diff --git a/backend/cmd/server/main.go b/backend/cmd/server/main.go index 1e45784a..e5c4a894 100644 --- a/backend/cmd/server/main.go +++ b/backend/cmd/server/main.go @@ -278,6 +278,7 @@ func main() { authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo, oathkeeperRepo, tenantService, ketoService, ketoOutboxRepo, userRepo, consentRepo, kratosAdminService) adminHandler := handler.NewAdminHandler(ketoService) devHandler := handler.NewDevHandler(redisService, secretRepo, consentRepo, relyingPartyService, ketoService, authHandler) + devHandler.AuditRepo = auditRepo tenantHandler := handler.NewTenantHandler(db, tenantService, userRepo, ketoService, ketoOutboxRepo, kratosAdminService) userGroupHandler := handler.NewUserGroupHandler(userGroupService) relyingPartyHandler := handler.NewRelyingPartyHandler(relyingPartyService, kratosAdminService) @@ -654,6 +655,7 @@ func main() { // 개발자 포털 라우트 (RP/Consent 관리 및 IdP 설정) dev := api.Group("/dev") + dev.Get("/stats", devHandler.GetStats) dev.Get("/clients", devHandler.ListClients) dev.Post("/clients", devHandler.CreateClient) dev.Get("/clients/:id", devHandler.GetClient) @@ -663,6 +665,7 @@ func main() { dev.Delete("/clients/:id", devHandler.DeleteClient) dev.Get("/consents", devHandler.ListConsents) dev.Delete("/consents", devHandler.RevokeConsents) + dev.Get("/audit-logs", devHandler.ListAuditLogs) // Webhook for Kratos courier (HTTP delivery) auth.Post("/webhooks/kratos-courier", authHandler.HandleKratosCourierRelay) diff --git a/backend/internal/domain/models.go b/backend/internal/domain/models.go index fe911ac2..ad86ca7a 100644 --- a/backend/internal/domain/models.go +++ b/backend/internal/domain/models.go @@ -25,6 +25,8 @@ type AuditRepository interface { Create(log *AuditLog) error FindPage(ctx context.Context, limit int, cursor *AuditCursor) ([]AuditLog, error) FindByUserAndEvents(ctx context.Context, userID string, eventTypes []string, limit int) ([]AuditLog, error) + CountFailuresSince(ctx context.Context, since time.Time, tenantID string) (int64, error) + CountActiveSessionsSince(ctx context.Context, since time.Time, tenantID string) (int64, error) Ping(ctx context.Context) error } diff --git a/backend/internal/handler/common_test.go b/backend/internal/handler/common_test.go index 15a6277e..656749d5 100644 --- a/backend/internal/handler/common_test.go +++ b/backend/internal/handler/common_test.go @@ -7,6 +7,7 @@ import ( "encoding/json" "io" "net/http" + "time" ) // --- Mock IDP Provider --- @@ -101,6 +102,15 @@ func (m *mockAuditRepo) FindByUserAndEvents(ctx context.Context, userID string, } return results, nil } + +func (m *mockAuditRepo) CountFailuresSince(ctx context.Context, since time.Time, tenantID string) (int64, error) { + return 0, nil +} + +func (m *mockAuditRepo) CountActiveSessionsSince(ctx context.Context, since time.Time, tenantID string) (int64, error) { + return 0, nil +} + func (m *mockAuditRepo) Ping(ctx context.Context) error { return nil } // --- Mock Consent Repository --- diff --git a/backend/internal/handler/dev_handler.go b/backend/internal/handler/dev_handler.go index bbc31675..91f80b10 100644 --- a/backend/internal/handler/dev_handler.go +++ b/backend/internal/handler/dev_handler.go @@ -10,7 +10,9 @@ import ( "encoding/json" "errors" "fmt" + "io" "log/slog" + "net/http" "os" "strings" "time" @@ -23,6 +25,7 @@ type DevHandler struct { Hydra *service.HydraAdminService Redis domain.RedisRepository SecretRepo domain.ClientSecretRepository + AuditRepo domain.AuditRepository KratosAdmin service.KratosAdminService ConsentRepo repository.ClientConsentRepository Keto service.KetoService @@ -53,6 +56,7 @@ func NewDevHandler( Hydra: service.NewHydraAdminService(), Redis: redis, SecretRepo: secretRepo, + AuditRepo: nil, KratosAdmin: service.NewKratosAdminService(), ConsentRepo: consentRepo, Keto: keto, @@ -61,6 +65,19 @@ func NewDevHandler( } } +type devAuditListResponse struct { + Items []domain.AuditLog `json:"items"` + Limit int `json:"limit"` + Cursor string `json:"cursor,omitempty"` + NextCursor string `json:"next_cursor,omitempty"` +} + +type devStatsResponse struct { + TotalClients int64 `json:"total_clients"` + ActiveSessions int64 `json:"active_sessions"` + AuthFailures int64 `json:"auth_failures_24h"` +} + type clientSummary struct { ID string `json:"id"` Name string `json:"name"` @@ -144,27 +161,75 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) { return true, nil } - // Check with Keto: System:AppManager#member - allowed, err := h.Keto.CheckPermission(c.Context(), profile.ID, "System", "AppManager", "member") - if err != nil { - return false, err + subject := strings.TrimSpace(profile.ID) + if subject == "" && strings.TrimSpace(profile.Email) != "" && h.KratosAdmin != nil { + resolved, err := h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), strings.TrimSpace(profile.Email)) + if err == nil && strings.TrimSpace(resolved) != "" { + subject = strings.TrimSpace(resolved) + } } - slog.Info("Dev private permission evaluated by Keto", "user_id", profile.ID, "allowed", allowed) + if subject == "" { + slog.Warn("Dev private permission denied: missing subject in profile", "email", profile.Email) + return false, nil + } + if h.Keto == nil { + slog.Warn("Dev private permission denied: keto service unavailable") + return false, nil + } + + // Check with Keto: System:AppManager#member + allowed, err := h.Keto.CheckPermission(c.Context(), subject, "System", "AppManager", "member") + if err != nil { + // Fail closed for dev private endpoints: deny on permission backend error. + slog.Warn("Dev private permission check failed; denying access", "subject", subject, "error", err) + return false, nil + } + slog.Info("Dev private permission evaluated by Keto", "subject", subject, "allowed", allowed) return allowed, nil } - tokenSubject, tokenEmail := extractAuthClaimsFromBearer(c.Get("Authorization")) + authHeader := c.Get("Authorization") + bearerToken := extractBearerToken(authHeader) + tokenSubject, tokenEmail := extractAuthClaimsFromBearer(authHeader) + tokenRole := "" + + // Fallback for OIDC access tokens that do not include full claims locally. + if bearerToken != "" && (tokenSubject == "" || tokenEmail == "") { + if info, err := h.fetchOIDCUserInfo(c.Context(), bearerToken); err == nil && info != nil { + if tokenSubject == "" { + tokenSubject = strings.TrimSpace(info.Sub) + } + if tokenEmail == "" { + tokenEmail = strings.TrimSpace(info.Email) + } + tokenRole = strings.TrimSpace(info.Role) + } else if err != nil { + slog.Warn("Dev private permission userinfo fallback failed", "error", err) + } + } + + if tokenRole == domain.RoleSuperAdmin { + slog.Info("Dev private permission granted by token role", "role", tokenRole) + return true, nil + } if isAdminEmail(tokenEmail) { slog.Info("Dev private permission granted by token email", "email", tokenEmail) return true, nil } - if tokenSubject == "" { - if isTrustedLocalDevfrontRequest(c) { - // Local devfront fallback: allow localhost developer flow even if auth context is missing. - slog.Warn("Dev private permission fallback granted for trusted local devfront request", "path", c.Path(), "origin", c.Get("Origin")) - return true, nil + + // If subject is missing, resolve it from Kratos by identifier(email) so Keto checks can still run. + if tokenSubject == "" && tokenEmail != "" && h.KratosAdmin != nil { + resolved, err := h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), tokenEmail) + if err == nil && strings.TrimSpace(resolved) != "" { + tokenSubject = strings.TrimSpace(resolved) } + } + if tokenSubject == "" { + return false, nil + } + if h.Keto == nil { + slog.Warn("Dev private permission denied: keto service unavailable") return false, nil } @@ -186,7 +251,9 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) { // Check with Keto: System:AppManager#member allowed, err := h.Keto.CheckPermission(c.Context(), tokenSubject, "System", "AppManager", "member") if err != nil { - return false, err + // Fail closed for dev private endpoints: deny on permission backend error. + slog.Warn("Dev private permission check failed; denying access", "subject", tokenSubject, "error", err) + return false, nil } slog.Info("Dev private permission evaluated by Keto(subject)", "subject", tokenSubject, "allowed", allowed) @@ -238,28 +305,75 @@ func isAdminEmail(email string) bool { return adminEmail != "" && strings.EqualFold(strings.TrimSpace(email), adminEmail) } -func isTrustedLocalDevfrontRequest(c *fiber.Ctx) bool { - if c == nil { - return false +func extractBearerToken(authHeader string) string { + authHeader = strings.TrimSpace(authHeader) + if !strings.HasPrefix(strings.ToLower(authHeader), "bearer ") { + return "" + } + return strings.TrimSpace(authHeader[len("Bearer "):]) +} + +type oidcUserInfo struct { + Sub string `json:"sub"` + Email string `json:"email"` + TenantID string `json:"tenant_id"` + Role string `json:"role"` +} + +func (h *DevHandler) fetchOIDCUserInfo(ctx context.Context, accessToken string) (*oidcUserInfo, error) { + if strings.TrimSpace(accessToken) == "" { + return nil, fmt.Errorf("missing access token") + } + if h.Hydra == nil || strings.TrimSpace(h.Hydra.PublicURL) == "" { + return nil, fmt.Errorf("hydra public url is not configured") } - origin := strings.ToLower(strings.TrimSpace(c.Get("Origin"))) - referer := strings.ToLower(strings.TrimSpace(c.Get("Referer"))) - allowedPrefixes := []string{ - "http://localhost:5174", - "https://localhost:5174", + endpoint := strings.TrimRight(h.Hydra.PublicURL, "/") + "/userinfo" + req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil) + if err != nil { + return nil, err + } + req.Header.Set("Authorization", "Bearer "+accessToken) + + resp, err := http.DefaultClient.Do(req) + if err != nil { + return nil, err + } + defer resp.Body.Close() + if resp.StatusCode >= 300 { + body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048)) + return nil, fmt.Errorf("userinfo failed status=%d body=%s", resp.StatusCode, string(body)) } - for _, prefix := range allowedPrefixes { - if strings.HasPrefix(origin, prefix) || strings.HasPrefix(referer, prefix) { - return true + var payload map[string]any + if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil { + return nil, err + } + + pick := func(keys ...string) string { + for _, key := range keys { + if raw, ok := payload[key]; ok { + if value, ok := raw.(string); ok { + value = strings.TrimSpace(value) + if value != "" { + return value + } + } + } } + return "" } - return false + return &oidcUserInfo{ + Sub: pick("sub"), + Email: pick("email"), + TenantID: pick("tenant_id", "tenantId"), + Role: pick("role"), + }, nil } func (h *DevHandler) ListClients(c *fiber.Ctx) error { + h.injectTenantContextFromHeader(c) limit := c.QueryInt("limit", 50) offset := c.QueryInt("offset", 0) if limit <= 0 { @@ -269,6 +383,92 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error { offset = 0 } + // [Tenant Isolation] Get current user's tenant ID + userTenantID := "" + isSuperAdmin := false + profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse) + if (!ok || profile == nil) && h.Auth != nil { + enriched, _ := h.Auth.GetEnrichedProfile(c) + if enriched != nil { + profile = enriched + ok = true + c.Locals("user_profile", enriched) + } + } + + if ok && profile != nil { + if profile.TenantID != nil { + userTenantID = *profile.TenantID + } + isSuperAdmin = profile.Role == domain.RoleSuperAdmin + } else { + // If profile resolution failed, verify bearer token via OIDC userinfo fallback. + authHeader := c.Get("Authorization") + bearerToken := extractBearerToken(authHeader) + if bearerToken == "" { + return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") + } + + sub, email := extractAuthClaimsFromBearer(authHeader) + if sub == "" { + info, infoErr := h.fetchOIDCUserInfo(c.Context(), bearerToken) + if infoErr != nil { + slog.Warn("ListClients userinfo fallback failed", "error", infoErr) + return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") + } + sub = strings.TrimSpace(info.Sub) + if email == "" { + email = strings.TrimSpace(info.Email) + } + if userTenantID == "" { + userTenantID = strings.TrimSpace(info.TenantID) + } + if strings.EqualFold(strings.TrimSpace(info.Role), domain.RoleSuperAdmin) { + isSuperAdmin = true + } + } + + if sub == "" && email == "" { + return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") + } + + if h.KratosAdmin != nil && (userTenantID == "" || !isSuperAdmin) { + identityID := strings.TrimSpace(sub) + if identityID == "" && email != "" { + if resolved, err := h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), email); err == nil { + identityID = strings.TrimSpace(resolved) + } + } + if identityID != "" { + if identity, err := h.KratosAdmin.GetIdentity(c.Context(), identityID); err == nil && identity != nil { + if userTenantID == "" { + if tid, ok := identity.Traits["tenant_id"].(string); ok { + userTenantID = strings.TrimSpace(tid) + } + } + role := "" + if rawRole, ok := identity.Traits["role"].(string); ok { + role = strings.TrimSpace(rawRole) + } + if role == domain.RoleSuperAdmin { + isSuperAdmin = true + } + profile = &domain.UserProfileResponse{ + ID: identityID, + Email: email, + Role: role, + TenantID: nil, + } + if userTenantID != "" { + tid := userTenantID + profile.TenantID = &tid + } + c.Locals("user_profile", profile) + } + } + } + } + isAppManager, err := h.checkAppManagerPermission(c) if err != nil { slog.Error("Failed to check app manager permission", "error", err) @@ -289,10 +489,20 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error { items := make([]clientSummary, 0, len(clients)) for _, client := range clients { summary := h.mapClientSummary(client) - // Filter out 'private' clients if user is not an AppManager + + // 1. [Security] Filter out 'private' clients if user is not an AppManager if summary.Type == "private" && !isAppManager { continue } + + // 2. [Isolation] If not SuperAdmin, only show clients belonging to the same tenant + if !isSuperAdmin { + clientTenantID, _ := summary.Metadata["tenant_id"].(string) + if clientTenantID != userTenantID { + continue + } + } + items = append(items, summary) } @@ -304,6 +514,7 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error { } func (h *DevHandler) GetClient(c *fiber.Ctx) error { + h.injectTenantContextFromHeader(c) clientID := c.Params("id") if clientID == "" { return errorJSON(c, fiber.StatusBadRequest, "client id is required") @@ -319,6 +530,22 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error { summary := h.mapClientSummary(*client) + // [Tenant Isolation] Check if user has access to this client + isSuperAdmin := false + userTenantID := "" + if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil { + isSuperAdmin = profile.Role == domain.RoleSuperAdmin + if profile.TenantID != nil { + userTenantID = *profile.TenantID + } + } + if !isSuperAdmin { + clientTenantID, _ := summary.Metadata["tenant_id"].