kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

feat: implement multi-identifier architecture (Issue #496)

Browse Source 
- Database: Add user_login_ids table for 1:N identifier mapping and remove legacy login_id column
- Kratos: Update identity schema to use custom_login_ids array instead of a single id trait
- Backend: Implement syncCustomLoginIDs to collect isLoginId fields across tenant schemas
- Backend: Add backtracking logic to auto-assign session tenant based on used login identifier
- Backend: Add 409 Conflict exception handling for Create/Update operations
- AdminFront: Refactor UserDetailPage to a tabbed grid layout (Info, Tenants, Security)
- AdminFront: Show '로그인 ID' badge on tenant schema fields used for authentication
- UserFront: Remove legacy optional 'Login ID' input from signup flow
- Tests: Add multi-identifier repository tests and update handler tests
This commit is contained in:
조찬영
2026-04-02 16:07:33 +09:00
parent 71a006cd7b
commit b582c82c6f
25 changed files with 1154 additions and 1160 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
adminfront/src/features/tenants/routes/TenantSchemaPage.tsx
View File

@@ -97,7 +97,6 @@ export function TenantSchemaPage() {
useEffect(() => {
const rawSchema = tenantQuery.data?.config?.userSchema;
const loginIdField = tenantQuery.data?.config?.loginIdField;
if (Array.isArray(rawSchema)) {
setFields(
@@ -118,7 +117,7 @@ export function TenantSchemaPage() {
validation:
typeof field?.validation === "string" ? field.validation : "",
unsigned: Boolean(field?.unsigned),
isLoginId: field?.key === loginIdField,
isLoginId: Boolean(field?.isLoginId),
})),
);
}
@@ -126,13 +125,13 @@ export function TenantSchemaPage() {
const updateMutation = useMutation({
mutationFn: (newFields: SchemaField[]) => {
const loginIdField = newFields.find((f) => f.isLoginId)?.key || "";
// Remove legacy loginIdField, keep isLoginId natively in userSchema
const newConfig = { ...tenantQuery.data?.config };
delete newConfig.loginIdField;
newConfig.userSchema = newFields;
return updateTenant(tenantId, {
config: {
...tenantQuery.data?.config,
userSchema: newFields,
loginIdField: loginIdField,
},
config: newConfig,
});
},
onSuccess: () => {
@@ -344,14 +343,10 @@ export function TenantSchemaPage() {
<label className="flex items-center gap-2 cursor-pointer">
<input
type="checkbox"
checked={field.isLoginId}
onChange={(e) => {
const newFields = fields.map((f, i) => ({
...f,
isLoginId: i === index ? e.target.checked : false,
}));
setFields(newFields);
}}
checked={field.isLoginId || false}
onChange={(e) =>
updateField(index, { isLoginId: e.target.checked })
}
className="w-4 h-4 rounded border-gray-300 text-primary focus:ring-primary"
/>
<span className="text-sm font-medium text-blue-600">

27
adminfront/src/features/users/UserCreatePage.tsx
View File

@@ -31,6 +31,7 @@ type UserSchemaField = {
required?: boolean;
adminOnly?: boolean;
validation?: string;
isLoginId?: boolean;
};
type UserFormValues = UserCreateRequest & { metadata: Record<string, unknown> };
@@ -65,7 +66,6 @@ function UserCreatePage() {
} = useForm<UserFormValues>({
defaultValues: {
email: "",
loginId: "",
password: "",
name: "",
phone: "",
@@ -274,26 +274,6 @@ function UserCreatePage() {
)}
</div>
<div className="space-y-2">
<Label htmlFor="loginId">
{t("ui.admin.users.create.form.login_id", "로그인 ID (선택)")}
</Label>
<Input
id="loginId"
placeholder={t(
"ui.admin.users.create.form.login_id_placeholder",
"사번 또는 아이디",
)}
{...register("loginId")}
/>
<p className="text-[10px] text-muted-foreground">
{t(
"msg.admin.users.create.form.login_id_help",
"이메일/전화번호 외에 별도의 식별자로 로그인할 때 사용합니다.",
)}
</p>
</div>
<div className="space-y-2">
<div className="flex items-center justify-between">
<Label htmlFor="password">
@@ -470,6 +450,11 @@ function UserCreatePage() {
Admin Only
</span>
)}
{field.isLoginId && (
<span className="ml-2 text-[10px] bg-green-500/10 text-green-600 px-1.5 py-0.5 rounded uppercase font-bold">
{t("ui.admin.users.create.form.is_login_id", "로그인 ID")}
</span>
)}
</Label>
<Input

1089
adminfront/src/features/users/UserDetailPage.tsx
View File

File diff suppressed because it is too large Load Diff

8
adminfront/src/features/users/UserListPage.tsx
View File

@@ -430,9 +430,6 @@ function UserListPage() {
"NAME / EMAIL",
)}
</TableHead>
<TableHead>
{t("ui.admin.users.list.table.login_id", "LOGIN ID")}
</TableHead>
<TableHead>
{t("ui.admin.users.list.table.role", "ROLE")}
</TableHead>
@@ -514,11 +511,6 @@ function UserListPage() {
</div>
</div>
</TableCell>
<TableCell>
<span className="text-sm font-mono">
{user.loginId || "-"}
</span>
</TableCell>
<TableCell>
<Badge variant="outline">
{t(`ui.admin.role.${user.role}`, user.role)}

14
adminfront/src/lib/adminApi.ts
View File

@@ -549,6 +549,20 @@ export async function deleteUser(userId: string) {
await apiClient.delete(`/v1/admin/users/${userId}`);
}
export type UserRpHistoryItem = {
client_id: string;
client_name: string;
lastLoginAt: string;
status: string;
};
export async function fetchUserRpHistory(userId: string) {
const { data } = await apiClient.get<UserRpHistoryItem[]>(
`/v1/admin/users/${userId}/rp-history`,
);
return data;
}
export type UserProfileResponse = {
id: string;
email: string;

3
backend/cmd/server/main.go
View File

@@ -294,7 +294,7 @@ func main() {
tenantHandler := handler.NewTenantHandler(db, tenantService, userRepo, ketoService, ketoOutboxRepo, kratosAdminService)
userGroupHandler := handler.NewUserGroupHandler(userGroupService)
relyingPartyHandler := handler.NewRelyingPartyHandler(relyingPartyService, kratosAdminService)
userHandler := handler.NewUserHandler(kratosAdminService, oryAdminProvider, tenantService, ketoService, ketoOutboxRepo, userRepo, userGroupRepo)
userHandler := handler.NewUserHandler(kratosAdminService, oryAdminProvider, tenantService, ketoService, ketoOutboxRepo, userRepo, userGroupRepo, auditRepo)
apiKeyHandler := handler.NewApiKeyHandler(db)
orgChartService := service.NewOrgChartService(tenantRepo, userGroupRepo, userRepo, ketoOutboxRepo, kratosAdminService)
@@ -669,6 +669,7 @@ func main() {
admin.Put("/users/bulk", requireAdmin, userHandler.BulkUpdateUsers)
admin.Delete("/users/bulk", requireAdmin, userHandler.BulkDeleteUsers)
admin.Get("/users/:id", requireAdmin, userHandler.GetUser)
admin.Get("/users/:id/rp-history", requireAdmin, userHandler.GetUserRpHistory)
admin.Put("/users/:id", requireAdmin, userHandler.UpdateUser)
admin.Delete("/users/:id", requireAdmin, userHandler.DeleteUser)

1
backend/internal/bootstrap/bootstrap.go
View File

@@ -34,6 +34,7 @@ func migrateSchemas(db *gorm.DB) error {
&domain.Tenant{},
&domain.TenantDomain{},
&domain.User{},
&domain.UserLoginID{},
&domain.UserGroup{},
&domain.ApiKey{},
&domain.IdentityProviderConfig{},

1
backend/internal/domain/auth_models.go
View File

@@ -80,6 +80,7 @@ type UserProfileResponse struct {
AffiliationType string `json:"affiliationType"`
CompanyCode string `json:"companyCode,omitempty"`
TenantID *string `json:"tenantId,omitempty"` // 추가
SessionTenantID *string `json:"sessionTenantId,omitempty"` // [New] 로그인에 사용된 식별자 기반 테넌트
RelyingPartyID *string `json:"relyingPartyId,omitempty"` // 추가
Metadata map[string]any `json:"metadata,omitempty"`
Tenant *Tenant `json:"tenant,omitempty"`

11
backend/internal/domain/idp_models.go
View File

@@ -12,11 +12,12 @@ var ErrNotSupported = errors.New("idp: not supported")
// BrokerUser is the standard user model used within Baron SSO business logic.
// It defines the canonical set of fields that must be supported by any underlying IDP.
type BrokerUser struct {
ID string `json:"id" required:"true"`
Email string `json:"email" required:"true"`
LoginID string `json:"login_id"`
Name string `json:"name"`
PhoneNumber string `json:"phone_number"`
ID string `json:"id" required:"true"`
Email string `json:"email" required:"true"`
LoginID string `json:"login_id"`
CustomLoginIDs []string `json:"custom_login_ids"` // [New] 다중 로그인 ID
Name string `json:"name"`
PhoneNumber string `json:"phone_number"`
// Attributes stores custom user attributes.
// The "required_keys" tag specifies which keys MUST be present in the IDP's schema support.
Attributes map[string]interface{} `json:"attributes" required_keys:"grade,department"`

