kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

feat: implement multi-identifier architecture (Issue #496)

Browse Source 
- Database: Add user_login_ids table for 1:N identifier mapping and remove legacy login_id column
- Kratos: Update identity schema to use custom_login_ids array instead of a single id trait
- Backend: Implement syncCustomLoginIDs to collect isLoginId fields across tenant schemas
- Backend: Add backtracking logic to auto-assign session tenant based on used login identifier
- Backend: Add 409 Conflict exception handling for Create/Update operations
- AdminFront: Refactor UserDetailPage to a tabbed grid layout (Info, Tenants, Security)
- AdminFront: Show '로그인 ID' badge on tenant schema fields used for authentication
- UserFront: Remove legacy optional 'Login ID' input from signup flow
- Tests: Add multi-identifier repository tests and update handler tests
This commit is contained in:
조찬영
2026-04-02 16:07:33 +09:00
parent 71a006cd7b
commit b582c82c6f
25 changed files with 1154 additions and 1160 deletions
Download Patch File Download Diff File Expand all files Collapse all files

241
backend/internal/handler/auth_handler.go
View File

@@ -287,6 +287,16 @@ func (h *AuthHandler) CheckLoginID(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusServiceUnavailable, "Identity provider unavailable")
}
if !exists && h.UserRepo != nil {
// [New] Check local DB for custom login IDs (Plan A)
taken, err := h.UserRepo.IsLoginIDTaken(c.Context(), req.LoginID)
if err != nil {
slog.Error("Failed to check login ID in local DB", "error", err)
} else if taken {
exists = true
}
}
if exists {
return c.JSON(fiber.Map{"available": false, "message": "ID already registered"})
}
@@ -596,27 +606,20 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
"grade": "member",
}
if req.LoginID != "" {
attributes["id"] = req.LoginID
}
// Sync all custom login IDs based on tenant schemas
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, req.Metadata, "")
// Sync custom field to LoginID if configured
if tenantID != nil && h.TenantService != nil {
if tenant, err := h.TenantService.GetTenant(c.Context(), *tenantID); err == nil && tenant != nil {
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
syncLoginID(attributes, req.Metadata, *tenantID, loginIdField)
// Validate all collected LoginIDs
if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
for _, lid := range collectedIDs {
if err := domain.ValidateLoginID(lid, req.Email, normalizedPhone); err != nil {
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
}
}
}
finalLoginID := extractTraitString(attributes, "id")
if err := domain.ValidateLoginID(finalLoginID, req.Email, normalizedPhone); err != nil {
return errorJSON(c, fiber.StatusBadRequest, err.Error())
}
brokerUser := &domain.BrokerUser{
Email: req.Email,
LoginID: finalLoginID,
Name: req.Name,
PhoneNumber: normalizedPhone,
Attributes: attributes,
@@ -629,7 +632,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
}
slog.Error("[Signup] Failed to create user via IDP", "provider", h.IdpProvider.Name(), "error", err)
if strings.Contains(err.Error(), "already exists") {
return errorJSON(c, fiber.StatusConflict, "User already exists")
return errorJSON(c, fiber.StatusConflict, "User or login identifier already exists")
}
// Include the actual error message in the response for debugging
return errorJSON(c, fiber.StatusInternalServerError, fmt.Sprintf("Failed to create user: %v", err))
@@ -644,29 +647,47 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
// [SoT Policy] Kratos가 SoT이므로 로컬 DB 저장은 비동기 Read-Model 동기화로 처리합니다.
// 로컬 DB 저장이 실패하더라도 회원가입 프로세스는 성공으로 간주합니다.
localUser := &domain.User{
ID: providerID, // Match IDP Subject
ID: providerID,
Email: req.Email,
Name: req.Name,
Phone: normalizedPhone,
Role: "user",
AffiliationType: req.AffiliationType,
CompanyCode: companyCode,
TenantID: tenantID,
Department: req.Department,
Role: "user",
Status: "active",
Metadata: req.Metadata,
CreatedAt: time.Now(),
UpdatedAt: time.Now(),
}
if tenantID != nil {
localUser.TenantID = tenantID
}
// Merge metadata
localUser.Metadata = make(domain.JSONMap)
for k, v := range req.Metadata {
localUser.Metadata[k] = v
}
if h.UserRepo != nil {
go func(u *domain.User) {
// 요청 Context가 취소될 수 있으므로 Background Context 사용
go func(u *domain.User, ids []domain.UserLoginID) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
if err := h.UserRepo.Create(ctx, u); err != nil {
if err := h.UserRepo.Update(ctx, u); err != nil {
slog.Error("[Signup] Failed to sync user to Read-Model (Local DB)", "email", u.Email, "error", err)
} else {
slog.Debug("[Signup] Synced user to Read-Model", "email", u.Email)
// Update User Login IDs
for i := range ids {
ids[i].UserID = u.ID
}
if err := h.UserRepo.UpdateUserLoginIDs(ctx, u.ID, ids); err != nil {
slog.Error("[Signup] Failed to update user login IDs", "userID", u.ID, "error", err)
}
// [Keto] Sync user-tenant relationship via Outbox
if h.KetoOutboxRepo != nil && u.TenantID != nil {
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
@@ -678,7 +699,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
})
}
}
}(localUser)
}(localUser, loginIDRecords)
}
return c.JSON(fiber.Map{
@@ -3182,7 +3203,7 @@ func (h *AuthHandler) ScanQRLogin(c *fiber.Ctx) error {
if cookie == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Missing session token")
}
_, traits, err := h.getKratosIdentityWithCookie(cookie)
_, traits, _, err := h.getKratosIdentityWithCookie(cookie)
if err != nil {
slog.Warn("[QR] Cookie session invalid", "error", err)
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
@@ -4252,7 +4273,7 @@ func (h *AuthHandler) GetAuthTimeline(c *fiber.Ctx) error {
if strings.Contains(path, "/api/v1/auth/oidc/login/accept") {
appName = "OIDC 로그인"
// 우선 audit details의 client 정보를 사용하고, 없으면 Hydra 조회로 보강
if details, err := parseAuditDetails(log.Details); err == nil && details != nil {
if details, err := utils.ParseAuditDetails(log.Details); err == nil && details != nil {
if name, ok := details["client_name"].(string); ok && strings.TrimSpace(name) != "" {
appName = strings.TrimSpace(name)
}
@@ -5089,6 +5110,15 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
profile.Role = domain.RoleUser
}
// [New] Backtracking Logic for Session Tenant (Plan A)
if usedID, ok := profile.Metadata["_used_identifier"].(string); ok && usedID != "" && h.UserRepo != nil {
if tid, err := h.UserRepo.FindTenantIDByLoginID(c.Context(), usedID); err == nil && tid != "" {