(string) + if clientTenantID != userTenantID { + return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant") + } + } + // Check permission for private clients if summary.Type == "private" { isAppManager, err := h.checkAppManagerPermission(c) @@ -343,6 +570,7 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error { } func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error { + tenantID := h.injectTenantContextFromHeader(c) clientID := c.Params("id") if clientID == "" { return errorJSON(c, fiber.StatusBadRequest, "client id is required") @@ -362,17 +590,6 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error { // [Security] Check permission before patching current, err := h.Hydra.GetClient(c.Context(), clientID) - if err == nil { - summary := h.mapClientSummary(*current) - if summary.Type == "private" { - isAppManager, _ := h.checkAppManagerPermission(c) - if !isAppManager { - return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") - } - } - } - - updated, err := h.Hydra.PatchClientStatus(c.Context(), clientID, status) if err != nil { if errors.Is(err, service.ErrHydraNotFound) { return errorJSON(c, fiber.StatusNotFound, "client not found") @@ -380,9 +597,52 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error { return errorJSON(c, fiber.StatusInternalServerError, err.Error()) } - summary := h.mapClientSummary(*updated) + summary := h.mapClientSummary(*current) + + // [Tenant Isolation] + isSuperAdmin := false + userTenantID := "" + if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil { + isSuperAdmin = profile.Role == domain.RoleSuperAdmin + if profile.TenantID != nil { + userTenantID = *profile.TenantID + } + } + if !isSuperAdmin { + clientTenantID, _ := summary.Metadata["tenant_id"].(string) + if clientTenantID != userTenantID { + return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant") + } + } + + if summary.Type == "private" { + isAppManager, _ := h.checkAppManagerPermission(c) + if !isAppManager { + return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") + } + } + + beforeStatus := summary.Status + h.setAuditDetailsExtra(c, map[string]any{ + "action": "UPDATE_CLIENT_STATUS", + "target_id": clientID, + "tenant_id": tenantID, + "before": map[string]any{ + "status": beforeStatus, + }, + "after": map[string]any{ + "status": status, + }, + }) + + updated, err := h.Hydra.PatchClientStatus(c.Context(), clientID, status) + if err != nil { + return errorJSON(c, fiber.StatusInternalServerError, err.Error()) + } + + updatedSummary := h.mapClientSummary(*updated) return c.JSON(clientDetailResponse{ - Client: summary, + Client: updatedSummary, Endpoints: clientEndpoints{ Discovery: strings.TrimRight(h.Hydra.PublicURL, "/") + "/.well-known/openid-configuration", Issuer: h.Hydra.PublicURL, @@ -394,6 +654,7 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error { } func (h *DevHandler) CreateClient(c *fiber.Ctx) error { + tenantID := h.injectTenantContextFromHeader(c) var req clientUpsertRequest if err := c.BodyParser(&req); err != nil { return errorJSON(c, fiber.StatusBadRequest, "invalid request body") @@ -443,6 +704,18 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error { if metadata == nil { metadata = map[string]interface{}{} } + + // [Tenant Isolation] Record owner information + if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil { + metadata["user_id"] = profile.ID + if tenantID == "" && profile.TenantID != nil { + tenantID = *profile.TenantID + } + } + + if tenantID != "" { + metadata["tenant_id"] = tenantID + } metadata["status"] = status metadata["created_at"] = time.Now().Format(time.RFC3339) @@ -466,6 +739,18 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error { Metadata: metadata, } + h.setAuditDetailsExtra(c, map[string]any{ + "action": "CREATE_CLIENT", + "target_id": clientID, + "tenant_id": tenantID, + "after": map[string]any{ + "type": clientType, + "status": status, + "redirect_uri_count": len(redirectURIs), + "scope_count": len(scopes), + }, + }) + created, err := h.Hydra.CreateClient(c.Context(), clientReq) if err != nil { return errorJSON(c, fiber.StatusInternalServerError, err.Error()) @@ -484,6 +769,8 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error { } } + h.setAuditDetailsExtra(c, map[string]any{"target_id": created.ClientID}) + summary := h.mapClientSummary(*created) return c.Status(fiber.StatusCreated).JSON(clientDetailResponse{ Client: summary, @@ -498,6 +785,7 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error { } func (h *DevHandler) UpdateClient(c *fiber.Ctx) error { + tenantID := h.injectTenantContextFromHeader(c) clientID := strings.TrimSpace(c.Params("id")) if clientID == "" { return errorJSON(c, fiber.StatusBadRequest, "client id is required") @@ -516,6 +804,24 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error { return errorJSON(c, fiber.StatusInternalServerError, err.Error()) } + currentSummary := h.mapClientSummary(*current) + + // [Tenant Isolation] + isSuperAdmin := false + userTenantID := "" + if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil { + isSuperAdmin = profile.Role == domain.RoleSuperAdmin + if profile.TenantID != nil { + userTenantID = *profile.TenantID + } + } + if !isSuperAdmin { + clientTenantID, _ := currentSummary.Metadata["tenant_id"].(string) + if clientTenantID != userTenantID { + return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant") + } + } + clientType := "" if req.Type != nil { clientType = strings.ToLower(strings.TrimSpace(*req.Type)) @@ -525,7 +831,6 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error { } // [Security] Check permission for private clients (both current and new type) - currentSummary := h.mapClientSummary(*current) if currentSummary.Type == "private" || clientType == "private" { isAppManager, err := h.checkAppManagerPermission(c) if err != nil { @@ -576,11 +881,24 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error { Metadata: metadata, } + h.setAuditDetailsExtra(c, map[string]any{ + "action": "UPDATE_CLIENT", + "target_id": clientID, + "tenant_id": tenantID, + "before": map[string]any{ + "name": currentSummary.Name, + "type": currentSummary.Type, + "status": currentSummary.Status, + }, + "after": map[string]any{ + "name": strings.TrimSpace(updated.ClientName), + "type": clientTypeOrDefault(updated.TokenEndpointAuthMethod), + "status": resolveStatusFromMetadata(updated.Metadata), + }, + }) + updatedClient, err := h.Hydra.UpdateClient(c.Context(), clientID, updated) if err != nil { - if errors.Is(err, service.ErrHydraNotFound) { - return errorJSON(c, fiber.StatusNotFound, "client not found") - } return errorJSON(c, fiber.StatusInternalServerError, err.Error()) } @@ -598,30 +916,56 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error { } func (h *DevHandler) DeleteClient(c *fiber.Ctx) error { + tenantID := h.injectTenantContextFromHeader(c) clientID := strings.TrimSpace(c.Params("id")) if clientID == "" { return errorJSON(c, fiber.StatusBadRequest, "client id is required") } - // [Security] Check permission for private clients current, err := h.Hydra.GetClient(c.Context(), clientID) - if err == nil { - summary := h.mapClientSummary(*current) - if summary.Type == "private" { - isAppManager, _ := h.checkAppManagerPermission(c) - if !isAppManager { - return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") - } - } - } - - if err := h.Hydra.DeleteClient(c.Context(), clientID); err != nil { + if err != nil { if errors.Is(err, service.ErrHydraNotFound) { return errorJSON(c, fiber.StatusNotFound, "client not found") } return errorJSON(c, fiber.StatusInternalServerError, err.Error()) } + summary := h.mapClientSummary(*current) + + // [Tenant Isolation] + isSuperAdmin := false + userTenantID := "" + if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil { + isSuperAdmin = profile.Role == domain.RoleSuperAdmin + if profile.TenantID != nil { + userTenantID = *profile.TenantID + } + } + if !isSuperAdmin { + clientTenantID, _ := summary.Metadata["tenant_id"].