15
backend/internal/domain/user.go
View File

@@ -35,14 +35,13 @@ func NormalizeRole(role string) string {
type User struct {
ID string `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
Email string `gorm:"uniqueIndex;not null" json:"email"`
LoginID string `gorm:"column:login_id;uniqueIndex:idx_tenant_login_id" json:"loginId"`
PasswordHash *string `gorm:"column:password_hash" json:"-"`
Name string `gorm:"column:name;not null" json:"name"`
Phone string `gorm:"column:phone" json:"phone"`
Role string `gorm:"column:role;default:'user';not null" json:"role"` // super_admin, tenant_admin, rp_admin, user
AffiliationType string `gorm:"column:affiliation_type" json:"affiliationType"`
CompanyCode string `gorm:"column:company_code;index" json:"companyCode"`
TenantID *string `gorm:"column:tenant_id;type:uuid;index;uniqueIndex:idx_tenant_login_id" json:"tenantId,omitempty"`
TenantID *string `gorm:"column:tenant_id;type:uuid;index" json:"tenantId,omitempty"`
Tenant *Tenant `gorm:"foreignKey:TenantID" json:"tenant,omitempty"`
RelyingPartyID *string `gorm:"column:relying_party_id;type:uuid;index" json:"relyingPartyId,omitempty"` // RP Admin용
Department string `gorm:"column:department" json:"department"`
@@ -53,6 +52,18 @@ type User struct {
CreatedAt time.Time `gorm:"column:created_at" json:"createdAt"`
UpdatedAt time.Time `gorm:"column:updated_at" json:"updatedAt"`
DeletedAt gorm.DeletedAt `gorm:"column:deleted_at;index" json:"-"`
// Multiple identifiers support
UserLoginIDs []UserLoginID `gorm:"foreignKey:UserID" json:"userLoginIds,omitempty"`
}
// UserLoginID represents multiple custom identifiers for a user
type UserLoginID struct {
ID string `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
UserID string `gorm:"type:uuid;not null;index" json:"userId"`
TenantID string `gorm:"type:uuid;not null;index" json:"tenantId"` // 발급 테넌트
FieldKey string `gorm:"not null" json:"fieldKey"` // 스키마 필드 키 (예: emp_id)
LoginID string `gorm:"uniqueIndex;not null" json:"loginId"` // 실제 값 (예: EMP001)
}
// BeforeCreate hook to generate UUID if not present