profile.SessionTenantID = &tid
slog.Debug("Auto-assigned session tenant via backtracking", "loginID", usedID, "tenantID", tid)
}
delete(profile.Metadata, "_used_identifier") // Cleanup
}
// Fetch Tenant Metadata if missing
if profile.Tenant == nil && profile.TenantID != nil && *profile.TenantID != "" {
if tenant, err := h.TenantService.GetTenant(c.Context(), *profile.TenantID); err == nil {
@@ -5140,7 +5170,7 @@ func (h *AuthHandler) resolveConsentSubject(c *fiber.Ctx) (string, error) {
return identityID, nil
}
if cookie := c.Get("Cookie"); cookie != "" {
cookieID, _, cookieErr := h.getKratosIdentityWithCookie(cookie)
cookieID, _, _, cookieErr := h.getKratosIdentityWithCookie(cookie)
if cookieErr == nil && cookieID != "" {
return cookieID, nil
}
@@ -5151,14 +5181,14 @@ func (h *AuthHandler) resolveConsentSubject(c *fiber.Ctx) (string, error) {
if cookie == "" {
return "", fmt.Errorf("missing authorization token")
}
identityID, _, err := h.getKratosIdentityWithCookie(cookie)
identityID, _, _, err := h.getKratosIdentityWithCookie(cookie)
return identityID, err
}
func (h *AuthHandler) resolveConsentSubjects(c *fiber.Ctx) ([]string, error) {
token := h.getBearerToken(c)
if token != "" {
identityID, traits, err := h.getKratosIdentity(token)
identityID, traits, _, err := h.getKratosIdentity(token)
if err == nil && identityID != "" {
subjects := []string{identityID}
subjects = appendLoginIDsFromTraits(subjects, traits)
@@ -5170,7 +5200,7 @@ func (h *AuthHandler) resolveConsentSubjects(c *fiber.Ctx) ([]string, error) {
if cookie == "" {
return nil, fmt.Errorf("missing authorization token")
}
identityID, traits, err := h.getKratosIdentityWithCookie(cookie)
identityID, traits, _, err := h.getKratosIdentityWithCookie(cookie)
if err != nil {
return nil, err
}
@@ -5250,7 +5280,7 @@ func isAuthEventType(eventType string) bool {
func extractAuditPath(log domain.AuditLog) string {
if log.Details != "" {
if payload, err := parseAuditDetails(log.Details); err == nil {
if payload, err := utils.ParseAuditDetails(log.Details); err == nil {
if path, ok := payload["path"].(string); ok && path != "" {
return path
}
@@ -5263,17 +5293,6 @@ func extractAuditPath(log domain.AuditLog) string {
return ""
}
func parseAuditDetails(details string) (map[string]any, error) {
var payload map[string]any
if details == "" {
return nil, fmt.Errorf("empty details")
}
if err := json.Unmarshal([]byte(details), &payload); err != nil {
return nil, err
}
return payload, nil
}
func extractRequestBody(details map[string]any) map[string]any {
if details == nil {
return nil
@@ -5290,7 +5309,7 @@ func extractRequestBody(details map[string]any) map[string]any {
}
func shouldSkipAuthTimeline(log domain.AuditLog) bool {
details, _ := parseAuditDetails(log.Details)
details, _ := utils.ParseAuditDetails(log.Details)
path := strings.ToLower(extractAuditPath(log))
if path != "" && strings.Contains(path, "/api/v1/auth/enchanted-link/init") {
return true
@@ -5384,7 +5403,7 @@ func deriveAuthMethod(log domain.AuditLog) string {
loginID := extractLoginIDFromAuditDetails(log.Details)
kind := loginIDKind(loginID)
details, _ := parseAuditDetails(log.Details)
details, _ := utils.ParseAuditDetails(log.Details)
requestBody := extractRequestBody(details)
if details != nil {
if raw, ok := details["auth_timeline_skip"]; ok {
@@ -5603,7 +5622,7 @@ func extractLoginChallengeFromAuditDetails(details string) string {
if details == "" {
return ""
}
payload, err := parseAuditDetails(details)
payload, err := utils.ParseAuditDetails(details)
if err != nil {
return ""
}
@@ -5750,12 +5769,12 @@ func extractApprovedSessionIDFromAuditDetails(details string) string {
}
func (h *AuthHandler) resolveIdentityID(c *fiber.Ctx, token string) (string, error) {
id, _, err := h.getKratosIdentity(token)
id, _, _, err := h.getKratosIdentity(token)
return id, err
}
func (h *AuthHandler) resolveKratosLoginID(token string) (string, error) {
_, traits, err := h.getKratosIdentity(token)
_, traits, _, err := h.getKratosIdentity(token)
if err != nil {
return "", err
}
@@ -5943,44 +5962,56 @@ func extractLoginIDFromClaims(claims map[string]any) string {
return ""
}
func (h *AuthHandler) getKratosIdentity(sessionToken string) (string, map[string]interface{}, error) {
identityID, traits, _, err := h.getKratosIdentityWithSession(sessionToken)
return identityID, traits, err
func (h *AuthHandler) getKratosIdentity(sessionToken string) (string, map[string]interface{}, string, error) {
identityID, traits, _, usedID, err := h.getKratosIdentityWithSession(sessionToken)
return identityID, traits, usedID, err
}
func (h *AuthHandler) getKratosIdentityWithSession(sessionToken string) (string, map[string]interface{}, string, error) {
func (h *AuthHandler) getKratosIdentityWithSession(sessionToken string) (string, map[string]interface{}, string, string, error) {
kratosURL := strings.TrimRight(os.Getenv("KRATOS_PUBLIC_URL"), "/")
if kratosURL == "" {
kratosURL = "http://kratos:4433"
}
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
if err != nil {
return "", nil, "", err
return "", nil, "", "", err
}
req.Header.Set("X-Session-Token", sessionToken)
resp, err := http.DefaultClient.Do(req)
if err != nil {
return "", nil, "", err
return "", nil, "", "", err
}
defer resp.Body.Close()
if resp.StatusCode >= 300 {
body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
return "", nil, "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
return "", nil, "", "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
}
var result struct {
AuthenticatedAt string `json:"authenticated_at"`
Identity struct {
AuthenticatedAt string `json:"authenticated_at"`
AuthenticationMethods []struct {
Method string `json:"method"`
Identifier string `json:"identifier"`
} `json:"authentication_methods"`
Identity struct {
ID string `json:"id"`
Traits map[string]interface{} `json:"traits"`
} `json:"identity"`
}
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
return "", nil, "", err
return "", nil, "", "", err
}
return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, nil
usedIdentifier := ""
for _, m := range result.AuthenticationMethods {
if m.Identifier != "" {
usedIdentifier = m.Identifier
break
}
}
return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, usedIdentifier, nil
}
func (h *AuthHandler) getKratosSessionID(sessionToken string) (string, error) {
