forked from baron/baron-sso
feat: implement multi-identifier architecture (Issue #496)
- Database: Add user_login_ids table for 1:N identifier mapping and remove legacy login_id column - Kratos: Update identity schema to use custom_login_ids array instead of a single id trait - Backend: Implement syncCustomLoginIDs to collect isLoginId fields across tenant schemas - Backend: Add backtracking logic to auto-assign session tenant based on used login identifier - Backend: Add 409 Conflict exception handling for Create/Update operations - AdminFront: Refactor UserDetailPage to a tabbed grid layout (Info, Tenants, Security) - AdminFront: Show '로그인 ID' badge on tenant schema fields used for authentication - UserFront: Remove legacy optional 'Login ID' input from signup flow - Tests: Add multi-identifier repository tests and update handler tests
This commit is contained in:
@@ -97,7 +97,6 @@ export function TenantSchemaPage() {
|
|||||||
|
|
||||||
useEffect(() => {
|
useEffect(() => {
|
||||||
const rawSchema = tenantQuery.data?.config?.userSchema;
|
const rawSchema = tenantQuery.data?.config?.userSchema;
|
||||||
const loginIdField = tenantQuery.data?.config?.loginIdField;
|
|
||||||
|
|
||||||
if (Array.isArray(rawSchema)) {
|
if (Array.isArray(rawSchema)) {
|
||||||
setFields(
|
setFields(
|
||||||
@@ -118,7 +117,7 @@ export function TenantSchemaPage() {
|
|||||||
validation:
|
validation:
|
||||||
typeof field?.validation === "string" ? field.validation : "",
|
typeof field?.validation === "string" ? field.validation : "",
|
||||||
unsigned: Boolean(field?.unsigned),
|
unsigned: Boolean(field?.unsigned),
|
||||||
isLoginId: field?.key === loginIdField,
|
isLoginId: Boolean(field?.isLoginId),
|
||||||
})),
|
})),
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
@@ -126,13 +125,13 @@ export function TenantSchemaPage() {
|
|||||||
|
|
||||||
const updateMutation = useMutation({
|
const updateMutation = useMutation({
|
||||||
mutationFn: (newFields: SchemaField[]) => {
|
mutationFn: (newFields: SchemaField[]) => {
|
||||||
const loginIdField = newFields.find((f) => f.isLoginId)?.key || "";
|
// Remove legacy loginIdField, keep isLoginId natively in userSchema
|
||||||
|
const newConfig = { ...tenantQuery.data?.config };
|
||||||
|
delete newConfig.loginIdField;
|
||||||
|
newConfig.userSchema = newFields;
|
||||||
|
|
||||||
return updateTenant(tenantId, {
|
return updateTenant(tenantId, {
|
||||||
config: {
|
config: newConfig,
|
||||||
...tenantQuery.data?.config,
|
|
||||||
userSchema: newFields,
|
|
||||||
loginIdField: loginIdField,
|
|
||||||
},
|
|
||||||
});
|
});
|
||||||
},
|
},
|
||||||
onSuccess: () => {
|
onSuccess: () => {
|
||||||
@@ -344,14 +343,10 @@ export function TenantSchemaPage() {
|
|||||||
<label className="flex items-center gap-2 cursor-pointer">
|
<label className="flex items-center gap-2 cursor-pointer">
|
||||||
<input
|
<input
|
||||||
type="checkbox"
|
type="checkbox"
|
||||||
checked={field.isLoginId}
|
checked={field.isLoginId || false}
|
||||||
onChange={(e) => {
|
onChange={(e) =>
|
||||||
const newFields = fields.map((f, i) => ({
|
updateField(index, { isLoginId: e.target.checked })
|
||||||
...f,
|
}
|
||||||
isLoginId: i === index ? e.target.checked : false,
|
|
||||||
}));
|
|
||||||
setFields(newFields);
|
|
||||||
}}
|
|
||||||
className="w-4 h-4 rounded border-gray-300 text-primary focus:ring-primary"
|
className="w-4 h-4 rounded border-gray-300 text-primary focus:ring-primary"
|
||||||
/>
|
/>
|
||||||
<span className="text-sm font-medium text-blue-600">
|
<span className="text-sm font-medium text-blue-600">
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ type UserSchemaField = {
|
|||||||
required?: boolean;
|
required?: boolean;
|
||||||
adminOnly?: boolean;
|
adminOnly?: boolean;
|
||||||
validation?: string;
|
validation?: string;
|
||||||
|
isLoginId?: boolean;
|
||||||
};
|
};
|
||||||
|
|
||||||
type UserFormValues = UserCreateRequest & { metadata: Record<string, unknown> };
|
type UserFormValues = UserCreateRequest & { metadata: Record<string, unknown> };
|
||||||
@@ -65,7 +66,6 @@ function UserCreatePage() {
|
|||||||
} = useForm<UserFormValues>({
|
} = useForm<UserFormValues>({
|
||||||
defaultValues: {
|
defaultValues: {
|
||||||
email: "",
|
email: "",
|
||||||
loginId: "",
|
|
||||||
password: "",
|
password: "",
|
||||||
name: "",
|
name: "",
|
||||||
phone: "",
|
phone: "",
|
||||||
@@ -274,26 +274,6 @@ function UserCreatePage() {
|
|||||||
)}
|
)}
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div className="space-y-2">
|
|
||||||
<Label htmlFor="loginId">
|
|
||||||
{t("ui.admin.users.create.form.login_id", "로그인 ID (선택)")}
|
|
||||||
</Label>
|
|
||||||
<Input
|
|
||||||
id="loginId"
|
|
||||||
placeholder={t(
|
|
||||||
"ui.admin.users.create.form.login_id_placeholder",
|
|
||||||
"사번 또는 아이디",
|
|
||||||
)}
|
|
||||||
{...register("loginId")}
|
|
||||||
/>
|
|
||||||
<p className="text-[10px] text-muted-foreground">
|
|
||||||
{t(
|
|
||||||
"msg.admin.users.create.form.login_id_help",
|
|
||||||
"이메일/전화번호 외에 별도의 식별자로 로그인할 때 사용합니다.",
|
|
||||||
)}
|
|
||||||
</p>
|
|
||||||
</div>
|
|
||||||
|
|
||||||
<div className="space-y-2">
|
<div className="space-y-2">
|
||||||
<div className="flex items-center justify-between">
|
<div className="flex items-center justify-between">
|
||||||
<Label htmlFor="password">
|
<Label htmlFor="password">
|
||||||
@@ -470,6 +450,11 @@ function UserCreatePage() {
|
|||||||
Admin Only
|
Admin Only
|
||||||
</span>
|
</span>
|
||||||
)}
|
)}
|
||||||
|
{field.isLoginId && (
|
||||||
|
<span className="ml-2 text-[10px] bg-green-500/10 text-green-600 px-1.5 py-0.5 rounded uppercase font-bold">
|
||||||
|
{t("ui.admin.users.create.form.is_login_id", "로그인 ID")}
|
||||||
|
</span>
|
||||||
|
)}
|
||||||
</Label>
|
</Label>
|
||||||
|
|
||||||
<Input
|
<Input
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
@@ -430,9 +430,6 @@ function UserListPage() {
|
|||||||
"NAME / EMAIL",
|
"NAME / EMAIL",
|
||||||
)}
|
)}
|
||||||
</TableHead>
|
</TableHead>
|
||||||
<TableHead>
|
|
||||||
{t("ui.admin.users.list.table.login_id", "LOGIN ID")}
|
|
||||||
</TableHead>
|
|
||||||
<TableHead>
|
<TableHead>
|
||||||
{t("ui.admin.users.list.table.role", "ROLE")}
|
{t("ui.admin.users.list.table.role", "ROLE")}
|
||||||
</TableHead>
|
</TableHead>
|
||||||
@@ -514,11 +511,6 @@ function UserListPage() {
|
|||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</TableCell>
|
</TableCell>
|
||||||
<TableCell>
|
|
||||||
<span className="text-sm font-mono">
|
|
||||||
{user.loginId || "-"}
|
|
||||||
</span>
|
|
||||||
</TableCell>
|
|
||||||
<TableCell>
|
<TableCell>
|
||||||
<Badge variant="outline">
|
<Badge variant="outline">
|
||||||
{t(`ui.admin.role.${user.role}`, user.role)}
|
{t(`ui.admin.role.${user.role}`, user.role)}
|
||||||
|
|||||||
@@ -549,6 +549,20 @@ export async function deleteUser(userId: string) {
|
|||||||
await apiClient.delete(`/v1/admin/users/${userId}`);
|
await apiClient.delete(`/v1/admin/users/${userId}`);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export type UserRpHistoryItem = {
|
||||||
|
client_id: string;
|
||||||
|
client_name: string;
|
||||||
|
lastLoginAt: string;
|
||||||
|
status: string;
|
||||||
|
};
|
||||||
|
|
||||||
|
export async function fetchUserRpHistory(userId: string) {
|
||||||
|
const { data } = await apiClient.get<UserRpHistoryItem[]>(
|
||||||
|
`/v1/admin/users/${userId}/rp-history`,
|
||||||
|
);
|
||||||
|
return data;
|
||||||
|
}
|
||||||
|
|
||||||
export type UserProfileResponse = {
|
export type UserProfileResponse = {
|
||||||
id: string;
|
id: string;
|
||||||
email: string;
|
email: string;
|
||||||
|
|||||||
@@ -294,7 +294,7 @@ func main() {
|
|||||||
tenantHandler := handler.NewTenantHandler(db, tenantService, userRepo, ketoService, ketoOutboxRepo, kratosAdminService)
|
tenantHandler := handler.NewTenantHandler(db, tenantService, userRepo, ketoService, ketoOutboxRepo, kratosAdminService)
|
||||||
userGroupHandler := handler.NewUserGroupHandler(userGroupService)
|
userGroupHandler := handler.NewUserGroupHandler(userGroupService)
|
||||||
relyingPartyHandler := handler.NewRelyingPartyHandler(relyingPartyService, kratosAdminService)
|
relyingPartyHandler := handler.NewRelyingPartyHandler(relyingPartyService, kratosAdminService)
|
||||||
userHandler := handler.NewUserHandler(kratosAdminService, oryAdminProvider, tenantService, ketoService, ketoOutboxRepo, userRepo, userGroupRepo)
|
userHandler := handler.NewUserHandler(kratosAdminService, oryAdminProvider, tenantService, ketoService, ketoOutboxRepo, userRepo, userGroupRepo, auditRepo)
|
||||||
apiKeyHandler := handler.NewApiKeyHandler(db)
|
apiKeyHandler := handler.NewApiKeyHandler(db)
|
||||||
|
|
||||||
orgChartService := service.NewOrgChartService(tenantRepo, userGroupRepo, userRepo, ketoOutboxRepo, kratosAdminService)
|
orgChartService := service.NewOrgChartService(tenantRepo, userGroupRepo, userRepo, ketoOutboxRepo, kratosAdminService)
|
||||||
@@ -669,6 +669,7 @@ func main() {
|
|||||||
admin.Put("/users/bulk", requireAdmin, userHandler.BulkUpdateUsers)
|
admin.Put("/users/bulk", requireAdmin, userHandler.BulkUpdateUsers)
|
||||||
admin.Delete("/users/bulk", requireAdmin, userHandler.BulkDeleteUsers)
|
admin.Delete("/users/bulk", requireAdmin, userHandler.BulkDeleteUsers)
|
||||||
admin.Get("/users/:id", requireAdmin, userHandler.GetUser)
|
admin.Get("/users/:id", requireAdmin, userHandler.GetUser)
|
||||||
|
admin.Get("/users/:id/rp-history", requireAdmin, userHandler.GetUserRpHistory)
|
||||||
admin.Put("/users/:id", requireAdmin, userHandler.UpdateUser)
|
admin.Put("/users/:id", requireAdmin, userHandler.UpdateUser)
|
||||||
admin.Delete("/users/:id", requireAdmin, userHandler.DeleteUser)
|
admin.Delete("/users/:id", requireAdmin, userHandler.DeleteUser)
|
||||||
|
|
||||||
|
|||||||
@@ -34,6 +34,7 @@ func migrateSchemas(db *gorm.DB) error {
|
|||||||
&domain.Tenant{},
|
&domain.Tenant{},
|
||||||
&domain.TenantDomain{},
|
&domain.TenantDomain{},
|
||||||
&domain.User{},
|
&domain.User{},
|
||||||
|
&domain.UserLoginID{},
|
||||||
&domain.UserGroup{},
|
&domain.UserGroup{},
|
||||||
&domain.ApiKey{},
|
&domain.ApiKey{},
|
||||||
&domain.IdentityProviderConfig{},
|
&domain.IdentityProviderConfig{},
|
||||||
|
|||||||
@@ -80,6 +80,7 @@ type UserProfileResponse struct {
|
|||||||
AffiliationType string `json:"affiliationType"`
|
AffiliationType string `json:"affiliationType"`
|
||||||
CompanyCode string `json:"companyCode,omitempty"`
|
CompanyCode string `json:"companyCode,omitempty"`
|
||||||
TenantID *string `json:"tenantId,omitempty"` // 추가
|
TenantID *string `json:"tenantId,omitempty"` // 추가
|
||||||
|
SessionTenantID *string `json:"sessionTenantId,omitempty"` // [New] 로그인에 사용된 식별자 기반 테넌트
|
||||||
RelyingPartyID *string `json:"relyingPartyId,omitempty"` // 추가
|
RelyingPartyID *string `json:"relyingPartyId,omitempty"` // 추가
|
||||||
Metadata map[string]any `json:"metadata,omitempty"`
|
Metadata map[string]any `json:"metadata,omitempty"`
|
||||||
Tenant *Tenant `json:"tenant,omitempty"`
|
Tenant *Tenant `json:"tenant,omitempty"`
|
||||||
|
|||||||
@@ -12,11 +12,12 @@ var ErrNotSupported = errors.New("idp: not supported")
|
|||||||
// BrokerUser is the standard user model used within Baron SSO business logic.
|
// BrokerUser is the standard user model used within Baron SSO business logic.
|
||||||
// It defines the canonical set of fields that must be supported by any underlying IDP.
|
// It defines the canonical set of fields that must be supported by any underlying IDP.
|
||||||
type BrokerUser struct {
|
type BrokerUser struct {
|
||||||
ID string `json:"id" required:"true"`
|
ID string `json:"id" required:"true"`
|
||||||
Email string `json:"email" required:"true"`
|
Email string `json:"email" required:"true"`
|
||||||
LoginID string `json:"login_id"`
|
LoginID string `json:"login_id"`
|
||||||
Name string `json:"name"`
|
CustomLoginIDs []string `json:"custom_login_ids"` // [New] 다중 로그인 ID
|
||||||
PhoneNumber string `json:"phone_number"`
|
Name string `json:"name"`
|
||||||
|
PhoneNumber string `json:"phone_number"`
|
||||||
// Attributes stores custom user attributes.
|
// Attributes stores custom user attributes.
|
||||||
// The "required_keys" tag specifies which keys MUST be present in the IDP's schema support.
|
// The "required_keys" tag specifies which keys MUST be present in the IDP's schema support.