241
backend/internal/handler/auth_handler.go
View File

@@ -287,6 +287,16 @@ func (h *AuthHandler) CheckLoginID(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusServiceUnavailable, "Identity provider unavailable")
}
if !exists && h.UserRepo != nil {
// [New] Check local DB for custom login IDs (Plan A)
taken, err := h.UserRepo.IsLoginIDTaken(c.Context(), req.LoginID)
if err != nil {
slog.Error("Failed to check login ID in local DB", "error", err)
} else if taken {
exists = true
}
}
if exists {
return c.JSON(fiber.Map{"available": false, "message": "ID already registered"})
}
@@ -596,27 +606,20 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
"grade": "member",
}
if req.LoginID != "" {
attributes["id"] = req.LoginID
}
// Sync all custom login IDs based on tenant schemas
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, req.Metadata, "")
// Sync custom field to LoginID if configured
if tenantID != nil && h.TenantService != nil {
if tenant, err := h.TenantService.GetTenant(c.Context(), *tenantID); err == nil && tenant != nil {
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
syncLoginID(attributes, req.Metadata, *tenantID, loginIdField)
// Validate all collected LoginIDs
if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
for _, lid := range collectedIDs {
if err := domain.ValidateLoginID(lid, req.Email, normalizedPhone); err != nil {
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
}
}
}
finalLoginID := extractTraitString(attributes, "id")
if err := domain.ValidateLoginID(finalLoginID, req.Email, normalizedPhone); err != nil {
return errorJSON(c, fiber.StatusBadRequest, err.Error())
}
brokerUser := &domain.BrokerUser{
Email: req.Email,
LoginID: finalLoginID,
Name: req.Name,
PhoneNumber: normalizedPhone,
Attributes: attributes,
@@ -629,7 +632,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
}
slog.Error("[Signup] Failed to create user via IDP", "provider", h.IdpProvider.Name(), "error", err)
if strings.Contains(err.Error(), "already exists") {
return errorJSON(c, fiber.StatusConflict, "User already exists")
return errorJSON(c, fiber.StatusConflict, "User or login identifier already exists")
}
// Include the actual error message in the response for debugging
return errorJSON(c, fiber.StatusInternalServerError, fmt.Sprintf("Failed to create user: %v", err))
@@ -644,29 +647,47 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
// [SoT Policy] Kratos가 SoT이므로 로컬 DB 저장은 비동기 Read-Model 동기화로 처리합니다.
// 로컬 DB 저장이 실패하더라도 회원가입 프로세스는 성공으로 간주합니다.
localUser := &domain.User{
ID: providerID, // Match IDP Subject
ID: providerID,
Email: req.Email,
Name: req.Name,
Phone: normalizedPhone,
Role: "user",
AffiliationType: req.AffiliationType,
CompanyCode: companyCode,
TenantID: tenantID,
Department: req.Department,
Role: "user",
Status: "active",
Metadata: req.Metadata,
CreatedAt: time.Now(),
UpdatedAt: time.Now(),
}
if tenantID != nil {
localUser.TenantID = tenantID
}
// Merge metadata
localUser.Metadata = make(domain.JSONMap)
for k, v := range req.Metadata {
localUser.Metadata[k] = v
}
if h.UserRepo != nil {
go func(u *domain.User) {
// 요청 Context가 취소될 수 있으므로 Background Context 사용
go func(u *domain.User, ids []domain.UserLoginID) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
if err := h.UserRepo.Create(ctx, u); err != nil {
if err := h.UserRepo.Update(ctx, u); err != nil {
slog.Error("[Signup] Failed to sync user to Read-Model (Local DB)", "email", u.Email, "error", err)
} else {
slog.Debug("[Signup] Synced user to Read-Model", "email", u.Email)
// Update User Login IDs
for i := range ids {
ids[i].UserID = u.ID
}
if err := h.UserRepo.UpdateUserLoginIDs(ctx, u.ID, ids); err != nil {
slog.Error("[Signup] Failed to update user login IDs", "userID", u.ID, "error", err)
}
// [Keto] Sync user-tenant relationship via Outbox
if h.KetoOutboxRepo != nil && u.TenantID != nil {
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
@@ -678,7 +699,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
})
}
}
}(localUser)
}(localUser, loginIDRecords)
}
return c.JSON(fiber.Map{
@@ -3182,7 +3203,7 @@ func (h *AuthHandler) ScanQRLogin(c *fiber.Ctx) error {
if cookie == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Missing session token")
}
_, traits, err := h.getKratosIdentityWithCookie(cookie)
_, traits, _, err := h.getKratosIdentityWithCookie(cookie)
if err != nil {
slog.Warn("[QR] Cookie session invalid", "error", err)
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
@@ -4252,7 +4273,7 @@ func (h *AuthHandler) GetAuthTimeline(c *fiber.Ctx) error {
if strings.Contains(path, "/api/v1/auth/oidc/login/accept") {
appName = "OIDC 로그인"
// 우선 audit details의 client 정보를 사용하고, 없으면 Hydra 조회로 보강
if details, err := parseAuditDetails(log.Details); err == nil && details != nil {
if details, err := utils.ParseAuditDetails(log.Details); err == nil && details != nil {
if name, ok := details["client_name"].(string); ok && strings.TrimSpace(name) != "" {
appName = strings.TrimSpace(name)
}
@@ -5089,6 +5110,15 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
profile.Role = domain.RoleUser
}
// [New] Backtracking Logic for Session Tenant (Plan A)
if usedID, ok := profile.Metadata["_used_identifier"].(string); ok && usedID != "" && h.UserRepo != nil {
if tid, err := h.UserRepo.FindTenantIDByLoginID(c.Context(), usedID); err == nil && tid != "" {
profile.SessionTenantID = &tid
slog.Debug("Auto-assigned session tenant via backtracking", "loginID", usedID, "tenantID", tid)
}
delete(profile.Metadata, "_used_identifier") // Cleanup
}
// Fetch Tenant Metadata if missing
if profile.Tenant == nil && profile.TenantID != nil && *profile.TenantID != "" {
if tenant, err := h.TenantService.GetTenant(c.Context(), *profile.TenantID); err == nil {
@@ -5140,7 +5170,7 @@ func (h *AuthHandler) resolveConsentSubject(c *fiber.Ctx) (string, error) {
return identityID, nil
}
if cookie := c.Get("Cookie"); cookie != "" {
cookieID, _, cookieErr := h.getKratosIdentityWithCookie(cookie)
cookieID, _, _, cookieErr := h.getKratosIdentityWithCookie(cookie)
if cookieErr == nil && cookieID != "" {
return cookieID, nil
}
@@ -5151,14 +5181,14 @@ func (h *AuthHandler) resolveConsentSubject(c *fiber.Ctx) (string, error) {
if cookie == "" {
return "", fmt.Errorf("missing authorization token")
}
identityID, _, err := h.getKratosIdentityWithCookie(cookie)
identityID, _, _, err := h.getKratosIdentityWithCookie(cookie)
return identityID, err
}
func (h *AuthHandler) resolveConsentSubjects(c *fiber.Ctx) ([]string, error) {
token := h.getBearerToken(c)
if token != "" {
identityID, traits, err := h.getKratosIdentity(token)
identityID, traits, _, err := h.getKratosIdentity(token)
if err == nil && identityID != "" {
subjects := []string{identityID}
subjects = appendLoginIDsFromTraits(subjects, traits)
@@ -5170,7 +5200,7 @@ func (h *AuthHandler) resolveConsentSubjects(c *fiber.Ctx) ([]string, error) {
if cookie == "" {
return nil, fmt.Errorf("missing authorization token")
}
identityID, traits, err := h.getKratosIdentityWithCookie(cookie)
identityID, traits, _, err := h.getKratosIdentityWithCookie(cookie)
if err != nil {
return nil, err
}
@@ -5250,7 +5280,7 @@ func isAuthEventType(eventType string) bool {
func extractAuditPath(log domain.AuditLog) string {
if log.Details != "" {
if payload, err := parseAuditDetails(log.Details); err == nil {
if payload, err := utils.ParseAuditDetails(log.Details); err == nil {
if path, ok := payload["path"].(string); ok && path != "" {
return path
}
@@ -5263,17 +5293,6 @@ func extractAuditPath(log domain.AuditLog) string {
return ""
}
func parseAuditDetails(details string) (map[string]any, error) {
var payload map[string]any
if details == "" {
return nil, fmt.Errorf("empty details")
}
if err := json.Unmarshal([]byte(details), &payload); err != nil {
return nil, err
}
return payload, nil
}
func extractRequestBody(details map[string]any) map[string]any {
if details == nil {
return nil
@@ -5290,7 +5309,7 @@ func extractRequestBody(details map[string]any) map[string]any {
}
func shouldSkipAuthTimeline(log domain.AuditLog) bool {
details, _ := parseAuditDetails(log.Details)
details, _ := utils.ParseAuditDetails(log.Details)
path := strings.ToLower(extractAuditPath(log))
if path != "" && strings.Contains(path, "/api/v1/auth/enchanted-link/init") {
return true
@@ -5384,7 +5403,7 @@ func deriveAuthMethod(log domain.AuditLog) string {
loginID := extractLoginIDFromAuditDetails(log.Details)
kind := loginIDKind(loginID)
details, _ := parseAuditDetails(log.Details)
details, _ := utils.ParseAuditDetails(log.Details)
requestBody := extractRequestBody(details)
if details != nil {
if raw, ok := details["auth_timeline_skip"]; ok {
@@ -5603,7 +5622,7 @@ func extractLoginChallengeFromAuditDetails(details string) string {
if details == "" {
return ""
}
payload, err := parseAuditDetails(details)
payload, err := utils.ParseAuditDetails(details)
if err != nil {
return ""
}
@@ -5750,12 +5769,12 @@ func extractApprovedSessionIDFromAuditDetails(details string) string {
}
func (h *AuthHandler) resolveIdentityID(c *fiber.Ctx, token string) (string, error) {
id, _, err := h.getKratosIdentity(token)
id, _, _, err := h.getKratosIdentity(token)
return id, err
}
func (h *AuthHandler) resolveKratosLoginID(token string) (string, error) {
_, traits, err := h.getKratosIdentity(token)
_, traits, _, err := h.getKratosIdentity(token)
if err != nil {
return "", err
}
@@ -5943,44 +5962,56 @@ func extractLoginIDFromClaims(claims map[string]any) string {
return ""
}
func (h *AuthHandler) getKratosIdentity(sessionToken string) (string, map[string]interface{}, error) {
identityID, traits, _, err := h.getKratosIdentityWithSession(sessionToken)
return identityID, traits, err
func (h *AuthHandler) getKratosIdentity(sessionToken string) (string, map[string]interface{}, string, error) {
identityID, traits, _, usedID, err := h.getKratosIdentityWithSession(sessionToken)
return identityID, traits, usedID, err
}
func (h *AuthHandler) getKratosIdentityWithSession(sessionToken string) (string, map[string]interface{}, string, error) {
func (h *AuthHandler) getKratosIdentityWithSession(sessionToken string) (string, map[string]interface{}, string, string, error) {
kratosURL := strings.TrimRight(os.Getenv("KRATOS_PUBLIC_URL"), "/")
if kratosURL == "" {
kratosURL = "http://kratos:4433"
}
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
if err != nil {
return "", nil, "", err
return "", nil, "", "", err
}
req.Header.Set("X-Session-Token", sessionToken)
resp, err := http.DefaultClient.Do(req)
if err != nil {
return "", nil, "", err
return "", nil, "", "", err
}
defer resp.Body.Close()
if resp.StatusCode >= 300 {
body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
return "", nil, "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
return "", nil, "", "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
}
var result struct {
AuthenticatedAt string `json:"authenticated_at"`
Identity struct {
AuthenticatedAt string `json:"authenticated_at"`
AuthenticationMethods []struct {
Method string `json:"method"`
Identifier string `json:"identifier"`
} `json:"authentication_methods"`
Identity struct {
ID string `json:"id"`
Traits map[string]interface{} `json:"traits"`
} `json:"identity"`
}
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
return "", nil, "", err
return "", nil, "", "", err
}
return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, nil
usedIdentifier := ""
for _, m := range result.AuthenticationMethods {
if m.Identifier != "" {
usedIdentifier = m.Identifier
break
}
}
return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, usedIdentifier, nil
}
func (h *AuthHandler) getKratosSessionID(sessionToken string) (string, error) {
@@ -6056,44 +6087,56 @@ func (h *AuthHandler) issueKratosSession(ctx context.Context, identityID string)
return parsed.SessionToken, nil
}
func (h *AuthHandler) getKratosIdentityWithCookie(cookie string) (string, map[string]interface{}, error) {
identityID, traits, _, err := h.getKratosIdentityWithCookieAndSession(cookie)
return identityID, traits, err
func (h *AuthHandler) getKratosIdentityWithCookie(cookie string) (string, map[string]interface{}, string, error) {
identityID, traits, _, usedID, err := h.getKratosIdentityWithCookieAndSession(cookie)
return identityID, traits, usedID, err
}
func (h *AuthHandler) getKratosIdentityWithCookieAndSession(cookie string) (string, map[string]interface{}, string, error) {
func (h *AuthHandler) getKratosIdentityWithCookieAndSession(cookie string) (string, map[string]interface{}, string, string, error) {
kratosURL := strings.TrimRight(os.Getenv("KRATOS_PUBLIC_URL"), "/")
if kratosURL == "" {
kratosURL = "http://kratos:4433"
}
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
if err != nil {
return "", nil, "", err
return "", nil, "", "", err
}
req.Header.Set("Cookie", cookie)
resp, err := http.DefaultClient.Do(req)
if err != nil {
return "", nil, "", err
return "", nil, "", "", err
}
defer resp.Body.Close()
if resp.StatusCode >= 300 {
body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
return "", nil, "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
return "", nil, "", "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
}
var result struct {
AuthenticatedAt string `json:"authenticated_at"`
Identity struct {
AuthenticatedAt string `json:"authenticated_at"`
AuthenticationMethods []struct {
Method string `json:"method"`
Identifier string `json:"identifier"`
} `json:"authentication_methods"`
Identity struct {
ID string `json:"id"`
Traits map[string]interface{} `json:"traits"`
} `json:"identity"`
}
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
return "", nil, "", err
return "", nil, "", "", err
}
return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, nil
usedIdentifier := ""
for _, m := range result.AuthenticationMethods {
if m.Identifier != "" {
usedIdentifier = m.Identifier
break
}
}
return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, usedIdentifier, nil
}
func (h *AuthHandler) getKratosSessionIDWithCookie(cookie string) (string, error) {
@@ -6228,33 +6271,41 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
return profile
}
func (h *AuthHandler) applySessionAuthenticatedAtFromWhoami(profile *domain.UserProfileResponse, authenticatedAt string) *domain.UserProfileResponse {
func (h *AuthHandler) applySessionInfoFromWhoami(profile *domain.UserProfileResponse, authenticatedAt, usedIdentifier string) *domain.UserProfileResponse {
if profile == nil {
return nil
}
profile.SessionAuthenticatedAt = strings.TrimSpace(authenticatedAt)
if usedIdentifier != "" {
if profile.Metadata == nil {
profile.Metadata = make(map[string]any)
}
profile.Metadata["_used_identifier"] = usedIdentifier
}
return profile
}
func (h *AuthHandler) getKratosProfile(sessionToken string) (*domain.UserProfileResponse, error) {
identityID, traits, authenticatedAt, err := h.getKratosIdentityWithSession(sessionToken)
identityID, traits, authenticatedAt, usedIdentifier, err := h.getKratosIdentityWithSession(sessionToken)
if err != nil {
return nil, err
}
return h.applySessionAuthenticatedAtFromWhoami(
return h.applySessionInfoFromWhoami(
h.mapKratosIdentityToProfile(identityID, traits),
authenticatedAt,
usedIdentifier,
), nil
}
func (h *AuthHandler) getKratosProfileWithCookie(cookie string) (*domain.UserProfileResponse, error) {
identityID, traits, authenticatedAt, err := h.getKratosIdentityWithCookieAndSession(cookie)
identityID, traits, authenticatedAt, usedIdentifier, err := h.getKratosIdentityWithCookieAndSession(cookie)
if err != nil {
return nil, err
}
return h.applySessionAuthenticatedAtFromWhoami(
return h.applySessionInfoFromWhoami(
h.mapKratosIdentityToProfile(identityID, traits),
authenticatedAt,
usedIdentifier,
), nil
}
@@ -6272,13 +6323,13 @@ func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
err error
)
if token != "" {
identityID, traits, err = h.getKratosIdentity(token)
identityID, traits, _, err = h.getKratosIdentity(token)
} else {
cookie := c.Get("Cookie")
if cookie == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Missing authorization token")
}
identityID, traits, err = h.getKratosIdentityWithCookie(cookie)
identityID, traits, _, err = h.getKratosIdentityWithCookie(cookie)
}
if err != nil {
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
@@ -6331,27 +6382,35 @@ func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
// [LoginID Sync based on Tenant Settings]
// Perform sync AFTER metadata merge to ensure traits contains current values
syncCompCode := extractTraitString(traits, "companyCode")
if syncCompCode != "" && h.TenantService != nil {
if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), syncCompCode); err == nil && tenant != nil {
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, traits, req.Metadata, identityID)
// Validate all collected LoginIDs
userEmail := extractTraitString(traits, "email")
userPhone := extractTraitString(traits, "phone_number")
if collectedIDs, ok := traits["custom_login_ids"].([]string); ok {
for _, lid := range collectedIDs {
if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
}
}
}
finalLoginID := extractTraitString(traits, "id")
userEmail := extractTraitString(traits, "email")
userPhone := extractTraitString(traits, "phone")
if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
return errorJSON(c, fiber.StatusBadRequest, err.Error())
}
if err := h.updateKratosIdentity(identityID, traits); err != nil {
slog.Error("Failed to update profile in Kratos", "error", err)
return errorJSON(c, fiber.StatusInternalServerError, "프로필 업데이트에 실패했습니다.")
}
// [New] Local DB Sync - Sync synchronously to ensure immediate consistency
if h.UserRepo != nil {
ctx := context.Background()
// Also update local User record (read-model)
// We can fetch updated identity or just map current traits
// Since mapKratosIdentityToProfile is for UI, let's just use UpdateUserLoginIDs first
if err := h.UserRepo.UpdateUserLoginIDs(ctx, identityID, loginIDRecords); err != nil {
slog.Error("[UpdateMe] Failed to update user login IDs", "userID", identityID, "error", err)
}
}
// Invalidate token-based profile cache so refreshed /user/me returns latest traits.
if h.RedisService != nil && token != "" {
cacheKey := "cache:profile:token:" + token
@@ -6396,7 +6455,7 @@ func (h *AuthHandler) ChangeMyPassword(c *fiber.Ctx) error {
if cookie == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Missing authorization token")
}
_, traits, err := h.getKratosIdentityWithCookie(cookie)
_, traits, _, err := h.getKratosIdentityWithCookie(cookie)
if err != nil {
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
}
@@ -6434,7 +6493,7 @@ func (h *AuthHandler) SendUpdateCode(c *fiber.Ctx) error {
if cookie == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Unauthorized")
}
userID, _, err = h.getKratosIdentityWithCookie(cookie)
userID, _, _, err = h.getKratosIdentityWithCookie(cookie)
}
if err != nil || userID == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
@@ -6475,7 +6534,7 @@ func (h *AuthHandler) VerifyUpdateCode(c *fiber.Ctx) error {
if cookie == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
}
userID, _, err = h.getKratosIdentityWithCookie(cookie)
userID, _, _, err = h.getKratosIdentityWithCookie(cookie)
}
if err != nil || userID == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
@@ -6625,7 +6684,7 @@ func (h *AuthHandler) ListRpHistory(c *fiber.Ctx) error {
// Logs are DESC (newest first). Iterate in reverse (oldest first) to build state.
for i := len(logs) - 1; i >= 0; i-- {
log := logs[i]
details, _ := parseAuditDetails(log.Details)
details, _ := utils.ParseAuditDetails(log.Details)
clientID, _ := details["client_id"].(string)
if clientID == "" {
continue