@@ -6056,44 +6087,56 @@ func (h *AuthHandler) issueKratosSession(ctx context.Context, identityID string)
return parsed.SessionToken, nil
}
func (h *AuthHandler) getKratosIdentityWithCookie(cookie string) (string, map[string]interface{}, error) {
identityID, traits, _, err := h.getKratosIdentityWithCookieAndSession(cookie)
return identityID, traits, err
func (h *AuthHandler) getKratosIdentityWithCookie(cookie string) (string, map[string]interface{}, string, error) {
identityID, traits, _, usedID, err := h.getKratosIdentityWithCookieAndSession(cookie)
return identityID, traits, usedID, err
}
func (h *AuthHandler) getKratosIdentityWithCookieAndSession(cookie string) (string, map[string]interface{}, string, error) {
func (h *AuthHandler) getKratosIdentityWithCookieAndSession(cookie string) (string, map[string]interface{}, string, string, error) {
kratosURL := strings.TrimRight(os.Getenv("KRATOS_PUBLIC_URL"), "/")
if kratosURL == "" {
kratosURL = "http://kratos:4433"
}
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
if err != nil {
return "", nil, "", err
return "", nil, "", "", err
}
req.Header.Set("Cookie", cookie)
resp, err := http.DefaultClient.Do(req)
if err != nil {
return "", nil, "", err
return "", nil, "", "", err
}
defer resp.Body.Close()
if resp.StatusCode >= 300 {
body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
return "", nil, "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
return "", nil, "", "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
}
var result struct {
AuthenticatedAt string `json:"authenticated_at"`
Identity struct {
AuthenticatedAt string `json:"authenticated_at"`
AuthenticationMethods []struct {
Method string `json:"method"`
Identifier string `json:"identifier"`
} `json:"authentication_methods"`
Identity struct {
ID string `json:"id"`
Traits map[string]interface{} `json:"traits"`
} `json:"identity"`
}
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
return "", nil, "", err
return "", nil, "", "", err
}
return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, nil
usedIdentifier := ""
for _, m := range result.AuthenticationMethods {
if m.Identifier != "" {
usedIdentifier = m.Identifier
break
}
}
return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, usedIdentifier, nil
}
func (h *AuthHandler) getKratosSessionIDWithCookie(cookie string) (string, error) {
@@ -6228,33 +6271,41 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
return profile
}
func (h *AuthHandler) applySessionAuthenticatedAtFromWhoami(profile *domain.UserProfileResponse, authenticatedAt string) *domain.UserProfileResponse {
func (h *AuthHandler) applySessionInfoFromWhoami(profile *domain.UserProfileResponse, authenticatedAt, usedIdentifier string) *domain.UserProfileResponse {
if profile == nil {
return nil
}
profile.SessionAuthenticatedAt = strings.TrimSpace(authenticatedAt)
if usedIdentifier != "" {
if profile.Metadata == nil {
profile.Metadata = make(map[string]any)
}
profile.Metadata["_used_identifier"] = usedIdentifier
}
return profile
}
func (h *AuthHandler) getKratosProfile(sessionToken string) (*domain.UserProfileResponse, error) {
identityID, traits, authenticatedAt, err := h.getKratosIdentityWithSession(sessionToken)
identityID, traits, authenticatedAt, usedIdentifier, err := h.getKratosIdentityWithSession(sessionToken)
if err != nil {
return nil, err
}
return h.applySessionAuthenticatedAtFromWhoami(
return h.applySessionInfoFromWhoami(
h.mapKratosIdentityToProfile(identityID, traits),
authenticatedAt,
usedIdentifier,
), nil
}
func (h *AuthHandler) getKratosProfileWithCookie(cookie string) (*domain.UserProfileResponse, error) {
identityID, traits, authenticatedAt, err := h.getKratosIdentityWithCookieAndSession(cookie)
identityID, traits, authenticatedAt, usedIdentifier, err := h.getKratosIdentityWithCookieAndSession(cookie)
if err != nil {
return nil, err
}
return h.applySessionAuthenticatedAtFromWhoami(
return h.applySessionInfoFromWhoami(
h.mapKratosIdentityToProfile(identityID, traits),
authenticatedAt,
usedIdentifier,
), nil
}
@@ -6272,13 +6323,13 @@ func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
err error
)
if token != "" {
identityID, traits, err = h.getKratosIdentity(token)
identityID, traits, _, err = h.getKratosIdentity(token)
} else {
cookie := c.Get("Cookie")
if cookie == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Missing authorization token")
}
identityID, traits, err = h.getKratosIdentityWithCookie(cookie)
identityID, traits, _, err = h.getKratosIdentityWithCookie(cookie)
}
if err != nil {
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
@@ -6331,27 +6382,35 @@ func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
// [LoginID Sync based on Tenant Settings]
// Perform sync AFTER metadata merge to ensure traits contains current values
syncCompCode := extractTraitString(traits, "companyCode")
if syncCompCode != "" && h.TenantService != nil {
if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), syncCompCode); err == nil && tenant != nil {
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, traits, req.Metadata, identityID)
// Validate all collected LoginIDs
userEmail := extractTraitString(traits, "email")
userPhone := extractTraitString(traits, "phone_number")
if collectedIDs, ok := traits["custom_login_ids"].([]string); ok {
for _, lid := range collectedIDs {
if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
}
}
}
finalLoginID := extractTraitString(traits, "id")
userEmail := extractTraitString(traits, "email")
userPhone := extractTraitString(traits, "phone")
if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
return errorJSON(c, fiber.StatusBadRequest, err.Error())
}
if err := h.updateKratosIdentity(identityID, traits); err != nil {
slog.Error("Failed to update profile in Kratos", "error", err)
return errorJSON(c, fiber.StatusInternalServerError, "프로필 업데이트에 실패했습니다.")
}
// [New] Local DB Sync - Sync synchronously to ensure immediate consistency
if h.UserRepo != nil {
ctx := context.Background()
// Also update local User record (read-model)
// We can fetch updated identity or just map current traits
// Since mapKratosIdentityToProfile is for UI, let's just use UpdateUserLoginIDs first
if err := h.UserRepo.UpdateUserLoginIDs(ctx, identityID, loginIDRecords); err != nil {
slog.Error("[UpdateMe] Failed to update user login IDs", "userID", identityID, "error", err)
}
}
// Invalidate token-based profile cache so refreshed /user/me returns latest traits.