|
||||||
Attributes map[string]interface{} `json:"attributes" required_keys:"grade,department"`
|
Attributes map[string]interface{} `json:"attributes" required_keys:"grade,department"`
|
||||||
|
|||||||
@@ -35,14 +35,13 @@ func NormalizeRole(role string) string {
|
|||||||
type User struct {
|
type User struct {
|
||||||
ID string `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
|
ID string `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
|
||||||
Email string `gorm:"uniqueIndex;not null" json:"email"`
|
Email string `gorm:"uniqueIndex;not null" json:"email"`
|
||||||
LoginID string `gorm:"column:login_id;uniqueIndex:idx_tenant_login_id" json:"loginId"`
|
|
||||||
PasswordHash *string `gorm:"column:password_hash" json:"-"`
|
PasswordHash *string `gorm:"column:password_hash" json:"-"`
|
||||||
Name string `gorm:"column:name;not null" json:"name"`
|
Name string `gorm:"column:name;not null" json:"name"`
|
||||||
Phone string `gorm:"column:phone" json:"phone"`
|
Phone string `gorm:"column:phone" json:"phone"`
|
||||||
Role string `gorm:"column:role;default:'user';not null" json:"role"` // super_admin, tenant_admin, rp_admin, user
|
Role string `gorm:"column:role;default:'user';not null" json:"role"` // super_admin, tenant_admin, rp_admin, user
|
||||||
AffiliationType string `gorm:"column:affiliation_type" json:"affiliationType"`
|
AffiliationType string `gorm:"column:affiliation_type" json:"affiliationType"`
|
||||||
CompanyCode string `gorm:"column:company_code;index" json:"companyCode"`
|
CompanyCode string `gorm:"column:company_code;index" json:"companyCode"`
|
||||||
TenantID *string `gorm:"column:tenant_id;type:uuid;index;uniqueIndex:idx_tenant_login_id" json:"tenantId,omitempty"`
|
TenantID *string `gorm:"column:tenant_id;type:uuid;index" json:"tenantId,omitempty"`
|
||||||
Tenant *Tenant `gorm:"foreignKey:TenantID" json:"tenant,omitempty"`
|
Tenant *Tenant `gorm:"foreignKey:TenantID" json:"tenant,omitempty"`
|
||||||
RelyingPartyID *string `gorm:"column:relying_party_id;type:uuid;index" json:"relyingPartyId,omitempty"` // RP Admin용
|
RelyingPartyID *string `gorm:"column:relying_party_id;type:uuid;index" json:"relyingPartyId,omitempty"` // RP Admin용
|
||||||
Department string `gorm:"column:department" json:"department"`
|
Department string `gorm:"column:department" json:"department"`
|
||||||
@@ -53,6 +52,18 @@ type User struct {
|
|||||||
CreatedAt time.Time `gorm:"column:created_at" json:"createdAt"`
|
CreatedAt time.Time `gorm:"column:created_at" json:"createdAt"`
|
||||||
UpdatedAt time.Time `gorm:"column:updated_at" json:"updatedAt"`
|
UpdatedAt time.Time `gorm:"column:updated_at" json:"updatedAt"`
|
||||||
DeletedAt gorm.DeletedAt `gorm:"column:deleted_at;index" json:"-"`
|
DeletedAt gorm.DeletedAt `gorm:"column:deleted_at;index" json:"-"`
|
||||||
|
|
||||||
|
// Multiple identifiers support
|
||||||
|
UserLoginIDs []UserLoginID `gorm:"foreignKey:UserID" json:"userLoginIds,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// UserLoginID represents multiple custom identifiers for a user
|
||||||
|
type UserLoginID struct {
|
||||||
|
ID string `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
|
||||||
|
UserID string `gorm:"type:uuid;not null;index" json:"userId"`
|
||||||
|
TenantID string `gorm:"type:uuid;not null;index" json:"tenantId"` // 발급 테넌트
|
||||||
|
FieldKey string `gorm:"not null" json:"fieldKey"` // 스키마 필드 키 (예: emp_id)
|
||||||
|
LoginID string `gorm:"uniqueIndex;not null" json:"loginId"` // 실제 값 (예: EMP001)
|
||||||
}
|
}
|
||||||
|
|
||||||
// BeforeCreate hook to generate UUID if not present
|
// BeforeCreate hook to generate UUID if not present
|
||||||
|
|||||||
@@ -287,6 +287,16 @@ func (h *AuthHandler) CheckLoginID(c *fiber.Ctx) error {
|
|||||||
return errorJSON(c, fiber.StatusServiceUnavailable, "Identity provider unavailable")
|
return errorJSON(c, fiber.StatusServiceUnavailable, "Identity provider unavailable")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !exists && h.UserRepo != nil {
|
||||||
|
// [New] Check local DB for custom login IDs (Plan A)
|
||||||
|
taken, err := h.UserRepo.IsLoginIDTaken(c.Context(), req.LoginID)
|
||||||
|
if err != nil {
|
||||||
|
slog.Error("Failed to check login ID in local DB", "error", err)
|
||||||
|
} else if taken {
|
||||||
|
exists = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if exists {
|
if exists {
|
||||||
return c.JSON(fiber.Map{"available": false, "message": "ID already registered"})
|
return c.JSON(fiber.Map{"available": false, "message": "ID already registered"})
|
||||||
}
|
}
|
||||||
@@ -596,27 +606,20 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
|
|||||||
"grade": "member",
|
"grade": "member",
|
||||||
}
|
}
|
||||||
|
|
||||||
if req.LoginID != "" {
|
// Sync all custom login IDs based on tenant schemas
|
||||||
attributes["id"] = req.LoginID
|
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, req.Metadata, "")
|
||||||
}
|
|
||||||
|
|
||||||
// Sync custom field to LoginID if configured
|
// Validate all collected LoginIDs
|
||||||
if tenantID != nil && h.TenantService != nil {
|
if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
|
||||||
if tenant, err := h.TenantService.GetTenant(c.Context(), *tenantID); err == nil && tenant != nil {
|
for _, lid := range collectedIDs {
|
||||||
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
|
if err := domain.ValidateLoginID(lid, req.Email, normalizedPhone); err != nil {
|
||||||
syncLoginID(attributes, req.Metadata, *tenantID, loginIdField)
|
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
finalLoginID := extractTraitString(attributes, "id")
|
|
||||||
if err := domain.ValidateLoginID(finalLoginID, req.Email, normalizedPhone); err != nil {
|
|
||||||
return errorJSON(c, fiber.StatusBadRequest, err.Error())
|
|
||||||
}
|
|
||||||
|
|
||||||
brokerUser := &domain.BrokerUser{
|
brokerUser := &domain.BrokerUser{
|
||||||
Email: req.Email,
|
Email: req.Email,
|
||||||
LoginID: finalLoginID,
|
|
||||||
Name: req.Name,
|
Name: req.Name,
|
||||||
PhoneNumber: normalizedPhone,
|
PhoneNumber: normalizedPhone,
|
||||||
Attributes: attributes,
|
Attributes: attributes,
|
||||||
@@ -629,7 +632,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
|
|||||||
}
|
}
|
||||||
slog.Error("[Signup] Failed to create user via IDP", "provider", h.IdpProvider.Name(), "error", err)
|
slog.Error("[Signup] Failed to create user via IDP", "provider", h.IdpProvider.Name(), "error", err)
|
||||||
if strings.Contains(err.Error(), "already exists") {
|
if strings.Contains(err.Error(), "already exists") {
|
||||||
return errorJSON(c, fiber.StatusConflict, "User already exists")
|
return errorJSON(c, fiber.StatusConflict, "User or login identifier already exists")
|
||||||
}
|
}
|
||||||
// Include the actual error message in the response for debugging
|
// Include the actual error message in the response for debugging
|
||||||
return errorJSON(c, fiber.StatusInternalServerError, fmt.Sprintf("Failed to create user: %v", err))
|
return errorJSON(c, fiber.StatusInternalServerError, fmt.Sprintf("Failed to create user: %v", err))
|
||||||
@@ -644,29 +647,47 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
|
|||||||
// [SoT Policy] Kratos가 SoT이므로 로컬 DB 저장은 비동기 Read-Model 동기화로 처리합니다.
|
// [SoT Policy] Kratos가 SoT이므로 로컬 DB 저장은 비동기 Read-Model 동기화로 처리합니다.
|
||||||
// 로컬 DB 저장이 실패하더라도 회원가입 프로세스는 성공으로 간주합니다.
|
// 로컬 DB 저장이 실패하더라도 회원가입 프로세스는 성공으로 간주합니다.
|
||||||
localUser := &domain.User{
|
localUser := &domain.User{
|
||||||
ID: providerID, // Match IDP Subject
|
ID: providerID,
|
||||||
Email: req.Email,
|
Email: req.Email,
|
||||||
Name: req.Name,
|
Name: req.Name,
|
||||||
Phone: normalizedPhone,
|
Phone: normalizedPhone,
|
||||||
|
Role: "user",
|
||||||
AffiliationType: req.AffiliationType,
|
AffiliationType: req.AffiliationType,
|
||||||
CompanyCode: companyCode,
|
CompanyCode: companyCode,
|
||||||
TenantID: tenantID,
|
|
||||||
Department: req.Department,
|
Department: req.Department,
|
||||||
Role: "user",
|
|
||||||
Status: "active",
|
Status: "active",
|
||||||
Metadata: req.Metadata,
|
CreatedAt: time.Now(),
|
||||||
|
UpdatedAt: time.Now(),
|
||||||
|
}
|
||||||
|
|
||||||
|
if tenantID != nil {
|
||||||
|
localUser.TenantID = tenantID
|
||||||
|
}
|
||||||
|
|
||||||
|
// Merge metadata
|
||||||
|
localUser.Metadata = make(domain.JSONMap)
|
||||||
|
for k, v := range req.Metadata {
|
||||||
|
localUser.Metadata[k] = v
|
||||||
}
|
}
|
||||||
|
|
||||||
if h.UserRepo != nil {
|
if h.UserRepo != nil {
|
||||||
go func(u *domain.User) {
|
go func(u *domain.User, ids []domain.UserLoginID) {
|
||||||
// 요청 Context가 취소될 수 있으므로 Background Context 사용
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
if err := h.UserRepo.Create(ctx, u); err != nil {
|
if err := h.UserRepo.Update(ctx, u); err != nil {
|
||||||
slog.Error("[Signup] Failed to sync user to Read-Model (Local DB)", "email", u.Email, "error", err)
|
slog.Error("[Signup] Failed to sync user to Read-Model (Local DB)", "email", u.Email, "error", err)
|
||||||
} else {
|
} else {
|
||||||
slog.Debug("[Signup] Synced user to Read-Model", "email", u.Email)
|
slog.Debug("[Signup] Synced user to Read-Model", "email", u.Email)
|
||||||
|
|
||||||
|
// Update User Login IDs
|
||||||
|
for i := range ids {
|
||||||
|
ids[i].UserID = u.ID
|
||||||
|
}
|
||||||
|
if err := h.UserRepo.UpdateUserLoginIDs(ctx, u.ID, ids); err != nil {
|
||||||
|
slog.Error("[Signup] Failed to update user login IDs", "userID", u.ID, "error", err)
|
||||||
|
}
|
||||||
|
|
||||||
// [Keto] Sync user-tenant relationship via Outbox
|
// [Keto] Sync user-tenant relationship via Outbox
|
||||||
if h.KetoOutboxRepo != nil && u.TenantID != nil {
|
if h.KetoOutboxRepo != nil && u.TenantID != nil {
|
||||||
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
|
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
|
||||||
@@ -678,7 +699,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}(localUser)
|
}(localUser, loginIDRecords)
|
||||||
}
|
}
|
||||||
|
|
||||||
return c.JSON(fiber.Map{
|
return c.JSON(fiber.Map{
|
||||||
@@ -3182,7 +3203,7 @@ func (h *AuthHandler) ScanQRLogin(c *fiber.Ctx) error {
|
|||||||
if cookie == "" {
|
if cookie == "" {
|
||||||
return errorJSON(c, fiber.StatusUnauthorized, "Missing session token")
|
return errorJSON(c, fiber.StatusUnauthorized, "Missing session token")
|
||||||
}
|
}
|
||||||
_, traits, err := h.getKratosIdentityWithCookie(cookie)
|
_, traits, _, err := h.getKratosIdentityWithCookie(cookie)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
slog.Warn("[QR] Cookie session invalid", "error", err)
|
slog.Warn("[QR] Cookie session invalid", "error", err)
|
||||||
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
|
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
|
||||||
@@ -4252,7 +4273,7 @@ func (h *AuthHandler) GetAuthTimeline(c *fiber.Ctx) error {
|
|||||||
if strings.Contains(path, "/api/v1/auth/oidc/login/accept") {
|
if strings.Contains(path, "/api/v1/auth/oidc/login/accept") {
|
||||||
appName = "OIDC 로그인"
|
appName = "OIDC 로그인"
|
||||||
// 우선 audit details의 client 정보를 사용하고, 없으면 Hydra 조회로 보강
|
// 우선 audit details의 client 정보를 사용하고, 없으면 Hydra 조회로 보강
|
||||||
if details, err := parseAuditDetails(log.Details); err == nil && details != nil {
|
if details, err := utils.ParseAuditDetails(log.Details); err == nil && details != nil {
|
||||||
if name, ok := details["client_name"].(string); ok && strings.TrimSpace(name) != "" {
|
if name, ok := details["client_name"].(string); ok && strings.TrimSpace(name) != "" {
|
||||||
appName = strings.TrimSpace(name)
|
appName = strings.TrimSpace(name)
|
||||||
}
|
}
|
||||||
@@ -5089,6 +5110,15 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
|
|||||||
profile.Role = domain.RoleUser
|
profile.Role = domain.RoleUser
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// [New] Backtracking Logic for Session Tenant (Plan A)
|
||||||
|
if usedID, ok := profile.Metadata["_used_identifier"].(string); ok && usedID != "" && h.UserRepo != nil {
|
||||||
|
if tid, err := h.UserRepo.FindTenantIDByLoginID(c.Context(), usedID); err == nil && tid != "" {
|
||||||
|
profile.SessionTenantID = &tid
|
||||||
|
slog.Debug("Auto-assigned session tenant via backtracking", "loginID", usedID, "tenantID", tid)
|
||||||
|
}
|
||||||
|
delete(profile.Metadata, "_used_identifier") // Cleanup
|
||||||
|
}
|
||||||
|
|
||||||
// Fetch Tenant Metadata if missing
|
// Fetch Tenant Metadata if missing
|
||||||
if profile.Tenant == nil && profile.TenantID != nil && *profile.TenantID != "" {
|
if profile.Tenant == nil && profile.TenantID != nil && *profile.TenantID != "" {
|
||||||
if tenant, err := h.TenantService.GetTenant(c.Context(), *profile.TenantID); err == nil {
|
if tenant, err := h.TenantService.GetTenant(c.Context(), *profile.TenantID); err == nil {
|
||||||
@@ -5140,7 +5170,7 @@ func (h *AuthHandler) resolveConsentSubject(c *fiber.Ctx) (string, error) {
|
|||||||
return identityID, nil
|
return identityID, nil
|
||||||
}
|
}
|
||||||
if cookie := c.Get("Cookie"); cookie != "" {
|
if cookie := c.Get("Cookie"); cookie != "" {
|
||||||
cookieID, _, cookieErr := h.getKratosIdentityWithCookie(cookie)
|
cookieID, _, _, cookieErr := h.getKratosIdentityWithCookie(cookie)
|
||||||
if cookieErr == nil && cookieID != "" {
|
if cookieErr == nil && cookieID != "" {
|
||||||
return cookieID, nil
|
return cookieID, nil
|
||||||
}
|
}
|
||||||
@@ -5151,14 +5181,14 @@ func (h *AuthHandler) resolveConsentSubject(c *fiber.Ctx) (string, error) {
|
|||||||
if cookie == "" {
|
if cookie == "" {
|
||||||
return "", fmt.Errorf("missing authorization token")
|
return "", fmt.Errorf("missing authorization token")
|
||||||
}
|
}
|
||||||
identityID, _, err := h.getKratosIdentityWithCookie(cookie)
|
identityID, _, _, err := h.getKratosIdentityWithCookie(cookie)
|
||||||
return identityID, err
|
return identityID, err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *AuthHandler) resolveConsentSubjects(c *fiber.Ctx) ([]string, error) {
|
func (h *AuthHandler) resolveConsentSubjects(c *fiber.Ctx) ([]string, error) {
|
||||||
token := h.getBearerToken(c)
|
token := h.getBearerToken(c)
|
||||||
if token != "" {
|
if token != "" {
|
||||||
identityID, traits, err := h.getKratosIdentity(token)
|
identityID, traits, _, err := h.getKratosIdentity(token)
|
||||||
if err == nil && identityID != "" {
|
if err == nil && identityID != "" {
|
||||||
subjects := []string{identityID}
|
subjects := []string{identityID}
|
||||||
subjects = appendLoginIDsFromTraits(subjects, traits)
|
subjects = appendLoginIDsFromTraits(subjects, traits)
|
||||||
@@ -5170,7 +5200,7 @@ func (h *AuthHandler) resolveConsentSubjects(c *fiber.Ctx) ([]string, error) {
|
|||||||
if cookie == "" {
|
if cookie == "" {
|
||||||
return nil, fmt.Errorf("missing authorization token")
|
return nil, fmt.Errorf("missing authorization token")
|
||||||
}
|
}
|
||||||
identityID, traits, err := h.getKratosIdentityWithCookie(cookie)
|
identityID, traits, _, err := h.getKratosIdentityWithCookie(cookie)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@@ -5250,7 +5280,7 @@ func isAuthEventType(eventType string) bool {
|
|||||||
|
|
||||||
func extractAuditPath(log domain.AuditLog) string {
|
func extractAuditPath(log domain.AuditLog) string {
|
||||||
if log.Details != "" {
|
if log.Details != "" {
|
||||||
if payload, err := parseAuditDetails(log.Details); err == nil {
|
if payload, err := utils.ParseAuditDetails(log.Details); err == nil {
|
||||||
if path, ok := payload["path"].(string); ok && path != "" {
|
if path, ok := payload["path"].(string); ok && path != "" {