26
backend/internal/handler/auth_handler_async_test.go
View File

@@ -80,7 +80,13 @@ func (m *AsyncMockUserRepo) Create(ctx context.Context, user *domain.User) error
}
return args.Error(0)
}
func (m *AsyncMockUserRepo) Update(ctx context.Context, user *domain.User) error { return nil }
func (m *AsyncMockUserRepo) Update(ctx context.Context, user *domain.User) error {
args := m.Called(ctx, user)
if m.createCalled != nil {
m.createCalled <- true
}
return args.Error(0)
}
func (m *AsyncMockUserRepo) Delete(ctx context.Context, id string) error { return nil }
func (m *AsyncMockUserRepo) FindByEmail(ctx context.Context, email string) (*domain.User, error) {
return nil, nil
@@ -114,6 +120,22 @@ func (m *AsyncMockUserRepo) CountByCompanyCodes(ctx context.Context, codes []str
return nil, nil
}
func (m *AsyncMockUserRepo) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
return nil
}
func (m *AsyncMockUserRepo) GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error) {
return nil, nil
}
func (m *AsyncMockUserRepo) IsLoginIDTaken(ctx context.Context, loginID string) (bool, error) {
return false, nil
}
func (m *AsyncMockUserRepo) FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error) {
return "", nil
}
type AsyncMockRedisRepo struct {
mock.Mock
}
@@ -254,7 +276,7 @@ func TestSignup_AsyncDB_Isolation(t *testing.T) {
// UserRepo Mocks (Async & Failure)
mockUserRepo.createCalled = make(chan bool, 1)
mockUserRepo.On("Create", mock.Anything, mock.MatchedBy(func(u *domain.User) bool {
mockUserRepo.On("Update", mock.Anything, mock.MatchedBy(func(u *domain.User) bool {
return u.Email == email
})).Return(errors.New("db connection error"))

3
backend/internal/handler/dev_handler.go
View File

@@ -4,6 +4,7 @@ import (
"baron-sso-backend/internal/domain"
"baron-sso-backend/internal/repository"
"baron-sso-backend/internal/service"
"baron-sso-backend/internal/utils"
"context"
"crypto/rand"
"encoding/base64"
@@ -2106,7 +2107,7 @@ func (h *DevHandler) matchesDevAuditFilter(
if !strings.Contains(logItem.EventType, "/api/v1/dev/") {
return false
}
details, _ := parseAuditDetails(logItem.Details)
details, _ := utils.ParseAuditDetails(logItem.Details)
if statusFilter != "" && statusFilter != "all" && strings.ToLower(logItem.Status) != statusFilter {
return false
}

16
backend/internal/handler/tenant_handler_test.go
View File

@@ -131,6 +131,22 @@ func (m *MockUserRepoForHandler) CountByCompanyCodes(ctx context.Context, codes
return args.Get(0).(map[string]int64), args.Error(1)
}
func (m *MockUserRepoForHandler) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
return nil
}
func (m *MockUserRepoForHandler) GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error) {
return nil, nil
}
func (m *MockUserRepoForHandler) IsLoginIDTaken(ctx context.Context, loginID string) (bool, error) {
return false, nil
}
func (m *MockUserRepoForHandler) FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error) {
return "", nil
}
func TestTenantHandler_CreateTenant(t *testing.T) {
app := fiber.New()
mockSvc := new(MockTenantService)

