystemClientAlias(client)
}
func reservedSystemClientOwnerID(name string) (string, bool) {
ownerID, ok := reservedSystemClientNames[strings.ToLower(strings.TrimSpace(name))]
return ownerID, ok
}
func validateReservedSystemClientName(clientID, name string) error {
ownerID, reserved := reservedSystemClientOwnerID(name)
if !reserved {
return nil
}
if strings.EqualFold(strings.TrimSpace(clientID), ownerID) {
return nil
}
return fmt.Errorf("forbidden: reserved system client name")
}
func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
if (!ok || profile == nil) && h.Auth != nil {
@@ -570,7 +603,7 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
items := make([]clientSummary, 0, len(clients))
for _, client := range clients {
if isProtectedSystemClient(client) {
if isHiddenSystemClient(client) {
continue
}
@@ -621,7 +654,7 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
}
if isProtectedSystemClient(*client) {
if isHiddenSystemClient(*client) {
return errorJSON(c, fiber.StatusNotFound, "client not found")
}
@@ -699,7 +732,7 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
}
if isProtectedSystemClient(*current) {
if isHiddenSystemClient(*current) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: protected system client")
}
@@ -792,6 +825,9 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
if name == "" {
name = clientID
}
if err := validateReservedSystemClientName(clientID, name); err != nil {
return errorJSON(c, fiber.StatusForbidden, err.Error())
}
redirectURIs := derefSlice(req.RedirectURIs, nil)
if len(redirectURIs) == 0 {
@@ -927,7 +963,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
}
if isProtectedSystemClient(*current) {
if isHiddenSystemClient(*current) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: protected system client")
}
@@ -1012,6 +1048,9 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
TokenEndpointAuthMethod: resolveTokenAuthMethod(tokenAuthMethod, current.TokenEndpointAuthMethod),
Metadata: metadata,
}
if err := validateReservedSystemClientName(updated.ClientID, updated.ClientName); err != nil {
return errorJSON(c, fiber.StatusForbidden, err.Error())
}
h.setAuditDetailsExtra(c, map[string]any{
"action": "UPDATE_CLIENT",
@@ -1062,7 +1101,7 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
}
if isProtectedSystemClient(*current) {
if isHiddenSystemClient(*current) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: protected system client")
}
@@ -1301,7 +1340,7 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
}
if isProtectedSystemClient(*current) {
if isHiddenSystemClient(*current) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: protected system client")
}
@@ -1502,7 +1541,7 @@ func (h *DevHandler) GetStats(c *fiber.Ctx) error {
var totalClients int64
if err == nil {
for _, client := range clients {
if isProtectedSystemClient(client) {
if isHiddenSystemClient(client) {
continue
}
if isSuperAdmin {