forked from baron/baron-sso
feat: implement multi-identifier architecture (Issue #496)
- Database: Add user_login_ids table for 1:N identifier mapping and remove legacy login_id column - Kratos: Update identity schema to use custom_login_ids array instead of a single id trait - Backend: Implement syncCustomLoginIDs to collect isLoginId fields across tenant schemas - Backend: Add backtracking logic to auto-assign session tenant based on used login identifier - Backend: Add 409 Conflict exception handling for Create/Update operations - AdminFront: Refactor UserDetailPage to a tabbed grid layout (Info, Tenants, Security) - AdminFront: Show '로그인 ID' badge on tenant schema fields used for authentication - UserFront: Remove legacy optional 'Login ID' input from signup flow - Tests: Add multi-identifier repository tests and update handler tests
This commit is contained in:
@@ -35,9 +35,10 @@ type UserHandler struct {
|
||||
KetoOutboxRepo repository.KetoOutboxRepository
|
||||
UserRepo repository.UserRepository
|
||||
UserGroupRepo repository.UserGroupRepository
|
||||
AuditRepo domain.AuditRepository
|
||||
}
|
||||
|
||||
func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProviderAPI, tenantService service.TenantService, ketoService service.KetoService, ketoOutboxRepo repository.KetoOutboxRepository, userRepo repository.UserRepository, userGroupRepo repository.UserGroupRepository) *UserHandler {
|
||||
func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProviderAPI, tenantService service.TenantService, ketoService service.KetoService, ketoOutboxRepo repository.KetoOutboxRepository, userRepo repository.UserRepository, userGroupRepo repository.UserGroupRepository, auditRepo domain.AuditRepository) *UserHandler {
|
||||
return &UserHandler{
|
||||
KratosAdmin: kratosAdmin,
|
||||
OryProvider: oryProvider,
|
||||
@@ -46,6 +47,7 @@ func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProvi
|
||||
KetoOutboxRepo: ketoOutboxRepo,
|
||||
UserRepo: userRepo,
|
||||
UserGroupRepo: userGroupRepo,
|
||||
AuditRepo: auditRepo,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -53,6 +55,7 @@ type userSummary struct {
|
||||
ID string `json:"id"`
|
||||
Email string `json:"email"`
|
||||
LoginID string `json:"loginId,omitempty"`
|
||||
CustomLoginIDs []string `json:"customLoginIds,omitempty"` // [New] 다중 로그인 ID 목록
|
||||
Name string `json:"name"`
|
||||
Phone string `json:"phone"`
|
||||
Role string `json:"role"`
|
||||
@@ -325,40 +328,23 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
|
||||
|
||||
// [Override with explicit LoginID if provided]
|
||||
if req.LoginID != "" {
|
||||
attributes["id"] = req.LoginID
|
||||
if ids, ok := attributes["custom_login_ids"].([]string); ok {
|
||||
attributes["custom_login_ids"] = append(ids, req.LoginID)
|
||||
} else {
|
||||
attributes["custom_login_ids"] = []string{req.LoginID}
|
||||
}
|
||||
}
|
||||
|
||||
// [Resolve TenantID and LoginID before Kratos creation]
|
||||
// [Resolve TenantID and Custom Login IDs before Kratos creation]
|
||||
var tenantID string
|
||||
synced := false
|
||||
if req.CompanyCode != "" && h.TenantService != nil {
|
||||
if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), req.CompanyCode); err == nil && tenant != nil {
|
||||
tenantID = tenant.ID
|
||||
|
||||
// Sync custom field to LoginID if configured
|
||||
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
|
||||
syncLoginID(attributes, req.Metadata, tenantID, loginIdField)
|
||||
synced = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Fallback: Try syncing based on the tenant namespaces being updated
|
||||
if !synced && h.TenantService != nil {
|
||||
for k := range req.Metadata {
|
||||
if len(k) >= 32 { // Looks like a UUID (tenant ID)
|
||||
if tenant, err := h.TenantService.GetTenant(c.Context(), k); err == nil && tenant != nil {
|
||||
if tenantID == "" {
|
||||
tenantID = tenant.ID
|
||||
}
|
||||