429
backend/internal/handler/user_handler.go
View File

@@ -35,9 +35,10 @@ type UserHandler struct {
KetoOutboxRepo repository.KetoOutboxRepository
UserRepo repository.UserRepository
UserGroupRepo repository.UserGroupRepository
AuditRepo domain.AuditRepository
}
func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProviderAPI, tenantService service.TenantService, ketoService service.KetoService, ketoOutboxRepo repository.KetoOutboxRepository, userRepo repository.UserRepository, userGroupRepo repository.UserGroupRepository) *UserHandler {
func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProviderAPI, tenantService service.TenantService, ketoService service.KetoService, ketoOutboxRepo repository.KetoOutboxRepository, userRepo repository.UserRepository, userGroupRepo repository.UserGroupRepository, auditRepo domain.AuditRepository) *UserHandler {
return &UserHandler{
KratosAdmin: kratosAdmin,
OryProvider: oryProvider,
@@ -46,6 +47,7 @@ func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProvi
KetoOutboxRepo: ketoOutboxRepo,
UserRepo: userRepo,
UserGroupRepo: userGroupRepo,
AuditRepo: auditRepo,
}
}
@@ -53,6 +55,7 @@ type userSummary struct {
ID string `json:"id"`
Email string `json:"email"`
LoginID string `json:"loginId,omitempty"`
CustomLoginIDs []string `json:"customLoginIds,omitempty"` // [New] 다중 로그인 ID 목록
Name string `json:"name"`
Phone string `json:"phone"`
Role string `json:"role"`
@@ -325,40 +328,23 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
// [Override with explicit LoginID if provided]
if req.LoginID != "" {
attributes["id"] = req.LoginID
if ids, ok := attributes["custom_login_ids"].([]string); ok {
attributes["custom_login_ids"] = append(ids, req.LoginID)
} else {
attributes["custom_login_ids"] = []string{req.LoginID}
}
}
// [Resolve TenantID and LoginID before Kratos creation]
// [Resolve TenantID and Custom Login IDs before Kratos creation]
var tenantID string
synced := false
if req.CompanyCode != "" && h.TenantService != nil {
if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), req.CompanyCode); err == nil && tenant != nil {
tenantID = tenant.ID
// Sync custom field to LoginID if configured
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
syncLoginID(attributes, req.Metadata, tenantID, loginIdField)
synced = true
}
}
}
// Fallback: Try syncing based on the tenant namespaces being updated
if !synced && h.TenantService != nil {
for k := range req.Metadata {
if len(k) >= 32 { // Looks like a UUID (tenant ID)
if tenant, err := h.TenantService.GetTenant(c.Context(), k); err == nil && tenant != nil {
if tenantID == "" {
tenantID = tenant.ID
}
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
syncLoginID(attributes, req.Metadata, tenant.ID, loginIdField)
break
}
}
}
}
}
// Collect and sync all custom login IDs based on tenant schemas
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, req.Metadata, "")
attributes["role"] = role
if tenantID != "" {
@@ -373,22 +359,25 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
}
}
finalLoginID := extractTraitString(attributes, "id")
if err := domain.ValidateLoginID(finalLoginID, email, normalizePhoneNumber(req.Phone)); err != nil {
return errorJSON(c, fiber.StatusBadRequest, err.Error())
// Validate all collected LoginIDs
if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
for _, lid := range collectedIDs {
if err := domain.ValidateLoginID(lid, email, normalizePhoneNumber(req.Phone)); err != nil {
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
}
}
}
brokerUser := &domain.BrokerUser{
Email: email,
LoginID: finalLoginID,
Name: name,
PhoneNumber: normalizePhoneNumber(req.Phone),
Attributes: attributes,
}
// [Validation] Based on Tenant Schema
if req.CompanyCode != "" && h.TenantService != nil {
tenant, err := h.TenantService.GetTenantBySlug(c.Context(), req.CompanyCode)
if tenantID != "" && h.TenantService != nil {
tenant, err := h.TenantService.GetTenant(c.Context(), tenantID)
if err == nil && tenant != nil {
if schema, ok := tenant.Config["userSchema"].([]interface{}); ok {
if err := h.validateMetadata(req.Metadata, schema, true); err != nil {
@@ -400,8 +389,8 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
identityID, err := h.OryProvider.CreateUser(brokerUser, password)
if err != nil {
if strings.Contains(err.Error(), "already exists") {
return errorJSON(c, fiber.StatusConflict, "email already exists")
if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "already exists") || strings.Contains(err.Error(), "exists already") {
return errorJSON(c, fiber.StatusConflict, "이미 사용 중인 식별자(이메일/전화번호/사번 등)입니다.")
}
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
}
@@ -424,6 +413,14 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
slog.Error("[UserHandler] Failed to sync new user to local DB", "email", localUser.Email, "error", err)
}
// Update User Login IDs in local DB
for i := range loginIDRecords {
loginIDRecords[i].UserID = localUser.ID
}
if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
slog.Error("[UserHandler] Failed to update user login IDs", "userID", localUser.ID, "error", err)
}
// [Keto] Sync relations via Outbox (Synchronous for accurate counting)
if h.KetoOutboxRepo != nil {
// 1. Role based relations
@@ -580,15 +577,8 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
"role": role,
}
// Override with explicit LoginID if provided
if item.LoginID != "" {
attributes["id"] = item.LoginID
}
// Sync LoginID from configured custom field (overrides explicit LoginID)
if tItem.LoginIDField != "" {
syncLoginID(attributes, item.Metadata, tItem.ID, tItem.LoginIDField)
}
// Sync all custom login IDs based on tenant schemas
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, item.Metadata, "")
// Merge metadata
for k, v := range item.Metadata {
@@ -597,28 +587,36 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
}
}
finalLoginID := extractTraitString(attributes, "id")
userEmail := email
userPhone := normalizePhoneNumber(item.Phone)
if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
results = append(results, bulkUserResult{Email: email, Success: false, Message: err.Error()})
continue
// Validate all collected LoginIDs
if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
valid := true
for _, lid := range collectedIDs {
if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
results = append(results, bulkUserResult{Email: email, Success: false, Message: "Invalid LoginID (" + lid + "): " + err.Error()})
valid = false
break
}
}
if !valid {
continue
}
}
identityID, err := h.OryProvider.CreateUser(&domain.BrokerUser{
Email: userEmail,
LoginID: finalLoginID,
Name: item.Name,
PhoneNumber: userPhone,
Attributes: attributes,
}, password)
if err != nil {
// 만약 이미 존재하는 사용자라면 로컬 DB 및 Keto 관계만 업데이트(Sync)를 시도
if strings.Contains(err.Error(), "already exists") {
if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "already exists") || strings.Contains(err.Error(), "exists already") {
identityID, err = h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), email)
if err != nil || identityID == "" {
results = append(results, bulkUserResult{Email: email, Success: false, Message: "이미 존재하는 사용자지만 ID를 찾을 수 없습니다."})
results = append(results, bulkUserResult{Email: email, Success: false, Message: "이미 다른 사용자가 해당 식별자(이메일/사번 등)를 사용 중입니다."})
continue
}
slog.Info("BulkCreate: User already exists, syncing local DB and Keto", "email", email, "identityID", identityID)
@@ -634,7 +632,6 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
localUser := &domain.User{
ID: identityID,
Email: email,
LoginID: extractTraitString(attributes, "id"),
Name: name,
Phone: normalizePhoneNumber(item.Phone),
Role: role,
@@ -660,6 +657,14 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
slog.Error("Failed to sync bulk user to local DB", "email", email, "error", err)
}
// Update User Login IDs in local DB
for i := range loginIDRecords {
loginIDRecords[i].UserID = localUser.ID
}
if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
slog.Error("Failed to update user login IDs in bulk", "userID", localUser.ID, "error", err)
}
if h.KetoOutboxRepo != nil {
// 1. Sync Role based relationship
h.syncKetoRole(c.Context(), localUser.ID, role, "", "", localUser.TenantID)
@@ -961,10 +966,6 @@ func (h *UserHandler) BulkUpdateUsers(c *fiber.Ctx) error {
}
}
if localUser.LoginID == "" {
localUser.LoginID = localUser.ID
}
_ = h.UserRepo.Update(c.Context(), localUser)
// [Keto Sync]
@@ -1184,20 +1185,12 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
traits["role"] = role
}
// [Override with explicit LoginID if provided]
// This is done FIRST so that if a custom loginIdField is configured in the tenant,
// the metadata sync below will override this explicit value, preventing the UI's
// pre-filled explicit loginId from clobbering the updated custom field.
if req.LoginID != nil && *req.LoginID != "" {
traits["id"] = *req.LoginID
}
// [Namespaced Metadata Sync]
coreTraits := map[string]bool{
"email": true, "name": true, "phone_number": true,
"grade": true, "companyCode": true, "department": true,
"affiliationType": true, "role": true, "tenant_id": true,
"id": true,
"custom_login_ids": true, "id": true,
}
// For namespaced metadata, we don't delete everything, we merge.
@@ -1221,51 +1214,29 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
// [LoginID Sync based on Tenant Settings]
// Perform sync AFTER metadata merge to ensure traits contains current values
syncCompCode := extractTraitString(traits, "companyCode")
synced := false
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, traits, req.Metadata, userID)
if syncCompCode != "" && h.TenantService != nil {
if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), syncCompCode); err == nil && tenant != nil {
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
synced = true
}
}
}
// Fallback: If companyCode is empty or didn't sync, try syncing based on the tenant namespaces being updated
if !synced && h.TenantService != nil {
for k := range req.Metadata {
if len(k) >= 32 { // Looks like a UUID (tenant ID)
if tenant, err := h.TenantService.GetTenant(c.Context(), k); err == nil && tenant != nil {
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
synced = true
break // Apply first matched tenant config
}
}
}
}
}
finalLoginID := extractTraitString(traits, "id")
// Validate all collected LoginIDs
userEmail := extractTraitString(traits, "email")
userPhone := extractTraitString(traits, "phone_number")
if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
return errorJSON(c, fiber.StatusBadRequest, err.Error())
if collectedIDs, ok := traits["custom_login_ids"].([]string); ok {
for _, lid := range collectedIDs {
if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
}
}
}
// resolvePasswordLoginID might be doing something else but we already have finalLoginID.
// We should just use finalLoginID if it's the intended identifier.
// But let's check if resolvePasswordLoginID exists and what it returns. Assuming it returns a string.
// If it overrides, we assign it. Let's just use finalLoginID for now.
finalLoginID = resolvePasswordLoginID(traits)
state := normalizeKratosState(req.Status)
slog.Info("[UpdateUser] Calling Kratos UpdateIdentity", "userID", userID, "traits", traits, "state", state)