if h.RedisService != nil && token != "" {
cacheKey := "cache:profile:token:" + token
@@ -6396,7 +6455,7 @@ func (h *AuthHandler) ChangeMyPassword(c *fiber.Ctx) error {
if cookie == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Missing authorization token")
}
_, traits, err := h.getKratosIdentityWithCookie(cookie)
_, traits, _, err := h.getKratosIdentityWithCookie(cookie)
if err != nil {
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
}
@@ -6434,7 +6493,7 @@ func (h *AuthHandler) SendUpdateCode(c *fiber.Ctx) error {
if cookie == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Unauthorized")
}
userID, _, err = h.getKratosIdentityWithCookie(cookie)
userID, _, _, err = h.getKratosIdentityWithCookie(cookie)
}
if err != nil || userID == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
@@ -6475,7 +6534,7 @@ func (h *AuthHandler) VerifyUpdateCode(c *fiber.Ctx) error {
if cookie == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
}
userID, _, err = h.getKratosIdentityWithCookie(cookie)
userID, _, _, err = h.getKratosIdentityWithCookie(cookie)
}
if err != nil || userID == "" {
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
@@ -6625,7 +6684,7 @@ func (h *AuthHandler) ListRpHistory(c *fiber.Ctx) error {
// Logs are DESC (newest first). Iterate in reverse (oldest first) to build state.
for i := len(logs) - 1; i >= 0; i-- {
log := logs[i]
details, _ := parseAuditDetails(log.Details)
details, _ := utils.ParseAuditDetails(log.Details)
clientID, _ := details["client_id"].(string)
if clientID == "" {
continue

26
backend/internal/handler/auth_handler_async_test.go
View File

@@ -80,7 +80,13 @@ func (m *AsyncMockUserRepo) Create(ctx context.Context, user *domain.User) error
}
return args.Error(0)
}
func (m *AsyncMockUserRepo) Update(ctx context.Context, user *domain.User) error { return nil }
func (m *AsyncMockUserRepo) Update(ctx context.Context, user *domain.User) error {
args := m.Called(ctx, user)
if m.createCalled != nil {
m.createCalled <- true
}
return args.Error(0)
}
func (m *AsyncMockUserRepo) Delete(ctx context.Context, id string) error { return nil }
func (m *AsyncMockUserRepo) FindByEmail(ctx context.Context, email string) (*domain.User, error) {
return nil, nil
@@ -114,6 +120,22 @@ func (m *AsyncMockUserRepo) CountByCompanyCodes(ctx context.Context, codes []str
return nil, nil
}
func (m *AsyncMockUserRepo) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
return nil
}
func (m *AsyncMockUserRepo) GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error) {
return nil, nil
}
func (m *AsyncMockUserRepo) IsLoginIDTaken(ctx context.Context, loginID string) (bool, error) {
return false, nil
}
func (m *AsyncMockUserRepo) FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error) {
return "", nil
}
type AsyncMockRedisRepo struct {
mock.Mock
}
@@ -254,7 +276,7 @@ func TestSignup_AsyncDB_Isolation(t *testing.T) {
// UserRepo Mocks (Async & Failure)
mockUserRepo.createCalled = make(chan bool, 1)
mockUserRepo.On("Create", mock.Anything, mock.MatchedBy(func(u *domain.User) bool {
mockUserRepo.On("Update", mock.Anything, mock.MatchedBy(func(u *domain.User) bool {
return u.Email == email
})).Return(errors.New("db connection error"))

3
backend/internal/handler/dev_handler.go
View File

@@ -4,6 +4,7 @@ import (
"baron-sso-backend/internal/domain"
"baron-sso-backend/internal/repository"
"baron-sso-backend/internal/service"
"baron-sso-backend/internal/utils"
"context"
"crypto/rand"
"encoding/base64"
@@ -2106,7 +2107,7 @@ func (h *DevHandler) matchesDevAuditFilter(
if !strings.Contains(logItem.EventType, "/api/v1/dev/") {
return false
}
details, _ := parseAuditDetails(logItem.Details)
details, _ := utils.ParseAuditDetails(logItem.Details)
if statusFilter != "" && statusFilter != "all" && strings.ToLower(logItem.Status) != statusFilter {
return false
}

16
backend/internal/handler/tenant_handler_test.go
View File

@@ -131,6 +131,22 @@ func (m *MockUserRepoForHandler) CountByCompanyCodes(ctx context.Context, codes
return args.Get(0).(map[string]int64), args.Error(1)
}
func (m *MockUserRepoForHandler) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
return nil
}
func (m *MockUserRepoForHandler) GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error) {
return nil, nil
}
func (m *MockUserRepoForHandler) IsLoginIDTaken(ctx context.Context, loginID string) (bool, error) {
return false, nil
}
func (m *MockUserRepoForHandler) FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error) {
return "", nil
}
func TestTenantHandler_CreateTenant(t *testing.T) {
app := fiber.New()
mockSvc := new(MockTenantService)

429
backend/internal/handler/user_handler.go
View File

@@ -35,9 +35,10 @@ type UserHandler struct {
KetoOutboxRepo repository.KetoOutboxRepository
UserRepo repository.UserRepository
UserGroupRepo repository.UserGroupRepository
AuditRepo domain.AuditRepository
}
func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProviderAPI, tenantService service.TenantService, ketoService service.KetoService, ketoOutboxRepo repository.KetoOutboxRepository, userRepo repository.UserRepository, userGroupRepo repository.UserGroupRepository) *UserHandler {
func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProviderAPI, tenantService service.TenantService, ketoService service.KetoService, ketoOutboxRepo repository.KetoOutboxRepository, userRepo repository.UserRepository, userGroupRepo repository.UserGroupRepository, auditRepo domain.AuditRepository) *UserHandler {
return &UserHandler{
KratosAdmin: kratosAdmin,
OryProvider: oryProvider,
@@ -46,6 +47,7 @@ func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProvi
KetoOutboxRepo: ketoOutboxRepo,
UserRepo: userRepo,
UserGroupRepo: userGroupRepo,
AuditRepo: auditRepo,
}
}
@@ -53,6 +55,7 @@ type userSummary struct {
ID string `json:"id"`
Email string `json:"email"`
LoginID string `json:"loginId,omitempty"`
CustomLoginIDs []string `json:"customLoginIds,omitempty"` // [New] 다중 로그인 ID 목록
Name string `json:"name"`
Phone string `json:"phone"`
Role string `json:"role"`
@@ -325,40 +328,23 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
// [Override with explicit LoginID if provided]
if req.LoginID != "" {
attributes["id"] = req.LoginID
if ids, ok := attributes["custom_login_ids"].([]string); ok {
attributes["custom_login_ids"] = append(ids, req.LoginID)
} else {
attributes["custom_login_ids"] = []string{req.LoginID}
}
}
// [Resolve TenantID and LoginID before Kratos creation]
// [Resolve TenantID and Custom Login IDs before Kratos creation]
var tenantID string
synced := false
if req.CompanyCode != "" && h.TenantService != nil {
if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), req.CompanyCode); err == nil && tenant != nil {
tenantID = tenant.ID
// Sync custom field to LoginID if configured
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
syncLoginID(attributes, req.Metadata, tenantID, loginIdField)
synced = true
}
}