(string) + if clientTenantID != userTenantID { + return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant") + } + } + + // [Security] Check permission for private clients + if summary.Type == "private" { + isAppManager, _ := h.checkAppManagerPermission(c) + if !isAppManager { + return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") + } + } + + h.setAuditDetailsExtra(c, map[string]any{ + "action": "DELETE_CLIENT", + "target_id": clientID, + "tenant_id": tenantID, + }) + + if err := h.Hydra.DeleteClient(c.Context(), clientID); err != nil { + return errorJSON(c, fiber.StatusInternalServerError, err.Error()) + } + // 1. Clean up PostgreSQL if h.SecretRepo != nil { _ = h.SecretRepo.Delete(c.Context(), clientID) @@ -636,6 +980,7 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error { } func (h *DevHandler) ListConsents(c *fiber.Ctx) error { + h.injectTenantContextFromHeader(c) clientID := strings.TrimSpace(c.Query("client_id")) if clientID == "" { return errorJSON(c, fiber.StatusBadRequest, "client_id is required") @@ -648,8 +993,17 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error { limit = 50 } - // [Isolation] Get admin tenant ID from header or locals - adminTenantID := c.Get("X-Tenant-ID") // Assume middleware sets this or trusted in dev + // [Isolation] Get admin tenant ID from locals or header + adminTenantID := "" + if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil { + if profile.Role != domain.RoleSuperAdmin && profile.TenantID != nil { + adminTenantID = *profile.TenantID + } + } + if adminTenantID == "" { + adminTenantID = c.Get("X-Tenant-ID") + } + statusFilter := strings.ToLower(strings.TrimSpace(c.Query("status"))) var consents []domain.ClientConsentWithTenantInfo @@ -664,12 +1018,6 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error { subject = resolved } } - - // Single user fetch from Hydra (to get latest status) or Local DB - // Issue says: "List All", so we prefer Local DB for consistency in listing - // But for a single user, we could still use Hydra. - // Let's use Local DB to support tenant filtering even for search. - // For simplicity, we just filter the list later if search is used. } if adminTenantID != "" { @@ -737,6 +1085,7 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error { } func (h *DevHandler) RevokeConsents(c *fiber.Ctx) error { + tenantID := h.injectTenantContextFromHeader(c) subject := strings.TrimSpace(c.Query("subject")) if subject == "" { return errorJSON(c, fiber.StatusBadRequest, "subject is required") @@ -751,6 +1100,15 @@ func (h *DevHandler) RevokeConsents(c *fiber.Ctx) error { } } + h.setAuditDetailsExtra(c, map[string]any{ + "action": "REVOKE_CONSENT", + "target_id": clientID, + "tenant_id": tenantID, + "after": map[string]any{ + "subject": subject, + }, + }) + // 1. Revoke in Hydra if err := h.Hydra.RevokeConsentSessions(c.Context(), subject, clientID); err != nil { return errorJSON(c, fiber.StatusInternalServerError, err.Error()) @@ -765,30 +1123,13 @@ func (h *DevHandler) RevokeConsents(c *fiber.Ctx) error { } func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error { + tenantID := h.injectTenantContextFromHeader(c) clientID := strings.TrimSpace(c.Params("id")) if clientID == "" { return errorJSON(c, fiber.StatusBadRequest, "client id is required") } - // [Security] Check permission for private clients current, err := h.Hydra.GetClient(c.Context(), clientID) - if err == nil { - summary := h.mapClientSummary(*current) - if summary.Type == "private" { - isAppManager, _ := h.checkAppManagerPermission(c) - if !isAppManager { - return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") - } - } - } - - // 1. Generate new secret - newSecret, err := generateRandomSecret(20) - if err != nil { - return errorJSON(c, fiber.StatusInternalServerError, "failed to generate secret") - } - - // 2. Get current client to preserve other fields (already fetched above) if err != nil { if errors.Is(err, service.ErrHydraNotFound) { return errorJSON(c, fiber.StatusNotFound, "client not found") @@ -796,14 +1137,52 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error { return errorJSON(c, fiber.StatusInternalServerError, err.Error()) } - // 3. Update Hydra + summary := h.mapClientSummary(*current) + + // [Tenant Isolation] + isSuperAdmin := false + userTenantID := "" + if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil { + isSuperAdmin = profile.Role == domain.RoleSuperAdmin + if profile.TenantID != nil { + userTenantID = *profile.TenantID + } + } + if !isSuperAdmin { + clientTenantID, _ := summary.Metadata["tenant_id"].(string) + if clientTenantID != userTenantID { + return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant") + } + } + + // [Security] Check permission for private clients + if summary.Type == "private" { + isAppManager, _ := h.checkAppManagerPermission(c) + if !isAppManager { + return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") + } + } + + h.setAuditDetailsExtra(c, map[string]any{ + "action": "ROTATE_SECRET", + "target_id": clientID, + "tenant_id": tenantID, + }) + + // 1. Generate new secret + newSecret, err := generateRandomSecret(20) + if err != nil { + return errorJSON(c, fiber.StatusInternalServerError, "failed to generate secret") + } + + // 2. Update Hydra current.ClientSecret = newSecret updated, err := h.Hydra.UpdateClient(c.Context(), clientID, *current) if err != nil { return errorJSON(c, fiber.StatusInternalServerError, err.Error()) } - // 4. Update Persistence (DB & Redis) + // 3. Update Persistence (DB & Redis) if h.SecretRepo != nil { if err := h.SecretRepo.Upsert(c.Context(), clientID, newSecret); err != nil { // Log error but don't fail the request as Hydra is already updated @@ -816,11 +1195,11 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error { } // Return the new secret - summary := h.mapClientSummary(*updated) - summary.ClientSecret = newSecret + updatedSummary := h.mapClientSummary(*updated) + updatedSummary.ClientSecret = newSecret return c.JSON(clientDetailResponse{ - Client: summary, + Client: updatedSummary, Endpoints: clientEndpoints{ Discovery: strings.TrimRight(h.Hydra.PublicURL, "/") + "/.well-known/openid-configuration", Issuer: h.Hydra.PublicURL, @@ -831,6 +1210,150 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error { }) } +func (h *DevHandler) ListAuditLogs(c *fiber.Ctx) error { + if h.AuditRepo == nil { + return errorJSON(c, fiber.StatusServiceUnavailable, "Audit service unavailable") + } + + h.injectTenantContextFromHeader(c) + allowed, err := h.checkAppManagerPermission(c) + if err != nil { + return errorJSON(c, fiber.StatusInternalServerError, "permission check error") + } + if !allowed { + return errorJSON(c, fiber.StatusForbidden, "forbidden") + } + + limit := c.QueryInt("limit", 50) + if limit <= 0 { + limit = 50 + } + if limit > 200 { + limit = 200 + } + + actionFilter := strings.ToUpper(strings.TrimSpace(c.Query("action"))) + clientFilter := strings.TrimSpace(c.Query("client_id")) + statusFilter := strings.ToLower(strings.TrimSpace(c.Query("status"))) + tenantFilter := strings.TrimSpace(c.Query("tenant_id")) + if tenantFilter == "" { + tenantFilter = h.resolveDevTenantScope(c) + } + + cursorRaw := c.Query("cursor") + cursor, err := parseAuditCursor(cursorRaw) + if err != nil { + return errorJSON(c, fiber.StatusBadRequest, "Invalid cursor") + } + + collected := make([]domain.AuditLog, 0, limit+1) + nextCursor := cursor + scanned := 0 + const pageSize = 100 + const maxScan = 3000 + + for len(collected) < limit+1 && scanned < maxScan { + page, findErr := h.AuditRepo.FindPage(c.Context(), pageSize, nextCursor) + if findErr != nil { + return errorJSON(c, fiber.StatusInternalServerError, "Failed to retrieve audit logs") + } + if len(page) == 0 { + break + } + + for _, logItem := range page { + scanned++ + if h.matchesDevAuditFilter(logItem, tenantFilter, clientFilter, actionFilter, statusFilter) { + collected = append(collected, logItem) + if len(collected) == limit+1 { + break + } + } + } + + last := page[len(page)-1] + nextCursor = &domain.AuditCursor{Timestamp: last.Timestamp, EventID: last.EventID} + if len(page) < pageSize { + break + } + } + + nextCursorRaw := "" + if len(collected) > limit { + last := collected[limit-1] + nextCursorRaw = encodeAuditCursor(last) + collected = collected[:limit] + } + + return c.JSON(devAuditListResponse{ + Items: collected, + Limit: limit, + Cursor: cursorRaw, + NextCursor: nextCursorRaw, + }) +} + +func (h *DevHandler) GetStats(c *fiber.Ctx) error { + h.injectTenantContextFromHeader(c) + + // [Security] Check permission + allowed, err := h.checkAppManagerPermission(c) + if err != nil { + return errorJSON(c, fiber.StatusInternalServerError, "permission check error") + } + if !allowed { + return errorJSON(c, fiber.StatusForbidden, "forbidden") + } + + userTenantID := "" + isSuperAdmin := false + if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil { + isSuperAdmin = profile.Role == domain.RoleSuperAdmin + if profile.TenantID != nil { + userTenantID = *profile.TenantID + } + } + + // 1. Total Clients (Tenant Scoped) + // Hydra doesn't support tenant filtering natively, so we list and filter. + // For stats, we might want to fetch a larger batch or use a cached count. + clients, err := h.Hydra.ListClients(c.Context(), 500, 0) + var totalClients int64 + if err == nil { + for _, client := range clients { + if isSuperAdmin { + totalClients++ + continue + } + if client.Metadata != nil { + if tid, ok := client.Metadata["tenant_id"].