|
||||||
return path
|
return path
|
||||||
}
|
}
|
||||||
@@ -5263,17 +5293,6 @@ func extractAuditPath(log domain.AuditLog) string {
|
|||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseAuditDetails(details string) (map[string]any, error) {
|
|
||||||
var payload map[string]any
|
|
||||||
if details == "" {
|
|
||||||
return nil, fmt.Errorf("empty details")
|
|
||||||
}
|
|
||||||
if err := json.Unmarshal([]byte(details), &payload); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return payload, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func extractRequestBody(details map[string]any) map[string]any {
|
func extractRequestBody(details map[string]any) map[string]any {
|
||||||
if details == nil {
|
if details == nil {
|
||||||
return nil
|
return nil
|
||||||
@@ -5290,7 +5309,7 @@ func extractRequestBody(details map[string]any) map[string]any {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func shouldSkipAuthTimeline(log domain.AuditLog) bool {
|
func shouldSkipAuthTimeline(log domain.AuditLog) bool {
|
||||||
details, _ := parseAuditDetails(log.Details)
|
details, _ := utils.ParseAuditDetails(log.Details)
|
||||||
path := strings.ToLower(extractAuditPath(log))
|
path := strings.ToLower(extractAuditPath(log))
|
||||||
if path != "" && strings.Contains(path, "/api/v1/auth/enchanted-link/init") {
|
if path != "" && strings.Contains(path, "/api/v1/auth/enchanted-link/init") {
|
||||||
return true
|
return true
|
||||||
@@ -5384,7 +5403,7 @@ func deriveAuthMethod(log domain.AuditLog) string {
|
|||||||
|
|
||||||
loginID := extractLoginIDFromAuditDetails(log.Details)
|
loginID := extractLoginIDFromAuditDetails(log.Details)
|
||||||
kind := loginIDKind(loginID)
|
kind := loginIDKind(loginID)
|
||||||
details, _ := parseAuditDetails(log.Details)
|
details, _ := utils.ParseAuditDetails(log.Details)
|
||||||
requestBody := extractRequestBody(details)
|
requestBody := extractRequestBody(details)
|
||||||
if details != nil {
|
if details != nil {
|
||||||
if raw, ok := details["auth_timeline_skip"]; ok {
|
if raw, ok := details["auth_timeline_skip"]; ok {
|
||||||
@@ -5603,7 +5622,7 @@ func extractLoginChallengeFromAuditDetails(details string) string {
|
|||||||
if details == "" {
|
if details == "" {
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
payload, err := parseAuditDetails(details)
|
payload, err := utils.ParseAuditDetails(details)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
@@ -5750,12 +5769,12 @@ func extractApprovedSessionIDFromAuditDetails(details string) string {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (h *AuthHandler) resolveIdentityID(c *fiber.Ctx, token string) (string, error) {
|
func (h *AuthHandler) resolveIdentityID(c *fiber.Ctx, token string) (string, error) {
|
||||||
id, _, err := h.getKratosIdentity(token)
|
id, _, _, err := h.getKratosIdentity(token)
|
||||||
return id, err
|
return id, err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *AuthHandler) resolveKratosLoginID(token string) (string, error) {
|
func (h *AuthHandler) resolveKratosLoginID(token string) (string, error) {
|
||||||
_, traits, err := h.getKratosIdentity(token)
|
_, traits, _, err := h.getKratosIdentity(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
@@ -5943,44 +5962,56 @@ func extractLoginIDFromClaims(claims map[string]any) string {
|
|||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *AuthHandler) getKratosIdentity(sessionToken string) (string, map[string]interface{}, error) {
|
func (h *AuthHandler) getKratosIdentity(sessionToken string) (string, map[string]interface{}, string, error) {
|
||||||
identityID, traits, _, err := h.getKratosIdentityWithSession(sessionToken)
|
identityID, traits, _, usedID, err := h.getKratosIdentityWithSession(sessionToken)
|
||||||
return identityID, traits, err
|
return identityID, traits, usedID, err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *AuthHandler) getKratosIdentityWithSession(sessionToken string) (string, map[string]interface{}, string, error) {
|
func (h *AuthHandler) getKratosIdentityWithSession(sessionToken string) (string, map[string]interface{}, string, string, error) {
|
||||||
kratosURL := strings.TrimRight(os.Getenv("KRATOS_PUBLIC_URL"), "/")
|
kratosURL := strings.TrimRight(os.Getenv("KRATOS_PUBLIC_URL"), "/")
|
||||||
if kratosURL == "" {
|
if kratosURL == "" {
|
||||||
kratosURL = "http://kratos:4433"
|
kratosURL = "http://kratos:4433"
|
||||||
}
|
}
|
||||||
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
|
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", nil, "", err
|
return "", nil, "", "", err
|
||||||
}
|
}
|
||||||
req.Header.Set("X-Session-Token", sessionToken)
|
req.Header.Set("X-Session-Token", sessionToken)
|
||||||
|
|
||||||
resp, err := http.DefaultClient.Do(req)
|
resp, err := http.DefaultClient.Do(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", nil, "", err
|
return "", nil, "", "", err
|
||||||
}
|
}
|
||||||
defer resp.Body.Close()
|
defer resp.Body.Close()
|
||||||
if resp.StatusCode >= 300 {
|
if resp.StatusCode >= 300 {
|
||||||
body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
|
body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
|
||||||
return "", nil, "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
|
return "", nil, "", "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
|
||||||
}
|
}
|
||||||
|
|
||||||
var result struct {
|
var result struct {
|
||||||
AuthenticatedAt string `json:"authenticated_at"`
|
AuthenticatedAt string `json:"authenticated_at"`
|
||||||
Identity struct {
|
AuthenticationMethods []struct {
|
||||||
|
Method string `json:"method"`
|
||||||
|
Identifier string `json:"identifier"`
|
||||||
|
} `json:"authentication_methods"`
|
||||||
|
Identity struct {
|
||||||
ID string `json:"id"`
|
ID string `json:"id"`
|
||||||
Traits map[string]interface{} `json:"traits"`
|
Traits map[string]interface{} `json:"traits"`
|
||||||
} `json:"identity"`
|
} `json:"identity"`
|
||||||
}
|
}
|
||||||
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
|
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
|
||||||
return "", nil, "", err
|
return "", nil, "", "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, nil
|
usedIdentifier := ""
|
||||||
|
for _, m := range result.AuthenticationMethods {
|
||||||
|
if m.Identifier != "" {
|
||||||
|
usedIdentifier = m.Identifier
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, usedIdentifier, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *AuthHandler) getKratosSessionID(sessionToken string) (string, error) {
|
func (h *AuthHandler) getKratosSessionID(sessionToken string) (string, error) {
|
||||||
@@ -6056,44 +6087,56 @@ func (h *AuthHandler) issueKratosSession(ctx context.Context, identityID string)
|
|||||||
return parsed.SessionToken, nil
|
return parsed.SessionToken, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *AuthHandler) getKratosIdentityWithCookie(cookie string) (string, map[string]interface{}, error) {
|
func (h *AuthHandler) getKratosIdentityWithCookie(cookie string) (string, map[string]interface{}, string, error) {
|
||||||
identityID, traits, _, err := h.getKratosIdentityWithCookieAndSession(cookie)
|
identityID, traits, _, usedID, err := h.getKratosIdentityWithCookieAndSession(cookie)
|
||||||
return identityID, traits, err
|
return identityID, traits, usedID, err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *AuthHandler) getKratosIdentityWithCookieAndSession(cookie string) (string, map[string]interface{}, string, error) {
|
func (h *AuthHandler) getKratosIdentityWithCookieAndSession(cookie string) (string, map[string]interface{}, string, string, error) {
|
||||||
kratosURL := strings.TrimRight(os.Getenv("KRATOS_PUBLIC_URL"), "/")
|
kratosURL := strings.TrimRight(os.Getenv("KRATOS_PUBLIC_URL"), "/")
|
||||||
if kratosURL == "" {
|
if kratosURL == "" {
|
||||||
kratosURL = "http://kratos:4433"
|
kratosURL = "http://kratos:4433"
|
||||||
}
|
}
|
||||||
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
|
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", nil, "", err
|
return "", nil, "", "", err
|
||||||
}
|
}
|
||||||
req.Header.Set("Cookie", cookie)
|
req.Header.Set("Cookie", cookie)
|
||||||
|
|
||||||
resp, err := http.DefaultClient.Do(req)
|
resp, err := http.DefaultClient.Do(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", nil, "", err
|
return "", nil, "", "", err
|
||||||
}
|
}
|
||||||
defer resp.Body.Close()
|
defer resp.Body.Close()
|
||||||
if resp.StatusCode >= 300 {
|
if resp.StatusCode >= 300 {
|
||||||
body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
|
body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
|
||||||
return "", nil, "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
|
return "", nil, "", "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
|
||||||
}
|
}
|
||||||
|
|
||||||
var result struct {
|
var result struct {
|
||||||
AuthenticatedAt string `json:"authenticated_at"`
|
AuthenticatedAt string `json:"authenticated_at"`
|
||||||
Identity struct {
|
AuthenticationMethods []struct {
|
||||||
|
Method string `json:"method"`
|
||||||
|
Identifier string `json:"identifier"`
|
||||||
|
} `json:"authentication_methods"`
|
||||||
|
Identity struct {
|
||||||
ID string `json:"id"`
|
ID string `json:"id"`
|
||||||
Traits map[string]interface{} `json:"traits"`
|
Traits map[string]interface{} `json:"traits"`
|
||||||
} `json:"identity"`
|
} `json:"identity"`
|
||||||
}
|
}
|
||||||
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
|
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
|
||||||
return "", nil, "", err
|
return "", nil, "", "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, nil
|
usedIdentifier := ""
|
||||||
|
for _, m := range result.AuthenticationMethods {
|
||||||
|
if m.Identifier != "" {
|
||||||
|
usedIdentifier = m.Identifier
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, usedIdentifier, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *AuthHandler) getKratosSessionIDWithCookie(cookie string) (string, error) {
|
func (h *AuthHandler) getKratosSessionIDWithCookie(cookie string) (string, error) {
|
||||||
@@ -6228,33 +6271,41 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
|
|||||||
return profile
|
return profile
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *AuthHandler) applySessionAuthenticatedAtFromWhoami(profile *domain.UserProfileResponse, authenticatedAt string) *domain.UserProfileResponse {
|
func (h *AuthHandler) applySessionInfoFromWhoami(profile *domain.UserProfileResponse, authenticatedAt, usedIdentifier string) *domain.UserProfileResponse {
|
||||||
if profile == nil {
|
if profile == nil {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
profile.SessionAuthenticatedAt = strings.TrimSpace(authenticatedAt)
|
profile.SessionAuthenticatedAt = strings.TrimSpace(authenticatedAt)
|
||||||
|
if usedIdentifier != "" {
|
||||||
|
if profile.Metadata == nil {
|
||||||
|
profile.Metadata = make(map[string]any)
|
||||||
|
}
|
||||||
|
profile.Metadata["_used_identifier"] = usedIdentifier
|
||||||
|
}
|
||||||
return profile
|
return profile
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *AuthHandler) getKratosProfile(sessionToken string) (*domain.UserProfileResponse, error) {
|
func (h *AuthHandler) getKratosProfile(sessionToken string) (*domain.UserProfileResponse, error) {
|
||||||
identityID, traits, authenticatedAt, err := h.getKratosIdentityWithSession(sessionToken)
|
identityID, traits, authenticatedAt, usedIdentifier, err := h.getKratosIdentityWithSession(sessionToken)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return h.applySessionAuthenticatedAtFromWhoami(
|
return h.applySessionInfoFromWhoami(
|
||||||
h.mapKratosIdentityToProfile(identityID, traits),
|
h.mapKratosIdentityToProfile(identityID, traits),
|
||||||
authenticatedAt,
|
authenticatedAt,
|
||||||
|
usedIdentifier,
|
||||||
), nil
|
), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *AuthHandler) getKratosProfileWithCookie(cookie string) (*domain.UserProfileResponse, error) {
|
func (h *AuthHandler) getKratosProfileWithCookie(cookie string) (*domain.UserProfileResponse, error) {
|
||||||
identityID, traits, authenticatedAt, err := h.getKratosIdentityWithCookieAndSession(cookie)
|
identityID, traits, authenticatedAt, usedIdentifier, err := h.getKratosIdentityWithCookieAndSession(cookie)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return h.applySessionAuthenticatedAtFromWhoami(
|
return h.applySessionInfoFromWhoami(
|
||||||
h.mapKratosIdentityToProfile(identityID, traits),
|
h.mapKratosIdentityToProfile(identityID, traits),
|
||||||
authenticatedAt,
|
authenticatedAt,
|
||||||
|
usedIdentifier,
|
||||||
), nil
|
), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -6272,13 +6323,13 @@ func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
|
|||||||
err error
|
err error
|
||||||
)
|
)
|
||||||
if token != "" {
|
if token != "" {
|
||||||
identityID, traits, err = h.getKratosIdentity(token)
|
identityID, traits, _, err = h.getKratosIdentity(token)
|
||||||
} else {
|
} else {
|
||||||
cookie := c.Get("Cookie")
|
cookie := c.Get("Cookie")
|
||||||
if cookie == "" {
|
if cookie == "" {
|
||||||
return errorJSON(c, fiber.StatusUnauthorized, "Missing authorization token")
|
return errorJSON(c, fiber.StatusUnauthorized, "Missing authorization token")
|
||||||
}
|
}
|
||||||
identityID, traits, err = h.getKratosIdentityWithCookie(cookie)
|
identityID, traits, _, err = h.getKratosIdentityWithCookie(cookie)
|
||||||
}
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
|
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
|
||||||
@@ -6331,27 +6382,35 @@ func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
|
|||||||
|
|
||||||
// [LoginID Sync based on Tenant Settings]
|
// [LoginID Sync based on Tenant Settings]
|
||||||
// Perform sync AFTER metadata merge to ensure traits contains current values
|
// Perform sync AFTER metadata merge to ensure traits contains current values
|
||||||
syncCompCode := extractTraitString(traits, "companyCode")
|
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, traits, req.Metadata, identityID)
|
||||||
if syncCompCode != "" && h.TenantService != nil {
|
|
||||||
if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), syncCompCode); err == nil && tenant != nil {
|
// Validate all collected LoginIDs
|
||||||
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
|
userEmail := extractTraitString(traits, "email")
|
||||||
syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
|
userPhone := extractTraitString(traits, "phone_number")
|
||||||
|
if collectedIDs, ok := traits["custom_login_ids"].([]string); ok {
|
||||||
|
for _, lid := range collectedIDs {
|
||||||
|
if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
|
||||||
|
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
finalLoginID := extractTraitString(traits, "id")
|
|
||||||
userEmail := extractTraitString(traits, "email")
|
|
||||||
userPhone := extractTraitString(traits, "phone")
|
|
||||||
if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
|
|
||||||
return errorJSON(c, fiber.StatusBadRequest, err.Error())
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := h.updateKratosIdentity(identityID, traits); err != nil {
|
if err := h.updateKratosIdentity(identityID, traits); err != nil {
|
||||||
slog.Error("Failed to update profile in Kratos", "error", err)
|
slog.Error("Failed to update profile in Kratos", "error", err)
|
||||||
return errorJSON(c, fiber.StatusInternalServerError, "프로필 업데이트에 실패했습니다.")