updated, err := h.KratosAdmin.UpdateIdentity(c.Context(), userID, traits, state)
if err != nil {
// [Exception Handling] Check for 409 Conflict (Duplicate Identifier)
if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "exists already") {
return errorJSON(c, fiber.StatusConflict, "이미 다른 사용자가 사용 중인 식별자(이메일/전화번호/사번 등)가 포함되어 있습니다.")
}
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
}
@@ -1273,15 +1244,16 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
if h.UserRepo != nil {
updatedLocalUser := h.mapToLocalUser(*updated)
if updatedLocalUser.LoginID == "" {
updatedLocalUser.LoginID = updatedLocalUser.ID
}
ctx := context.Background() // Use request context if appropriate, but sync must finish
if err := h.UserRepo.Update(ctx, updatedLocalUser); err != nil {
slog.Error("[UserHandler] Failed to sync updated user to local DB", "userID", updatedLocalUser.ID, "error", err)
}
// Update User Login IDs in local DB
if err := h.UserRepo.UpdateUserLoginIDs(ctx, updatedLocalUser.ID, loginIDRecords); err != nil {
slog.Error("[UserHandler] Failed to update user login IDs", "userID", updatedLocalUser.ID, "error", err)
}
// [Keto Sync] asynchronously as it's less critical for immediate UI count
go func() {
bgCtx := context.Background()
@@ -1345,7 +1317,9 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
if h.OryProvider == nil {
return errorJSON(c, fiber.StatusServiceUnavailable, "password provider not available")
}
if err := h.OryProvider.UpdateUserPassword(finalLoginID, *req.Password, nil); err != nil {
// [New] Resolve a representative LoginID for the password update call
updateLoginID := resolvePasswordLoginID(updated.Traits)
if err := h.OryProvider.UpdateUserPassword(updateLoginID, *req.Password, nil); err != nil {
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
}
}
@@ -1408,19 +1382,34 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
compCode := extractTraitString(traits, "companyCode")
slog.Debug("Mapping identity", "email", extractTraitString(traits, "email"), "compCode", compCode)
var customLoginIDs []string
if raw, ok := traits["custom_login_ids"]; ok {
if ids, ok := raw.([]interface{}); ok {
for _, id := range ids {
if s, ok := id.(string); ok {
customLoginIDs = append(customLoginIDs, s)
}
}
} else if ids, ok := raw.([]string); ok {
customLoginIDs = ids
}
}
summary := userSummary{
ID: identity.ID,
Email: extractTraitString(traits, "email"),
LoginID: extractTraitString(traits, "id"), // id in Kratos traits maps to LoginID
Name: extractTraitString(traits, "name"),
Phone: extractTraitString(traits, "phone_number"),
Role: role,
Status: normalizeStatus(identity.State),
CompanyCode: compCode,
Department: extractTraitString(traits, "department"),
Metadata: make(domain.JSONMap),
CreatedAt: formatTime(identity.CreatedAt),
UpdatedAt: formatTime(identity.UpdatedAt),
ID: identity.ID,
Email: extractTraitString(traits, "email"),
LoginID: resolvePasswordLoginID(traits),
CustomLoginIDs: customLoginIDs,
Name: extractTraitString(traits, "name"),
Phone: extractTraitString(traits, "phone_number"),
Role: role,
Status: normalizeStatus(identity.State),
CompanyCode: compCode,
Department: extractTraitString(traits, "department"),
Metadata: make(domain.JSONMap),
CreatedAt: formatTime(identity.CreatedAt),
UpdatedAt: formatTime(identity.UpdatedAt),
}
// [New] Fetch all manageable tenants (for Multi-tenancy support)
@@ -1438,6 +1427,7 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
"email": true, "name": true, "phone_number": true,
"grade": true, "companyCode": true, "department": true,
"affiliationType": true, "role": true, "tenant_id": true,
"custom_login_ids": true, "id": true,
}
for k, v := range traits {
@@ -1477,17 +1467,9 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
compCode = extractTraitString(traits, "company_code")
}
loginID := extractTraitString(traits, "id")
if loginID == "" {
// Fallback to UUID to prevent unique constraint violations on idx_tenant_login_id
// for users that use email/phone exclusively and don't have a specific loginId trait.
loginID = identity.ID
}
user := &domain.User{
ID: identity.ID,
Email: extractTraitString(traits, "email"),
LoginID: loginID,
Name: extractTraitString(traits, "name"),
Phone: extractTraitString(traits, "phone_number"),
Role: role,
@@ -1520,6 +1502,7 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
"email": true, "name": true, "phone_number": true,
"grade": true, "companyCode": true, "department": true,
"affiliationType": true, "role": true, "tenant_id": true, "company_code": true,
"custom_login_ids": true, "id": true,
}
for k, v := range traits {
if !coreTraits[k] {
@@ -1628,6 +1611,17 @@ func extractTraitString(traits map[string]interface{}, key string) string {
}
func resolvePasswordLoginID(traits map[string]interface{}) string {
// First check custom_login_ids (array)
if raw, ok := traits["custom_login_ids"]; ok {
if ids, ok := raw.([]interface{}); ok && len(ids) > 0 {
if first, ok := ids[0].(string); ok {
return first
}
} else if ids, ok := raw.([]string); ok && len(ids) > 0 {
return ids[0]
}
}
// Fallback to legacy id (if still exists in some old identities)
if loginID := strings.TrimSpace(extractTraitString(traits, "id")); loginID != "" {
return loginID
}
@@ -1637,57 +1631,110 @@ func resolvePasswordLoginID(traits map[string]interface{}) string {
return strings.TrimSpace(extractTraitString(traits, "phone_number"))
}
// syncLoginID ensures that the 'id' trait (used as Kratos identifier) is in sync with the configured custom field.
func syncLoginID(traits map[string]interface{}, metadata map[string]any, tenantID string, loginIDField string) {
if loginIDField == "" {
return
// syncCustomLoginIDs collects all fields marked as isLoginId: true from tenant schemas
// and populates traits["custom_login_ids"] and returns domain.UserLoginID records for DB.
func syncCustomLoginIDs(ctx context.Context, tenantService service.TenantService, traits map[string]interface{}, metadata map[string]any, userID string) []domain.UserLoginID {
if tenantService == nil {
return nil
}
var loginID string
var loginIDRecords []domain.UserLoginID
var allCustomIDs []string
idSet := make(map[string]bool)
// 1. Check incoming metadata (flat)
if val, ok := metadata[loginIDField].(string); ok && val != "" {
loginID = val
// Collect tenant IDs to check schemas for
tenantIDsToCheck := make(map[string]bool)
for k, v := range metadata {
// Heuristic: if it's a map, it's likely namespaced metadata for a tenant
if _, ok := v.(map[string]any); ok {
tenantIDsToCheck[k] = true
} else if _, ok := v.(map[string]interface{}); ok {
tenantIDsToCheck[k] = true
}
}
// Also check primary tenant if available
if tid := extractTraitString(traits, "tenant_id"); tid != "" {
tenantIDsToCheck[tid] = true
}
// 2. Check incoming metadata (namespaced by tenant ID)
if loginID == "" && tenantID != "" {
if namespaced, ok := metadata[tenantID].(map[string]any); ok {
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
loginID = val
for tid := range tenantIDsToCheck {
tenant, err := tenantService.GetTenant(ctx, tid)
if err != nil || tenant == nil {
continue
}
schema, ok := tenant.Config["userSchema"].([]interface{})
if !ok {
continue
}
for _, fieldRaw := range schema {
field, ok := fieldRaw.(map[string]interface{})
if !ok {
continue
}
} else if namespaced, ok := metadata[tenantID].(map[string]interface{}); ok {
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
loginID = val
isLoginId, _ := field["isLoginId"].(bool)
if !isLoginId {
continue
}
fieldKey, ok := field["key"].(string)
if !ok {
continue
}
// Try to find value in namespaced metadata first, then flat metadata, then existing traits
var val string
if namespaced, ok := metadata[tid].(map[string]any); ok {
val, _ = namespaced[fieldKey].(string)
} else if namespaced, ok := metadata[tid].(map[string]interface{}); ok {
val, _ = namespaced[fieldKey].(string)
}
if val == "" {
val, _ = metadata[fieldKey].(string)
}
if val == "" {
// Check existing trait (namespaced)
if namespaced, ok := traits[tid].(map[string]interface{}); ok {
val, _ = namespaced[fieldKey].(string)
} else if namespaced, ok := traits[tid].(map[string]any); ok {
val, _ = namespaced[fieldKey].(string)
}
}
if val == "" {
// Fallback: Check flat traits
val = extractTraitString(traits, fieldKey)
}
if val != "" {
if !idSet[val] {
idSet[val] = true
allCustomIDs = append(allCustomIDs, val)
}
loginIDRecords = append(loginIDRecords, domain.UserLoginID{
UserID: userID,
TenantID: tid,
FieldKey: fieldKey,
LoginID: val,
})
}
}
}
// 3. Check merged traits (which includes existing metadata)
// Important: Skip this if loginIDField is "id" because traits["id"] is the TARGET,
// and we don't want to sync "id" to "id" if we already checked metadata.
if loginID == "" && loginIDField != "id" {
// Existing trait (flat)
if val, ok := traits[loginIDField].(string); ok && val != "" {
loginID = val
} else if tenantID != "" {
// Existing trait (namespaced)
if namespaced, ok := traits[tenantID].(map[string]interface{}); ok {
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
loginID = val
}
} else if namespaced, ok := traits[tenantID].(map[string]any); ok {
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
loginID = val
}
}
}
if len(allCustomIDs) > 0 {
traits["custom_login_ids"] = allCustomIDs
} else {
delete(traits, "custom_login_ids")
}
if loginID != "" {
slog.Info("Syncing LoginID from custom field", "field", loginIDField, "value", loginID, "tenantID", tenantID)
traits["id"] = loginID
}
// Always remove legacy "id" trait to avoid confusion
delete(traits, "id")
return loginIDRecords
}
func formatTime(value time.Time) string {
@@ -1882,3 +1929,61 @@ func (h *UserHandler) validateMetadataWithAuth(metadata map[string]any, schema [
return nil
}
func (h *UserHandler) GetUserRpHistory(c *fiber.Ctx) error {
userId := c.Params("id")
if userId == "" {
return errorJSON(c, fiber.StatusBadRequest, "user id is required")
}
if h.AuditRepo == nil {
return errorJSON(c, fiber.StatusServiceUnavailable, "Audit service unavailable")
}
logs, err := h.AuditRepo.FindByUserAndEvents(c.Context(), userId, []string{"consent.granted", "consent.revoked"}, 100)
if err != nil {
return errorJSON(c, fiber.StatusInternalServerError, "Failed to fetch history")
}
type rpHistoryItem struct {
ClientID string `json:"client_id"`
ClientName string `json:"client_name"`
LastLoginAt string `json:"lastLoginAt"`
Status string `json:"status"`
}
historyMap := make(map[string]*rpHistoryItem)
// Logs are DESC (newest first).
for _, log := range logs {
details, _ := utils.ParseAuditDetails(log.Details)
cid, _ := details["client_id"].(string)
if cid == "" {
continue
}
if _, exists := historyMap[cid]; !exists {
cname, _ := details["client_name"].(string)
if cname == "" {
cname = cid
}
historyMap[cid] = &rpHistoryItem{
ClientID: cid,
ClientName: cname,
LastLoginAt: log.Timestamp.Format(time.RFC3339),
Status: "active", // Default based on latest grant
}
if log.EventType == "consent.revoked" {
historyMap[cid].Status = "revoked"
}
}
}
result := make([]*rpHistoryItem, 0, len(historyMap))
for _, item := range historyMap {
result = append(result, item)
}
return c.JSON(result)
}

