callback 검증 보강. seed-tenant 추가보강

orgfront/package.json

@@ -12,6 +12,7 @@
     "lint": "biome check .",
     "preview": "vite preview",
     "test": "playwright test",
+    "test:unit": "vitest run",
     "test:roles": "playwright test tests/devfront-role-switch-report.spec.ts",
     "test:ui": "playwright test --ui"
   },
@@ -43,10 +44,12 @@
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^6.0.1",
     "autoprefixer": "^10.4.23",
+    "jsdom": "^28.1.0",
     "postcss": "^8.5.6",
     "tailwindcss": "^3.4.14",
     "tailwindcss-animate": "^1.0.7",
     "typescript": "~5.9.3",
-    "vite": "^8.0.3"
+    "vite": "^8.0.3",
+    "vitest": "^4.1.5"
   }
 }

orgfront/scripts/runtime-mode.sh

@@ -3,6 +3,19 @@ set -eu
 
 app_env="$(printf '%s' "${APP_ENV:-development}" | tr '[:upper:]' '[:lower:]')"
 
+if [ -z "${VITE_ORGFRONT_PUBLIC_URL:-}" ] && [ -n "${ORGFRONT_URL:-}" ]; then
+  export VITE_ORGFRONT_PUBLIC_URL="$ORGFRONT_URL"
+fi
+
+if [ -z "${VITE_ORGFRONT_PUBLIC_URL:-}" ] && [ -n "${ORGFRONT_CALLBACK_URLS:-}" ]; then
+  first_orgfront_callback="${ORGFRONT_CALLBACK_URLS%%,*}"
+  case "$first_orgfront_callback" in
+    http://*/auth/callback | https://*/auth/callback)
+      export VITE_ORGFRONT_PUBLIC_URL="${first_orgfront_callback%/auth/callback}"
+      ;;
+  esac
+fi
+
 case "$app_env" in
   production|prod|stage|staging)
     mode="production"
@@ -12,6 +25,11 @@ case "$app_env" in
     ;;
 esac
 
+if [ "${1:-}" = "--print-public-url" ]; then
+  printf '%s\n' "${VITE_ORGFRONT_PUBLIC_URL:-}"
+  exit 0
+fi
+
 if [ "${1:-}" = "--print-mode" ]; then
   printf '%s\n' "$mode"
   exit 0

orgfront/src/app/routes.test.tsx

@@ -0,0 +1,13 @@
+import { matchRoutes } from "react-router-dom";
+import { describe, expect, it } from "vitest";
+import { ORGFRONT_AUTH_CALLBACK_PATH } from "../lib/authConfig";
+import { orgFrontRoutes } from "./routes";
+
+describe("orgfront routes", () => {
+  it("accepts the auth callback path used by the OIDC redirect URI", () => {
+    const matches = matchRoutes(orgFrontRoutes, ORGFRONT_AUTH_CALLBACK_PATH);
+
+    expect(matches).not.toBeNull();
+    expect(matches?.at(-1)?.route.path).toBe(ORGFRONT_AUTH_CALLBACK_PATH);
+  });
+});

orgfront/src/app/routes.tsx

@@ -1,4 +1,8 @@
-import { Navigate, createBrowserRouter } from "react-router-dom";
+import {
+  Navigate,
+  type RouteObject,
+  createBrowserRouter,
+} from "react-router-dom";
 import AuthCallbackPage from "../features/auth/AuthCallbackPage";
 import AuthGuard from "../features/auth/AuthGuard";
 import LoginPage from "../features/auth/LoginPage";
@@ -9,38 +13,38 @@ import {
   OrgPickerEmbedPage,
   OrgPickerPage,
 } from "../features/orgchart/routes/OrgPickerPage";
+import { ORGFRONT_AUTH_CALLBACK_PATH } from "../lib/authConfig";
 
-export const router = createBrowserRouter(
-  [
-    {
-      path: "/login",
-      element: <LoginPage />,
-    },
-    {
-      path: "/auth/callback",
-      element: <AuthCallbackPage />,
-    },
-    {
-      path: "/",
-      element: <AuthGuard />,
-      children: [
-        { index: true, element: <Navigate to="/chart" replace /> },
-        {
-          element: <OrgFrontLayout />,
-          children: [
-            { path: "chart", element: <TenantOrgChartPage /> },
-            { path: "chart/:tenantId", element: <TenantOrgChartPage /> },
-            { path: "picker", element: <OrgPickerPage /> },
-            { path: "embed-preview", element: <OrgPickerEmbedPreviewPage /> },
-          ],
-        },
-        { path: "embed/picker", element: <OrgPickerEmbedPage /> },
-      ],
-    },
-  ],
+export const orgFrontRoutes: RouteObject[] = [
   {
-    future: {
-      v7_startTransition: true,
-    },
-  } as unknown as Parameters<typeof createBrowserRouter>[1],
-);
+    path: "/login",
+    element: <LoginPage />,
+  },
+  {
+    path: ORGFRONT_AUTH_CALLBACK_PATH,
+    element: <AuthCallbackPage />,
+  },
+  {
+    path: "/",
+    element: <AuthGuard />,
+    children: [
+      { index: true, element: <Navigate to="/chart" replace /> },
+      {
+        element: <OrgFrontLayout />,
+        children: [
+          { path: "chart", element: <TenantOrgChartPage /> },
+          { path: "chart/:tenantId", element: <TenantOrgChartPage /> },
+          { path: "picker", element: <OrgPickerPage /> },
+          { path: "embed-preview", element: <OrgPickerEmbedPreviewPage /> },
+        ],
+      },
+      { path: "embed/picker", element: <OrgPickerEmbedPage /> },
+    ],
+  },
+];
+
+export const router = createBrowserRouter(orgFrontRoutes, {
+  future: {
+    v7_startTransition: true,
+  },
+} as unknown as Parameters<typeof createBrowserRouter>[1]);