|
return errorJSON(c, fiber.StatusInternalServerError, "프로필 업데이트에 실패했습니다.")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// [New] Local DB Sync - Sync synchronously to ensure immediate consistency
|
||||||
|
if h.UserRepo != nil {
|
||||||
|
ctx := context.Background()
|
||||||
|
// Also update local User record (read-model)
|
||||||
|
// We can fetch updated identity or just map current traits
|
||||||
|
// Since mapKratosIdentityToProfile is for UI, let's just use UpdateUserLoginIDs first
|
||||||
|
if err := h.UserRepo.UpdateUserLoginIDs(ctx, identityID, loginIDRecords); err != nil {
|
||||||
|
slog.Error("[UpdateMe] Failed to update user login IDs", "userID", identityID, "error", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Invalidate token-based profile cache so refreshed /user/me returns latest traits.
|
// Invalidate token-based profile cache so refreshed /user/me returns latest traits.
|
||||||
if h.RedisService != nil && token != "" {
|
if h.RedisService != nil && token != "" {
|
||||||
cacheKey := "cache:profile:token:" + token
|
cacheKey := "cache:profile:token:" + token
|
||||||
@@ -6396,7 +6455,7 @@ func (h *AuthHandler) ChangeMyPassword(c *fiber.Ctx) error {
|
|||||||
if cookie == "" {
|
if cookie == "" {
|
||||||
return errorJSON(c, fiber.StatusUnauthorized, "Missing authorization token")
|
return errorJSON(c, fiber.StatusUnauthorized, "Missing authorization token")
|
||||||
}
|
}
|
||||||
_, traits, err := h.getKratosIdentityWithCookie(cookie)
|
_, traits, _, err := h.getKratosIdentityWithCookie(cookie)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
|
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
|
||||||
}
|
}
|
||||||
@@ -6434,7 +6493,7 @@ func (h *AuthHandler) SendUpdateCode(c *fiber.Ctx) error {
|
|||||||
if cookie == "" {
|
if cookie == "" {
|
||||||
return errorJSON(c, fiber.StatusUnauthorized, "Unauthorized")
|
return errorJSON(c, fiber.StatusUnauthorized, "Unauthorized")
|
||||||
}
|
}
|
||||||
userID, _, err = h.getKratosIdentityWithCookie(cookie)
|
userID, _, _, err = h.getKratosIdentityWithCookie(cookie)
|
||||||
}
|
}
|
||||||
if err != nil || userID == "" {
|
if err != nil || userID == "" {
|
||||||
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
|
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
|
||||||
@@ -6475,7 +6534,7 @@ func (h *AuthHandler) VerifyUpdateCode(c *fiber.Ctx) error {
|
|||||||
if cookie == "" {
|
if cookie == "" {
|
||||||
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
|
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
|
||||||
}
|
}
|
||||||
userID, _, err = h.getKratosIdentityWithCookie(cookie)
|
userID, _, _, err = h.getKratosIdentityWithCookie(cookie)
|
||||||
}
|
}
|
||||||
if err != nil || userID == "" {
|
if err != nil || userID == "" {
|
||||||
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
|
return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
|
||||||
@@ -6625,7 +6684,7 @@ func (h *AuthHandler) ListRpHistory(c *fiber.Ctx) error {
|
|||||||
// Logs are DESC (newest first). Iterate in reverse (oldest first) to build state.
|
// Logs are DESC (newest first). Iterate in reverse (oldest first) to build state.
|
||||||
for i := len(logs) - 1; i >= 0; i-- {
|
for i := len(logs) - 1; i >= 0; i-- {
|
||||||
log := logs[i]
|
log := logs[i]
|
||||||
details, _ := parseAuditDetails(log.Details)
|
details, _ := utils.ParseAuditDetails(log.Details)
|
||||||
clientID, _ := details["client_id"].(string)
|
clientID, _ := details["client_id"].(string)
|
||||||
if clientID == "" {
|
if clientID == "" {
|
||||||
continue
|
continue
|
||||||
|
|||||||
@@ -80,7 +80,13 @@ func (m *AsyncMockUserRepo) Create(ctx context.Context, user *domain.User) error
|
|||||||
}
|
}
|
||||||
return args.Error(0)
|
return args.Error(0)
|
||||||
}
|
}
|
||||||
func (m *AsyncMockUserRepo) Update(ctx context.Context, user *domain.User) error { return nil }
|
func (m *AsyncMockUserRepo) Update(ctx context.Context, user *domain.User) error {
|
||||||
|
args := m.Called(ctx, user)
|
||||||
|
if m.createCalled != nil {
|
||||||
|
m.createCalled <- true
|
||||||
|
}
|
||||||
|
return args.Error(0)
|
||||||
|
}
|
||||||
func (m *AsyncMockUserRepo) Delete(ctx context.Context, id string) error { return nil }
|
func (m *AsyncMockUserRepo) Delete(ctx context.Context, id string) error { return nil }
|
||||||
func (m *AsyncMockUserRepo) FindByEmail(ctx context.Context, email string) (*domain.User, error) {
|
func (m *AsyncMockUserRepo) FindByEmail(ctx context.Context, email string) (*domain.User, error) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
@@ -114,6 +120,22 @@ func (m *AsyncMockUserRepo) CountByCompanyCodes(ctx context.Context, codes []str
|
|||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (m *AsyncMockUserRepo) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *AsyncMockUserRepo) GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *AsyncMockUserRepo) IsLoginIDTaken(ctx context.Context, loginID string) (bool, error) {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *AsyncMockUserRepo) FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error) {
|
||||||
|
return "", nil
|
||||||
|
}
|
||||||
|
|
||||||
type AsyncMockRedisRepo struct {
|
type AsyncMockRedisRepo struct {
|
||||||
mock.Mock
|
mock.Mock
|
||||||
}
|
}
|
||||||
@@ -254,7 +276,7 @@ func TestSignup_AsyncDB_Isolation(t *testing.T) {
|
|||||||
|
|
||||||
// UserRepo Mocks (Async & Failure)
|
// UserRepo Mocks (Async & Failure)
|
||||||
mockUserRepo.createCalled = make(chan bool, 1)
|
mockUserRepo.createCalled = make(chan bool, 1)
|
||||||
mockUserRepo.On("Create", mock.Anything, mock.MatchedBy(func(u *domain.User) bool {
|
mockUserRepo.On("Update", mock.Anything, mock.MatchedBy(func(u *domain.User) bool {
|
||||||
return u.Email == email
|
return u.Email == email
|
||||||
})).Return(errors.New("db connection error"))
|
})).Return(errors.New("db connection error"))
|
||||||
|
|
||||||
|
|||||||
@@ -4,6 +4,7 @@ import (
|
|||||||
"baron-sso-backend/internal/domain"
|
"baron-sso-backend/internal/domain"
|
||||||
"baron-sso-backend/internal/repository"
|
"baron-sso-backend/internal/repository"
|
||||||
"baron-sso-backend/internal/service"
|
"baron-sso-backend/internal/service"
|
||||||
|
"baron-sso-backend/internal/utils"
|
||||||
"context"
|
"context"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
@@ -2106,7 +2107,7 @@ func (h *DevHandler) matchesDevAuditFilter(
|
|||||||
if !strings.Contains(logItem.EventType, "/api/v1/dev/") {
|
if !strings.Contains(logItem.EventType, "/api/v1/dev/") {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
details, _ := parseAuditDetails(logItem.Details)
|
details, _ := utils.ParseAuditDetails(logItem.Details)
|
||||||
if statusFilter != "" && statusFilter != "all" && strings.ToLower(logItem.Status) != statusFilter {
|
if statusFilter != "" && statusFilter != "all" && strings.ToLower(logItem.Status) != statusFilter {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -131,6 +131,22 @@ func (m *MockUserRepoForHandler) CountByCompanyCodes(ctx context.Context, codes
|
|||||||
return args.Get(0).(map[string]int64), args.Error(1)
|
return args.Get(0).(map[string]int64), args.Error(1)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (m *MockUserRepoForHandler) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *MockUserRepoForHandler) GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *MockUserRepoForHandler) IsLoginIDTaken(ctx context.Context, loginID string) (bool, error) {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *MockUserRepoForHandler) FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error) {
|
||||||
|
return "", nil
|
||||||
|
}
|
||||||
|
|
||||||
func TestTenantHandler_CreateTenant(t *testing.T) {
|
func TestTenantHandler_CreateTenant(t *testing.T) {
|
||||||
app := fiber.New()
|
app := fiber.New()
|
||||||
mockSvc := new(MockTenantService)
|
mockSvc := new(MockTenantService)
|
||||||
|
|||||||
@@ -35,9 +35,10 @@ type UserHandler struct {
|
|||||||
KetoOutboxRepo repository.KetoOutboxRepository
|
KetoOutboxRepo repository.KetoOutboxRepository
|
||||||
UserRepo repository.UserRepository
|
UserRepo repository.UserRepository
|
||||||
UserGroupRepo repository.UserGroupRepository
|
UserGroupRepo repository.UserGroupRepository
|
||||||
|
AuditRepo domain.AuditRepository
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProviderAPI, tenantService service.TenantService, ketoService service.KetoService, ketoOutboxRepo repository.KetoOutboxRepository, userRepo repository.UserRepository, userGroupRepo repository.UserGroupRepository) *UserHandler {
|
func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProviderAPI, tenantService service.TenantService, ketoService service.KetoService, ketoOutboxRepo repository.KetoOutboxRepository, userRepo repository.UserRepository, userGroupRepo repository.UserGroupRepository, auditRepo domain.AuditRepository) *UserHandler {
|
||||||
return &UserHandler{
|
return &UserHandler{
|
||||||
KratosAdmin: kratosAdmin,
|
KratosAdmin: kratosAdmin,
|
||||||
OryProvider: oryProvider,
|
OryProvider: oryProvider,
|
||||||
@@ -46,6 +47,7 @@ func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProvi
|
|||||||
KetoOutboxRepo: ketoOutboxRepo,
|
KetoOutboxRepo: ketoOutboxRepo,
|
||||||
UserRepo: userRepo,
|
UserRepo: userRepo,
|
||||||
UserGroupRepo: userGroupRepo,
|
UserGroupRepo: userGroupRepo,
|
||||||
|
AuditRepo: auditRepo,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -53,6 +55,7 @@ type userSummary struct {
|
|||||||
ID string `json:"id"`
|
ID string `json:"id"`
|
||||||
Email string `json:"email"`
|
Email string `json:"email"`
|
||||||
LoginID string `json:"loginId,omitempty"`
|
LoginID string `json:"loginId,omitempty"`
|
||||||
|
CustomLoginIDs []string `json:"customLoginIds,omitempty"` // [New] 다중 로그인 ID 목록
|
||||||
Name string `json:"name"`
|
Name string `json:"name"`
|
||||||
Phone string `json:"phone"`
|
Phone string `json:"phone"`
|
||||||
Role string `json:"role"`
|
Role string `json:"role"`
|
||||||
@@ -325,40 +328,23 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
|
|||||||
|
|
||||||
// [Override with explicit LoginID if provided]
|
// [Override with explicit LoginID if provided]
|
||||||
if req.LoginID != "" {
|
if req.LoginID != "" {
|
||||||
attributes["id"] = req.LoginID
|
if ids, ok := attributes["custom_login_ids"].([]string); ok {
|
||||||
|
attributes["custom_login_ids"] = append(ids, req.LoginID)
|
||||||
|
} else {
|
||||||
|
attributes["custom_login_ids"] = []string{req.LoginID}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// [Resolve TenantID and LoginID before Kratos creation]
|
// [Resolve TenantID and Custom Login IDs before Kratos creation]
|
||||||
var tenantID string
|
var tenantID string
|
||||||
synced := false
|
|
||||||
if req.CompanyCode != "" && h.TenantService != nil {
|
if req.CompanyCode != "" && h.TenantService != nil {
|
||||||
if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), req.CompanyCode); err == nil && tenant != nil {
|
if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), req.CompanyCode); err == nil && tenant != nil {
|
||||||
tenantID = tenant.ID
|
tenantID = tenant.ID
|
||||||
|
|
||||||
// Sync custom field to LoginID if configured
|
|
||||||
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
|
|
||||||
syncLoginID(attributes, req.Metadata, tenantID, loginIdField)
|
|
||||||
synced = true
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Fallback: Try syncing based on the tenant namespaces being updated
|
// Collect and sync all custom login IDs based on tenant schemas
|
||||||
if !synced && h.TenantService != nil {
|
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, req.Metadata, "")
|
||||||
for k := range req.Metadata {
|
|
||||||
if len(k) >= 32 { // Looks like a UUID (tenant ID)
|
|
||||||
if tenant, err := h.TenantService.GetTenant(c.Context(), k); err == nil && tenant != nil {
|
|
||||||
if tenantID == "" {
|
|
||||||
tenantID = tenant.ID
|
|
||||||
}
|
|
||||||
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
|
|
||||||
syncLoginID(attributes, req.Metadata, tenant.ID, loginIdField)
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
attributes["role"] = role
|
attributes["role"] = role
|
||||||
if tenantID != "" {
|
if tenantID != "" {
|
||||||
@@ -373,22 +359,25 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
finalLoginID := extractTraitString(attributes, "id")
|
// Validate all collected LoginIDs
|
||||||
if err := domain.ValidateLoginID(finalLoginID, email, normalizePhoneNumber(req.Phone)); err != nil {
|
if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
|
||||||
return errorJSON(c, fiber.StatusBadRequest, err.Error())
|
for _, lid := range collectedIDs {
|
||||||
|
if err := domain.ValidateLoginID(lid, email, normalizePhoneNumber(req.Phone)); err != nil {
|
||||||
|
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
brokerUser := &domain.BrokerUser{
|
brokerUser := &domain.BrokerUser{
|
||||||
Email: email,
|
Email: email,
|
||||||
LoginID: finalLoginID,
|
|
||||||
Name: name,
|
Name: name,
|
||||||
PhoneNumber: normalizePhoneNumber(req.Phone),
|
PhoneNumber: normalizePhoneNumber(req.Phone),
|
||||||
Attributes: attributes,
|
Attributes: attributes,
|
||||||
}
|
}
|
||||||
|
|
||||||
// [Validation] Based on Tenant Schema
|
// [Validation] Based on Tenant Schema
|
||||||
if req.CompanyCode != "" && h.TenantService != nil {
|
if tenantID != "" && h.TenantService != nil {
|
||||||
tenant, err := h.TenantService.GetTenantBySlug(c.Context(), req.CompanyCode)
|
tenant, err := h.TenantService.GetTenant(c.Context(), tenantID)
|
||||||
if err == nil && tenant != nil {
|
if err == nil && tenant != nil {
|
||||||
if schema, ok := tenant.Config["userSchema"].([]interface{}); ok {
|
if schema, ok := tenant.Config["userSchema"].([]interface{}); ok {
|
||||||
if err := h.validateMetadata(req.Metadata, schema, true); err != nil {
|
if err := h.validateMetadata(req.Metadata, schema, true); err != nil {
|
||||||
@@ -400,8 +389,8 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
|
|||||||
|
|
||||||
identityID, err := h.OryProvider.CreateUser(brokerUser, password)
|
identityID, err := h.OryProvider.CreateUser(brokerUser, password)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if strings.Contains(err.Error(), "already exists") {
|
if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "already exists") || strings.Contains(err.Error(), "exists already") {
|
||||||
return errorJSON(c, fiber.StatusConflict, "email already exists")
|
return errorJSON(c, fiber.StatusConflict, "이미 사용 중인 식별자(이메일/전화번호/사번 등)입니다.")