}
// Fallback: Try syncing based on the tenant namespaces being updated
if !synced && h.TenantService != nil {
for k := range req.Metadata {
if len(k) >= 32 { // Looks like a UUID (tenant ID)
if tenant, err := h.TenantService.GetTenant(c.Context(), k); err == nil && tenant != nil {
if tenantID == "" {
tenantID = tenant.ID
}
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
syncLoginID(attributes, req.Metadata, tenant.ID, loginIdField)
break
}
}
}
}
}
// Collect and sync all custom login IDs based on tenant schemas
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, req.Metadata, "")
attributes["role"] = role
if tenantID != "" {
@@ -373,22 +359,25 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
}
}
finalLoginID := extractTraitString(attributes, "id")
if err := domain.ValidateLoginID(finalLoginID, email, normalizePhoneNumber(req.Phone)); err != nil {
return errorJSON(c, fiber.StatusBadRequest, err.Error())
// Validate all collected LoginIDs
if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
for _, lid := range collectedIDs {
if err := domain.ValidateLoginID(lid, email, normalizePhoneNumber(req.Phone)); err != nil {
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
}
}
}
brokerUser := &domain.BrokerUser{
Email: email,
LoginID: finalLoginID,
Name: name,
PhoneNumber: normalizePhoneNumber(req.Phone),
Attributes: attributes,
}
// [Validation] Based on Tenant Schema
if req.CompanyCode != "" && h.TenantService != nil {
tenant, err := h.TenantService.GetTenantBySlug(c.Context(), req.CompanyCode)
if tenantID != "" && h.TenantService != nil {
tenant, err := h.TenantService.GetTenant(c.Context(), tenantID)
if err == nil && tenant != nil {
if schema, ok := tenant.Config["userSchema"].([]interface{}); ok {
if err := h.validateMetadata(req.Metadata, schema, true); err != nil {
@@ -400,8 +389,8 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
identityID, err := h.OryProvider.CreateUser(brokerUser, password)
if err != nil {
if strings.Contains(err.Error(), "already exists") {
return errorJSON(c, fiber.StatusConflict, "email already exists")
if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "already exists") || strings.Contains(err.Error(), "exists already") {
return errorJSON(c, fiber.StatusConflict, "이미 사용 중인 식별자(이메일/전화번호/사번 등)입니다.")
}
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
}
@@ -424,6 +413,14 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
slog.Error("[UserHandler] Failed to sync new user to local DB", "email", localUser.Email, "error", err)
}
// Update User Login IDs in local DB
for i := range loginIDRecords {
loginIDRecords[i].UserID = localUser.ID
}
if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
slog.Error("[UserHandler] Failed to update user login IDs", "userID", localUser.ID, "error", err)
}
// [Keto] Sync relations via Outbox (Synchronous for accurate counting)
if h.KetoOutboxRepo != nil {
// 1. Role based relations
@@ -580,15 +577,8 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
"role": role,
}
// Override with explicit LoginID if provided
if item.LoginID != "" {
attributes["id"] = item.LoginID
}
// Sync LoginID from configured custom field (overrides explicit LoginID)
if tItem.LoginIDField != "" {
syncLoginID(attributes, item.Metadata, tItem.ID, tItem.LoginIDField)
}
// Sync all custom login IDs based on tenant schemas
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, item.Metadata, "")
// Merge metadata
for k, v := range item.Metadata {
@@ -597,28 +587,36 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
}
}
finalLoginID := extractTraitString(attributes, "id")
userEmail := email
userPhone := normalizePhoneNumber(item.Phone)
if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
results = append(results, bulkUserResult{Email: email, Success: false, Message: err.Error()})
continue
// Validate all collected LoginIDs
if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
valid := true
for _, lid := range collectedIDs {
if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
results = append(results, bulkUserResult{Email: email, Success: false, Message: "Invalid LoginID (" + lid + "): " + err.Error()})
valid = false
break
}
}
if !valid {
continue
}
}
identityID, err := h.OryProvider.CreateUser(&domain.BrokerUser{
Email: userEmail,
LoginID: finalLoginID,
Name: item.Name,
PhoneNumber: userPhone,
Attributes: attributes,
}, password)
if err != nil {
// 만약 이미 존재하는 사용자라면 로컬 DB 및 Keto 관계만 업데이트(Sync)를 시도
if strings.Contains(err.Error(), "already exists") {
if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "already exists") || strings.Contains(err.Error(), "exists already") {
identityID, err = h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), email)
if err != nil || identityID == "" {
results = append(results, bulkUserResult{Email: email, Success: false, Message: "이미 존재하는 사용자지만 ID를 찾을 수 없습니다."})
results = append(results, bulkUserResult{Email: email, Success: false, Message: "이미 다른 사용자가 해당 식별자(이메일/사번 등)를 사용 중입니다."})
continue
}
slog.Info("BulkCreate: User already exists, syncing local DB and Keto", "email", email, "identityID", identityID)
@@ -634,7 +632,6 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
localUser := &domain.User{
ID: identityID,
Email: email,
LoginID: extractTraitString(attributes, "id"),
Name: name,
Phone: normalizePhoneNumber(item.Phone),
Role: role,
@@ -660,6 +657,14 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
slog.Error("Failed to sync bulk user to local DB", "email", email, "error", err)
}
// Update User Login IDs in local DB
for i := range loginIDRecords {
loginIDRecords[i].UserID = localUser.ID
}
if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
slog.Error("Failed to update user login IDs in bulk", "userID", localUser.ID, "error", err)
}
if h.KetoOutboxRepo != nil {
// 1. Sync Role based relationship
h.syncKetoRole(c.Context(), localUser.ID, role, "", "", localUser.TenantID)
@@ -961,10 +966,6 @@ func (h *UserHandler) BulkUpdateUsers(c *fiber.Ctx) error {
}
}
if localUser.LoginID == "" {
localUser.LoginID = localUser.ID
}
_ = h.UserRepo.Update(c.Context(), localUser)
// [Keto Sync]
@@ -1184,20 +1185,12 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
traits["role"] = role
}
// [Override with explicit LoginID if provided]
// This is done FIRST so that if a custom loginIdField is configured in the tenant,
// the metadata sync below will override this explicit value, preventing the UI's
// pre-filled explicit loginId from clobbering the updated custom field.
if req.LoginID != nil && *req.LoginID != "" {
traits["id"] = *req.LoginID
}
// [Namespaced Metadata Sync]
coreTraits := map[string]bool{
"email": true, "name": true, "phone_number": true,
"grade": true, "companyCode": true, "department": true,
"affiliationType": true, "role": true, "tenant_id": true,
"id": true,
"custom_login_ids": true, "id": true,
}
// For namespaced metadata, we don't delete everything, we merge.