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
|
||||
syncLoginID(attributes, req.Metadata, tenant.ID, loginIdField)
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
// Collect and sync all custom login IDs based on tenant schemas
|
||||
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, req.Metadata, "")
|
||||
|
||||
attributes["role"] = role
|
||||
if tenantID != "" {
|
||||
@@ -373,22 +359,25 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
|
||||
}
|
||||
}
|
||||
|
||||
finalLoginID := extractTraitString(attributes, "id")
|
||||
if err := domain.ValidateLoginID(finalLoginID, email, normalizePhoneNumber(req.Phone)); err != nil {
|
||||
return errorJSON(c, fiber.StatusBadRequest, err.Error())
|
||||
// Validate all collected LoginIDs
|
||||
if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
|
||||
for _, lid := range collectedIDs {
|
||||
if err := domain.ValidateLoginID(lid, email, normalizePhoneNumber(req.Phone)); err != nil {
|
||||
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
brokerUser := &domain.BrokerUser{
|
||||
Email: email,
|
||||
LoginID: finalLoginID,
|
||||
Name: name,
|
||||
PhoneNumber: normalizePhoneNumber(req.Phone),
|
||||
Attributes: attributes,
|
||||
}
|
||||
|
||||
// [Validation] Based on Tenant Schema
|
||||
if req.CompanyCode != "" && h.TenantService != nil {
|
||||
tenant, err := h.TenantService.GetTenantBySlug(c.Context(), req.CompanyCode)
|
||||
if tenantID != "" && h.TenantService != nil {
|
||||
tenant, err := h.TenantService.GetTenant(c.Context(), tenantID)
|
||||
if err == nil && tenant != nil {
|
||||
if schema, ok := tenant.Config["userSchema"].([]interface{}); ok {
|
||||
if err := h.validateMetadata(req.Metadata, schema, true); err != nil {
|
||||
@@ -400,8 +389,8 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
|
||||
|
||||
identityID, err := h.OryProvider.CreateUser(brokerUser, password)
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "already exists") {
|
||||
return errorJSON(c, fiber.StatusConflict, "email already exists")
|
||||
if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "already exists") || strings.Contains(err.Error(), "exists already") {
|
||||
return errorJSON(c, fiber.StatusConflict, "이미 사용 중인 식별자(이메일/전화번호/사번 등)입니다.")
|
||||
}
|
||||
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
||||
}
|
||||
@@ -424,6 +413,14 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
|
||||
slog.Error("[UserHandler] Failed to sync new user to local DB", "email", localUser.Email, "error", err)
|
||||
}
|
||||
|
||||
// Update User Login IDs in local DB
|
||||
for i := range loginIDRecords {
|
||||
loginIDRecords[i].UserID = localUser.ID
|
||||
}
|
||||
if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
|
||||
slog.Error("[UserHandler] Failed to update user login IDs", "userID", localUser.ID, "error", err)
|
||||
}
|
||||
|
||||
// [Keto] Sync relations via Outbox (Synchronous for accurate counting)
|
||||
if h.KetoOutboxRepo != nil {
|
||||
// 1. Role based relations
|
||||
@@ -580,15 +577,8 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
|
||||
"role": role,
|
||||
}
|
||||
|
||||
// Override with explicit LoginID if provided
|
||||
if item.LoginID != "" {
|
||||
attributes["id"] = item.LoginID
|
||||
}
|
||||
|
||||
// Sync LoginID from configured custom field (overrides explicit LoginID)
|
||||
if tItem.LoginIDField != "" {
|
||||
syncLoginID(attributes, item.Metadata, tItem.ID, tItem.LoginIDField)
|
||||
}
|
||||
// Sync all custom login IDs based on tenant schemas
|
||||
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, item.Metadata, "")
|
||||
|
||||
// Merge metadata
|
||||
for k, v := range item.Metadata {
|
||||
@@ -597,28 +587,36 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
|
||||
}
|
||||
}
|
||||
|
||||
finalLoginID := extractTraitString(attributes, "id")
|
||||
userEmail := email
|
||||
userPhone := normalizePhoneNumber(item.Phone)
