audit 로그 개선. kratos 코드발급 링크로 전송까지 진행 완료 #104

2026-01-29 01:20:19 +09:00
parent ff17259117
commit b88de7ec91
46 changed files with 2843 additions and 585 deletions
--- a/backend/internal/idp/factory.go
+++ b/backend/internal/idp/factory.go
@@ -124,43 +124,144 @@ func (c *chainedProvider) GetMetadata() (*domain.IDPMetadata, error) {
 }

 func (c *chainedProvider) CreateUser(user *domain.BrokerUser, password string) (string, error) {
-	var errs []error
-	for idx, p := range c.providers {
+	for _, p := range c.providers {
 		id, err := p.CreateUser(user, password)
 		if err != nil {
-			errs = append(errs, fmt.Errorf("%s: %w", p.Name(), err))
+			if errors.Is(err, domain.ErrNotSupported) {
+				continue
+			}
 			slog.Warn("IDP provider failed", "provider", p.Name(), "operation", "CreateUser", "error", err)
-			continue
-		}
-		if idx > 0 {
-			slog.Info("IDP fallback succeeded", "operation", "CreateUser", "provider", p.Name())
+			return "", err
 		}
 		return id, nil
 	}
-	if len(errs) == 0 {
-		return "", fmt.Errorf("no IDP providers available for CreateUser")
-	}
-	return "", fmt.Errorf("all IDP providers failed for CreateUser: %w", errors.Join(errs...))
+	return "", domain.ErrNotSupported
 }

 func (c *chainedProvider) SignIn(loginID, password string) (*domain.AuthInfo, error) {
-	var errs []error
-	for idx, p := range c.providers {
+	for _, p := range c.providers {
 		info, err := p.SignIn(loginID, password)
 		if err != nil {
-			errs = append(errs, fmt.Errorf("%s: %w", p.Name(), err))
+			if errors.Is(err, domain.ErrNotSupported) {
+				continue
+			}
 			slog.Warn("IDP provider failed", "provider", p.Name(), "operation", "SignIn", "error", err)
+			return nil, err
+		}
+		return info, nil
+	}
+	return nil, domain.ErrNotSupported
+}
+
+func (c *chainedProvider) UserExists(loginID string) (bool, error) {
+	var errs []error
+	for _, p := range c.providers {
+		exists, err := p.UserExists(loginID)
+		if err != nil {
+			if errors.Is(err, domain.ErrNotSupported) {
+				continue
+			}
+			errs = append(errs, fmt.Errorf("%s: %w", p.Name(), err))
+			continue
+		}
+		if exists {
+			return true, nil
+		}
+	}
+	if len(errs) == 0 {
+		return false, nil
+	}
+	return false, fmt.Errorf("all IDP providers failed for UserExists: %w", errors.Join(errs...))
+}
+
+func (c *chainedProvider) IssueSession(loginID string) (*domain.AuthInfo, error) {
+	var errs []error
+	for idx, p := range c.providers {
+		info, err := p.IssueSession(loginID)
+		if err != nil {
+			if errors.Is(err, domain.ErrNotSupported) {
+				continue
+			}
+			errs = append(errs, fmt.Errorf("%s: %w", p.Name(), err))
+			slog.Warn("IDP provider failed", "provider", p.Name(), "operation", "IssueSession", "error", err)
 			continue
 		}
 		if idx > 0 {
-			slog.Info("IDP fallback succeeded", "operation", "SignIn", "provider", p.Name())
+			slog.Info("IDP fallback succeeded", "operation", "IssueSession", "provider", p.Name())
 		}
 		return info, nil
 	}
 	if len(errs) == 0 {
-		return nil, fmt.Errorf("no IDP providers available for SignIn")
+		return nil, domain.ErrNotSupported
 	}
-	return nil, fmt.Errorf("all IDP providers failed for SignIn: %w", errors.Join(errs...))
+	return nil, fmt.Errorf("all IDP providers failed for IssueSession: %w", errors.Join(errs...))
+}
+
+func (c *chainedProvider) InitiateLinkLogin(loginID, returnTo string) (*domain.LinkLoginInit, error) {
+	var errs []error
+	for idx, p := range c.providers {
+		info, err := p.InitiateLinkLogin(loginID, returnTo)
+		if err != nil {
+			if errors.Is(err, domain.ErrNotSupported) {
+				continue
+			}
+			errs = append(errs, fmt.Errorf("%s: %w", p.Name(), err))
+			slog.Warn("IDP provider failed", "provider", p.Name(), "operation", "InitiateLinkLogin", "error", err)
+			continue
+		}
+		if idx > 0 {
+			slog.Info("IDP fallback succeeded", "operation", "InitiateLinkLogin", "provider", p.Name())
+		}
+		return info, nil
+	}
+	if len(errs) == 0 {
+		return nil, domain.ErrNotSupported
+	}
+	return nil, fmt.Errorf("all IDP providers failed for InitiateLinkLogin: %w", errors.Join(errs...))
+}
+
+func (c *chainedProvider) VerifyLoginCode(loginID, flowID, code string) (*domain.AuthInfo, error) {
+	var errs []error
+	for idx, p := range c.providers {
+		info, err := p.VerifyLoginCode(loginID, flowID, code)
+		if err != nil {
+			if errors.Is(err, domain.ErrNotSupported) {
+				continue
+			}
+			errs = append(errs, fmt.Errorf("%s: %w", p.Name(), err))
+			slog.Warn("IDP provider failed", "provider", p.Name(), "operation", "VerifyLoginCode", "error", err)
+			continue
+		}
+		if idx > 0 {
+			slog.Info("IDP fallback succeeded", "operation", "VerifyLoginCode", "provider", p.Name())
+		}
+		return info, nil
+	}
+	if len(errs) == 0 {
+		return nil, domain.ErrNotSupported
+	}
+	return nil, fmt.Errorf("all IDP providers failed for VerifyLoginCode: %w", errors.Join(errs...))
+}
+
+func (c *chainedProvider) GetPasswordPolicy() (*domain.PasswordPolicy, error) {
+	var errs []error
+	for _, p := range c.providers {
+		policy, err := p.GetPasswordPolicy()
+		if err != nil {
+			if errors.Is(err, domain.ErrNotSupported) {
+				continue
+			}
+			errs = append(errs, fmt.Errorf("%s: %w", p.Name(), err))
+			continue
+		}
+		if policy != nil {
+			return policy, nil
+		}
+	}
+	if len(errs) == 0 {
+		return nil, domain.ErrNotSupported
+	}
+	return nil, fmt.Errorf("all IDP providers failed for GetPasswordPolicy: %w", errors.Join(errs...))
 }

