callback 검증 보강. seed-tenant 추가보강

2026-05-11 11:03:11 +09:00
parent f46a7cc088
commit 9a64a16cb9
28 changed files with 2832 additions and 133 deletions
--- a/orgfront/src/lib/auth.ts
+++ b/orgfront/src/lib/auth.ts
@@ -1,15 +1,26 @@
 import { UserManager, WebStorageStateStore } from "oidc-client-ts";
 import type { AuthProviderProps } from "react-oidc-context";
+import {
+  buildOrgFrontAuthRedirectUris,
+  resolveOrgFrontPublicOrigin,
+} from "./authConfig";
+
+const orgFrontPublicOrigin = resolveOrgFrontPublicOrigin(
+  import.meta.env.VITE_ORGFRONT_PUBLIC_URL,
+  window.location.origin,
+);
+const orgFrontRedirectUris =
+  buildOrgFrontAuthRedirectUris(orgFrontPublicOrigin);

 export const oidcConfig: AuthProviderProps = {
  authority:
    import.meta.env.VITE_OIDC_AUTHORITY || "http://localhost:5000/oidc", // Gateway Proxy URL
  client_id: import.meta.env.VITE_OIDC_CLIENT_ID || "orgfront",
-  redirect_uri: `${window.location.origin}/auth/callback`,
+  redirect_uri: orgFrontRedirectUris.redirectUri,
  response_type: "code",
  scope: "openid offline_access profile email", // offline_access for refresh token
-  post_logout_redirect_uri: window.location.origin,
-  popup_redirect_uri: `${window.location.origin}/auth/callback`,
+  post_logout_redirect_uri: orgFrontRedirectUris.postLogoutRedirectUri,
+  popup_redirect_uri: orgFrontRedirectUris.popupRedirectUri,
  userStore: new WebStorageStateStore({ store: window.localStorage }),
  automaticSilentRenew: false,
 };
--- a/orgfront/src/lib/authConfig.test.ts
+++ b/orgfront/src/lib/authConfig.test.ts
@@ -0,0 +1,29 @@
+import { describe, expect, it } from "vitest";
+import {
+  ORGFRONT_AUTH_CALLBACK_PATH,
+  buildOrgFrontAuthRedirectUris,
+  resolveOrgFrontPublicOrigin,
+} from "./authConfig";
+
+describe("orgfront auth config", () => {
+  it("builds callback URLs from the public origin", () => {
+    expect(buildOrgFrontAuthRedirectUris("https://sorg.hmac.kr")).toEqual({
+      redirectUri: "https://sorg.hmac.kr/auth/callback",
+      postLogoutRedirectUri: "https://sorg.hmac.kr",
+      popupRedirectUri: "https://sorg.hmac.kr/auth/callback",
+    });
+  });
+
+  it("uses the browser origin when the configured origin is empty or invalid", () => {
+    expect(resolveOrgFrontPublicOrigin("", "http://localhost:5174")).toBe(
+      "http://localhost:5174",
+    );
+    expect(
+      resolveOrgFrontPublicOrigin("not a url", "http://localhost:5174"),
+    ).toBe("http://localhost:5174");
+  });
+
+  it("keeps the callback path aligned with the registered redirect path", () => {
+    expect(ORGFRONT_AUTH_CALLBACK_PATH).toBe("/auth/callback");
+  });
+});
--- a/orgfront/src/lib/authConfig.ts
+++ b/orgfront/src/lib/authConfig.ts
@@ -0,0 +1,33 @@
+export interface OrgFrontAuthRedirectUris {
+  redirectUri: string;
+  postLogoutRedirectUri: string;
+  popupRedirectUri: string;
+}
+
+export const ORGFRONT_AUTH_CALLBACK_PATH = "/auth/callback";
+
+export function resolveOrgFrontPublicOrigin(
+  configuredOrigin: string | undefined,
+  browserOrigin: string,
+) {
+  const trimmed = configuredOrigin?.trim();
+  if (!trimmed) {
+    return browserOrigin;
+  }
+
+  try {
+    return new URL(trimmed).origin;
+  } catch {
+    return browserOrigin;
+  }
+}
+
+export function buildOrgFrontAuthRedirectUris(
+  publicOrigin: string,
+): OrgFrontAuthRedirectUris {
+  return {
+    redirectUri: `${publicOrigin}${ORGFRONT_AUTH_CALLBACK_PATH}`,
+    postLogoutRedirectUri: publicOrigin,
+    popupRedirectUri: `${publicOrigin}${ORGFRONT_AUTH_CALLBACK_PATH}`,
+  };
+}