|
||||
|
||||
if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
|
||||
results = append(results, bulkUserResult{Email: email, Success: false, Message: err.Error()})
|
||||
continue
|
||||
// Validate all collected LoginIDs
|
||||
if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
|
||||
valid := true
|
||||
for _, lid := range collectedIDs {
|
||||
if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
|
||||
results = append(results, bulkUserResult{Email: email, Success: false, Message: "Invalid LoginID (" + lid + "): " + err.Error()})
|
||||
valid = false
|
||||
break
|
||||
}
|
||||
}
|
||||
if !valid {
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
identityID, err := h.OryProvider.CreateUser(&domain.BrokerUser{
|
||||
Email: userEmail,
|
||||
LoginID: finalLoginID,
|
||||
Name: item.Name,
|
||||
PhoneNumber: userPhone,
|
||||
Attributes: attributes,
|
||||
}, password)
|
||||
if err != nil {
|
||||
// 만약 이미 존재하는 사용자라면 로컬 DB 및 Keto 관계만 업데이트(Sync)를 시도
|
||||
if strings.Contains(err.Error(), "already exists") {
|
||||
if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "already exists") || strings.Contains(err.Error(), "exists already") {
|
||||
identityID, err = h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), email)
|
||||
if err != nil || identityID == "" {
|
||||
results = append(results, bulkUserResult{Email: email, Success: false, Message: "이미 존재하는 사용자지만 ID를 찾을 수 없습니다."})
|
||||
results = append(results, bulkUserResult{Email: email, Success: false, Message: "이미 다른 사용자가 해당 식별자(이메일/사번 등)를 사용 중입니다."})
|
||||
continue
|
||||
}
|
||||
slog.Info("BulkCreate: User already exists, syncing local DB and Keto", "email", email, "identityID", identityID)
|
||||
@@ -634,7 +632,6 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
|
||||
localUser := &domain.User{
|
||||
ID: identityID,
|
||||
Email: email,
|
||||
LoginID: extractTraitString(attributes, "id"),
|
||||
Name: name,
|
||||
Phone: normalizePhoneNumber(item.Phone),
|
||||
Role: role,
|
||||
@@ -660,6 +657,14 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
|
||||
slog.Error("Failed to sync bulk user to local DB", "email", email, "error", err)
|
||||
}
|
||||
|
||||
// Update User Login IDs in local DB
|
||||
for i := range loginIDRecords {
|
||||
loginIDRecords[i].UserID = localUser.ID
|
||||
}
|
||||
if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
|
||||
slog.Error("Failed to update user login IDs in bulk", "userID", localUser.ID, "error", err)
|
||||
}
|
||||
|
||||
if h.KetoOutboxRepo != nil {
|
||||
// 1. Sync Role based relationship
|
||||
h.syncKetoRole(c.Context(), localUser.ID, role, "", "", localUser.TenantID)
|
||||
@@ -961,10 +966,6 @@ func (h *UserHandler) BulkUpdateUsers(c *fiber.Ctx) error {
|
||||
}
|
||||
}
|
||||
|
||||
if localUser.LoginID == "" {
|
||||
localUser.LoginID = localUser.ID
|
||||
}
|
||||
|
||||
_ = h.UserRepo.Update(c.Context(), localUser)
|
||||
|
||||
// [Keto Sync]
|
||||
@@ -1184,20 +1185,12 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
|
||||
traits["role"] = role
|
||||
}
|
||||
|
||||
// [Override with explicit LoginID if provided]
|
||||
// This is done FIRST so that if a custom loginIdField is configured in the tenant,
|
||||
// the metadata sync below will override this explicit value, preventing the UI's
|
||||
// pre-filled explicit loginId from clobbering the updated custom field.
|
||||
if req.LoginID != nil && *req.LoginID != "" {
|
||||
traits["id"] = *req.LoginID
|
||||
}
|
||||
|
||||
// [Namespaced Metadata Sync]
|
||||
coreTraits := map[string]bool{
|
||||
"email": true, "name": true, "phone_number": true,
|
||||
"grade": true, "companyCode": true, "department": true,
|
||||
"affiliationType": true, "role": true, "tenant_id": true,
|
||||
"id": true,
|
||||
"custom_login_ids": true, "id": true,
|
||||
}
|
||||
|
||||
// For namespaced metadata, we don't delete everything, we merge.