(string); ok && tid == userTenantID { + totalClients++ + } + } + } + } + + // 2. Auth Failures (24h) + var authFailures int64 + if h.AuditRepo != nil { + since := time.Now().Add(-24 * time.Hour) + authFailures, _ = h.AuditRepo.CountFailuresSince(c.Context(), since, userTenantID) + } + + // 3. Active Sessions (1h) + var activeSessions int64 + if h.AuditRepo != nil { + since := time.Now().Add(-1 * time.Hour) + activeSessions, _ = h.AuditRepo.CountActiveSessionsSince(c.Context(), since, userTenantID) + } + + return c.JSON(devStatsResponse{ + TotalClients: totalClients, + ActiveSessions: activeSessions, + AuthFailures: authFailures, + }) +} + func generateRandomSecret(length int) (string, error) { bytes := make([]byte, length) if _, err := rand.Read(bytes); err != nil { @@ -963,3 +1486,109 @@ func resolveTokenAuthMethod(requested, fallback string) string { } return requested } + +func (h *DevHandler) injectTenantContextFromHeader(c *fiber.Ctx) string { + tenantID := strings.TrimSpace(c.Get("X-Tenant-ID")) + if tenantID != "" { + c.Locals("tenant_id", tenantID) + } + return tenantID +} + +func (h *DevHandler) setAuditDetailsExtra(c *fiber.Ctx, extra map[string]any) { + if c == nil || len(extra) == 0 { + return + } + if existing := c.Locals("audit_details_extra"); existing != nil { + if m, ok := existing.(map[string]any); ok { + for k, v := range extra { + m[k] = v + } + c.Locals("audit_details_extra", m) + return + } + } + c.Locals("audit_details_extra", extra) +} + +func normalizeAuditAction(eventType string, details map[string]any) string { + if raw, ok := details["action"].(string); ok && strings.TrimSpace(raw) != "" { + return strings.ToUpper(strings.TrimSpace(raw)) + } + normalized := strings.TrimSpace(eventType) + switch { + case normalized == "POST /api/v1/dev/clients": + return "CREATE_CLIENT" + case strings.HasPrefix(normalized, "PUT /api/v1/dev/clients/"): + return "UPDATE_CLIENT" + case strings.HasPrefix(normalized, "PATCH /api/v1/dev/clients/") && strings.HasSuffix(normalized, "/status"): + return "UPDATE_CLIENT_STATUS" + case strings.HasPrefix(normalized, "POST /api/v1/dev/clients/") && strings.HasSuffix(normalized, "/secret/rotate"): + return "ROTATE_SECRET" + case strings.HasPrefix(normalized, "DELETE /api/v1/dev/clients/"): + return "DELETE_CLIENT" + case normalized == "DELETE /api/v1/dev/consents": + return "REVOKE_CONSENT" + default: + return "" + } +} + +func resolveStatusFromMetadata(metadata map[string]interface{}) string { + if metadata != nil { + if value, ok := metadata["status"].(string); ok && strings.ToLower(strings.TrimSpace(value)) == "inactive" { + return "inactive" + } + } + return "active" +} + +func clientTypeOrDefault(tokenEndpointAuthMethod string) string { + if strings.EqualFold(tokenEndpointAuthMethod, "none") { + return "pkce" + } + return "private" +} + +func (h *DevHandler) matchesDevAuditFilter( + logItem domain.AuditLog, + tenantFilter, clientFilter, actionFilter, statusFilter string, +) bool { + if !strings.Contains(logItem.EventType, "/api/v1/dev/") { + return false + } + details, _ := parseAuditDetails(logItem.Details) + if statusFilter != "" && statusFilter != "all" && strings.ToLower(logItem.Status) != statusFilter { + return false + } + if tenantFilter != "" { + detailTenant, _ := details["tenant_id"].(string) + if strings.TrimSpace(detailTenant) != tenantFilter { + return false + } + } + if clientFilter != "" { + targetID, _ := details["target_id"].(string) + clientID, _ := details["client_id"].(string) + if strings.TrimSpace(targetID) != clientFilter && strings.TrimSpace(clientID) != clientFilter { + return false + } + } + if actionFilter != "" { + if normalizeAuditAction(logItem.EventType, details) != actionFilter { + return false + } + } + return true +} + +func (h *DevHandler) resolveDevTenantScope(c *fiber.Ctx) string { + fromHeader := strings.TrimSpace(c.Get("X-Tenant-ID")) + if fromHeader != "" { + return fromHeader + } + if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil && profile.TenantID != nil { + return strings.TrimSpace(*profile.TenantID) + } + return "" +} diff --git a/backend/internal/handler/dev_handler_isolation_test.go b/backend/internal/handler/dev_handler_isolation_test.go new file mode 100644 index 00000000..0364f1e2 --- /dev/null +++ b/backend/internal/handler/dev_handler_isolation_test.go @@ -0,0 +1,193 @@ +package handler + +import ( + "baron-sso-backend/internal/domain" + "baron-sso-backend/internal/service" + "bytes" + "encoding/json" + "net/http" + "net/http/httptest" + "strings" + "testing" + + "github.com/gofiber/fiber/v2" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" +) + +func TestDevHandler_Isolation(t *testing.T) { + mockKeto := new(MockKetoService) + + h := &DevHandler{ + Hydra: &service.HydraAdminService{ + AdminURL: "http://hydra.test", + HTTPClient: &http.Client{ + Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) { + if r.Method == http.MethodGet && r.URL.Path == "/clients" { + return httpJSONAny(r, http.StatusOK, []map[string]interface{}{ + { + "client_id": "client-tenant-a", + "client_name": "App Tenant A", + "token_endpoint_auth_method": "none", // PKCE + "metadata": map[string]interface{}{"tenant_id": "tenant-a"}, + }, + { + "client_id": "client-tenant-b", + "client_name": "App Tenant B", + "token_endpoint_auth_method": "none", // PKCE + "metadata": map[string]interface{}{"tenant_id": "tenant-b"}, + }, + }), nil + } + if (r.Method == http.MethodGet || r.Method == http.MethodPut) && strings.HasPrefix(r.URL.Path, "/clients/") { + id := strings.TrimPrefix(r.URL.Path, "/clients/") + tenantID := "tenant-a" + if id == "client-tenant-b" { + tenantID = "tenant-b" + } + return httpJSONAny(r, http.StatusOK, map[string]interface{}{ + "client_id": id, + "client_name": "App " + id, + "token_endpoint_auth_method": "none", + "metadata": map[string]interface{}{"tenant_id": tenantID}, + }), nil + } + if r.Method == http.MethodPost && r.URL.Path == "/clients" { + var body map[string]interface{} + json.NewDecoder(r.Body).Decode(&body) + return httpJSONAny(r, http.StatusCreated, body), nil + } + return httpJSONAny(r, http.StatusNotFound, nil), nil + }), + }, + }, + Keto: mockKeto, + } + + t.Run("Local bypass should be removed", func(t *testing.T) { + app := fiber.New() + app.Get("/api/v1/dev/clients", h.ListClients) + + req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil) + req.Header.Set("Origin", "http://localhost:5174") + + resp, _ := app.Test(req, -1) + // We expect 401 now because ListClients enforces authentication. + assert.Equal(t, http.StatusUnauthorized, resp.StatusCode) + }) + + t.Run("ListClients should filter by tenant_id for non-SuperAdmin", func(t *testing.T) { + app := fiber.New() + tenantA := "tenant-a" + app.Use(func(c *fiber.Ctx) error { + c.Locals("user_profile", &domain.UserProfileResponse{ + ID: "user-a", + Role: domain.RoleUser, + TenantID: &tenantA, + }) + return