125
backend/internal/handler/user_handler_test.go
View File

@@ -87,6 +87,14 @@ func (m *MockTenantServiceForUser) GetTenantBySlug(ctx context.Context, slug str
return args.Get(0).(*domain.Tenant), args.Error(1)
}
func (m *MockTenantServiceForUser) GetTenant(ctx context.Context, id string) (*domain.Tenant, error) {
args := m.Called(ctx, id)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).(*domain.Tenant), args.Error(1)
}
func (m *MockTenantServiceForUser) ListManageableTenants(ctx context.Context, userID string) ([]domain.Tenant, error) {
args := m.Called(ctx, userID)
if args.Get(0) == nil {
@@ -117,11 +125,21 @@ func TestUserHandler_BulkCreateUsers(t *testing.T) {
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true},
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
},
},
}, nil).Once()
mockTenant.On("GetTenant", mock.Anything, "t-123").Return(&domain.Tenant{
ID: "t-123",
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
},
},
}, nil)
mockOry.On("GetPasswordPolicy").Return(&domain.PasswordPolicy{MinLength: 8}, nil)
mockOry.On("CreateUser", mock.Anything, mock.Anything).Return("u-1", nil).Twice()
@@ -188,11 +206,21 @@ func TestUserHandler_BulkCreateUsers(t *testing.T) {
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true},
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
},
},
}, nil).Once()
mockTenant.On("GetTenant", mock.Anything, "t-123").Return(&domain.Tenant{
ID: "t-123",
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
},
},
}, nil)
payload := map[string]interface{}{
"users": []map[string]interface{}{
{
@@ -391,23 +419,32 @@ func TestUserHandler_UpdateUser_LoginIDSync(t *testing.T) {
ID: tenantID,
Slug: "test-tenant",
Config: domain.JSONMap{
"loginIdField": "emp_no",
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_no", "label": "Employee No"},
map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
},
},
}, nil) // Allow multiple calls for validation and sync
}, nil)
mockTenant.On("GetTenant", mock.Anything, tenantID).Return(&domain.Tenant{
ID: tenantID,
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
},
},
}, nil)
mockTenant.On("ListManageableTenants", mock.Anything, userID).Return([]domain.Tenant{}, nil).Once()
// Expect traits to include 'id' synced from 'emp_no'
// Expect traits to include 'custom_login_ids' synced from 'emp_no'
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
return traits["id"] == "E1001"
ids, ok := traits["custom_login_ids"].([]string)
return ok && len(ids) > 0 && ids[0] == "E1001"
}), mock.Anything).Return(&service.KratosIdentity{
ID: userID,
Traits: map[string]interface{}{
"id": "E1001",
"email": "user@test.com",
"custom_login_ids": []interface{}{"E1001"},
"email": "user@test.com",
},
}, nil).Once()
@@ -459,7 +496,18 @@ func TestUserHandler_UpdateUser_LoginIDSync(t *testing.T) {
ID: tenantID,
Slug: "test-tenant",
Config: domain.JSONMap{
"loginIdField": "emp_no",
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_no", "isLoginId": true},
},
},
}, nil)
mockTenant.On("GetTenant", mock.Anything, tenantID).Return(&domain.Tenant{
ID: tenantID,
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_no", "isLoginId": true},
},
},
}, nil)
@@ -467,11 +515,12 @@ func TestUserHandler_UpdateUser_LoginIDSync(t *testing.T) {
// Even if metadata is empty, it should sync from existing traits
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
return traits["id"] == "E2002"
ids, ok := traits["custom_login_ids"].([]string)
return ok && len(ids) > 0 && ids[0] == "E2002"
}), mock.Anything).Return(&service.KratosIdentity{
ID: userID,
Traits: map[string]interface{}{
"id": "E2002",
"custom_login_ids": []interface{}{"E2002"},
},
}, nil).Once()
@@ -508,25 +557,42 @@ func TestUserHandler_UpdateUser_PasswordUsesProvider(t *testing.T) {
mockKratos.On("GetIdentity", mock.Anything, userID).Return(&service.KratosIdentity{
ID: userID,
Traits: map[string]interface{}{
"id": "dyddus1210",
"email": "dyddus1210@gmail.com",
"companyCode": "test-tenant",
"custom_login_ids": []interface{}{"dyddus1210"},
"email": "dyddus1210@gmail.com",
"companyCode": "test-tenant",
"tenant_id": "t-1",
"emp_id": "dyddus1210",
},
}, nil).Once()
mockTenant.On("GetTenantBySlug", mock.Anything, "test-tenant").Return(&domain.Tenant{
ID: "t-1",
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_id", "isLoginId": true},
},
},
}, nil)
mockTenant.On("GetTenant", mock.Anything, "t-1").Return(&domain.Tenant{
ID: "t-1",
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_id", "isLoginId": true},
},
},
}, nil)
mockTenant.On("ListManageableTenants", mock.Anything, userID).Return([]domain.Tenant{}, nil).Once()
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
return traits["id"] == "dyddus1210"
ids, ok := traits["custom_login_ids"].([]string)
return ok && len(ids) > 0 && ids[0] == "dyddus1210"
}), "").Return(&service.KratosIdentity{
ID: userID,
Traits: map[string]interface{}{
"id": "dyddus1210",
"email": "dyddus1210@gmail.com",
"custom_login_ids": []interface{}{"dyddus1210"},
"email": "dyddus1210@gmail.com",
},
}, nil).Once()
@@ -617,27 +683,36 @@ func TestUserHandler_CreateUser_LoginIDSync(t *testing.T) {
ID: tenantID,
Slug: "test-tenant",
Config: domain.JSONMap{
"loginIdField": "emp_no",
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_no", "label": "Employee No"},
map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
},
},
}, nil)
mockTenant.On("GetTenant", mock.Anything, tenantID).Return(&domain.Tenant{
ID: tenantID,
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
},
},
}, nil)
mockOry.On("GetPasswordPolicy").Return(&domain.PasswordPolicy{MinLength: 8}, nil)
// Expect OryProvider.CreateUser to be called with attributes["id"] synced from metadata
// Expect OryProvider.CreateUser to be called with attributes["custom_login_ids"] synced from metadata
mockOry.On("CreateUser", mock.MatchedBy(func(user *domain.BrokerUser) bool {
return user.LoginID == "E1001" && user.Attributes["id"] == "E1001"
customIDs, ok := user.Attributes["custom_login_ids"].([]string)
return ok && len(customIDs) > 0 && customIDs[0] == "E1001"
}), mock.Anything).Return("u-1", nil).Once()
// Mock GetIdentity after creation
mockKratos.On("GetIdentity", mock.Anything, "u-1").Return(&service.KratosIdentity{
ID: "u-1",
Traits: map[string]interface{}{
"id": "E1001",
"email": "new@test.com",
"companyCode": "test-tenant",
"custom_login_ids": []interface{}{"E1001"},
"email": "new@test.com",
"companyCode": "test-tenant",
},
}, nil).Once()

48
backend/internal/repository/user_repository.go
View File

@@ -21,6 +21,12 @@ type UserRepository interface {
CountByTenantIDs(ctx context.Context, tenantIDs []string) (map[string]int64, error)
CountByCompanyCodes(ctx context.Context, codes []string) (map[string]int64, error)
Delete(ctx context.Context, id string) error
// Multiple identifiers support
UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error
GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error)
IsLoginIDTaken(ctx context.Context, loginID string) (bool, error)
FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error)
}
type userRepository struct {
@@ -193,3 +199,45 @@ func (r *userRepository) List(ctx context.Context, offset, limit int, search str
func (r *userRepository) Delete(ctx context.Context, id string) error {
return r.db.WithContext(ctx).Delete(&domain.User{}, "id = ?", id).Error
}
func (r *userRepository) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
return r.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
// Delete existing login IDs for this user
if err := tx.Where("user_id = ?", userID).Delete(&domain.UserLoginID{}).Error; err != nil {
return err
}
// Insert new login IDs if any
if len(loginIDs) > 0 {
if err := tx.Create(&loginIDs).Error; err != nil {
return err
}
}
return nil
})
}
func (r *userRepository) GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error) {
var results []domain.UserLoginID
if err := r.db.WithContext(ctx).Where("user_id = ?", userID).Find(&results).Error; err != nil {
return nil, err
}
return results, nil
}
func (r *userRepository) IsLoginIDTaken(ctx context.Context, loginID string) (bool, error) {
var count int64
if err := r.db.WithContext(ctx).Model(&domain.UserLoginID{}).Where("login_id = ?", loginID).Count(&count).Error; err != nil {
return false, err
}
return count > 0, nil
}
func (r *userRepository) FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error) {
var record domain.UserLoginID
if err := r.db.WithContext(ctx).Where("login_id = ?", loginID).First(&record).Error; err != nil {
return "", err
}
return record.TenantID, nil
}