|
||||
@@ -1221,51 +1214,29 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
|
||||
|
||||
// [LoginID Sync based on Tenant Settings]
|
||||
// Perform sync AFTER metadata merge to ensure traits contains current values
|
||||
syncCompCode := extractTraitString(traits, "companyCode")
|
||||
synced := false
|
||||
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, traits, req.Metadata, userID)
|
||||
|
||||
if syncCompCode != "" && h.TenantService != nil {
|
||||
if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), syncCompCode); err == nil && tenant != nil {
|
||||
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
|
||||
syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
|
||||
synced = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Fallback: If companyCode is empty or didn't sync, try syncing based on the tenant namespaces being updated
|
||||
if !synced && h.TenantService != nil {
|
||||
for k := range req.Metadata {
|
||||
if len(k) >= 32 { // Looks like a UUID (tenant ID)
|
||||
if tenant, err := h.TenantService.GetTenant(c.Context(), k); err == nil && tenant != nil {
|
||||
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
|
||||
syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
|
||||
synced = true
|
||||
break // Apply first matched tenant config
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
finalLoginID := extractTraitString(traits, "id")
|
||||
// Validate all collected LoginIDs
|
||||
userEmail := extractTraitString(traits, "email")
|
||||
userPhone := extractTraitString(traits, "phone_number")
|
||||
if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
|
||||
return errorJSON(c, fiber.StatusBadRequest, err.Error())
|
||||
if collectedIDs, ok := traits["custom_login_ids"].([]string); ok {
|
||||
for _, lid := range collectedIDs {
|
||||
if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
|
||||
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// resolvePasswordLoginID might be doing something else but we already have finalLoginID.
|
||||
// We should just use finalLoginID if it's the intended identifier.
|
||||
// But let's check if resolvePasswordLoginID exists and what it returns. Assuming it returns a string.
|
||||
// If it overrides, we assign it. Let's just use finalLoginID for now.
|
||||
finalLoginID = resolvePasswordLoginID(traits)
|
||||
|
||||
state := normalizeKratosState(req.Status)
|
||||
|
||||
slog.Info("[UpdateUser] Calling Kratos UpdateIdentity", "userID", userID, "traits", traits, "state", state)
|
||||
|
||||
updated, err := h.KratosAdmin.UpdateIdentity(c.Context(), userID, traits, state)
|
||||
if err != nil {
|
||||
// [Exception Handling] Check for 409 Conflict (Duplicate Identifier)
|
||||
if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "exists already") {
|
||||
return errorJSON(c, fiber.StatusConflict, "이미 다른 사용자가 사용 중인 식별자(이메일/전화번호/사번 등)가 포함되어 있습니다.")
|
||||
}
|
||||
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
||||
}
|
||||
|
||||
@@ -1273,15 +1244,16 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
|
||||
if h.UserRepo != nil {
|
||||
updatedLocalUser := h.mapToLocalUser(*updated)
|
||||
|
||||
if updatedLocalUser.LoginID == "" {
|
||||
updatedLocalUser.LoginID = updatedLocalUser.ID
|
||||
}
|
||||
|
||||
ctx := context.Background() // Use request context if appropriate, but sync must finish
|
||||
if err := h.UserRepo.Update(ctx, updatedLocalUser); err != nil {
|
||||
slog.Error("[UserHandler] Failed to sync updated user to local DB", "userID", updatedLocalUser.ID, "error", err)
|
||||
}
|
||||
|
||||
// Update User Login IDs in local DB
|
||||
if err := h.UserRepo.UpdateUserLoginIDs(ctx, updatedLocalUser.ID, loginIDRecords); err != nil {
|
||||
slog.Error("[UserHandler] Failed to update user login IDs", "userID", updatedLocalUser.ID, "error", err)
|
||||
}
|
||||
|
||||
// [Keto Sync] asynchronously as it's less critical for immediate UI count
|
||||
go func() {
|
||||
bgCtx := context.Background()
|
||||
@@ -1345,7 +1317,9 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
|
||||
if h.OryProvider == nil {
|
||||
return errorJSON(c, fiber.StatusServiceUnavailable, "password provider not available")
|
||||
}
|
||||
if err := h.OryProvider.UpdateUserPassword(finalLoginID, *req.Password, nil); err != nil {
|
||||
// [New] Resolve a representative LoginID for the password update call
|
||||
updateLoginID := resolvePasswordLoginID(updated.Traits)
|
||||
if err := h.OryProvider.UpdateUserPassword(updateLoginID, *req.Password, nil); err != nil {