c.Next() + }) + app.Get("/api/v1/dev/clients", h.ListClients) + + mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "AppManager", "member").Return(false, nil) + + req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil) + resp, _ := app.Test(req, -1) + + assert.Equal(t, http.StatusOK, resp.StatusCode) + var res struct { + Items []clientSummary `json:"items"` + } + json.NewDecoder(resp.Body).Decode(&res) + + // Should only see client-tenant-a + assert.Equal(t, 1, len(res.Items)) + assert.Equal(t, "client-tenant-a", res.Items[0].ID) + }) + + t.Run("GetClient should enforce tenant isolation", func(t *testing.T) { + app := fiber.New() + tenantA := "tenant-a" + app.Use(func(c *fiber.Ctx) error { + c.Locals("user_profile", &domain.UserProfileResponse{ + ID: "user-a", + Role: domain.RoleUser, + TenantID: &tenantA, + }) + return c.Next() + }) + app.Get("/api/v1/dev/clients/:id", h.GetClient) + + // Case 1: Same tenant + req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-tenant-a", nil) + resp, _ := app.Test(req, -1) + assert.Equal(t, http.StatusOK, resp.StatusCode) + + // Case 2: Different tenant + req = httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-tenant-b", nil) + resp, _ = app.Test(req, -1) + assert.Equal(t, http.StatusForbidden, resp.StatusCode) + }) + + t.Run("UpdateClient should enforce tenant isolation", func(t *testing.T) { + app := fiber.New() + tenantA := "tenant-a" + app.Use(func(c *fiber.Ctx) error { + c.Locals("user_profile", &domain.UserProfileResponse{ + ID: "user-a", + Role: domain.RoleUser, + TenantID: &tenantA, + }) + return c.Next() + }) + app.Put("/api/v1/dev/clients/:id", h.UpdateClient) + + body, _ := json.Marshal(map[string]interface{}{ + "client_name": "Updated Name", + }) + + // Case 1: Same tenant + req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-tenant-a", bytes.NewReader(body)) + req.Header.Set("Content-Type", "application/json") + resp, _ := app.Test(req, -1) + assert.Equal(t, http.StatusOK, resp.StatusCode) + + // Case 2: Different tenant + req = httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-tenant-b", bytes.NewReader(body)) + req.Header.Set("Content-Type", "application/json") + resp, _ = app.Test(req, -1) + assert.Equal(t, http.StatusForbidden, resp.StatusCode) + }) + + t.Run("CreateClient should record user_id and tenant_id", func(t *testing.T) { + app := fiber.New() + tenantA := "tenant-a" + app.Use(func(c *fiber.Ctx) error { + c.Locals("user_profile", &domain.UserProfileResponse{ + ID: "user-a", + Role: domain.RoleSuperAdmin, // Bypass for creation permission + TenantID: &tenantA, + }) + return c.Next() + }) + app.Post("/api/v1/dev/clients", h.CreateClient) + + body, _ := json.Marshal(map[string]interface{}{ + "client_name": "New App", + "type": "pkce", + "redirectUris": []string{"http://localhost/cb"}, + }) + req := httptest.NewRequest(http.MethodPost, "/api/v1/dev/clients", bytes.NewReader(body)) + req.Header.Set("Content-Type", "application/json") + req.Header.Set("X-Tenant-ID", "tenant-a") + + resp, _ := app.Test(req, -1) + assert.Equal(t, http.StatusCreated, resp.StatusCode) + + var res clientDetailResponse + json.NewDecoder(resp.Body).Decode(&res) + + assert.Equal(t, "tenant-a", res.Client.Metadata["tenant_id"]) + assert.Equal(t, "user-a", res.Client.Metadata["user_id"]) + }) +} diff --git a/backend/internal/handler/dev_handler_test.go b/backend/internal/handler/dev_handler_test.go index 7647b30c..58ea45b1 100644 --- a/backend/internal/handler/dev_handler_test.go +++ b/backend/internal/handler/dev_handler_test.go @@ -9,6 +9,7 @@ import ( "net/http" "net/http/httptest" "testing" + "time" "github.com/gofiber/fiber/v2" "github.com/stretchr/testify/assert" @@ -172,3 +173,79 @@ func TestCreateClient_Success(t *testing.T) { secret, _ := secretRepo.GetByID(nil, "new-client-123") assert.Equal(t, "secret-123", secret) } + +func TestListAuditLogs_FilterByActionAndClientID(t *testing.T) { + now := time.Now().UTC() + auditRepo := &mockAuditRepo{ + logs: []domain.AuditLog{ + { + EventID: "evt-1", + Timestamp: now, + UserID: "user-a", + EventType: "PUT /api/v1/dev/clients/client-1", + Status: "success", + Details: `{"action":"UPDATE_CLIENT","target_id":"client-1","tenant_id":"tenant-a"}`, + }, + { + EventID: "evt-2", + Timestamp: now.Add(-time.Minute), + UserID: "user-a", + EventType: "DELETE /api/v1/dev/clients/client-1", + Status: "success", + Details: `{"action":"DELETE_CLIENT","target_id":"client-1","tenant_id":"tenant-a"}`, + }, + { + EventID: "evt-3", + Timestamp: now.Add(-2 * time.Minute), + UserID: "user-b", + EventType: "PUT /api/v1/dev/clients/client-2", + Status: "failure", + Details: `{"action":"UPDATE_CLIENT","target_id":"client-2","tenant_id":"tenant-b"}`, + }, + }, + } + + h := &DevHandler{ + AuditRepo: auditRepo, + Keto: new(MockKetoService), + } + app := fiber.New() + app.Use(func(c *fiber.Ctx) error { + c.Locals("user_profile", &domain.UserProfileResponse{ID: "test-user", Role: domain.RoleSuperAdmin}) + return c.Next() + }) + app.Get("/api/v1/dev/audit-logs", h.ListAuditLogs) + + req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/audit-logs?action=UPDATE_CLIENT&client_id=client-1&status=success", nil) + resp, _ := app.Test(req, -1) + + assert.Equal(t, http.StatusOK, resp.StatusCode) + + var res devAuditListResponse + _ = json.NewDecoder(resp.Body).Decode(&res) + assert.Len(t, res.Items, 1) + assert.Equal(t, "evt-1", res.Items[0].EventID) + assert.Equal(t, "success", res.Items[0].Status) +} + +func TestListAuditLogs_NonAdminKetoErrorReturnsForbidden(t *testing.T) { + mockKeto := new(MockKetoService) + mockKeto.On("CheckPermission", mock.Anything, "user-1", "System", "AppManager", "member").Return(false, assert.AnError) + + h := &DevHandler{ + AuditRepo: &mockAuditRepo{}, + Keto: mockKeto, + } + app := fiber.New() + app.Use(func(c *fiber.Ctx) error { + c.Locals("user_profile", &domain.UserProfileResponse{ID: "user-1", Role: domain.RoleUser}) + return c.Next() + }) + app.Get("/api/v1/dev/audit-logs", h.ListAuditLogs) + + req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/audit-logs?limit=50", nil) + resp, _ := app.Test(req, -1) + + assert.Equal(t, http.StatusForbidden, resp.StatusCode) + mockKeto.AssertExpectations(t) +} diff --git a/backend/internal/middleware/audit_middleware_test.go b/backend/internal/middleware/audit_middleware_test.go index f764b7d1..66a0f57e 100644 --- a/backend/internal/middleware/audit_middleware_test.go +++ b/backend/internal/middleware/audit_middleware_test.go @@ -8,6 +8,7 @@ import ( "net/http/httptest" "strings" "testing" + "time" "github.com/gofiber/fiber/v2" "github.com/stretchr/testify/assert" @@ -34,6 +35,14 @@ func (m *MockAuditRepository) FindByUserAndEvents(ctx context.Context, userID st return args.Get(0).