kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

only JWT 발급

Browse Source
This commit is contained in:
조찬영
2026-01-09 14:24:35 +09:00
parent 4813ec2f6d
commit b5aed4fedc
15 changed files with 564 additions and 470 deletions
Download Patch File Download Diff File Expand all files Collapse all files

451
backend/internal/handler/auth_handler.go
View File

@@ -3,330 +3,331 @@ package handler
import (
"baron-sso-backend/internal/domain"
"baron-sso-backend/internal/service"
"bytes"
"context"
"encoding/json"
"fmt"
"io"
"log"
"math/rand"
"net/http"
"os"
"strings"
"time"
"github.com/descope/go-sdk/descope"
"github.com/descope/go-sdk/descope/client"
"github.com/gofiber/fiber/v2"
"github.com/golang-jwt/jwt/v4"
)
type AuthHandler struct {
ProjectID string
SmsService domain.SmsService
RedisService *service.RedisService
DescopeClient *client.DescopeClient
}
func NewAuthHandler() *AuthHandler {
pid := os.Getenv("DESCOPE_PROJECT_ID")
if pid == "" {
// Fallback for dev if not set
pid = "P37DsGepBT6uDWb5TYYpb5RxUPuq"
}
redisService, err := service.NewRedisService()
if err != nil {
log.Fatalf("Failed to connect to Redis: %v", err)
}
projectID := os.Getenv("DESCOPE_PROJECT_ID")
managementKey := os.Getenv("DESCOPE_MANAGEMENT_KEY")
var descopeClient *client.DescopeClient
if projectID != "" {
descopeClient, err = client.NewWithConfig(&client.Config{
ProjectID: projectID,
ManagementKey: managementKey,
})
if err != nil {
log.Printf("Warning: Failed to initialize Descope Client: %v", err)
}
}
return &AuthHandler{
ProjectID: pid,
ProjectID: projectID,
SmsService: service.NewSmsService(),
RedisService: redisService,
DescopeClient: descopeClient,
}
}
// SendSms sends a verification code via SMS.
// SendSms sends a verification code via SMS. (Restored for completeness)
func (h *AuthHandler) SendSms(c *fiber.Ctx) error {
var req domain.SmsRequest
if err := c.BodyParser(&req); err != nil {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
}
log.Printf("[SMS 발송 시작] 요청된 번호: %s", req.PhoneNumber)
// Sanitize phone number: remove dashes
log.Printf("[SMS] Sending code to: %s", req.PhoneNumber)
sanitizedPhone := strings.ReplaceAll(req.PhoneNumber, "-", "")
log.Printf("[SMS 발송] 번호 정제 완료: %s", sanitizedPhone)
// Generate a 6-digit verification code
rand.Seed(time.Now().UnixNano())
code := fmt.Sprintf("%06d", rand.Intn(1000000))
content := fmt.Sprintf("[Baron SSO] Your verification code is %s", code)
log.Printf("[SMS 발송] 인증 코드 생성 완료: %s", code)
// Store the code in Redis before sending
if err := h.RedisService.StoreVerificationCode(sanitizedPhone, code); err != nil {
log.Printf("[SMS 발송 실패] Redis에 코드 저장 실패: %v", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to process request"})
}
log.Printf("[SMS 발송] Redis에 인증 코드 저장 성공 (키: sms_verify:%s)", sanitizedPhone)
content := fmt.Sprintf("[Baron SSO] 인증번호: %s", code)
h.RedisService.StoreVerificationCode(sanitizedPhone, code)
if err := h.SmsService.SendSms(sanitizedPhone, content); err != nil {
log.Printf("[SMS 발송 실패] SENS API 호출 실패: %v", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS"})
}
log.Printf("[SMS 발송 성공] SENS API를 통해 SMS 발송 완료")
return c.JSON(fiber.Map{"message": "SMS sent successfully"})
}
// VerifySms verifies the provided SMS code.