@@ -1221,51 +1214,29 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
// [LoginID Sync based on Tenant Settings]
// Perform sync AFTER metadata merge to ensure traits contains current values
syncCompCode := extractTraitString(traits, "companyCode")
synced := false
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, traits, req.Metadata, userID)
if syncCompCode != "" && h.TenantService != nil {
if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), syncCompCode); err == nil && tenant != nil {
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
synced = true
}
}
}
// Fallback: If companyCode is empty or didn't sync, try syncing based on the tenant namespaces being updated
if !synced && h.TenantService != nil {
for k := range req.Metadata {
if len(k) >= 32 { // Looks like a UUID (tenant ID)
if tenant, err := h.TenantService.GetTenant(c.Context(), k); err == nil && tenant != nil {
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
synced = true
break // Apply first matched tenant config
}
}
}
}
}
finalLoginID := extractTraitString(traits, "id")
// Validate all collected LoginIDs
userEmail := extractTraitString(traits, "email")
userPhone := extractTraitString(traits, "phone_number")
if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
return errorJSON(c, fiber.StatusBadRequest, err.Error())
if collectedIDs, ok := traits["custom_login_ids"].([]string); ok {
for _, lid := range collectedIDs {
if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
}
}
}
// resolvePasswordLoginID might be doing something else but we already have finalLoginID.
// We should just use finalLoginID if it's the intended identifier.
// But let's check if resolvePasswordLoginID exists and what it returns. Assuming it returns a string.
// If it overrides, we assign it. Let's just use finalLoginID for now.
finalLoginID = resolvePasswordLoginID(traits)
state := normalizeKratosState(req.Status)
slog.Info("[UpdateUser] Calling Kratos UpdateIdentity", "userID", userID, "traits", traits, "state", state)
updated, err := h.KratosAdmin.UpdateIdentity(c.Context(), userID, traits, state)
if err != nil {
// [Exception Handling] Check for 409 Conflict (Duplicate Identifier)
if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "exists already") {
return errorJSON(c, fiber.StatusConflict, "이미 다른 사용자가 사용 중인 식별자(이메일/전화번호/사번 등)가 포함되어 있습니다.")
}
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
}
@@ -1273,15 +1244,16 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
if h.UserRepo != nil {
updatedLocalUser := h.mapToLocalUser(*updated)
if updatedLocalUser.LoginID == "" {
updatedLocalUser.LoginID = updatedLocalUser.ID
}
ctx := context.Background() // Use request context if appropriate, but sync must finish
if err := h.UserRepo.Update(ctx, updatedLocalUser); err != nil {
slog.Error("[UserHandler] Failed to sync updated user to local DB", "userID", updatedLocalUser.ID, "error", err)
}
// Update User Login IDs in local DB
if err := h.UserRepo.UpdateUserLoginIDs(ctx, updatedLocalUser.ID, loginIDRecords); err != nil {
slog.Error("[UserHandler] Failed to update user login IDs", "userID", updatedLocalUser.ID, "error", err)
}
// [Keto Sync] asynchronously as it's less critical for immediate UI count
go func() {
bgCtx := context.Background()
@@ -1345,7 +1317,9 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
if h.OryProvider == nil {
return errorJSON(c, fiber.StatusServiceUnavailable, "password provider not available")
}
if err := h.OryProvider.UpdateUserPassword(finalLoginID, *req.Password, nil); err != nil {
// [New] Resolve a representative LoginID for the password update call
updateLoginID := resolvePasswordLoginID(updated.Traits)
if err := h.OryProvider.UpdateUserPassword(updateLoginID, *req.Password, nil); err != nil {
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
}
}
@@ -1408,19 +1382,34 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
compCode := extractTraitString(traits, "companyCode")
slog.Debug("Mapping identity", "email", extractTraitString(traits, "email"), "compCode", compCode)
var customLoginIDs []string
if raw, ok := traits["custom_login_ids"]; ok {
if ids, ok := raw.([]interface{}); ok {
for _, id := range ids {
if s, ok := id.(string); ok {
customLoginIDs = append(customLoginIDs, s)
}
}
} else if ids, ok := raw.([]string); ok {
customLoginIDs = ids
}
}
summary := userSummary{
ID: identity.ID,
Email: extractTraitString(traits, "email"),
LoginID: extractTraitString(traits, "id"), // id in Kratos traits maps to LoginID
Name: extractTraitString(traits, "name"),
Phone: extractTraitString(traits, "phone_number"),
Role: role,
Status: normalizeStatus(identity.State),
CompanyCode: compCode,
Department: extractTraitString(traits, "department"),
Metadata: make(domain.JSONMap),
CreatedAt: formatTime(identity.CreatedAt),
UpdatedAt: formatTime(identity.UpdatedAt),
ID: identity.ID,
Email: extractTraitString(traits, "email"),
LoginID: resolvePasswordLoginID(traits),
CustomLoginIDs: customLoginIDs,
Name: extractTraitString(traits, "name"),
Phone: extractTraitString(traits, "phone_number"),
Role: role,
Status: normalizeStatus(identity.State),
CompanyCode: compCode,
Department: extractTraitString(traits, "department"),
Metadata: make(domain.JSONMap),
CreatedAt: formatTime(identity.CreatedAt),
UpdatedAt: formatTime(identity.UpdatedAt),
}
// [New] Fetch all manageable tenants (for Multi-tenancy support)
@@ -1438,6 +1427,7 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
"email": true, "name": true, "phone_number": true,
"grade": true, "companyCode": true, "department": true,
"affiliationType": true, "role": true, "tenant_id": true,
"custom_login_ids": true, "id": true,
}
for k, v := range traits {
@@ -1477,17 +1467,9 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
compCode = extractTraitString(traits, "company_code")
}
loginID := extractTraitString(traits, "id")
if loginID == "" {
// Fallback to UUID to prevent unique constraint violations on idx_tenant_login_id
// for users that use email/phone exclusively and don't have a specific loginId trait.
loginID = identity.ID
}
user := &domain.User{
ID: identity.ID,
Email: extractTraitString(traits, "email"),
LoginID: loginID,
Name: extractTraitString(traits, "name"),
Phone: extractTraitString(traits, "phone_number"),
Role: role,
@@ -1520,6 +1502,7 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
"email": true, "name": true, "phone_number": true,
"grade": true, "companyCode": true, "department": true,
"affiliationType": true, "role": true, "tenant_id": true, "company_code": true,
"custom_login_ids": true, "id": true,
}
for k, v := range traits {
if !coreTraits[k] {
@@ -1628,6 +1611,17 @@ func extractTraitString(traits map[string]interface{}, key string) string {
}
func resolvePasswordLoginID(traits map[string]interface{}) string {
// First check custom_login_ids (array)
if raw, ok := traits["custom_login_ids"]; ok {
if ids, ok := raw.([]interface{}); ok && len(ids) > 0 {
if first, ok := ids[0].(string); ok {
return first
}
} else if ids, ok := raw.([]string); ok && len(ids) > 0 {
return ids[0]
}
}
// Fallback to legacy id (if still exists in some old identities)
if loginID := strings.TrimSpace(extractTraitString(traits, "id")); loginID != "" {
return loginID
}
@@ -1637,57 +1631,110 @@ func resolvePasswordLoginID(traits map[string]interface{}) string {
return strings.TrimSpace(extractTraitString(traits, "phone_number"))
}
// syncLoginID ensures that the 'id' trait (used as Kratos identifier) is in sync with the configured custom field.