|
||||||
}
|
}
|
||||||
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
||||||
}
|
}
|
||||||
@@ -424,6 +413,14 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
|
|||||||
slog.Error("[UserHandler] Failed to sync new user to local DB", "email", localUser.Email, "error", err)
|
slog.Error("[UserHandler] Failed to sync new user to local DB", "email", localUser.Email, "error", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Update User Login IDs in local DB
|
||||||
|
for i := range loginIDRecords {
|
||||||
|
loginIDRecords[i].UserID = localUser.ID
|
||||||
|
}
|
||||||
|
if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
|
||||||
|
slog.Error("[UserHandler] Failed to update user login IDs", "userID", localUser.ID, "error", err)
|
||||||
|
}
|
||||||
|
|
||||||
// [Keto] Sync relations via Outbox (Synchronous for accurate counting)
|
// [Keto] Sync relations via Outbox (Synchronous for accurate counting)
|
||||||
if h.KetoOutboxRepo != nil {
|
if h.KetoOutboxRepo != nil {
|
||||||
// 1. Role based relations
|
// 1. Role based relations
|
||||||
@@ -580,15 +577,8 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
|
|||||||
"role": role,
|
"role": role,
|
||||||
}
|
}
|
||||||
|
|
||||||
// Override with explicit LoginID if provided
|
// Sync all custom login IDs based on tenant schemas
|
||||||
if item.LoginID != "" {
|
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, item.Metadata, "")
|
||||||
attributes["id"] = item.LoginID
|
|
||||||
}
|
|
||||||
|
|
||||||
// Sync LoginID from configured custom field (overrides explicit LoginID)
|
|
||||||
if tItem.LoginIDField != "" {
|
|
||||||
syncLoginID(attributes, item.Metadata, tItem.ID, tItem.LoginIDField)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Merge metadata
|
// Merge metadata
|
||||||
for k, v := range item.Metadata {
|
for k, v := range item.Metadata {
|
||||||
@@ -597,28 +587,36 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
finalLoginID := extractTraitString(attributes, "id")
|
|
||||||
userEmail := email
|
userEmail := email
|
||||||
userPhone := normalizePhoneNumber(item.Phone)
|
userPhone := normalizePhoneNumber(item.Phone)
|
||||||
|
|
||||||
if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
|
// Validate all collected LoginIDs
|
||||||
results = append(results, bulkUserResult{Email: email, Success: false, Message: err.Error()})
|
if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
|
||||||
continue
|
valid := true
|
||||||
|
for _, lid := range collectedIDs {
|
||||||
|
if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
|
||||||
|
results = append(results, bulkUserResult{Email: email, Success: false, Message: "Invalid LoginID (" + lid + "): " + err.Error()})
|
||||||
|
valid = false
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !valid {
|
||||||
|
continue
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
identityID, err := h.OryProvider.CreateUser(&domain.BrokerUser{
|
identityID, err := h.OryProvider.CreateUser(&domain.BrokerUser{
|
||||||
Email: userEmail,
|
Email: userEmail,
|
||||||
LoginID: finalLoginID,
|
|
||||||
Name: item.Name,
|
Name: item.Name,
|
||||||
PhoneNumber: userPhone,
|
PhoneNumber: userPhone,
|
||||||
Attributes: attributes,
|
Attributes: attributes,
|
||||||
}, password)
|
}, password)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// 만약 이미 존재하는 사용자라면 로컬 DB 및 Keto 관계만 업데이트(Sync)를 시도
|
// 만약 이미 존재하는 사용자라면 로컬 DB 및 Keto 관계만 업데이트(Sync)를 시도
|
||||||
if strings.Contains(err.Error(), "already exists") {
|
if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "already exists") || strings.Contains(err.Error(), "exists already") {
|
||||||
identityID, err = h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), email)
|
identityID, err = h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), email)
|
||||||
if err != nil || identityID == "" {
|
if err != nil || identityID == "" {
|
||||||
results = append(results, bulkUserResult{Email: email, Success: false, Message: "이미 존재하는 사용자지만 ID를 찾을 수 없습니다."})
|
results = append(results, bulkUserResult{Email: email, Success: false, Message: "이미 다른 사용자가 해당 식별자(이메일/사번 등)를 사용 중입니다."})
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
slog.Info("BulkCreate: User already exists, syncing local DB and Keto", "email", email, "identityID", identityID)
|
slog.Info("BulkCreate: User already exists, syncing local DB and Keto", "email", email, "identityID", identityID)
|
||||||
@@ -634,7 +632,6 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
|
|||||||
localUser := &domain.User{
|
localUser := &domain.User{
|
||||||
ID: identityID,
|
ID: identityID,
|
||||||
Email: email,
|
Email: email,
|
||||||
LoginID: extractTraitString(attributes, "id"),
|
|
||||||
Name: name,
|
Name: name,
|
||||||
Phone: normalizePhoneNumber(item.Phone),
|
Phone: normalizePhoneNumber(item.Phone),
|
||||||
Role: role,
|
Role: role,
|
||||||
@@ -660,6 +657,14 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
|
|||||||
slog.Error("Failed to sync bulk user to local DB", "email", email, "error", err)
|
slog.Error("Failed to sync bulk user to local DB", "email", email, "error", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Update User Login IDs in local DB
|
||||||
|
for i := range loginIDRecords {
|
||||||
|
loginIDRecords[i].UserID = localUser.ID
|
||||||
|
}
|
||||||
|
if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
|
||||||
|
slog.Error("Failed to update user login IDs in bulk", "userID", localUser.ID, "error", err)
|
||||||
|
}
|
||||||
|
|
||||||
if h.KetoOutboxRepo != nil {
|
if h.KetoOutboxRepo != nil {
|
||||||
// 1. Sync Role based relationship
|
// 1. Sync Role based relationship
|
||||||
h.syncKetoRole(c.Context(), localUser.ID, role, "", "", localUser.TenantID)
|
h.syncKetoRole(c.Context(), localUser.ID, role, "", "", localUser.TenantID)
|
||||||
@@ -961,10 +966,6 @@ func (h *UserHandler) BulkUpdateUsers(c *fiber.Ctx) error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if localUser.LoginID == "" {
|
|
||||||
localUser.LoginID = localUser.ID
|
|
||||||
}
|
|
||||||
|
|
||||||
_ = h.UserRepo.Update(c.Context(), localUser)
|
_ = h.UserRepo.Update(c.Context(), localUser)
|
||||||
|
|
||||||
// [Keto Sync]
|
// [Keto Sync]
|
||||||
@@ -1184,20 +1185,12 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
|
|||||||
traits["role"] = role
|
traits["role"] = role
|
||||||
}
|
}
|
||||||
|
|
||||||
// [Override with explicit LoginID if provided]
|
|
||||||
// This is done FIRST so that if a custom loginIdField is configured in the tenant,
|
|
||||||
// the metadata sync below will override this explicit value, preventing the UI's
|
|
||||||
// pre-filled explicit loginId from clobbering the updated custom field.
|
|
||||||
if req.LoginID != nil && *req.LoginID != "" {
|
|
||||||
traits["id"] = *req.LoginID
|
|
||||||
}
|
|
||||||
|
|
||||||
// [Namespaced Metadata Sync]
|
// [Namespaced Metadata Sync]
|
||||||
coreTraits := map[string]bool{
|
coreTraits := map[string]bool{
|
||||||
"email": true, "name": true, "phone_number": true,
|
"email": true, "name": true, "phone_number": true,
|
||||||
"grade": true, "companyCode": true, "department": true,
|
"grade": true, "companyCode": true, "department": true,
|
||||||
"affiliationType": true, "role": true, "tenant_id": true,
|
"affiliationType": true, "role": true, "tenant_id": true,
|
||||||
"id": true,
|
"custom_login_ids": true, "id": true,
|
||||||
}
|
}
|
||||||
|
|
||||||
// For namespaced metadata, we don't delete everything, we merge.
|
// For namespaced metadata, we don't delete everything, we merge.
|
||||||
@@ -1221,51 +1214,29 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
|
|||||||
|
|
||||||
// [LoginID Sync based on Tenant Settings]
|
// [LoginID Sync based on Tenant Settings]
|
||||||
// Perform sync AFTER metadata merge to ensure traits contains current values
|
// Perform sync AFTER metadata merge to ensure traits contains current values
|
||||||
syncCompCode := extractTraitString(traits, "companyCode")
|
loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, traits, req.Metadata, userID)
|
||||||
synced := false
|
|
||||||
|
|
||||||
if syncCompCode != "" && h.TenantService != nil {
|
// Validate all collected LoginIDs
|
||||||
if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), syncCompCode); err == nil && tenant != nil {
|
|
||||||
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
|
|
||||||
syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
|
|
||||||
synced = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Fallback: If companyCode is empty or didn't sync, try syncing based on the tenant namespaces being updated
|
|
||||||
if !synced && h.TenantService != nil {
|
|
||||||
for k := range req.Metadata {
|
|
||||||
if len(k) >= 32 { // Looks like a UUID (tenant ID)
|
|
||||||
if tenant, err := h.TenantService.GetTenant(c.Context(), k); err == nil && tenant != nil {
|
|
||||||
if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
|
|
||||||
syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
|
|
||||||
synced = true
|
|
||||||
break // Apply first matched tenant config
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
finalLoginID := extractTraitString(traits, "id")
|
|
||||||
userEmail := extractTraitString(traits, "email")
|
userEmail := extractTraitString(traits, "email")
|
||||||
userPhone := extractTraitString(traits, "phone_number")
|
userPhone := extractTraitString(traits, "phone_number")
|
||||||
if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
|
if collectedIDs, ok := traits["custom_login_ids"].([]string); ok {
|
||||||
return errorJSON(c, fiber.StatusBadRequest, err.Error())
|
for _, lid := range collectedIDs {
|
||||||
|
if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
|
||||||
|
return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// resolvePasswordLoginID might be doing something else but we already have finalLoginID.
|
|
||||||
// We should just use finalLoginID if it's the intended identifier.
|
|
||||||
// But let's check if resolvePasswordLoginID exists and what it returns. Assuming it returns a string.
|
|
||||||
// If it overrides, we assign it. Let's just use finalLoginID for now.
|
|
||||||
finalLoginID = resolvePasswordLoginID(traits)
|
|
||||||
|
|
||||||
state := normalizeKratosState(req.Status)
|
state := normalizeKratosState(req.Status)
|
||||||
|
|
||||||
slog.Info("[UpdateUser] Calling Kratos UpdateIdentity", "userID", userID, "traits", traits, "state", state)
|
slog.Info("[UpdateUser] Calling Kratos UpdateIdentity", "userID", userID, "traits", traits, "state", state)
|
||||||
|
|
||||||
updated, err := h.KratosAdmin.UpdateIdentity(c.Context(), userID, traits, state)
|
updated, err := h.KratosAdmin.UpdateIdentity(c.Context(), userID, traits, state)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
// [Exception Handling] Check for 409 Conflict (Duplicate Identifier)
|
||||||
|
if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "exists already") {
|
||||||
|
return errorJSON(c, fiber.StatusConflict, "이미 다른 사용자가 사용 중인 식별자(이메일/전화번호/사번 등)가 포함되어 있습니다.")
|
||||||
|
}
|
||||||
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1273,15 +1244,16 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
|
|||||||
if h.UserRepo != nil {
|
if h.UserRepo != nil {
|
||||||
updatedLocalUser := h.mapToLocalUser(*updated)
|
updatedLocalUser := h.mapToLocalUser(*updated)
|
||||||
|
|
||||||
if updatedLocalUser.LoginID == "" {
|
|
||||||
updatedLocalUser.LoginID = updatedLocalUser.ID
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx := context.Background() // Use request context if appropriate, but sync must finish
|
ctx := context.Background() // Use request context if appropriate, but sync must finish
|
||||||
if err := h.UserRepo.Update(ctx, updatedLocalUser); err != nil {
|
if err := h.UserRepo.Update(ctx, updatedLocalUser); err != nil {
|
||||||
slog.Error("[UserHandler] Failed to sync updated user to local DB", "userID", updatedLocalUser.ID, "error", err)
|
slog.Error("[UserHandler] Failed to sync updated user to local DB", "userID", updatedLocalUser.ID, "error", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Update User Login IDs in local DB
|
||||||
|
if err := h.UserRepo.UpdateUserLoginIDs(ctx, updatedLocalUser.ID, loginIDRecords); err != nil {
|
||||||
|
slog.Error("[UserHandler] Failed to update user login IDs", "userID", updatedLocalUser.ID, "error", err)
|
||||||
|
}
|
||||||
|
|
||||||
// [Keto Sync] asynchronously as it's less critical for immediate UI count
|
// [Keto Sync] asynchronously as it's less critical for immediate UI count
|
||||||
go func() {
|
go func() {
|
||||||
bgCtx := context.Background()
|
bgCtx := context.Background()
|
||||||
@@ -1345,7 +1317,9 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
|
|||||||
if h.OryProvider == nil {
|
if h.OryProvider == nil {
|
||||||
return errorJSON(c, fiber.StatusServiceUnavailable, "password provider not available")
|
return errorJSON(c, fiber.StatusServiceUnavailable, "password provider not available")
|
||||||
}
|
}
|
||||||
if err := h.OryProvider.UpdateUserPassword(finalLoginID, *req.Password, nil); err != nil {
|
// [New] Resolve a representative LoginID for the password update call
|
||||||
|
updateLoginID := resolvePasswordLoginID(updated.Traits)
|
||||||
|
if err := h.OryProvider.UpdateUserPassword(updateLoginID, *req.Password, nil); err != nil {
|
||||||
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1408,19 +1382,34 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
|
|||||||
|
|
||||||
compCode := extractTraitString(traits, "companyCode")
|
compCode := extractTraitString(traits, "companyCode")
|
||||||
slog.Debug("Mapping identity", "email", extractTraitString(traits, "email"), "compCode", compCode)
|
slog.Debug("Mapping identity", "email", extractTraitString(traits, "email"), "compCode", compCode)
|
||||||
|
|
||||||
|
var customLoginIDs []string
|
||||||
|
if raw, ok := traits["custom_login_ids"]; ok {
|
||||||
|
if ids, ok := raw.([]interface{}); ok {
|
||||||
|
for _, id := range ids {
|
||||||
|
if s, ok := id.(string); ok {
|
||||||
|
customLoginIDs = append(customLoginIDs, s)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else if ids, ok := raw.([]string); ok {
|
||||||
|
customLoginIDs = ids
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
summary := userSummary{
|
summary := userSummary{
|
||||||
ID: identity.ID,
|
ID: identity.ID,
|
||||||
Email: extractTraitString(traits, "email"),
|
Email: extractTraitString(traits, "email"),
|
||||||
LoginID: extractTraitString(traits, "id"), // id in Kratos traits maps to LoginID
|
LoginID: resolvePasswordLoginID(traits),
|
||||||
Name: extractTraitString(traits, "name"),
|
CustomLoginIDs: customLoginIDs,
|
||||||
Phone: extractTraitString(traits, "phone_number"),
|
Name: extractTraitString(traits, "name"),
|
||||||
Role: role,
|
Phone: extractTraitString(traits, "phone_number"),
|
||||||
Status: normalizeStatus(identity.State),
|
Role: role,
|
||||||
CompanyCode: compCode,
|
Status: normalizeStatus(identity.State),
|
||||||
Department: extractTraitString(traits, "department"),
|
CompanyCode: compCode,
|
||||||
Metadata: make(domain.JSONMap),
|
Department: extractTraitString(traits, "department"),
|
||||||
CreatedAt: formatTime(identity.CreatedAt),
|
Metadata: make(domain.JSONMap),
|
||||||
UpdatedAt: formatTime(identity.UpdatedAt),
|
CreatedAt: formatTime(identity.CreatedAt),
|
||||||
|
UpdatedAt: formatTime(identity.UpdatedAt),
|
||||||
}
|
}
|
||||||
|
|
||||||
// [New] Fetch all manageable tenants (for Multi-tenancy support)
|
// [New] Fetch all manageable tenants (for Multi-tenancy support)
|
||||||
@@ -1438,6 +1427,7 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
|
|||||||
"email": true, "name": true, "phone_number": true,
|
"email": true, "name": true, "phone_number": true,
|
||||||
"grade": true, "companyCode": true, "department": true,
|
"grade": true, "companyCode": true, "department": true,
|
||||||
"affiliationType": true, "role": true, "tenant_id": true,
|
"affiliationType": true, "role": true, "tenant_id": true,
|
||||||
|
"custom_login_ids": true, "id": true,
|
||||||
}
|
}
|
||||||
|
|
||||||
for k, v := range traits {
|
for k, v := range traits {
|
||||||
@@ -1477,17 +1467,9 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
|
|||||||
compCode = extractTraitString(traits, "company_code")
|
compCode = extractTraitString(traits, "company_code")
|
||||||
}
|
}
|
||||||
|
|
||||||
loginID := extractTraitString(traits, "id")
|
|
||||||
if loginID == "" {
|
|
||||||
// Fallback to UUID to prevent unique constraint violations on idx_tenant_login_id
|
|
||||||
// for users that use email/phone exclusively and don't have a specific loginId trait.