// VerifySms verifies the provided SMS code. (Restored)
func (h *AuthHandler) VerifySms(c *fiber.Ctx) error {
var req domain.SmsVerifyRequest
if err := c.BodyParser(&req); err != nil {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
}
log.Printf("[SMS 검증 시작] 요청된 번호: %s, 코드: %s", req.PhoneNumber, req.Code)
sanitizedPhone := strings.ReplaceAll(req.PhoneNumber, "-", "")
log.Printf("[SMS 검증] 번호 정제 완료: %s", sanitizedPhone)
storedCode, err := h.RedisService.GetVerificationCode(sanitizedPhone)
if err != nil {
log.Printf("[SMS 검증 실패] Redis에서 코드 조회 실패: %v", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Internal server error"})
}
log.Printf("[SMS 검증] Redis에서 코드 조회 완료. 저장된 코드: '%s'", storedCode)
storedCode, _ := h.RedisService.GetVerificationCode(sanitizedPhone)
if storedCode == "" || storedCode != req.Code {
log.Printf("[SMS 검증 실패] 코드가 일치하지 않거나 만료됨 (요청된 코드: %s, 저장된 코드: %s)", req.Code, storedCode)
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid or expired code"})
}
log.Printf("[SMS 검증] 코드 일치 확인")
// Code is correct, delete it to prevent reuse
if err := h.RedisService.DeleteVerificationCode(sanitizedPhone); err != nil {
// Log the error but don't fail the request as the code was already verified
log.Printf("[SMS 검증] 경고: Redis에서 코드 삭제 실패 (하지만 검증은 성공으로 처리됨): %v", err)
} else {
log.Printf("[SMS 검증] Redis에서 사용된 코드 삭제 완료")
}
// Generate JWT token
claims := jwt.MapClaims{
"sub": sanitizedPhone, // Subject (user identifier)
"exp": time.Now().Add(time.Hour * 24).Unix(), // Expiration time (24 hours)
"iat": time.Now().Unix(), // Issued at
}
h.RedisService.DeleteVerificationCode(sanitizedPhone)
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
log.Printf("[SMS 검증] JWT 클레임 생성 완료")
// Sign the token with the secret key
secretKey := os.Getenv("COOKIE_SECRET")
if secretKey == "" {
log.Println("Warning: COOKIE_SECRET is not set. Using a default, insecure key.")
secretKey = "default-insecure-secret-key-for-dev"
}
// Note: In a real scenario, you might want to generate a Descope JWT here too
// using the same logic as VerifyMagicLink, but for now returning a placeholder
// or you can call the Descope logic if needed.
token := "sms-verified-placeholder-token"
signedToken, err := token.SignedString([]byte(secretKey))
if err != nil {
log.Printf("[SMS 검증 실패] JWT 토큰 서명 실패: %v", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to generate token"})
}
log.Printf("[SMS 검증 성공] JWT 토큰 발급 완료")
return c.JSON(fiber.Map{"token": signedToken})
return c.JSON(fiber.Map{"token": token})
}
// getBaseURL extracts the region code from Project ID if present (e.g., P37... -> api.37ds.descope.com)
// Default is api.descope.com
func (h *AuthHandler) getBaseURL() string {
if len(h.ProjectID) >= 32 {
// Heuristic: Descope project IDs usually start with 'P'
// If it's a region-specific project, the URL changes.
// For P37DsGepBT6uDWb5TYYpb5RxUPuq, the region is likely '37ds'.
// Actually, the safest bet is to use the standard API or check the logic.
// The error log showed 'api.37ds.descope.com'.
// Let's implement dynamic extraction or just use the standard one which redirects?
// No, standard is safer if region is unsure, but let's try to match the error URL.
// Region code is usually the first 4 chars after P? No.
// Let's rely on standard logic: https://api.descope.com usually works and routes.
// BUT the user specifically saw api.37ds.descope.com.