([]domain.AuditLog), args.Error(1) } +func (m *MockAuditRepository) CountFailuresSince(ctx context.Context, since time.Time, tenantID string) (int64, error) { + return 0, nil +} + +func (m *MockAuditRepository) CountActiveSessionsSince(ctx context.Context, since time.Time, tenantID string) (int64, error) { + return 0, nil +} + func (m *MockAuditRepository) Ping(ctx context.Context) error { args := m.Called(ctx) return args.Error(0) diff --git a/backend/internal/repository/clickhouse_repo.go b/backend/internal/repository/clickhouse_repo.go index ee1c029e..532cfa55 100644 --- a/backend/internal/repository/clickhouse_repo.go +++ b/backend/internal/repository/clickhouse_repo.go @@ -195,3 +195,44 @@ func (r *ClickHouseRepository) Ping(ctx context.Context) error { } return r.conn.Ping(ctx) } + +func (r *ClickHouseRepository) CountFailuresSince(ctx context.Context, since time.Time, tenantID string) (int64, error) { + query := ` + SELECT count() + FROM audit_logs + WHERE status = 'failure' AND timestamp >= ? + ` + args := []any{since} + if tenantID != "" { + query += " AND JSONExtractString(details, 'tenant_id') = ?" + args = append(args, tenantID) + } + + var count int64 + err := r.conn.QueryRow(ctx, query, args...).Scan(&count) + if err != nil { + return 0, fmt.Errorf("failed to count failures: %w", err) + } + return count, nil +} + +func (r *ClickHouseRepository) CountActiveSessionsSince(ctx context.Context, since time.Time, tenantID string) (int64, error) { + // We use uniqExact(session_id) to count unique sessions that had success events recently. + query := ` + SELECT uniqExact(session_id) + FROM audit_logs + WHERE status = 'success' AND timestamp >= ? AND session_id != '' + ` + args := []any{since} + if tenantID != "" { + query += " AND JSONExtractString(details, 'tenant_id') = ?" + args = append(args, tenantID) + } + + var count int64 + err := r.conn.QueryRow(ctx, query, args...).Scan(&count) + if err != nil { + return 0, fmt.Errorf("failed to count active sessions: %w", err) + } + return count, nil +} diff --git a/devfront/src/app/routes.tsx b/devfront/src/app/routes.tsx index a2f53e51..b28a124c 100644 --- a/devfront/src/app/routes.tsx +++ b/devfront/src/app/routes.tsx @@ -1,5 +1,6 @@ import { Navigate, createBrowserRouter } from "react-router-dom"; import AppLayout from "../components/layout/AppLayout"; +import AuditLogsPage from "../features/audit/AuditLogsPage"; import AuthCallbackPage from "../features/auth/AuthCallbackPage"; import AuthGuard from "../features/auth/AuthGuard"; import LoginPage from "../features/auth/LoginPage"; @@ -31,6 +32,7 @@ export const router = createBrowserRouter( { path: "clients/:id", element: }, { path: "clients/:id/consents", element: }, { path: "clients/:id/settings", element: }, + { path: "audit-logs", element: }, ], }, ], diff --git a/devfront/src/components/layout/AppLayout.tsx b/devfront/src/components/layout/AppLayout.tsx index c0324ac1..66b8d175 100644 --- a/devfront/src/components/layout/AppLayout.tsx +++ b/devfront/src/components/layout/AppLayout.tsx @@ -1,4 +1,11 @@ -import { BadgeCheck, LogOut, Moon, ShieldHalf, Sun } from "lucide-react"; +import { + BadgeCheck, + LogOut, + Moon, + NotebookTabs, + ShieldHalf, + Sun, +} from "lucide-react"; import { useEffect, useRef, useState } from "react"; import { useAuth } from "react-oidc-context"; import { NavLink, Outlet, useNavigate } from "react-router-dom"; @@ -13,6 +20,12 @@ const navItems = [ to: "/clients", icon: ShieldHalf, }, + { + labelKey: "ui.dev.nav.audit_logs", + labelFallback: "Audit Logs", + to: "/audit-logs", + icon: NotebookTabs, + }, ]; function AppLayout() { diff --git a/devfront/src/features/audit/AuditLogsPage.tsx b/devfront/src/features/audit/AuditLogsPage.tsx index ebaee008..d4dcc6e1 100644 --- a/devfront/src/features/audit/AuditLogsPage.tsx +++ b/devfront/src/features/audit/AuditLogsPage.tsx @@ -1,141 +1,426 @@ -import { Filter, ListChecks, Search, Terminal } from "lucide-react"; +import { useInfiniteQuery } from "@tanstack/react-query"; +import type { AxiosError } from "axios"; +import { + ChevronDown, + ChevronUp, + Copy, + Download, + RefreshCw, + Search, +} from "lucide-react"; +import * as React from "react"; +import { Badge } from "../../components/ui/badge"; +import { Button } from "../../components/ui/button"; +import { + Card, + CardContent, + CardDescription, + CardHeader, + CardTitle, +} from "../../components/ui/card"; +import { Input } from "../../components/ui/input"; +import { + Table, + TableBody, + TableCell, + TableHead, + TableHeader, + TableRow, +} from "../../components/ui/table"; +import type { DevAuditLog } from "../../lib/devApi"; +import { fetchDevAuditLogs } from "../../lib/devApi"; +import { t } from "../../lib/i18n"; -const auditFilters = [ - "Actor role = admin", - "Action = client.rotate_secret", - "Tenant = selected header", -]; +type AuditDetails = { + request_id?: string; + method?: string; + path?: string; + tenant_id?: string; + action?: string; + target_id?: string; + before?: unknown; + after?: unknown; + error?: string; +}; -const auditRows = [ - { - action: "client.create", - tenant: "TENANT-12", - actor: "ops.jane@baron", - result: "ok", - ts: "2026-01-26 15:21 KST", - }, - { - action: "client.rotate_secret", - tenant: "TENANT-12", - actor: "ops.jane@baron", - result: "ok", - ts: "2026-01-26 15:22 KST", - }, - { - action: "audit.export", - tenant: "TENANT-07", - actor: "auditor.lee@baron", - result: "rate_limited", - ts: "2026-01-26 15:30 KST", - }, -]; +function parseDetails(details?: string): AuditDetails { + if (!details) { + return {}; + } + try { + const parsed = JSON.parse(details); + if (parsed && typeof parsed === "object") { + return parsed as AuditDetails; + } + } catch {} + return {}; +} + +function formatValue(value: unknown): string { + if (value === null || value === undefined || value === "") { + return "-"; + } + if (typeof value === "string") { + return value; + } + try { + return JSON.stringify(value); + } catch { + return String(value); + } +} + +function formatDateTime(value: string): string { + const parsed = new Date(value); + if (Number.isNaN(parsed.getTime())) { + return value; + } + return parsed.toLocaleString("ko-KR"); +} + +function toCsv(logs: DevAuditLog[]) { + const header = [ + "timestamp", + "user_id", + "status", + "event_type", + "action", + "target_id", + "tenant_id", + "request_id", + ]; + const rows = logs.map((logItem) => { + const details = parseDetails(logItem.details); + return [ + logItem.timestamp, + logItem.user_id || "", + logItem.status, + logItem.event_type, + details.action || "", + details.target_id || "", + details.tenant_id || "", + details.request_id || "", + ]; + }); + return [header, ...rows] + .map((line) => + line.map((cell) => `"${String(cell).replaceAll('"', '""')}"`).join(","), + ) + .join("\n"); +} + +function downloadCsv(content: string, filename: string) { + const blob = new Blob([content], { type: "text/csv;charset=utf-8;" }); + const url = URL.createObjectURL(blob); + const anchor = document.createElement("a"); + anchor.href = url; + anchor.download = filename; + document.body.appendChild(anchor); + anchor.click(); + document.body.removeChild(anchor); + URL.revokeObjectURL(url); +} function AuditLogsPage() { + const [searchClientId, setSearchClientId] = React.useState(""); + const [searchAction, setSearchAction] = React.useState(""); + const [statusFilter, setStatusFilter] = React.useState("all"); + const [expandedRows, setExpandedRows] = React.useState< + Record + >({}); + + const query = useInfiniteQuery({ + queryKey: ["dev-audit-logs", searchClientId, searchAction, statusFilter], + queryFn: ({ pageParam }) => + fetchDevAuditLogs(50, pageParam, { + client_id: searchClientId.trim() || undefined, + action: searchAction.trim() || undefined, + status: statusFilter !== "all" ? statusFilter : undefined, + }), + initialPageParam: undefined as string | undefined, + getNextPageParam: (lastPage) => lastPage.next_cursor || undefined, + }); + + const logs = + query.data?.pages.flatMap((page) => + page.items.filter((item): item is DevAuditLog => Boolean(item)), + ) ?? []; + + const handleCopy = (value: string) => { + if (!value) { + return; + } + navigator.clipboard.writeText(value); + }; + + const handleExportCsv = () => { + const csv = toCsv(logs); + const stamp = new Date().toISOString().replaceAll(":", "-"); + downloadCsv(csv, `dev-audit-logs-${stamp}.csv`); + }; + + if (query.isLoading) { + return ( +
+ {t("msg.dev.audit.loading", "Loading audit logs...")} +
+ ); + } + + if (query.error) { + const axiosError = query.error as AxiosError<{ error?: string }>; + if (axiosError.response?.status === 403) { + return ( +
+ {t( + "msg.dev.audit.forbidden", + "감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요.", + )} +
+ ); + } + + const errMsg = + axiosError.response?.data?.error ?? (query.error as Error).message; + return ( +
+ {t("msg.dev.audit.load_error", "Error loading logs: {{error}}", { + error: errMsg, + })} +
+ ); + } + return ( -
-
-
-