|
||||
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
||||
}
|
||||
}
|
||||
@@ -1408,19 +1382,34 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
|
||||
|
||||
compCode := extractTraitString(traits, "companyCode")
|
||||
slog.Debug("Mapping identity", "email", extractTraitString(traits, "email"), "compCode", compCode)
|
||||
|
||||
var customLoginIDs []string
|
||||
if raw, ok := traits["custom_login_ids"]; ok {
|
||||
if ids, ok := raw.([]interface{}); ok {
|
||||
for _, id := range ids {
|
||||
if s, ok := id.(string); ok {
|
||||
customLoginIDs = append(customLoginIDs, s)
|
||||
}
|
||||
}
|
||||
} else if ids, ok := raw.([]string); ok {
|
||||
customLoginIDs = ids
|
||||
}
|
||||
}
|
||||
|
||||
summary := userSummary{
|
||||
ID: identity.ID,
|
||||
Email: extractTraitString(traits, "email"),
|
||||
LoginID: extractTraitString(traits, "id"), // id in Kratos traits maps to LoginID
|
||||
Name: extractTraitString(traits, "name"),
|
||||
Phone: extractTraitString(traits, "phone_number"),
|
||||
Role: role,
|
||||
Status: normalizeStatus(identity.State),
|
||||
CompanyCode: compCode,
|
||||
Department: extractTraitString(traits, "department"),
|
||||
Metadata: make(domain.JSONMap),
|
||||
CreatedAt: formatTime(identity.CreatedAt),
|
||||
UpdatedAt: formatTime(identity.UpdatedAt),
|
||||
ID: identity.ID,
|
||||
Email: extractTraitString(traits, "email"),
|
||||
LoginID: resolvePasswordLoginID(traits),
|
||||
CustomLoginIDs: customLoginIDs,
|
||||
Name: extractTraitString(traits, "name"),
|
||||
Phone: extractTraitString(traits, "phone_number"),
|
||||
Role: role,
|
||||
Status: normalizeStatus(identity.State),
|
||||
CompanyCode: compCode,
|
||||
Department: extractTraitString(traits, "department"),
|
||||
Metadata: make(domain.JSONMap),
|
||||
CreatedAt: formatTime(identity.CreatedAt),
|
||||
UpdatedAt: formatTime(identity.UpdatedAt),
|
||||
}
|
||||
|
||||
// [New] Fetch all manageable tenants (for Multi-tenancy support)
|
||||
@@ -1438,6 +1427,7 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
|
||||
"email": true, "name": true, "phone_number": true,
|
||||
"grade": true, "companyCode": true, "department": true,
|
||||
"affiliationType": true, "role": true, "tenant_id": true,
|
||||
"custom_login_ids": true, "id": true,
|
||||
}
|
||||
|
||||
for k, v := range traits {
|
||||
@@ -1477,17 +1467,9 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
|
||||
compCode = extractTraitString(traits, "company_code")
|
||||
}
|
||||
|
||||
loginID := extractTraitString(traits, "id")
|
||||
if loginID == "" {
|
||||
// Fallback to UUID to prevent unique constraint violations on idx_tenant_login_id
|
||||
// for users that use email/phone exclusively and don't have a specific loginId trait.
|
||||
loginID = identity.ID
|
||||
}
|
||||
|
||||
user := &domain.User{
|
||||
ID: identity.ID,
|
||||
Email: extractTraitString(traits, "email"),
|
||||
LoginID: loginID,
|
||||
Name: extractTraitString(traits, "name"),
|
||||
Phone: extractTraitString(traits, "phone_number"),
|
||||
Role: role,
|
||||
@@ -1520,6 +1502,7 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
|
||||
"email": true, "name": true, "phone_number": true,
|
||||
"grade": true, "companyCode": true, "department": true,
|
||||
"affiliationType": true, "role": true, "tenant_id": true, "company_code": true,
|
||||
"custom_login_ids": true, "id": true,
|
||||
}
|
||||
for k, v := range traits {
|
||||
if !coreTraits[k] {
|
||||
@@ -1628,6 +1611,17 @@ func extractTraitString(traits map[string]interface{}, key string) string {
|
||||
}
|
||||
|
||||
func resolvePasswordLoginID(traits map[string]interface{}) string {
|
||||
// First check custom_login_ids (array)
|
||||
if raw, ok := traits["custom_login_ids"]; ok {
|
||||
if ids, ok := raw.([]interface{}); ok && len(ids) > 0 {
|
||||
if first, ok := ids[0].(string); ok {
|
||||
return first
|
||||
}
|
||||
} else if ids, ok := raw.([]string); ok && len(ids) > 0 {
|
||||
return ids[0]
|
||||
}
|
||||
}
|
||||
// Fallback to legacy id (if still exists in some old identities)
|
||||
if loginID := strings.TrimSpace(extractTraitString(traits, "id")); loginID != "" {
|
||||
return loginID
|
||||
}
|
||||
@@ -1637,57 +1631,110 @@ func resolvePasswordLoginID(traits map[string]interface{}) string {
|
||||
return strings.TrimSpace(extractTraitString(traits, "phone_number"))
|
||||
}
|
||||
|
||||
// syncLoginID ensures that the 'id' trait (used as Kratos identifier) is in sync with the configured custom field.