func syncLoginID(traits map[string]interface{}, metadata map[string]any, tenantID string, loginIDField string) {
if loginIDField == "" {
return
// syncCustomLoginIDs collects all fields marked as isLoginId: true from tenant schemas
// and populates traits["custom_login_ids"] and returns domain.UserLoginID records for DB.
func syncCustomLoginIDs(ctx context.Context, tenantService service.TenantService, traits map[string]interface{}, metadata map[string]any, userID string) []domain.UserLoginID {
if tenantService == nil {
return nil
}
var loginID string
var loginIDRecords []domain.UserLoginID
var allCustomIDs []string
idSet := make(map[string]bool)
// 1. Check incoming metadata (flat)
if val, ok := metadata[loginIDField].(string); ok && val != "" {
loginID = val
// Collect tenant IDs to check schemas for
tenantIDsToCheck := make(map[string]bool)
for k, v := range metadata {
// Heuristic: if it's a map, it's likely namespaced metadata for a tenant
if _, ok := v.(map[string]any); ok {
tenantIDsToCheck[k] = true
} else if _, ok := v.(map[string]interface{}); ok {
tenantIDsToCheck[k] = true
}
}
// Also check primary tenant if available
if tid := extractTraitString(traits, "tenant_id"); tid != "" {
tenantIDsToCheck[tid] = true
}
// 2. Check incoming metadata (namespaced by tenant ID)
if loginID == "" && tenantID != "" {
if namespaced, ok := metadata[tenantID].(map[string]any); ok {
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
loginID = val
for tid := range tenantIDsToCheck {
tenant, err := tenantService.GetTenant(ctx, tid)
if err != nil || tenant == nil {
continue
}
schema, ok := tenant.Config["userSchema"].([]interface{})
if !ok {
continue
}
for _, fieldRaw := range schema {
field, ok := fieldRaw.(map[string]interface{})
if !ok {
continue
}
} else if namespaced, ok := metadata[tenantID].(map[string]interface{}); ok {
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
loginID = val
isLoginId, _ := field["isLoginId"].(bool)
if !isLoginId {
continue
}
fieldKey, ok := field["key"].(string)
if !ok {
continue
}
// Try to find value in namespaced metadata first, then flat metadata, then existing traits
var val string
if namespaced, ok := metadata[tid].(map[string]any); ok {
val, _ = namespaced[fieldKey].(string)
} else if namespaced, ok := metadata[tid].(map[string]interface{}); ok {
val, _ = namespaced[fieldKey].(string)
}
if val == "" {
val, _ = metadata[fieldKey].(string)
}
if val == "" {
// Check existing trait (namespaced)
if namespaced, ok := traits[tid].(map[string]interface{}); ok {
val, _ = namespaced[fieldKey].(string)
} else if namespaced, ok := traits[tid].(map[string]any); ok {
val, _ = namespaced[fieldKey].(string)
}
}
if val == "" {
// Fallback: Check flat traits
val = extractTraitString(traits, fieldKey)
}
if val != "" {
if !idSet[val] {
idSet[val] = true
allCustomIDs = append(allCustomIDs, val)
}
loginIDRecords = append(loginIDRecords, domain.UserLoginID{
UserID: userID,
TenantID: tid,
FieldKey: fieldKey,
LoginID: val,
})
}
}
}
// 3. Check merged traits (which includes existing metadata)
// Important: Skip this if loginIDField is "id" because traits["id"] is the TARGET,
// and we don't want to sync "id" to "id" if we already checked metadata.
if loginID == "" && loginIDField != "id" {
// Existing trait (flat)
if val, ok := traits[loginIDField].(string); ok && val != "" {
loginID = val
} else if tenantID != "" {
// Existing trait (namespaced)
if namespaced, ok := traits[tenantID].(map[string]interface{}); ok {
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
loginID = val
}
} else if namespaced, ok := traits[tenantID].(map[string]any); ok {
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
loginID = val
}
}
}
if len(allCustomIDs) > 0 {
traits["custom_login_ids"] = allCustomIDs
} else {
delete(traits, "custom_login_ids")
}
if loginID != "" {
slog.Info("Syncing LoginID from custom field", "field", loginIDField, "value", loginID, "tenantID", tenantID)
traits["id"] = loginID
}
// Always remove legacy "id" trait to avoid confusion
delete(traits, "id")
return loginIDRecords
}
func formatTime(value time.Time) string {
@@ -1882,3 +1929,61 @@ func (h *UserHandler) validateMetadataWithAuth(metadata map[string]any, schema [
return nil
}
func (h *UserHandler) GetUserRpHistory(c *fiber.Ctx) error {
userId := c.Params("id")
if userId == "" {
return errorJSON(c, fiber.StatusBadRequest, "user id is required")
}
if h.AuditRepo == nil {
return errorJSON(c, fiber.StatusServiceUnavailable, "Audit service unavailable")
}
logs, err := h.AuditRepo.FindByUserAndEvents(c.Context(), userId, []string{"consent.granted", "consent.revoked"}, 100)
if err != nil {
return errorJSON(c, fiber.StatusInternalServerError, "Failed to fetch history")
}
type rpHistoryItem struct {
ClientID string `json:"client_id"`
ClientName string `json:"client_name"`
LastLoginAt string `json:"lastLoginAt"`
Status string `json:"status"`
}
historyMap := make(map[string]*rpHistoryItem)
// Logs are DESC (newest first).