|
|
||||||
loginID = identity.ID
|
|
||||||
}
|
|
||||||
|
|
||||||
user := &domain.User{
|
user := &domain.User{
|
||||||
ID: identity.ID,
|
ID: identity.ID,
|
||||||
Email: extractTraitString(traits, "email"),
|
Email: extractTraitString(traits, "email"),
|
||||||
LoginID: loginID,
|
|
||||||
Name: extractTraitString(traits, "name"),
|
Name: extractTraitString(traits, "name"),
|
||||||
Phone: extractTraitString(traits, "phone_number"),
|
Phone: extractTraitString(traits, "phone_number"),
|
||||||
Role: role,
|
Role: role,
|
||||||
@@ -1520,6 +1502,7 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
|
|||||||
"email": true, "name": true, "phone_number": true,
|
"email": true, "name": true, "phone_number": true,
|
||||||
"grade": true, "companyCode": true, "department": true,
|
"grade": true, "companyCode": true, "department": true,
|
||||||
"affiliationType": true, "role": true, "tenant_id": true, "company_code": true,
|
"affiliationType": true, "role": true, "tenant_id": true, "company_code": true,
|
||||||
|
"custom_login_ids": true, "id": true,
|
||||||
}
|
}
|
||||||
for k, v := range traits {
|
for k, v := range traits {
|
||||||
if !coreTraits[k] {
|
if !coreTraits[k] {
|
||||||
@@ -1628,6 +1611,17 @@ func extractTraitString(traits map[string]interface{}, key string) string {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func resolvePasswordLoginID(traits map[string]interface{}) string {
|
func resolvePasswordLoginID(traits map[string]interface{}) string {
|
||||||
|
// First check custom_login_ids (array)
|
||||||
|
if raw, ok := traits["custom_login_ids"]; ok {
|
||||||
|
if ids, ok := raw.([]interface{}); ok && len(ids) > 0 {
|
||||||
|
if first, ok := ids[0].(string); ok {
|
||||||
|
return first
|
||||||
|
}
|
||||||
|
} else if ids, ok := raw.([]string); ok && len(ids) > 0 {
|
||||||
|
return ids[0]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// Fallback to legacy id (if still exists in some old identities)
|
||||||
if loginID := strings.TrimSpace(extractTraitString(traits, "id")); loginID != "" {
|
if loginID := strings.TrimSpace(extractTraitString(traits, "id")); loginID != "" {
|
||||||
return loginID
|
return loginID
|
||||||
}
|
}
|
||||||
@@ -1637,57 +1631,110 @@ func resolvePasswordLoginID(traits map[string]interface{}) string {
|
|||||||
return strings.TrimSpace(extractTraitString(traits, "phone_number"))
|
return strings.TrimSpace(extractTraitString(traits, "phone_number"))
|
||||||
}
|
}
|
||||||
|
|
||||||
// syncLoginID ensures that the 'id' trait (used as Kratos identifier) is in sync with the configured custom field.
|
// syncCustomLoginIDs collects all fields marked as isLoginId: true from tenant schemas
|
||||||
func syncLoginID(traits map[string]interface{}, metadata map[string]any, tenantID string, loginIDField string) {
|
// and populates traits["custom_login_ids"] and returns domain.UserLoginID records for DB.
|
||||||
if loginIDField == "" {
|
func syncCustomLoginIDs(ctx context.Context, tenantService service.TenantService, traits map[string]interface{}, metadata map[string]any, userID string) []domain.UserLoginID {
|
||||||
return
|
if tenantService == nil {
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
var loginID string
|
var loginIDRecords []domain.UserLoginID
|
||||||
|
var allCustomIDs []string
|
||||||
|
idSet := make(map[string]bool)
|
||||||
|
|
||||||
// 1. Check incoming metadata (flat)
|
// Collect tenant IDs to check schemas for
|
||||||
if val, ok := metadata[loginIDField].(string); ok && val != "" {
|
tenantIDsToCheck := make(map[string]bool)
|
||||||
loginID = val
|
for k, v := range metadata {
|
||||||
|
// Heuristic: if it's a map, it's likely namespaced metadata for a tenant
|
||||||
|
if _, ok := v.(map[string]any); ok {
|
||||||
|
tenantIDsToCheck[k] = true
|
||||||
|
} else if _, ok := v.(map[string]interface{}); ok {
|
||||||
|
tenantIDsToCheck[k] = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// Also check primary tenant if available
|
||||||
|
if tid := extractTraitString(traits, "tenant_id"); tid != "" {
|
||||||
|
tenantIDsToCheck[tid] = true
|
||||||
}
|
}
|
||||||
|
|
||||||
// 2. Check incoming metadata (namespaced by tenant ID)
|
for tid := range tenantIDsToCheck {
|
||||||
if loginID == "" && tenantID != "" {
|
tenant, err := tenantService.GetTenant(ctx, tid)
|
||||||
if namespaced, ok := metadata[tenantID].(map[string]any); ok {
|
if err != nil || tenant == nil {
|
||||||
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
|
continue
|
||||||
loginID = val
|
}
|
||||||
|
|
||||||
|
schema, ok := tenant.Config["userSchema"].([]interface{})
|
||||||
|
if !ok {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, fieldRaw := range schema {
|
||||||
|
field, ok := fieldRaw.(map[string]interface{})
|
||||||
|
if !ok {
|
||||||
|
continue
|
||||||
}
|
}
|
||||||
} else if namespaced, ok := metadata[tenantID].(map[string]interface{}); ok {
|
|
||||||
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
|
isLoginId, _ := field["isLoginId"].(bool)
|
||||||
loginID = val
|
if !isLoginId {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
fieldKey, ok := field["key"].(string)
|
||||||
|
if !ok {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try to find value in namespaced metadata first, then flat metadata, then existing traits
|
||||||
|
var val string
|
||||||
|
if namespaced, ok := metadata[tid].(map[string]any); ok {
|
||||||
|
val, _ = namespaced[fieldKey].(string)
|
||||||
|
} else if namespaced, ok := metadata[tid].(map[string]interface{}); ok {
|
||||||
|
val, _ = namespaced[fieldKey].(string)
|
||||||
|
}
|
||||||
|
|
||||||
|
if val == "" {
|
||||||
|
val, _ = metadata[fieldKey].(string)
|
||||||
|
}
|
||||||
|
|
||||||
|
if val == "" {
|
||||||
|
// Check existing trait (namespaced)
|
||||||
|
if namespaced, ok := traits[tid].(map[string]interface{}); ok {
|
||||||
|
val, _ = namespaced[fieldKey].(string)
|
||||||
|
} else if namespaced, ok := traits[tid].(map[string]any); ok {
|
||||||
|
val, _ = namespaced[fieldKey].(string)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if val == "" {
|
||||||
|
// Fallback: Check flat traits
|
||||||
|
val = extractTraitString(traits, fieldKey)
|
||||||
|
}
|
||||||
|
|
||||||
|
if val != "" {
|
||||||
|
if !idSet[val] {
|
||||||
|
idSet[val] = true
|
||||||
|
allCustomIDs = append(allCustomIDs, val)
|
||||||
|
}
|
||||||
|
loginIDRecords = append(loginIDRecords, domain.UserLoginID{
|
||||||
|
UserID: userID,
|
||||||
|
TenantID: tid,
|
||||||
|
FieldKey: fieldKey,
|
||||||
|
LoginID: val,
|
||||||
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3. Check merged traits (which includes existing metadata)
|
if len(allCustomIDs) > 0 {
|
||||||
// Important: Skip this if loginIDField is "id" because traits["id"] is the TARGET,
|
traits["custom_login_ids"] = allCustomIDs
|
||||||
// and we don't want to sync "id" to "id" if we already checked metadata.
|
} else {
|
||||||
if loginID == "" && loginIDField != "id" {
|
delete(traits, "custom_login_ids")
|
||||||
// Existing trait (flat)
|
|
||||||
if val, ok := traits[loginIDField].(string); ok && val != "" {
|
|
||||||
loginID = val
|
|
||||||
} else if tenantID != "" {
|
|
||||||
// Existing trait (namespaced)
|
|
||||||
if namespaced, ok := traits[tenantID].(map[string]interface{}); ok {
|
|
||||||
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
|
|
||||||
loginID = val
|
|
||||||
}
|
|
||||||
} else if namespaced, ok := traits[tenantID].(map[string]any); ok {
|
|
||||||
if val, ok := namespaced[loginIDField].(string); ok && val != "" {
|
|
||||||
loginID = val
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if loginID != "" {
|
// Always remove legacy "id" trait to avoid confusion
|
||||||
slog.Info("Syncing LoginID from custom field", "field", loginIDField, "value", loginID, "tenantID", tenantID)
|
delete(traits, "id")
|
||||||
traits["id"] = loginID
|
|
||||||
}
|
return loginIDRecords
|
||||||
}
|
}
|
||||||
|
|
||||||
func formatTime(value time.Time) string {
|
func formatTime(value time.Time) string {
|
||||||
@@ -1882,3 +1929,61 @@ func (h *UserHandler) validateMetadataWithAuth(metadata map[string]any, schema [
|
|||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (h *UserHandler) GetUserRpHistory(c *fiber.Ctx) error {
|
||||||
|
userId := c.Params("id")
|
||||||
|
if userId == "" {
|
||||||
|
return errorJSON(c, fiber.StatusBadRequest, "user id is required")
|
||||||
|
}
|
||||||
|
|
||||||
|
if h.AuditRepo == nil {
|
||||||
|
return errorJSON(c, fiber.StatusServiceUnavailable, "Audit service unavailable")
|
||||||
|
}
|
||||||
|
|
||||||
|
logs, err := h.AuditRepo.FindByUserAndEvents(c.Context(), userId, []string{"consent.granted", "consent.revoked"}, 100)
|
||||||
|
if err != nil {
|
||||||
|
return errorJSON(c, fiber.StatusInternalServerError, "Failed to fetch history")
|
||||||
|
}
|
||||||
|
|
||||||
|
type rpHistoryItem struct {
|
||||||
|
ClientID string `json:"client_id"`
|
||||||
|
ClientName string `json:"client_name"`
|
||||||
|
LastLoginAt string `json:"lastLoginAt"`
|
||||||
|
Status string `json:"status"`
|
||||||
|
}
|
||||||
|
|
||||||
|
historyMap := make(map[string]*rpHistoryItem)
|
||||||
|
|
||||||
|
// Logs are DESC (newest first).