orgfront/src/lib/auth.ts

@@ -1,15 +1,26 @@
 import { UserManager, WebStorageStateStore } from "oidc-client-ts";
 import type { AuthProviderProps } from "react-oidc-context";
+import {
+  buildOrgFrontAuthRedirectUris,
+  resolveOrgFrontPublicOrigin,
+} from "./authConfig";
+
+const orgFrontPublicOrigin = resolveOrgFrontPublicOrigin(
+  import.meta.env.VITE_ORGFRONT_PUBLIC_URL,
+  window.location.origin,
+);
+const orgFrontRedirectUris =
+  buildOrgFrontAuthRedirectUris(orgFrontPublicOrigin);
 
 export const oidcConfig: AuthProviderProps = {
   authority:
     import.meta.env.VITE_OIDC_AUTHORITY || "http://localhost:5000/oidc", // Gateway Proxy URL
   client_id: import.meta.env.VITE_OIDC_CLIENT_ID || "orgfront",
-  redirect_uri: `${window.location.origin}/auth/callback`,
+  redirect_uri: orgFrontRedirectUris.redirectUri,
   response_type: "code",
   scope: "openid offline_access profile email", // offline_access for refresh token
-  post_logout_redirect_uri: window.location.origin,
-  popup_redirect_uri: `${window.location.origin}/auth/callback`,
+  post_logout_redirect_uri: orgFrontRedirectUris.postLogoutRedirectUri,
+  popup_redirect_uri: orgFrontRedirectUris.popupRedirectUri,
   userStore: new WebStorageStateStore({ store: window.localStorage }),
   automaticSilentRenew: false,
 };

orgfront/src/lib/authConfig.test.ts

@@ -0,0 +1,29 @@
+import { describe, expect, it } from "vitest";
+import {
+  ORGFRONT_AUTH_CALLBACK_PATH,
+  buildOrgFrontAuthRedirectUris,
+  resolveOrgFrontPublicOrigin,
+} from "./authConfig";
+
+describe("orgfront auth config", () => {
+  it("builds callback URLs from the public origin", () => {
+    expect(buildOrgFrontAuthRedirectUris("https://sorg.hmac.kr")).toEqual({
+      redirectUri: "https://sorg.hmac.kr/auth/callback",
+      postLogoutRedirectUri: "https://sorg.hmac.kr",
+      popupRedirectUri: "https://sorg.hmac.kr/auth/callback",
+    });
+  });
+
+  it("uses the browser origin when the configured origin is empty or invalid", () => {
+    expect(resolveOrgFrontPublicOrigin("", "http://localhost:5174")).toBe(
+      "http://localhost:5174",
+    );
+    expect(
+      resolveOrgFrontPublicOrigin("not a url", "http://localhost:5174"),
+    ).toBe("http://localhost:5174");
+  });
+
+  it("keeps the callback path aligned with the registered redirect path", () => {
+    expect(ORGFRONT_AUTH_CALLBACK_PATH).toBe("/auth/callback");
+  });
+});

orgfront/src/lib/authConfig.ts

@@ -0,0 +1,33 @@
+export interface OrgFrontAuthRedirectUris {
+  redirectUri: string;
+  postLogoutRedirectUri: string;
+  popupRedirectUri: string;
+}
+
+export const ORGFRONT_AUTH_CALLBACK_PATH = "/auth/callback";
+
+export function resolveOrgFrontPublicOrigin(
+  configuredOrigin: string | undefined,
+  browserOrigin: string,
+) {
+  const trimmed = configuredOrigin?.trim();
+  if (!trimmed) {
+    return browserOrigin;
+  }
+
+  try {
+    return new URL(trimmed).origin;
+  } catch {
+    return browserOrigin;
+  }
+}
+
+export function buildOrgFrontAuthRedirectUris(
+  publicOrigin: string,
+): OrgFrontAuthRedirectUris {
+  return {
+    redirectUri: `${publicOrigin}${ORGFRONT_AUTH_CALLBACK_PATH}`,
+    postLogoutRedirectUri: publicOrigin,
+    popupRedirectUri: `${publicOrigin}${ORGFRONT_AUTH_CALLBACK_PATH}`,
+  };
+}

orgfront/vitest.config.ts

@@ -0,0 +1,11 @@
+import react from "@vitejs/plugin-react";
+import { defineConfig } from "vitest/config";
+
+export default defineConfig({
+  plugins: [react()],
+  test: {
+    globals: true,
+    environment: "jsdom",
+    include: ["src/**/*.{test,spec}.{ts,tsx}"],
+  },
+});