|
||||
func syncLoginID(traits map[string]interface{}, metadata map[string]any, tenantID string, loginIDField string) {
|
||||
if loginIDField == "" {
|
||||
return
|
||||
// syncCustomLoginIDs collects all fields marked as isLoginId: true from tenant schemas
|
||||
// and populates traits["custom_login_ids"] and returns domain.UserLoginID records for DB.
|
||||
func syncCustomLoginIDs(ctx context.Context, tenantService service.TenantService, traits map[string]interface{}, metadata map[string]any, userID string) []domain.UserLoginID {
|
||||
if tenantService == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
var loginID string
|
||||
var loginIDRecords []domain.UserLoginID
|
||||
var allCustomIDs []string
|
||||
idSet := make(map[string]bool)
|
||||
|
||||
// 1. Check incoming metadata (flat)
|
||||
if val, ok := metadata[loginIDField].(string); ok && val != "" {
|
||||
loginID = val
|
||||
// Collect tenant IDs to check schemas for
|
||||
tenantIDsToCheck := make(map[string]bool)
|
||||
for k, v := range metadata {
|
||||
// Heuristic: if it's a map, it's likely namespaced metadata for a tenant
|
||||
if _, ok := v.(map[string]any); ok {
|
||||
tenantIDsToCheck[k] = true
|
||||
} else if _, ok := v.(map[string]interface{}); ok {
|
||||
tenantIDsToCheck[k] = true
|
||||
}
|
||||
}
|
||||
// Also check primary tenant if available
|
||||
if tid := extractTraitString(traits, "tenant_id"); tid != "" {
|
||||
tenantIDsToCheck[tid] = true
|
||||
}
|
||||
|
||||
// 2. Check incoming metadata (namespaced by tenant ID)
|
||||
if loginID == "" && tenantID != "" {
|
||||
if namespaced, ok := metadata[tenantID].(map[string]any); ok {
|
||||
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
|
||||
loginID = val
|
||||
for tid := range tenantIDsToCheck {
|
||||
tenant, err := tenantService.GetTenant(ctx, tid)
|
||||
if err != nil || tenant == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
schema, ok := tenant.Config["userSchema"].([]interface{})
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
|
||||
for _, fieldRaw := range schema {
|
||||
field, ok := fieldRaw.(map[string]interface{})
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
} else if namespaced, ok := metadata[tenantID].(map[string]interface{}); ok {
|
||||
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
|
||||
loginID = val
|
||||
|
||||
isLoginId, _ := field["isLoginId"].(bool)
|
||||
if !isLoginId {
|
||||
continue
|
||||
}
|
||||
|
||||
fieldKey, ok := field["key"].(string)
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
|
||||
// Try to find value in namespaced metadata first, then flat metadata, then existing traits
|
||||
var val string
|
||||
if namespaced, ok := metadata[tid].(map[string]any); ok {
|
||||
val, _ = namespaced[fieldKey].(string)
|
||||
} else if namespaced, ok := metadata[tid].(map[string]interface{}); ok {
|
||||
val, _ = namespaced[fieldKey].(string)
|
||||
}
|
||||
|
||||
if val == "" {
|
||||
val, _ = metadata[fieldKey].(string)
|
||||
}
|
||||
|
||||
if val == "" {
|
||||
// Check existing trait (namespaced)
|
||||
if namespaced, ok := traits[tid].(map[string]interface{}); ok {
|
||||
val, _ = namespaced[fieldKey].(string)
|
||||
} else if namespaced, ok := traits[tid].(map[string]any); ok {
|
||||
val, _ = namespaced[fieldKey].(string)
|
||||
}
|
||||
}
|
||||
|
||||
if val == "" {
|
||||
// Fallback: Check flat traits
|
||||
val = extractTraitString(traits, fieldKey)
|
||||
}
|
||||
|
||||
if val != "" {
|
||||
if !idSet[val] {
|
||||
idSet[val] = true
|
||||
allCustomIDs = append(allCustomIDs, val)
|
||||
}
|
||||
loginIDRecords = append(loginIDRecords, domain.UserLoginID{
|
||||
UserID: userID,
|
||||
TenantID: tid,
|
||||
FieldKey: fieldKey,
|
||||
LoginID: val,
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// 3. Check merged traits (which includes existing metadata)
|
||||
// Important: Skip this if loginIDField is "id" because traits["id"] is the TARGET,
|
||||
// and we don't want to sync "id" to "id" if we already checked metadata.