 func (c *chainedProvider) InitiatePasswordReset(loginID, redirectUrl string) error {
--- a/backend/internal/idp/factory_test.go
+++ b/backend/internal/idp/factory_test.go
@@ -10,19 +10,31 @@ import (
 )

 type stubProvider struct {
-	name           string
-	metadata       []string
-	createErr      error
-	initiateErr    error
-	verifyErr      error
-	updateErr      error
-	signInErr      error
-	initiateCalls  int
-	verifyCalls    int
-	updateCalls    int
-	signInCalls    int
-	createCalls    int
-	verifyResponse *domain.AuthInfo
+	name            string
+	metadata        []string
+	createErr       error
+	initiateErr     error
+	verifyErr       error
+	updateErr       error
+	signInErr       error
+	userExistsErr   error
+	issueErr        error
+	linkInitErr     error
+	verifyCodeErr   error
+	policyErr       error
+	initiateCalls   int
+	verifyCalls     int
+	updateCalls     int
+	signInCalls     int
+	createCalls     int
+	userExistsCalls int
+	issueCalls      int
+	linkInitCalls   int
+	verifyCodeCalls int
+	policyCalls     int
+	verifyResponse  *domain.AuthInfo
+	userExists      bool
+	policy          *domain.PasswordPolicy
 }

 func (s *stubProvider) Name() string { return s.name }
@@ -47,6 +59,46 @@ func (s *stubProvider) SignIn(loginID, password string) (*domain.AuthInfo, error
 	return &domain.AuthInfo{Subject: "subject-123"}, nil
 }

+func (s *stubProvider) UserExists(loginID string) (bool, error) {
+	s.userExistsCalls++
+	if s.userExistsErr != nil {
+		return false, s.userExistsErr
+	}
+	return s.userExists, nil
+}
+
+func (s *stubProvider) IssueSession(loginID string) (*domain.AuthInfo, error) {
+	s.issueCalls++
+	if s.issueErr != nil {
+		return nil, s.issueErr
+	}
+	return &domain.AuthInfo{Subject: "issue-subject"}, nil
+}
+
+func (s *stubProvider) InitiateLinkLogin(loginID, returnTo string) (*domain.LinkLoginInit, error) {
+	s.linkInitCalls++
+	if s.linkInitErr != nil {
+		return nil, s.linkInitErr
+	}
+	return &domain.LinkLoginInit{FlowID: "flow-123", Mode: "cookie"}, nil
+}
+
+func (s *stubProvider) VerifyLoginCode(loginID, flowID, code string) (*domain.AuthInfo, error) {
+	s.verifyCodeCalls++
+	if s.verifyCodeErr != nil {
+		return nil, s.verifyCodeErr
+	}
+	return &domain.AuthInfo{Subject: "verify-code-subject"}, nil
+}
+
+func (s *stubProvider) GetPasswordPolicy() (*domain.PasswordPolicy, error) {
+	s.policyCalls++
+	if s.policyErr != nil {
+		return nil, s.policyErr
+	}
+	return s.policy, nil
+}
+
 func (s *stubProvider) InitiatePasswordReset(loginID, redirectUrl string) error {
 	s.initiateCalls++
 	return s.initiateErr