50
backend/internal/repository/user_repository_test.go
View File

@@ -94,4 +94,54 @@ func TestUserRepository(t *testing.T) {
assert.Equal(t, int64(1), counts["tenant-b"])
assert.Equal(t, int64(0), counts["tenant-c"])
})
t.Run("Multi-Identifier Support", func(t *testing.T) {
_ = testDB.AutoMigrate(&domain.UserLoginID{})
testDB.Exec("DELETE FROM user_login_ids")
testDB.Exec("DELETE FROM users")
user := &domain.User{Email: "multi@test.com", Name: "Multi"}
_ = repo.Create(ctx, user)
t1 := "00000000-0000-0000-0000-000000000001"
t2 := "00000000-0000-0000-0000-000000000002"
loginIDs := []domain.UserLoginID{
{UserID: user.ID, TenantID: t1, FieldKey: "emp_id", LoginID: "E001"},
{UserID: user.ID, TenantID: t2, FieldKey: "student_id", LoginID: "S001"},
}
err := repo.UpdateUserLoginIDs(ctx, user.ID, loginIDs)
assert.NoError(t, err)
// Get and Verify
saved, err := repo.GetUserLoginIDs(ctx, user.ID)
assert.NoError(t, err)
assert.Len(t, saved, 2)
// IsLoginIDTaken
taken, err := repo.IsLoginIDTaken(ctx, "E001")
assert.NoError(t, err)
assert.True(t, taken)
taken, err = repo.IsLoginIDTaken(ctx, "UNKNOWN")
assert.NoError(t, err)
assert.False(t, taken)
// FindTenantIDByLoginID
tid, err := repo.FindTenantIDByLoginID(ctx, "S001")
assert.NoError(t, err)
assert.Equal(t, t2, tid)
// Update (Replace)
newList := []domain.UserLoginID{
{UserID: user.ID, TenantID: t1, FieldKey: "emp_id", LoginID: "E002"},
}
err = repo.UpdateUserLoginIDs(ctx, user.ID, newList)
assert.NoError(t, err)
saved, _ = repo.GetUserLoginIDs(ctx, user.ID)
assert.Len(t, saved, 1)
assert.Equal(t, "E002", saved[0].LoginID)
})
}

11
backend/internal/service/descope_service.go
View File

@@ -97,10 +97,13 @@ func (d *DescopeProvider) CreateUser(user *domain.BrokerUser, password string) (
return "", fmt.Errorf("descope provider: user already exists")
}
descopeUser := &descope.UserRequest{}
descopeUser.Email = user.Email
descopeUser.Phone = normalizedPhone
descopeUser.Name = user.Name
descopeUser := &descope.UserRequest{
User: descope.User{
Email: user.Email,
Name: user.Name,
Phone: normalizedPhone,
},
}
descopeUser.CustomAttributes = map[string]any{}
for k, v := range user.Attributes {
descopeUser.CustomAttributes[k] = v

28
backend/internal/service/ory_service.go
View File

@@ -43,7 +43,7 @@ func (o *OryProvider) Name() string {
func (o *OryProvider) GetMetadata() (*domain.IDPMetadata, error) {
return &domain.IDPMetadata{
SupportedFields: []string{
"id", "login_id", "email", "name", "phone_number",
"id", "custom_login_ids", "login_id", "email", "name", "phone_number",
"grade", "department", "affiliationType", "companyCode",
},
}, nil
@@ -67,6 +67,21 @@ func (o *OryProvider) CreateUser(user *domain.BrokerUser, password string) (stri
return "", fmt.Errorf("ory provider: identity already exists for email=%s", user.Email)
}
// [New] Check all custom login IDs for collisions
for _, lid := range user.CustomLoginIDs {
if lid == "" {
continue
}
existing, err := o.findIdentityID(lid)
if err != nil {
return "", fmt.Errorf("ory provider: search identity failed for %s: %w", lid, err)
}
if existing != "" {
return "", fmt.Errorf("ory provider: identifier %s already exists", lid)
}
}
// [Legacy] check single LoginID
if user.LoginID != "" {
existingLoginID, err := o.findIdentityID(user.LoginID)
if err != nil {
@@ -91,13 +106,20 @@ func (o *OryProvider) CreateUser(user *domain.BrokerUser, password string) (stri
"email": user.Email,
"name": user.Name,
}
if user.LoginID != "" {
traits["id"] = user.LoginID
if len(user.CustomLoginIDs) > 0 {
traits["custom_login_ids"] = user.CustomLoginIDs
} else if user.LoginID != "" {
traits["custom_login_ids"] = []string{user.LoginID}
}
if user.PhoneNumber != "" {
traits["phone_number"] = user.PhoneNumber
}
for k, v := range user.Attributes {
// [SoT Fix] Don't let attributes overwrite core traits or use old 'id' trait
if k == "id" || k == "email" || k == "custom_login_ids" {
continue
}
traits[k] = v
}

3
backend/internal/service/user_group_service.go
View File

@@ -243,9 +243,6 @@ func (s *userGroupService) AddMember(ctx context.Context, groupID, userID string
localUser.CompanyCode = tenant.Slug
localUser.TenantID = &tenant.ID
localUser.Department = group.Name
if localUser.LoginID == "" {
localUser.LoginID = localUser.ID
}
_ = s.userRepo.Update(ctx, localUser)
}
}

17
backend/internal/utils/audit.go Normal file
View File

@@ -0,0 +1,17 @@
package utils
import (
"encoding/json"
"fmt"
)
func ParseAuditDetails(details string) (map[string]any, error) {
var payload map[string]any
if details == "" {
return nil, fmt.Errorf("empty details")
}
if err := json.Unmarshal([]byte(details), &payload); err != nil {
return nil, err
}
return payload, nil
}

17
docker/ory/kratos/identity.schema.json
View File

@@ -7,13 +7,16 @@
"traits": {
"type": "object",
"properties": {
"id": {
"type": "string",
"title": "ID",
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
"custom_login_ids": {
"type": "array",
"title": "Custom Login IDs",
"items": {
"type": "string",
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
}
}
}
}

4
userfront/lib/core/services/auth_proxy_service.dart
View File

@@ -964,7 +964,6 @@ class AuthProxyService {
static Future<void> signup({
required String email,
String? loginId,
required String password,
required String name,
required String phone,
@@ -980,12 +979,11 @@ class AuthProxyService {
headers: {'Content-Type': 'application/json'},
body: jsonEncode({
'email': email,
if (loginId != null && loginId.isNotEmpty) 'loginId': loginId,
'password': password,
'name': name,
'phone': phone,
'affiliationType': affiliationType,
'companyCode': ?companyCode,
'companyCode': companyCode,
'department': department,
'termsAccepted': termsAccepted,
}),

100
userfront/lib/features/auth/presentation/signup_screen.dart
View File

@@ -32,13 +32,12 @@ class _SignupScreenState extends State<SignupScreen> {
// Controllers
final _emailController = TextEditingController();
final _loginIdController = TextEditingController();
final _emailCodeController = TextEditingController();
final _phoneController = TextEditingController();
final _phoneCodeController = TextEditingController();
final _emailCodeController = TextEditingController(); // [Restore]
final _nameController = TextEditingController();
final _passwordController = TextEditingController();
final _confirmPasswordController = TextEditingController();
final _phoneController = TextEditingController();
final _phoneCodeController = TextEditingController(); // [Restore]
final _deptController = TextEditingController();
// State
@@ -60,8 +59,6 @@ class _SignupScreenState extends State<SignupScreen> {
String? _phoneError;
String? _passwordError;
String? _confirmPasswordError;
String? _loginIdError;
String? _loginIdSuccess;
// Timers
Timer? _emailTimer;
@@ -102,7 +99,6 @@ class _SignupScreenState extends State<SignupScreen> {
_emailTimer?.cancel();
_phoneTimer?.cancel();
_emailController.dispose();
_loginIdController.dispose();
_emailCodeController.dispose();
_phoneController.dispose();
_phoneCodeController.dispose();
@@ -316,7 +312,6 @@ class _SignupScreenState extends State<SignupScreen> {
try {
await AuthProxyService.signup(
email: _emailController.text.trim(),
loginId: _loginIdController.text.trim(),
password: _passwordController.text,
name: _nameController.text.trim(),
phone: _phoneController.text.trim(),
@@ -1437,95 +1432,6 @@ class _SignupScreenState extends State<SignupScreen> {
),
),
const SizedBox(height: 18),
_buildProfileFieldGroup(
title: '로그인 ID (선택)',
description: '이메일/전화번호 외에 별도의 식별자로 로그인할 때 사용합니다.',
isDesktop: isDesktop,
child: Column(
crossAxisAlignment: CrossAxisAlignment.stretch,
children: [
TextFormField(
controller: _loginIdController,
onChanged: (val) {
setState(() {
_loginIdError = null;
_loginIdSuccess = null;
});
},
decoration: InputDecoration(
labelText: '사번 또는 아이디',
border: const OutlineInputBorder(),
errorText: _loginIdError,
suffixIcon: TextButton(
onPressed: _isLoading
? null
: () async {
final loginId = _loginIdController.text
.trim();
if (loginId.isEmpty) {
setState(
() => _loginIdError = 'ID를 입력해주세요.',
);
return;
}
setState(() {
_isLoading = true;
_loginIdError = null;
_loginIdSuccess = null;
});
try {
final result =
await AuthProxyService.checkLoginIDAvailability(
loginId,
companyCode:
_affiliationType ==
'AFFILIATE'
? _companyCode
: null,
);
setState(() {
if (result['available'] == true) {
_loginIdSuccess = '사용 가능한 ID입니다.';
} else {
_loginIdError =
result['message'] ??
'사용할 수 없는 ID입니다.';
}
});
} catch (e) {
setState(
() => _loginIdError = e
.toString()
.replaceAll('Exception: ', ''),
);
} finally {
if (mounted) {
setState(() => _isLoading = false);
}
}
},
child: const Text('중복 확인'),
),
),
),
if (_loginIdSuccess != null)
Padding(
padding: const EdgeInsets.only(
top: 8.0,
left: 12.0,
),
child: Text(
_loginIdSuccess!,
style: const TextStyle(
color: Colors.green,
fontSize: 12,
),
),
),
],
),
),
const SizedBox(height: 18),
_buildProfileFieldGroup(
title: tr('ui.userfront.signup.profile.affiliation_type'),
description: _isAffiliateEmail