|
||||
if loginID == "" && loginIDField != "id" {
|
||||
// Existing trait (flat)
|
||||
if val, ok := traits[loginIDField].(string); ok && val != "" {
|
||||
loginID = val
|
||||
} else if tenantID != "" {
|
||||
// Existing trait (namespaced)
|
||||
if namespaced, ok := traits[tenantID].(map[string]interface{}); ok {
|
||||
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
|
||||
loginID = val
|
||||
}
|
||||
} else if namespaced, ok := traits[tenantID].(map[string]any); ok {
|
||||
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
|
||||
loginID = val
|
||||
}
|
||||
}
|
||||
}
|
||||
if len(allCustomIDs) > 0 {
|
||||
traits["custom_login_ids"] = allCustomIDs
|
||||
} else {
|
||||
delete(traits, "custom_login_ids")
|
||||
}
|
||||
|
||||
if loginID != "" {
|
||||
slog.Info("Syncing LoginID from custom field", "field", loginIDField, "value", loginID, "tenantID", tenantID)
|
||||
traits["id"] = loginID
|
||||
}
|
||||
// Always remove legacy "id" trait to avoid confusion
|
||||
delete(traits, "id")
|
||||
|
||||
return loginIDRecords
|
||||
}
|
||||
|
||||
func formatTime(value time.Time) string {
|
||||
@@ -1882,3 +1929,61 @@ func (h *UserHandler) validateMetadataWithAuth(metadata map[string]any, schema [
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (h *UserHandler) GetUserRpHistory(c *fiber.Ctx) error {
|
||||
userId := c.Params("id")
|
||||
if userId == "" {
|
||||
return errorJSON(c, fiber.StatusBadRequest, "user id is required")
|
||||
}
|
||||
|
||||
if h.AuditRepo == nil {
|
||||
return errorJSON(c, fiber.StatusServiceUnavailable, "Audit service unavailable")
|
||||
}
|
||||
|
||||
logs, err := h.AuditRepo.FindByUserAndEvents(c.Context(), userId, []string{"consent.granted", "consent.revoked"}, 100)
|
||||
if err != nil {
|
||||
return errorJSON(c, fiber.StatusInternalServerError, "Failed to fetch history")
|
||||
}
|
||||
|
||||
type rpHistoryItem struct {
|
||||
ClientID string `json:"client_id"`
|
||||
ClientName string `json:"client_name"`
|
||||
LastLoginAt string `json:"lastLoginAt"`
|
||||
Status string `json:"status"`
|
||||
}
|
||||
|
||||
historyMap := make(map[string]*rpHistoryItem)
|
||||
|
||||
// Logs are DESC (newest first).
|
||||
for _, log := range logs {
|
||||
details, _ := utils.ParseAuditDetails(log.Details)
|
||||
cid, _ := details["client_id"].(string)
|
||||
if cid == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
if _, exists := historyMap[cid]; !exists {
|
||||
cname, _ := details["client_name"].(string)
|
||||
if cname == "" {
|
||||
cname = cid
|
||||
}
|
||||
|
||||
historyMap[cid] = &rpHistoryItem{
|
||||
ClientID: cid,
|
||||
ClientName: cname,
|
||||
LastLoginAt: log.Timestamp.Format(time.RFC3339),
|
||||
Status: "active", // Default based on latest grant
|
||||
}
|
||||
if log.EventType == "consent.revoked" {
|
||||
historyMap[cid].Status = "revoked"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
result := make([]*rpHistoryItem, 0, len(historyMap))
|
||||
for _, item := range historyMap {
|
||||
result = append(result, item)
|
||||
}
|
||||
|
||||
return c.JSON(result)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user