gateway 분리 아키텍처

backend/internal/handler/auth_handler.go

@@ -74,6 +74,7 @@ type AuthHandler struct {
 	EmailService  domain.EmailService
 	RedisService  *service.RedisService
 	DescopeClient *client.DescopeClient
+	KratosAdmin   *service.KratosAdminService
 	IdpProvider   domain.IdentityProvider
 	AuditRepo     domain.AuditRepository
 	Hydra         *service.HydraAdminService
@@ -156,6 +157,7 @@ func NewAuthHandler(redisService *service.RedisService, idpProvider domain.Ident
 		EmailService:  service.NewEmailService(),
 		RedisService:  redisService,
 		DescopeClient: descopeClient,
+		KratosAdmin:   service.NewKratosAdminService(),
 		IdpProvider:   idpProvider,
 		AuditRepo:     auditRepo,
 		Hydra:         service.NewHydraAdminService(),
@@ -823,13 +825,20 @@ func (h *AuthHandler) VerifyMagicLink(c *fiber.Ctx) error {
 	sessionToken := authInfo.SessionToken.JWT
 	c.Locals("login_id", loginID)
 	setSessionIDLocal(c, authInfo.SessionToken)
+	sessionID := extractSessionIDFromToken(authInfo.SessionToken)
 
 	slog.Info("[Verify] Success! Updating Redis session", "pendingRef", pendingRef)
-	sessionData, _ := json.Marshal(map[string]string{
+	sessionData := map[string]string{
 		"status": statusSuccess,
 		"jwt":    sessionToken,
-	})
-	h.RedisService.Set(prefixSession+pendingRef, string(sessionData), defaultExpiration)
+	}
+	if sessionID != "" {
+		sessionData["session_id"] = sessionID
+	}
+	sessionDataJSON, _ := json.Marshal(sessionData)
+	h.RedisService.Set(prefixSession+pendingRef, string(sessionDataJSON), defaultExpiration)
+
+	h.writeLinkAuditLog(loginID, pendingRef, authInfo.SessionToken, c)
 
 	return c.JSON(fiber.Map{
 		"token":   sessionToken,
@@ -2226,6 +2235,43 @@ func (h *AuthHandler) writeQrAuditLog(loginID, pendingRef string, sessionToken *
 	_ = h.AuditRepo.Create(log)
 }
 
+func (h *AuthHandler) writeLinkAuditLog(loginID, pendingRef string, sessionToken *domain.Token, c *fiber.Ctx) {
+	if h.AuditRepo == nil {
+		return
+	}
+	meta := qrMeta{
+		IPAddress: extractClientIPFromHeaders(c),
+		UserAgent: "",
+	}
+	if c != nil {
+		meta.UserAgent = c.Get("User-Agent")
+	}
+	sessionID := extractSessionIDFromToken(sessionToken)
+	details := map[string]any{
+		"path":        "/api/v1/auth/magic-link/verify",
+		"login_id":    loginID,
+		"pending_ref": pendingRef,
+	}
+	if sessionID != "" {
+		details["session_id"] = sessionID
+	}
+	detailsJSON, _ := json.Marshal(details)
+
+	log := &domain.AuditLog{
+		EventID:    GenerateSecureToken(16),
+		Timestamp:  time.Now(),
+		UserID:     "",
+		SessionID:  sessionID,
+		EventType:  "POST /api/v1/auth/magic-link/verify",
+		Status:     "success",
+		IPAddress:  meta.IPAddress,
+		UserAgent:  meta.UserAgent,
+		Details:    string(detailsJSON),
+		AuthMethod: "링크",
+	}
+	_ = h.AuditRepo.Create(log)
+}
+
 func extractClientIPFromHeaders(c *fiber.Ctx) string {
 	if c == nil {
 		return ""
@@ -2451,6 +2497,26 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
 func (h *AuthHandler) resolveConsentSubject(c *fiber.Ctx) (string, error) {
 	token := h.getBearerToken(c)
 	if token != "" {
+		if looksLikeJWT(token) && h.DescopeClient != nil && h.KratosAdmin != nil {
+			authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token)
+			if err == nil && authorized {
+				userResponse, loadErr := h.DescopeClient.Management.User().Load(c.Context(), userToken.ID)
+				if loadErr == nil {
+					if email := strings.TrimSpace(userResponse.Email); email != "" {
+						if identityID, err := h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), email); err == nil && identityID != "" {
+							return identityID, nil
+						}
+					}
+					if phone := strings.TrimSpace(userResponse.Phone); phone != "" {
+						normalized := normalizePhoneForLoginID(phone)
+						if identityID, err := h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), normalized); err == nil && identityID != "" {
+							return identityID, nil
+						}
+					}
+				}
+				return userToken.ID, nil
+			}
+		}
 		return h.resolveIdentityID(c, token)
 	}
 	cookie := c.Get("Cookie")

backend/internal/service/kratos_admin_service.go

@@ -57,6 +57,48 @@ func (s *KratosAdminService) ListIdentities(ctx context.Context) ([]KratosIdenti
 	return identities, nil
 }
 
+func (s *KratosAdminService) FindIdentityIDByIdentifier(ctx context.Context, identifier string) (string, error) {
+	identifier = strings.TrimSpace(identifier)
+	if identifier == "" {
+		return "", nil
+	}
+
+	endpoint := strings.TrimRight(s.AdminURL, "/") + "/admin/identities"
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
+	if err != nil {
+		return "", err
+	}
+
+	query := req.URL.Query()
+	query.Set("credentials_identifier", identifier)
+	req.URL.RawQuery = query.Encode()
+
+	resp, err := s.httpClient().Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusNotFound {
+		return "", nil
+	}
+	if resp.StatusCode >= 300 {
+		body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
+		return "", fmt.Errorf("kratos admin search failed status=%d body=%s", resp.StatusCode, string(body))
+	}
+
+	var identities []struct {
+		ID string `json:"id"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&identities); err != nil {
+		return "", err
+	}
+	if len(identities) == 0 {
+		return "", nil
+	}
+	return identities[0].ID, nil
+}
+
 func (s *KratosAdminService) GetIdentity(ctx context.Context, identityID string) (*KratosIdentity, error) {
 	endpoint := fmt.Sprintf("%s/admin/identities/%s", strings.TrimRight(s.AdminURL, "/"), identityID)
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)

backend/internal/service/ory_service.go

@@ -77,7 +77,9 @@ func (o *OryProvider) CreateUser(user *domain.BrokerUser, password string) (stri
 	traits := map[string]interface{}{
 		"email":        user.Email,
 		"name":         user.Name,
-		"phone_number": user.PhoneNumber,
+	}
+	if user.PhoneNumber != "" {
+		traits["phone_number"] = user.PhoneNumber
 	}
 	for k, v := range user.Attributes {
 		traits[k] = v