|
||||||
|
for _, log := range logs {
|
||||||
|
details, _ := utils.ParseAuditDetails(log.Details)
|
||||||
|
cid, _ := details["client_id"].(string)
|
||||||
|
if cid == "" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, exists := historyMap[cid]; !exists {
|
||||||
|
cname, _ := details["client_name"].(string)
|
||||||
|
if cname == "" {
|
||||||
|
cname = cid
|
||||||
|
}
|
||||||
|
|
||||||
|
historyMap[cid] = &rpHistoryItem{
|
||||||
|
ClientID: cid,
|
||||||
|
ClientName: cname,
|
||||||
|
LastLoginAt: log.Timestamp.Format(time.RFC3339),
|
||||||
|
Status: "active", // Default based on latest grant
|
||||||
|
}
|
||||||
|
if log.EventType == "consent.revoked" {
|
||||||
|
historyMap[cid].Status = "revoked"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
result := make([]*rpHistoryItem, 0, len(historyMap))
|
||||||
|
for _, item := range historyMap {
|
||||||
|
result = append(result, item)
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.JSON(result)
|
||||||
|
}
|
||||||
|
|||||||
@@ -87,6 +87,14 @@ func (m *MockTenantServiceForUser) GetTenantBySlug(ctx context.Context, slug str
|
|||||||
return args.Get(0).(*domain.Tenant), args.Error(1)
|
return args.Get(0).(*domain.Tenant), args.Error(1)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (m *MockTenantServiceForUser) GetTenant(ctx context.Context, id string) (*domain.Tenant, error) {
|
||||||
|
args := m.Called(ctx, id)
|
||||||
|
if args.Get(0) == nil {
|
||||||
|
return nil, args.Error(1)
|
||||||
|
}
|
||||||
|
return args.Get(0).(*domain.Tenant), args.Error(1)
|
||||||
|
}
|
||||||
|
|
||||||
func (m *MockTenantServiceForUser) ListManageableTenants(ctx context.Context, userID string) ([]domain.Tenant, error) {
|
func (m *MockTenantServiceForUser) ListManageableTenants(ctx context.Context, userID string) ([]domain.Tenant, error) {
|
||||||
args := m.Called(ctx, userID)
|
args := m.Called(ctx, userID)
|
||||||
if args.Get(0) == nil {
|
if args.Get(0) == nil {
|
||||||
@@ -117,11 +125,21 @@ func TestUserHandler_BulkCreateUsers(t *testing.T) {
|
|||||||
Slug: "test-tenant",
|
Slug: "test-tenant",
|
||||||
Config: domain.JSONMap{
|
Config: domain.JSONMap{
|
||||||
"userSchema": []interface{}{
|
"userSchema": []interface{}{
|
||||||
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true},
|
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}, nil).Once()
|
}, nil).Once()
|
||||||
|
|
||||||
|
mockTenant.On("GetTenant", mock.Anything, "t-123").Return(&domain.Tenant{
|
||||||
|
ID: "t-123",
|
||||||
|
Slug: "test-tenant",
|
||||||
|
Config: domain.JSONMap{
|
||||||
|
"userSchema": []interface{}{
|
||||||
|
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, nil)
|
||||||
|
|
||||||
mockOry.On("GetPasswordPolicy").Return(&domain.PasswordPolicy{MinLength: 8}, nil)
|
mockOry.On("GetPasswordPolicy").Return(&domain.PasswordPolicy{MinLength: 8}, nil)
|
||||||
mockOry.On("CreateUser", mock.Anything, mock.Anything).Return("u-1", nil).Twice()
|
mockOry.On("CreateUser", mock.Anything, mock.Anything).Return("u-1", nil).Twice()
|
||||||
|
|
||||||
@@ -188,11 +206,21 @@ func TestUserHandler_BulkCreateUsers(t *testing.T) {
|
|||||||
Slug: "test-tenant",
|
Slug: "test-tenant",
|
||||||
Config: domain.JSONMap{
|
Config: domain.JSONMap{
|
||||||
"userSchema": []interface{}{
|
"userSchema": []interface{}{
|
||||||
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true},
|
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}, nil).Once()
|
}, nil).Once()
|
||||||
|
|
||||||
|
mockTenant.On("GetTenant", mock.Anything, "t-123").Return(&domain.Tenant{
|
||||||
|
ID: "t-123",
|
||||||
|
Slug: "test-tenant",
|
||||||
|
Config: domain.JSONMap{
|
||||||
|
"userSchema": []interface{}{
|
||||||
|
map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, nil)
|
||||||
|
|
||||||
payload := map[string]interface{}{
|
payload := map[string]interface{}{
|
||||||
"users": []map[string]interface{}{
|
"users": []map[string]interface{}{
|
||||||
{
|
{
|
||||||
@@ -391,23 +419,32 @@ func TestUserHandler_UpdateUser_LoginIDSync(t *testing.T) {
|
|||||||
ID: tenantID,
|
ID: tenantID,
|
||||||
Slug: "test-tenant",
|
Slug: "test-tenant",
|
||||||
Config: domain.JSONMap{
|
Config: domain.JSONMap{
|
||||||
"loginIdField": "emp_no",
|
|
||||||
"userSchema": []interface{}{
|
"userSchema": []interface{}{
|
||||||
map[string]interface{}{"key": "emp_no", "label": "Employee No"},
|
map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}, nil) // Allow multiple calls for validation and sync
|
}, nil)
|
||||||
|
mockTenant.On("GetTenant", mock.Anything, tenantID).Return(&domain.Tenant{
|
||||||
|
ID: tenantID,
|
||||||
|
Slug: "test-tenant",
|
||||||
|
Config: domain.JSONMap{
|
||||||
|
"userSchema": []interface{}{
|
||||||
|
map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, nil)
|
||||||
|
|
||||||
mockTenant.On("ListManageableTenants", mock.Anything, userID).Return([]domain.Tenant{}, nil).Once()
|
mockTenant.On("ListManageableTenants", mock.Anything, userID).Return([]domain.Tenant{}, nil).Once()
|
||||||
|
|
||||||
// Expect traits to include 'id' synced from 'emp_no'
|
// Expect traits to include 'custom_login_ids' synced from 'emp_no'
|
||||||
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
|
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
|
||||||
return traits["id"] == "E1001"
|
ids, ok := traits["custom_login_ids"].([]string)
|
||||||
|
return ok && len(ids) > 0 && ids[0] == "E1001"
|
||||||
}), mock.Anything).Return(&service.KratosIdentity{
|
}), mock.Anything).Return(&service.KratosIdentity{
|
||||||
ID: userID,
|
ID: userID,
|
||||||
Traits: map[string]interface{}{
|
Traits: map[string]interface{}{
|
||||||
"id": "E1001",
|
"custom_login_ids": []interface{}{"E1001"},
|
||||||
"email": "user@test.com",
|
"email": "user@test.com",
|
||||||
},
|
},
|
||||||
}, nil).Once()
|
}, nil).Once()
|
||||||
|
|
||||||
@@ -459,7 +496,18 @@ func TestUserHandler_UpdateUser_LoginIDSync(t *testing.T) {
|
|||||||
ID: tenantID,
|
ID: tenantID,
|
||||||
Slug: "test-tenant",
|
Slug: "test-tenant",
|
||||||
Config: domain.JSONMap{
|
Config: domain.JSONMap{
|
||||||
"loginIdField": "emp_no",
|
"userSchema": []interface{}{
|
||||||
|
map[string]interface{}{"key": "emp_no", "isLoginId": true},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, nil)
|
||||||
|
mockTenant.On("GetTenant", mock.Anything, tenantID).Return(&domain.Tenant{
|
||||||
|
ID: tenantID,
|
||||||
|
Slug: "test-tenant",
|
||||||
|
Config: domain.JSONMap{
|
||||||
|
"userSchema": []interface{}{
|
||||||
|
map[string]interface{}{"key": "emp_no", "isLoginId": true},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}, nil)
|
}, nil)
|
||||||
|
|
||||||
@@ -467,11 +515,12 @@ func TestUserHandler_UpdateUser_LoginIDSync(t *testing.T) {
|
|||||||
|
|
||||||
// Even if metadata is empty, it should sync from existing traits
|
// Even if metadata is empty, it should sync from existing traits
|
||||||
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
|
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
|
||||||
return traits["id"] == "E2002"
|
ids, ok := traits["custom_login_ids"].([]string)
|
||||||
|
return ok && len(ids) > 0 && ids[0] == "E2002"
|
||||||
}), mock.Anything).Return(&service.KratosIdentity{
|
}), mock.Anything).Return(&service.KratosIdentity{
|
||||||
ID: userID,
|
ID: userID,
|
||||||
Traits: map[string]interface{}{
|
Traits: map[string]interface{}{
|
||||||
"id": "E2002",
|
"custom_login_ids": []interface{}{"E2002"},
|
||||||
},
|
},
|
||||||
}, nil).Once()
|
}, nil).Once()
|
||||||
|
|
||||||
@@ -508,25 +557,42 @@ func TestUserHandler_UpdateUser_PasswordUsesProvider(t *testing.T) {
|
|||||||
mockKratos.On("GetIdentity", mock.Anything, userID).Return(&service.KratosIdentity{
|
mockKratos.On("GetIdentity", mock.Anything, userID).Return(&service.KratosIdentity{
|
||||||
ID: userID,
|
ID: userID,
|
||||||
Traits: map[string]interface{}{
|
Traits: map[string]interface{}{
|
||||||
"id": "dyddus1210",
|
"custom_login_ids": []interface{}{"dyddus1210"},
|
||||||
"email": "dyddus1210@gmail.com",
|
"email": "dyddus1210@gmail.com",
|
||||||
"companyCode": "test-tenant",
|
"companyCode": "test-tenant",
|
||||||
|
"tenant_id": "t-1",
|
||||||
|
"emp_id": "dyddus1210",
|
||||||
},
|
},
|
||||||
}, nil).Once()
|
}, nil).Once()
|
||||||
|
|
||||||
mockTenant.On("GetTenantBySlug", mock.Anything, "test-tenant").Return(&domain.Tenant{
|
mockTenant.On("GetTenantBySlug", mock.Anything, "test-tenant").Return(&domain.Tenant{
|
||||||
ID: "t-1",
|
ID: "t-1",
|
||||||
Slug: "test-tenant",
|
Slug: "test-tenant",
|
||||||
|
Config: domain.JSONMap{
|
||||||
|
"userSchema": []interface{}{
|
||||||
|
map[string]interface{}{"key": "emp_id", "isLoginId": true},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, nil)
|
||||||
|
mockTenant.On("GetTenant", mock.Anything, "t-1").Return(&domain.Tenant{
|
||||||
|
ID: "t-1",
|
||||||
|
Slug: "test-tenant",
|
||||||
|
Config: domain.JSONMap{
|
||||||
|
"userSchema": []interface{}{
|
||||||
|
map[string]interface{}{"key": "emp_id", "isLoginId": true},
|
||||||
|
},
|
||||||
|
},
|
||||||
}, nil)
|
}, nil)
|
||||||
mockTenant.On("ListManageableTenants", mock.Anything, userID).Return([]domain.Tenant{}, nil).Once()
|
mockTenant.On("ListManageableTenants", mock.Anything, userID).Return([]domain.Tenant{}, nil).Once()
|
||||||
|
|
||||||
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
|
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
|
||||||
return traits["id"] == "dyddus1210"
|
ids, ok := traits["custom_login_ids"].([]string)
|
||||||
|
return ok && len(ids) > 0 && ids[0] == "dyddus1210"
|
||||||
}), "").Return(&service.KratosIdentity{
|
}), "").Return(&service.KratosIdentity{
|
||||||
ID: userID,
|
ID: userID,
|
||||||
Traits: map[string]interface{}{
|
Traits: map[string]interface{}{
|
||||||
"id": "dyddus1210",
|
"custom_login_ids": []interface{}{"dyddus1210"},
|
||||||
"email": "dyddus1210@gmail.com",
|
"email": "dyddus1210@gmail.com",
|
||||||
},
|
},
|
||||||
}, nil).Once()
|
}, nil).Once()
|
||||||
|
|
||||||
@@ -617,27 +683,36 @@ func TestUserHandler_CreateUser_LoginIDSync(t *testing.T) {
|
|||||||
ID: tenantID,
|
ID: tenantID,
|
||||||
Slug: "test-tenant",
|
Slug: "test-tenant",
|
||||||
Config: domain.JSONMap{
|
Config: domain.JSONMap{
|
||||||
"loginIdField": "emp_no",
|
|
||||||
"userSchema": []interface{}{
|
"userSchema": []interface{}{
|
||||||
map[string]interface{}{"key": "emp_no", "label": "Employee No"},
|
map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, nil)
|
||||||
|
mockTenant.On("GetTenant", mock.Anything, tenantID).Return(&domain.Tenant{
|
||||||
|
ID: tenantID,
|
||||||
|
Slug: "test-tenant",
|
||||||
|
Config: domain.JSONMap{
|
||||||
|
"userSchema": []interface{}{
|
||||||
|
map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}, nil)
|
}, nil)
|
||||||
|
|
||||||
mockOry.On("GetPasswordPolicy").Return(&domain.PasswordPolicy{MinLength: 8}, nil)
|
mockOry.On("GetPasswordPolicy").Return(&domain.PasswordPolicy{MinLength: 8}, nil)
|
||||||
|
|
||||||
// Expect OryProvider.CreateUser to be called with attributes["id"] synced from metadata
|
// Expect OryProvider.CreateUser to be called with attributes["custom_login_ids"] synced from metadata
|
||||||
mockOry.On("CreateUser", mock.MatchedBy(func(user *domain.BrokerUser) bool {
|
mockOry.On("CreateUser", mock.MatchedBy(func(user *domain.BrokerUser) bool {
|
||||||
return user.LoginID == "E1001" && user.Attributes["id"] == "E1001"
|
customIDs, ok := user.Attributes["custom_login_ids"].([]string)
|
||||||
|
return ok && len(customIDs) > 0 && customIDs[0] == "E1001"
|
||||||
}), mock.Anything).Return("u-1", nil).Once()
|
}), mock.Anything).Return("u-1", nil).Once()
|
||||||
|
|
||||||
// Mock GetIdentity after creation
|
// Mock GetIdentity after creation
|
||||||
mockKratos.On("GetIdentity", mock.Anything, "u-1").Return(&service.KratosIdentity{
|
mockKratos.On("GetIdentity", mock.Anything, "u-1").Return(&service.KratosIdentity{
|
||||||
ID: "u-1",
|
ID: "u-1",
|
||||||
Traits: map[string]interface{}{
|
Traits: map[string]interface{}{
|
||||||
"id": "E1001",
|
"custom_login_ids": []interface{}{"E1001"},
|
||||||
"email": "new@test.com",
|
"email": "new@test.com",
|
||||||
"companyCode": "test-tenant",
|
"companyCode": "test-tenant",
|
||||||
},
|
},
|
||||||
}, nil).Once()
|
}, nil).Once()
|
||||||
|
|
||||||
|
|||||||
@@ -21,6 +21,12 @@ type UserRepository interface {
|
|||||||
CountByTenantIDs(ctx context.Context, tenantIDs []string) (map[string]int64, error)
|
CountByTenantIDs(ctx context.Context, tenantIDs []string) (map[string]int64, error)
|
||||||
CountByCompanyCodes(ctx context.Context, codes []string) (map[string]int64, error)
|
CountByCompanyCodes(ctx context.Context, codes []string) (map[string]int64, error)
|
||||||
Delete(ctx context.Context, id string) error
|
Delete(ctx context.Context, id string) error
|
||||||
|
|
||||||
|
// Multiple identifiers support
|
||||||
|
UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error
|
||||||
|
GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error)
|
||||||
|
IsLoginIDTaken(ctx context.Context, loginID string) (bool, error)
|
||||||
|
FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
type userRepository struct {
|
type userRepository struct {
|
||||||
@@ -193,3 +199,45 @@ func (r *userRepository) List(ctx context.Context, offset, limit int, search str
|
|||||||
func (r *userRepository) Delete(ctx context.Context, id string) error {
|
func (r *userRepository) Delete(ctx context.Context, id string) error {
|
||||||
return r.db.WithContext(ctx).Delete(&domain.User{}, "id = ?", id).Error
|
return r.db.WithContext(ctx).Delete(&domain.User{}, "id = ?", id).Error
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (r *userRepository) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
|
||||||
|
return r.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
|
||||||
|
// Delete existing login IDs for this user
|
||||||
|
if err := tx.Where("user_id = ?", userID).Delete(&domain.UserLoginID{}).Error; err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Insert new login IDs if any
|
||||||
|
if len(loginIDs) > 0 {
|
||||||
|
if err := tx.Create(&loginIDs).Error; err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *userRepository) GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error) {
|
||||||
|
var results []domain.UserLoginID
|
||||||
|
if err := r.db.WithContext(ctx).Where("user_id = ?", userID).Find(&results).Error; err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return results, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *userRepository) IsLoginIDTaken(ctx context.Context, loginID string) (bool, error) {
|
||||||
|
var count int64
|
||||||
|
if err := r.db.WithContext(ctx).Model(&domain.UserLoginID{}).Where("login_id = ?", loginID).Count(&count).Error; err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