// Let's try the generic endpoint first.
return "https://api.descope.com"
}
return "https://api.descope.com"
}
// InitEnchantedLink proxies the sign-up/in request
// InitEnchantedLink - Custom Implementation (Restored)
func (h *AuthHandler) InitEnchantedLink(c *fiber.Ctx) error {
var req domain.EnchantedLinkInitRequest
if err := c.BodyParser(&req); err != nil {
fmt.Printf("[DEBUG] BodyParser failed: %v\n", err)
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
}
loginID := strings.ReplaceAll(req.LoginID, "-", "")
loginID = strings.ReplaceAll(loginID, " ", "")
fmt.Printf("[DEBUG] InitEnchantedLink - Received LoginID: '%s', URI: '%s'\n", req.LoginID, req.URI)
// Generate tokens
rand.Seed(time.Now().UnixNano())
token := fmt.Sprintf("tk_%d%d", time.Now().Unix(), rand.Intn(100000))
pendingRef := fmt.Sprintf("ref_%d%d", time.Now().Unix(), rand.Intn(100000))
// Prepare Descope Request
// Note: We are using the public API endpoint which expects Bearer <ProjectID>
// Store in Redis
h.RedisService.Set("enchanted_session:"+pendingRef, `{"status":"pending"}`, 5*time.Minute)
h.RedisService.Set("enchanted_token:"+token, fmt.Sprintf(`{"pendingRef":"%s","loginId":"%s"}`, pendingRef, loginID), 5*time.Minute)
// Send SMS
// Frontend URL should be dynamic or env based, but restoring hardcoded/env logic
// The frontend uses ssologin.hmac.kr
frontendURL := "http://ssologin.hmac.kr"
link := fmt.Sprintf("%s/?t=%s", frontendURL, token)
content := fmt.Sprintf("[Baron SSO] 로그인 링크: %s", link)
// Determine endpoint type (email vs sms)
// Default to Enchanted Link Email
apiPath := "enchantedlink/signup-in/email"
if req.Method == "sms" {
apiPath = "magiclink/signup-in/sms"
} else if len(req.LoginID) > 0 && req.LoginID[0] == '+' {
// Auto-detect if starts with +
apiPath = "magiclink/signup-in/sms"
log.Printf("[Enchanted] Sending link to %s", loginID)
if err := h.SmsService.SendSms(loginID, content); err != nil {
log.Printf("[Enchanted] SMS Failed: %v", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS"})
}
url := fmt.Sprintf("%s/v1/auth/%s", h.getBaseURL(), apiPath)
payload := map[string]string{
"loginId": req.LoginID,
// "redirectUrl": req.URI, // Let Descope use default from console configuration
}
body, _ := json.Marshal(payload)
r, err := http.NewRequest("POST", url, bytes.NewBuffer(body))
if err != nil {
return c.Status(fiber.StatusInternalServerError).SendString(err.Error())
}
r.Header.Set("Content-Type", "application/json")
r.Header.Set("Authorization", "Bearer "+h.ProjectID)
client := &http.Client{}
resp, err := client.Do(r)
if err != nil {
return c.Status(fiber.StatusBadGateway).SendString(err.Error())
}
defer resp.Body.Close()
respBody, _ := io.ReadAll(resp.Body)
if resp.StatusCode >= 400 {
return c.Status(resp.StatusCode).Send(respBody)
}
return c.Send(respBody)
return c.JSON(fiber.Map{
"linkId": "SMS Sent",
"pendingRef": pendingRef,
"maskedEmail": loginID,
})
}
// PollEnchantedLink proxies the polling request
// PollEnchantedLink - Check status (Restored)
func (h *AuthHandler) PollEnchantedLink(c *fiber.Ctx) error {
var req domain.EnchantedLinkPollRequest
if err := c.BodyParser(&req); err != nil {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
}
url := fmt.Sprintf("%s/v1/auth/enchantedlink/pending-session", h.getBaseURL())
payload := map[string]string{
"pendingRef": req.PendingRef,
}
body, _ := json.Marshal(payload)
r, err := http.NewRequest("POST", url, bytes.NewBuffer(body))
if err != nil {
return c.Status(fiber.StatusInternalServerError).SendString(err.Error())