for _, log := range logs {
details, _ := utils.ParseAuditDetails(log.Details)
cid, _ := details["client_id"].(string)
if cid == "" {
continue
}
if _, exists := historyMap[cid]; !exists {
cname, _ := details["client_name"].(string)
if cname == "" {
cname = cid
}
historyMap[cid] = &rpHistoryItem{
ClientID: cid,
ClientName: cname,
LastLoginAt: log.Timestamp.Format(time.RFC3339),
Status: "active", // Default based on latest grant
}
if log.EventType == "consent.revoked" {
historyMap[cid].Status = "revoked"
}
}
}
result := make([]*rpHistoryItem, 0, len(historyMap))
for _, item := range historyMap {
result = append(result, item)
}
return c.JSON(result)
}

125
backend/internal/handler/user_handler_test.go
View File

@@ -87,6 +87,14 @@ func (m *MockTenantServiceForUser) GetTenantBySlug(ctx context.Context, slug str
return args.Get(0).(*domain.Tenant), args.Error(1)
}
func (m *MockTenantServiceForUser) GetTenant(ctx context.Context, id string) (*domain.Tenant, error) {
args := m.Called(ctx, id)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).(*domain.Tenant), args.Error(1)
}
func (m *MockTenantServiceForUser) ListManageableTenants(ctx context.Context, userID string) ([]domain.Tenant, error) {
args := m.Called(ctx, userID)
if args.Get(0) == nil {
@@ -117,11 +125,21 @@ func TestUserHandler_BulkCreateUsers(t *testing.T) {
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true},
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
},
},
}, nil).Once()
mockTenant.On("GetTenant", mock.Anything, "t-123").Return(&domain.Tenant{
ID: "t-123",
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
},
},
}, nil)
mockOry.On("GetPasswordPolicy").Return(&domain.PasswordPolicy{MinLength: 8}, nil)
mockOry.On("CreateUser", mock.Anything, mock.Anything).Return("u-1", nil).Twice()
@@ -188,11 +206,21 @@ func TestUserHandler_BulkCreateUsers(t *testing.T) {
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true},
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
},
},
}, nil).Once()
mockTenant.On("GetTenant", mock.Anything, "t-123").Return(&domain.Tenant{
ID: "t-123",
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
},
},
}, nil)
payload := map[string]interface{}{
"users": []map[string]interface{}{
{
@@ -391,23 +419,32 @@ func TestUserHandler_UpdateUser_LoginIDSync(t *testing.T) {
ID: tenantID,
Slug: "test-tenant",
Config: domain.JSONMap{
"loginIdField": "emp_no",
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_no", "label": "Employee No"},
map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
},
},
}, nil) // Allow multiple calls for validation and sync
}, nil)
mockTenant.On("GetTenant", mock.Anything, tenantID).Return(&domain.Tenant{
ID: tenantID,
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
},
},
}, nil)
mockTenant.On("ListManageableTenants", mock.Anything, userID).Return([]domain.Tenant{}, nil).Once()
// Expect traits to include 'id' synced from 'emp_no'
// Expect traits to include 'custom_login_ids' synced from 'emp_no'
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
return traits["id"] == "E1001"
ids, ok := traits["custom_login_ids"].([]string)
return ok && len(ids) > 0 && ids[0] == "E1001"
}), mock.Anything).Return(&service.KratosIdentity{
ID: userID,
Traits: map[string]interface{}{
"id": "E1001",
"email": "user@test.com",
"custom_login_ids": []interface{}{"E1001"},
"email": "user@test.com",
},
}, nil).Once()
@@ -459,7 +496,18 @@ func TestUserHandler_UpdateUser_LoginIDSync(t *testing.T) {
ID: tenantID,
Slug: "test-tenant",
Config: domain.JSONMap{
"loginIdField": "emp_no",
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_no", "isLoginId": true},
},
},
}, nil)
mockTenant.On("GetTenant", mock.Anything, tenantID).Return(&domain.Tenant{
ID: tenantID,
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_no", "isLoginId": true},
},
},
}, nil)
@@ -467,11 +515,12 @@ func TestUserHandler_UpdateUser_LoginIDSync(t *testing.T) {
// Even if metadata is empty, it should sync from existing traits
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
return traits["id"] == "E2002"
ids, ok := traits["custom_login_ids"].([]string)
return ok && len(ids) > 0 && ids[0] == "E2002"
}), mock.Anything).Return(&service.KratosIdentity{
ID: userID,
Traits: map[string]interface{}{
"id": "E2002",
"custom_login_ids": []interface{}{"E2002"},
},
}, nil).Once()
@@ -508,25 +557,42 @@ func TestUserHandler_UpdateUser_PasswordUsesProvider(t *testing.T) {
mockKratos.On("GetIdentity", mock.Anything, userID).Return(&service.KratosIdentity{
ID: userID,
Traits: map[string]interface{}{
"id": "dyddus1210",
"email": "dyddus1210@gmail.com",
"companyCode": "test-tenant",
"custom_login_ids": []interface{}{"dyddus1210"},
"email": "dyddus1210@gmail.com",
"companyCode": "test-tenant",
"tenant_id": "t-1",
"emp_id": "dyddus1210",
},
}, nil).Once()
mockTenant.On("GetTenantBySlug", mock.Anything, "test-tenant").Return(&domain.Tenant{
ID: "t-1",
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_id", "isLoginId": true},
},
},
}, nil)
mockTenant.On("GetTenant", mock.Anything, "t-1").Return(&domain.Tenant{
ID: "t-1",
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_id", "isLoginId": true},
},
},
}, nil)
mockTenant.On("ListManageableTenants", mock.Anything, userID).Return([]domain.Tenant{}, nil).Once()
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
return traits["id"] == "dyddus1210"
ids, ok := traits["custom_login_ids"].([]string)
return ok && len(ids) > 0 && ids[0] == "dyddus1210"
}), "").Return(&service.KratosIdentity{
ID: userID,
Traits: map[string]interface{}{
"id": "dyddus1210",
"email": "dyddus1210@gmail.com",
"custom_login_ids": []interface{}{"dyddus1210"},
"email": "dyddus1210@gmail.com",
},
}, nil).Once()
@@ -617,27 +683,36 @@ func TestUserHandler_CreateUser_LoginIDSync(t *testing.T) {
ID: tenantID,
Slug: "test-tenant",
Config: domain.JSONMap{
"loginIdField": "emp_no",
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_no", "label": "Employee No"},
map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
},
},
}, nil)
mockTenant.On("GetTenant", mock.Anything, tenantID).Return(&domain.Tenant{
ID: tenantID,
Slug: "test-tenant",
Config: domain.JSONMap{
"userSchema": []interface{}{
map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
},
},
}, nil)
mockOry.On("GetPasswordPolicy").Return(&domain.PasswordPolicy{MinLength: 8}, nil)
// Expect OryProvider.CreateUser to be called with attributes["id"] synced from metadata
// Expect OryProvider.CreateUser to be called with attributes["custom_login_ids"] synced from metadata
mockOry.On("CreateUser", mock.MatchedBy(func(user *domain.BrokerUser) bool {
return user.LoginID == "E1001" && user.Attributes["id"] == "E1001"
customIDs, ok := user.Attributes["custom_login_ids"].([]string)
return ok && len(customIDs) > 0 && customIDs[0] == "E1001"
}), mock.Anything).Return("u-1", nil).Once()
// Mock GetIdentity after creation
mockKratos.On("GetIdentity", mock.Anything, "u-1").Return(&service.KratosIdentity{
ID: "u-1",
Traits: map[string]interface{}{
"id": "E1001",
"email": "new@test.com",
"companyCode": "test-tenant",
"custom_login_ids": []interface{}{"E1001"},
"email": "new@test.com",
"companyCode": "test-tenant",
},
}, nil).Once()