return count > 0, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *userRepository) FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error) {
|
||||||
|
var record domain.UserLoginID
|
||||||
|
if err := r.db.WithContext(ctx).Where("login_id = ?", loginID).First(&record).Error; err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return record.TenantID, nil
|
||||||
|
}
|
||||||
|
|||||||
@@ -94,4 +94,54 @@ func TestUserRepository(t *testing.T) {
|
|||||||
assert.Equal(t, int64(1), counts["tenant-b"])
|
assert.Equal(t, int64(1), counts["tenant-b"])
|
||||||
assert.Equal(t, int64(0), counts["tenant-c"])
|
assert.Equal(t, int64(0), counts["tenant-c"])
|
||||||
})
|
})
|
||||||
|
|
||||||
|
t.Run("Multi-Identifier Support", func(t *testing.T) {
|
||||||
|
_ = testDB.AutoMigrate(&domain.UserLoginID{})
|
||||||
|
testDB.Exec("DELETE FROM user_login_ids")
|
||||||
|
testDB.Exec("DELETE FROM users")
|
||||||
|
|
||||||
|
user := &domain.User{Email: "multi@test.com", Name: "Multi"}
|
||||||
|
_ = repo.Create(ctx, user)
|
||||||
|
|
||||||
|
t1 := "00000000-0000-0000-0000-000000000001"
|
||||||
|
t2 := "00000000-0000-0000-0000-000000000002"
|
||||||
|
|
||||||
|
loginIDs := []domain.UserLoginID{
|
||||||
|
{UserID: user.ID, TenantID: t1, FieldKey: "emp_id", LoginID: "E001"},
|
||||||
|
{UserID: user.ID, TenantID: t2, FieldKey: "student_id", LoginID: "S001"},
|
||||||
|
}
|
||||||
|
|
||||||
|
err := repo.UpdateUserLoginIDs(ctx, user.ID, loginIDs)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
|
||||||
|
// Get and Verify
|
||||||
|
saved, err := repo.GetUserLoginIDs(ctx, user.ID)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.Len(t, saved, 2)
|
||||||
|
|
||||||
|
// IsLoginIDTaken
|
||||||
|
taken, err := repo.IsLoginIDTaken(ctx, "E001")
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.True(t, taken)
|
||||||
|
|
||||||
|
taken, err = repo.IsLoginIDTaken(ctx, "UNKNOWN")
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.False(t, taken)
|
||||||
|
|
||||||
|
// FindTenantIDByLoginID
|
||||||
|
tid, err := repo.FindTenantIDByLoginID(ctx, "S001")
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.Equal(t, t2, tid)
|
||||||
|
|
||||||
|
// Update (Replace)
|
||||||
|
newList := []domain.UserLoginID{
|
||||||
|
{UserID: user.ID, TenantID: t1, FieldKey: "emp_id", LoginID: "E002"},
|
||||||
|
}
|
||||||
|
err = repo.UpdateUserLoginIDs(ctx, user.ID, newList)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
|
||||||
|
saved, _ = repo.GetUserLoginIDs(ctx, user.ID)
|
||||||
|
assert.Len(t, saved, 1)
|
||||||
|
assert.Equal(t, "E002", saved[0].LoginID)
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -97,10 +97,13 @@ func (d *DescopeProvider) CreateUser(user *domain.BrokerUser, password string) (
|
|||||||
return "", fmt.Errorf("descope provider: user already exists")
|
return "", fmt.Errorf("descope provider: user already exists")
|
||||||
}
|
}
|
||||||
|
|
||||||
descopeUser := &descope.UserRequest{}
|
descopeUser := &descope.UserRequest{
|
||||||
descopeUser.Email = user.Email
|
User: descope.User{
|
||||||
descopeUser.Phone = normalizedPhone
|
Email: user.Email,
|
||||||
descopeUser.Name = user.Name
|
Name: user.Name,
|
||||||
|
Phone: normalizedPhone,
|
||||||
|
},
|
||||||
|
}
|
||||||
descopeUser.CustomAttributes = map[string]any{}
|
descopeUser.CustomAttributes = map[string]any{}
|
||||||
for k, v := range user.Attributes {
|
for k, v := range user.Attributes {
|
||||||
descopeUser.CustomAttributes[k] = v
|
descopeUser.CustomAttributes[k] = v
|
||||||
|
|||||||
@@ -43,7 +43,7 @@ func (o *OryProvider) Name() string {
|
|||||||
func (o *OryProvider) GetMetadata() (*domain.IDPMetadata, error) {
|
func (o *OryProvider) GetMetadata() (*domain.IDPMetadata, error) {
|
||||||
return &domain.IDPMetadata{
|
return &domain.IDPMetadata{
|
||||||
SupportedFields: []string{
|
SupportedFields: []string{
|
||||||
"id", "login_id", "email", "name", "phone_number",
|
"id", "custom_login_ids", "login_id", "email", "name", "phone_number",
|
||||||
"grade", "department", "affiliationType", "companyCode",
|
"grade", "department", "affiliationType", "companyCode",
|
||||||
},
|
},
|
||||||
}, nil
|
}, nil
|
||||||
@@ -67,6 +67,21 @@ func (o *OryProvider) CreateUser(user *domain.BrokerUser, password string) (stri
|
|||||||
return "", fmt.Errorf("ory provider: identity already exists for email=%s", user.Email)
|
return "", fmt.Errorf("ory provider: identity already exists for email=%s", user.Email)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// [New] Check all custom login IDs for collisions
|
||||||
|
for _, lid := range user.CustomLoginIDs {
|
||||||
|
if lid == "" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
existing, err := o.findIdentityID(lid)
|
||||||
|
if err != nil {
|
||||||
|
return "", fmt.Errorf("ory provider: search identity failed for %s: %w", lid, err)
|
||||||
|
}
|
||||||
|
if existing != "" {
|
||||||
|
return "", fmt.Errorf("ory provider: identifier %s already exists", lid)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// [Legacy] check single LoginID
|
||||||
if user.LoginID != "" {
|
if user.LoginID != "" {
|
||||||
existingLoginID, err := o.findIdentityID(user.LoginID)
|
existingLoginID, err := o.findIdentityID(user.LoginID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -91,13 +106,20 @@ func (o *OryProvider) CreateUser(user *domain.BrokerUser, password string) (stri
|
|||||||
"email": user.Email,
|
"email": user.Email,
|
||||||
"name": user.Name,
|
"name": user.Name,
|
||||||
}
|
}
|
||||||
if user.LoginID != "" {
|
if len(user.CustomLoginIDs) > 0 {
|
||||||
traits["id"] = user.LoginID
|
traits["custom_login_ids"] = user.CustomLoginIDs
|
||||||
|
} else if user.LoginID != "" {
|
||||||
|
traits["custom_login_ids"] = []string{user.LoginID}
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.PhoneNumber != "" {
|
if user.PhoneNumber != "" {
|
||||||
traits["phone_number"] = user.PhoneNumber
|
traits["phone_number"] = user.PhoneNumber
|
||||||
}
|
}
|
||||||
for k, v := range user.Attributes {
|
for k, v := range user.Attributes {
|
||||||
|
// [SoT Fix] Don't let attributes overwrite core traits or use old 'id' trait
|
||||||
|
if k == "id" || k == "email" || k == "custom_login_ids" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
traits[k] = v
|
traits[k] = v
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -243,9 +243,6 @@ func (s *userGroupService) AddMember(ctx context.Context, groupID, userID string
|
|||||||
localUser.CompanyCode = tenant.Slug
|
localUser.CompanyCode = tenant.Slug
|
||||||
localUser.TenantID = &tenant.ID
|
localUser.TenantID = &tenant.ID
|
||||||
localUser.Department = group.Name
|
localUser.Department = group.Name
|
||||||
if localUser.LoginID == "" {
|
|
||||||
localUser.LoginID = localUser.ID
|
|
||||||
}
|
|
||||||
_ = s.userRepo.Update(ctx, localUser)
|
_ = s.userRepo.Update(ctx, localUser)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
17
backend/internal/utils/audit.go
Normal file
17
backend/internal/utils/audit.go
Normal file
@@ -0,0 +1,17 @@
|
|||||||
|
package utils
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
)
|
||||||
|
|
||||||
|
func ParseAuditDetails(details string) (map[string]any, error) {
|
||||||
|
var payload map[string]any
|
||||||
|
if details == "" {
|
||||||
|
return nil, fmt.Errorf("empty details")
|
||||||
|
}
|
||||||
|
if err := json.Unmarshal([]byte(details), &payload); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return payload, nil
|
||||||
|
}
|
||||||
@@ -7,13 +7,16 @@
|
|||||||
"traits": {
|
"traits": {
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"properties": {
|
"properties": {
|
||||||
"id": {
|
"custom_login_ids": {
|
||||||
"type": "string",
|
"type": "array",
|
||||||
"title": "ID",
|
"title": "Custom Login IDs",
|
||||||
"ory.sh/kratos": {
|
"items": {
|
||||||
"credentials": {
|
"type": "string",
|
||||||
"password": {
|
"ory.sh/kratos": {
|
||||||
"identifier": true
|
"credentials": {
|
||||||
|
"password": {
|
||||||
|
"identifier": true
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -964,7 +964,6 @@ class AuthProxyService {
|
|||||||
|
|
||||||
static Future<void> signup({
|
static Future<void> signup({
|
||||||
required String email,
|
required String email,
|
||||||
String? loginId,
|
|
||||||
required String password,
|
required String password,
|
||||||
required String name,
|
required String name,
|
||||||
required String phone,
|
required String phone,
|
||||||
@@ -980,12 +979,11 @@ class AuthProxyService {
|
|||||||
headers: {'Content-Type': 'application/json'},
|
headers: {'Content-Type': 'application/json'},
|
||||||
body: jsonEncode({
|
body: jsonEncode({
|
||||||
'email': email,
|
'email': email,
|
||||||
if (loginId != null && loginId.isNotEmpty) 'loginId': loginId,
|
|
||||||
'password': password,
|
'password': password,
|
||||||
'name': name,
|
'name': name,
|
||||||
'phone': phone,
|
'phone': phone,
|
||||||
'affiliationType': affiliationType,
|
'affiliationType': affiliationType,
|
||||||
'companyCode': ?companyCode,
|
'companyCode': companyCode,
|
||||||
'department': department,
|
'department': department,
|
||||||
'termsAccepted': termsAccepted,
|
'termsAccepted': termsAccepted,
|
||||||
}),
|
}),
|
||||||
|
|||||||
@@ -32,13 +32,12 @@ class _SignupScreenState extends State<SignupScreen> {
|
|||||||
|
|
||||||
// Controllers
|
// Controllers
|
||||||
final _emailController = TextEditingController();
|
final _emailController = TextEditingController();
|
||||||
final _loginIdController = TextEditingController();
|
final _emailCodeController = TextEditingController(); // [Restore]
|
||||||
final _emailCodeController = TextEditingController();
|
|
||||||
final _phoneController = TextEditingController();
|
|
||||||
final _phoneCodeController = TextEditingController();
|
|
||||||
final _nameController = TextEditingController();
|
final _nameController = TextEditingController();
|
||||||
final _passwordController = TextEditingController();
|
final _passwordController = TextEditingController();
|
||||||
final _confirmPasswordController = TextEditingController();
|
final _confirmPasswordController = TextEditingController();
|
||||||
|
final _phoneController = TextEditingController();
|
||||||
|
final _phoneCodeController = TextEditingController(); // [Restore]
|
||||||
final _deptController = TextEditingController();
|
final _deptController = TextEditingController();
|
||||||
|
|
||||||
// State
|
// State
|
||||||
@@ -60,8 +59,6 @@ class _SignupScreenState extends State<SignupScreen> {
|
|||||||
String? _phoneError;
|
String? _phoneError;
|
||||||
String? _passwordError;
|
String? _passwordError;
|
||||||
String? _confirmPasswordError;
|
String? _confirmPasswordError;
|
||||||
String? _loginIdError;
|
|
||||||
String? _loginIdSuccess;
|
|
||||||
|
|
||||||
// Timers
|
// Timers
|
||||||
Timer? _emailTimer;
|
Timer? _emailTimer;
|
||||||
@@ -102,7 +99,6 @@ class _SignupScreenState extends State<SignupScreen> {
|
|||||||
_emailTimer?.cancel();
|
_emailTimer?.cancel();
|
||||||
_phoneTimer?.cancel();
|
_phoneTimer?.cancel();
|
||||||
_emailController.dispose();
|
_emailController.dispose();
|
||||||
_loginIdController.dispose();
|
|
||||||
_emailCodeController.dispose();
|
_emailCodeController.dispose();
|
||||||
_phoneController.dispose();
|
_phoneController.dispose();
|
||||||
_phoneCodeController.dispose();
|
_phoneCodeController.dispose();
|
||||||
@@ -316,7 +312,6 @@ class _SignupScreenState extends State<SignupScreen> {
|
|||||||
try {
|
try {
|
||||||
await AuthProxyService.signup(
|
await AuthProxyService.signup(
|
||||||
email: _emailController.text.trim(),
|
email: _emailController.text.trim(),
|
||||||
loginId: _loginIdController.text.trim(),
|
|
||||||
password: _passwordController.text,
|
password: _passwordController.text,
|
||||||
name: _nameController.text.trim(),
|
name: _nameController.text.trim(),
|
||||||
phone: _phoneController.text.trim(),
|
phone: _phoneController.text.trim(),
|
||||||
@@ -1437,95 +1432,6 @@ class _SignupScreenState extends State<SignupScreen> {
|
|||||||
),
|
),
|
||||||
),
|
),
|
||||||
const SizedBox(height: 18),
|
const SizedBox(height: 18),
|
||||||
_buildProfileFieldGroup(
|
|
||||||
title: '로그인 ID (선택)',
|
|
||||||
description: '이메일/전화번호 외에 별도의 식별자로 로그인할 때 사용합니다.',
|
|
||||||
isDesktop: isDesktop,
|
|
||||||
child: Column(
|
|
||||||
crossAxisAlignment: CrossAxisAlignment.stretch,
|
|
||||||
children: [
|
|
||||||
TextFormField(
|
|
||||||
controller: _loginIdController,
|
|
||||||
onChanged: (val) {
|
|
||||||
setState(() {
|
|
||||||
_loginIdError = null;
|
|
||||||
_loginIdSuccess = null;
|
|
||||||
});
|
|
||||||
},
|
|
||||||
decoration: InputDecoration(
|
|
||||||
labelText: '사번 또는 아이디',
|
|
||||||
border: const OutlineInputBorder(),
|
|
||||||
errorText: _loginIdError,
|
|
||||||
suffixIcon: TextButton(
|
|
||||||
onPressed: _isLoading
|
|
||||||
? null
|
|
||||||
: () async {
|
|
||||||
final loginId = _loginIdController.text
|
|
||||||
.trim();
|
|
||||||
if (loginId.isEmpty) {
|
|
||||||
setState(
|
|
||||||
() => _loginIdError = 'ID를 입력해주세요.',
|
|
||||||
);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
setState(() {
|
|
||||||
_isLoading = true;
|
|
||||||
_loginIdError = null;
|
|
||||||
_loginIdSuccess = null;
|
|
||||||
});
|
|
||||||
try {
|
|
||||||
final result =
|
|
||||||
await AuthProxyService.checkLoginIDAvailability(
|
|
||||||
loginId,
|
|
||||||
companyCode:
|
|
||||||
_affiliationType ==
|
|
||||||
'AFFILIATE'
|
|
||||||
? _companyCode
|
|
||||||
: null,
|
|
||||||
);
|
|
||||||
setState(() {
|
|
||||||
if (result['available'] == true) {
|
|
||||||
_loginIdSuccess = '사용 가능한 ID입니다.';
|
|
||||||
} else {
|
|
||||||
_loginIdError =
|
|
||||||
result['message'] ??
|
|
||||||
'사용할 수 없는 ID입니다.';
|
|
||||||
}
|
|
||||||
});
|
|
||||||
} catch (e) {
|
|
||||||
setState(
|
|
||||||
() => _loginIdError = e
|
|
||||||
.toString()
|
|
||||||
.replaceAll('Exception: ', ''),
|
|
||||||
);
|
|
||||||
} finally {
|
|
||||||
if (mounted) {
|
|
||||||
setState(() => _isLoading = false);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
},
|
|
||||||
child: const Text('중복 확인'),
|
|
||||||
),
|
|
||||||
),
|
|
||||||
),
|
|
||||||
if (_loginIdSuccess != null)
|
|
||||||
Padding(
|
|
||||||
padding: const EdgeInsets.only(
|
|
||||||
top: 8.0,
|
|
||||||
left: 12.0,
|
|
||||||
),
|
|
||||||
child: Text(
|
|
||||||
_loginIdSuccess!,
|
|
||||||
style: const TextStyle(
|
|
||||||
color: Colors.green,
|
|
||||||
fontSize: 12,
|
|
||||||
),
|
|
||||||
),
|
|
||||||
),
|
|
||||||
],
|
|
||||||
),
|
|
||||||
),
|
|
||||||
const SizedBox(height: 18),
|
|
||||||
_buildProfileFieldGroup(
|
_buildProfileFieldGroup(
|
||||||
title: tr('ui.userfront.signup.profile.affiliation_type'),
|
title: tr('ui.userfront.signup.profile.affiliation_type'),
|
||||||
description: _isAffiliateEmail
|
description: _isAffiliateEmail
|
||||||
|
|||||||
Reference in New Issue
Block a user