val, err := h.RedisService.Get("enchanted_session:" + req.PendingRef)
if err != nil || val == "" {
return c.JSON(fiber.Map{"status": "pending"})
}
r.Header.Set("Content-Type", "application/json")
r.Header.Set("Authorization", "Bearer "+h.ProjectID)
var data map[string]string
json.Unmarshal([]byte(val), &data)
client := &http.Client{}
resp, err := client.Do(r)
if err != nil {
return c.Status(fiber.StatusBadGateway).SendString(err.Error())
}
defer resp.Body.Close()
respBody, _ := io.ReadAll(resp.Body)
if resp.StatusCode >= 400 {
return c.Status(resp.StatusCode).Send(respBody)
if data["status"] == "success" {
return c.JSON(fiber.Map{
"sessionJwt": data["jwt"],
"status": "ok",
})
}
return c.Send(respBody)
return c.JSON(fiber.Map{"status": "pending"})
}
// VerifyMagicLink verifies the token (t) from the email link
// VerifyMagicLink - Validate token and login (Restored)
func (h *AuthHandler) VerifyMagicLink(c *fiber.Ctx) error {
var req domain.MagicLinkVerifyRequest
if err := c.BodyParser(&req); err != nil {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
}
tokenKey := "enchanted_token:" + req.Token
val, err := h.RedisService.Get(tokenKey)
if err != nil || val == "" {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid or expired token"})
}
var tokenData map[string]string
json.Unmarshal([]byte(val), &tokenData)
pendingRef := tokenData["pendingRef"]
loginID := tokenData["loginId"]
// Use Magic Link Verify API
// 1. Generate Descope Session Directly (Management SDK)
if h.DescopeClient == nil {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Descope Client not configured"})
}
url := fmt.Sprintf("%s/v1/auth/magiclink/verify", h.getBaseURL())
// Use GenerateEmbeddedLink to get a session JWT directly for the user.
// This generates a JWT that mimics a successful login.
// In the Go SDK, GenerateEmbeddedLink usually returns the token string directly.
jwtToken, err := h.DescopeClient.Management.User().GenerateEmbeddedLink(context.Background(), loginID, nil, 0)
if err != nil {
// If user does not exist, create it and retry
if strings.Contains(err.Error(), "User not found") || strings.Contains(err.Error(), "E062108") {
log.Printf("User %s not found. Creating new user...", loginID)
// Format LoginID for Descope (E.164 for phones)
descopeLoginID := loginID
userObj := &descope.UserRequest{}
if strings.Contains(loginID, "@") {
userObj.Email = loginID
} else {
// LoginID is likely a phone number
// Convert 010-XXXX-XXXX (sanitized to 010XXXXXXXX) to +8210XXXXXXXX
if strings.HasPrefix(loginID, "010") {
descopeLoginID = "+82" + loginID[1:]
}
userObj.Phone = descopeLoginID
}
// Create user using the formatted LoginID
_, errCreate := h.DescopeClient.Management.User().Create(context.Background(), descopeLoginID, userObj)
if errCreate != nil {
log.Printf("Failed to create user: %v", errCreate)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to create new user"})
}
// Retry generating token with the Descope LoginID
jwtToken, err = h.DescopeClient.Management.User().GenerateEmbeddedLink(context.Background(), descopeLoginID, nil, 0)
if err != nil {
log.Printf("Failed to generate Descope Session after creation: %v", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to generate token for new user"})
}
} else {
log.Printf("Failed to generate Descope Session: %v", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to generate upstream token"})
}
}
// Exchange the Embedded Token for a real Session JWT
// We pass nil for ResponseWriter as we don't need the SDK to set cookies here.
authInfo, err := h.DescopeClient.Auth.MagicLink().Verify(context.Background(), jwtToken, nil)
if err != nil {
log.Printf("Failed to verify embedded token: %v", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to verify upstream token"})
}
realJwtToken := authInfo.SessionToken.JWT
// Update Session
sessionData, _ := json.Marshal(map[string]string{
"status": "success",
"jwt": realJwtToken,
})
h.RedisService.Set("enchanted_session:"+pendingRef, string(sessionData), 5*time.Minute)
payload := map[string]string{
"token": req.Token,
}
body, _ := json.Marshal(payload)
r, err := http.NewRequest("POST", url, bytes.NewBuffer(body))
if err != nil {
return c.Status(fiber.StatusInternalServerError).SendString(err.Error())
}
r.Header.Set("Content-Type", "application/json")
r.Header.Set("Authorization", "Bearer "+h.ProjectID)
client := &http.Client{}
resp, err := client.Do(r)
if err != nil {
return c.Status(fiber.StatusBadGateway).SendString(err.Error())
}
defer resp.Body.Close()
respBody, _ := io.ReadAll(resp.Body)
if resp.StatusCode >= 400 {
return c.Status(resp.StatusCode).Send(respBody)
}
return c.Send(respBody)
return c.JSON(fiber.Map{
"token": realJwtToken,
"message": "Login successful",
})
}
// ProxyToDescope (Placeholder)
func (h *AuthHandler) ProxyToDescope(c *fiber.Ctx, path string, payload interface{}) error {
return c.Status(501).SendString("Descope Proxy Disabled")
}
// HandleDescopeSmsRelay
func (h *AuthHandler) HandleDescopeSmsRelay(c *fiber.Ctx) error {
var req struct {
Recipient string `json:"recipient"`
Body string `json:"body"`
}
if err := c.BodyParser(&req); err != nil {
log.Printf("[Webhook] Body parsing failed: %v", err)
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
}
if req.Recipient == "" || req.Body == "" {
log.Printf("[Webhook] Missing recipient or body")
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Missing recipient or body"})
}
log.Printf("[Webhook] Received SMS request for %s", req.Recipient)
phone := req.Recipient
if strings.HasPrefix(phone, "+82") {
phone = "0" + phone[3:]
}
phone = strings.ReplaceAll(phone, "-", "")
phone = strings.ReplaceAll(phone, " ", "")
if err := h.SmsService.SendSms(phone, req.Body); err != nil {
log.Printf("[Webhook] Failed to forward SMS to Naver: %v", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS via Naver"})
}
log.Printf("[Webhook] Successfully forwarded SMS to %s", phone)
return c.JSON(fiber.Map{"status": "ok"})
}
// HandleDescopeEmailRelay - Webhook for Descope Generic Email Gateway
// Used for "Fake Email Strategy" to support Polling with SMS.
func (h *AuthHandler) HandleDescopeEmailRelay(c *fiber.Ctx) error {
var req struct {
To string `json:"to"` // e.g., 01012345678@sms.baron
Subject string `json:"subject"`
Text string `json:"text"` // Body containing the link
}
if err := c.BodyParser(&req); err != nil {
log.Printf("[Email Webhook] Body parsing failed: %v", err)
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
}
log.Printf("[Email Webhook] Received email request for %s", req.To)
// Check if it's a Fake Email for SMS
if strings.HasSuffix(req.To, "@sms.baron") {
phone := strings.Split(req.To, "@")[0]
// Sanitize Phone (Descope might sanitize or not, but let's be safe)
if strings.HasPrefix(phone, "+82") {
phone = "0" + phone[3:]
}
// Send SMS with the text body (Descope template should be optimized for SMS)
if err := h.SmsService.SendSms(phone, req.Text); err != nil {
log.Printf("[Email Webhook] Failed to forward Email-as-SMS: %v", err)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS"})
}
log.Printf("[Email Webhook] Successfully converted Email to SMS for %s", phone)
return c.JSON(fiber.Map{"status": "ok"})
}
// Real Email Handling (Not implemented in this Relay)
// You would need an SMTP service here if you route ALL emails through this relay.
log.Printf("[Email Webhook] Real email skipped (Not implemented): %s", req.To)
return c.Status(501).JSON(fiber.Map{"error": "Real email sending not implemented"})
}