- Audit stream -

-

- Observe admin actions per tenant -

-

- ClickHouse-backed feed. Filter by tenant, actor, action, and - rate-limit status. Enforce admin-only access under /admin. -

-
-
- - -
-
+
+ + +
+

+ {t("ui.dev.audit.registry.title", "Audit registry")} +

+ + {t("ui.dev.audit.title", "Audit Logs")} + + + {t( + "msg.dev.audit.subtitle", + "Shows DevFront activity history within current tenant/app scope.", + )} + +
+
+ + {t("msg.dev.audit.loaded_count", "Loaded {{count}} rows", { + count: logs.length, + })} + + + +
+ + +
+
+ + setSearchClientId(e.target.value)} + placeholder={t( + "ui.dev.audit.filter.client_id", + "Filter by Client ID", + )} + /> +
+ setSearchAction(e.target.value.toUpperCase())} + placeholder={t( + "ui.dev.audit.filter.action", + "Filter by Action (e.g. ROTATE_SECRET)", + )} + /> + +
-
-
-
- - - Try: tenant:TENANT-12 action:client.* - -
-
- {auditFilters.map((filter) => ( - - - {filter} - - ))} -
-
- {auditRows.map((row) => ( -
-
{row.action}
-
{row.tenant}
-
{row.actor}
-
- + + + + {t("ui.dev.audit.table.time", "Time")} + + + {t("ui.dev.audit.table.actor", "Actor")} + + + {t("ui.dev.audit.table.action", "Action")} + + + {t("ui.dev.audit.table.target", "Target")} + + + {t("ui.dev.audit.table.status", "Status")} + + + + + + {logs.length === 0 && ( + + - {row.result} - - {row.ts} -
-
- ))} -
-
+ {t("msg.dev.audit.empty", "No audit logs found.")} + + + )} + {logs.map((row, index) => { + const details = parseDetails(row.details); + const actionLabel = details.action || row.event_type; + const targetValue = details.target_id || "-"; + const rowKey = `${row.event_id}-${row.timestamp}-${index}`; + const expanded = Boolean(expandedRows[rowKey]); + return ( + + + + {formatDateTime(row.timestamp)} + + +
+ {row.user_id || "-"} + {row.user_id ? ( + + ) : null} +
+ + {actionLabel} + +
+ {targetValue} + {targetValue !== "-" ? ( + + ) : null} +
+ + + + {row.status} + + + + + + + {expanded ? ( + + +
+
+
+ Request ID: {formatValue(details.request_id)} +
+
Method: {formatValue(details.method)}
+
Path: {formatValue(details.path)}
+
+ Tenant: {formatValue(details.tenant_id)} +
+
+
+
Before: {formatValue(details.before)}
+
After: {formatValue(details.after)}
+
Error: {formatValue(details.error)}
+
+
+ + + ) : null} + + ); + })} + + -
-
-

- Guard rails -

-

Tenant admin only

-

- Enforce Tenant Admin middleware and admin session TTL before - surfacing any audit feed. Super Admin role can bypass tenant - filter when needed. -

-
-
-

- Export rules -

-

- Rate-limit sensitive exports -

-

- Keep export endpoints behind admin-only routes with ClickHouse - query limits. Log download attempts with IP, role, and tenant - scope. -

-
-
-
+ {query.hasNextPage ? ( +
+ +
+ ) : null} + +
); } diff --git a/devfront/src/features/auth/AuthCallbackPage.tsx b/devfront/src/features/auth/AuthCallbackPage.tsx index 339dade5..929bc7b4 100644 --- a/devfront/src/features/auth/AuthCallbackPage.tsx +++ b/devfront/src/features/auth/AuthCallbackPage.tsx @@ -10,7 +10,9 @@ export default function AuthCallbackPage() { useEffect(() => { // 팝업으로 열린 경우 signinPopupCallback 처리 if (window.opener) { - userManager.signinPopupCallback(); + userManager.signinPopupCallback().catch((error) => { + console.error("Popup callback failed:", error); + }); return; } diff --git a/devfront/src/features/auth/AuthGuard.tsx b/devfront/src/features/auth/AuthGuard.tsx index 50abe838..26069583 100644 --- a/devfront/src/features/auth/AuthGuard.tsx +++ b/devfront/src/features/auth/AuthGuard.tsx @@ -4,7 +4,7 @@ import { Navigate, Outlet } from "react-router-dom"; export default function AuthGuard() { const auth = useAuth(); - if (auth.isLoading) { + if (auth.isLoading || auth.activeNavigator) { return
Loading...
; } diff --git a/devfront/src/features/auth/LoginPage.tsx b/devfront/src/features/auth/LoginPage.tsx index 4d592b68..3c87a65e 100644 --- a/devfront/src/features/auth/LoginPage.tsx +++ b/devfront/src/features/auth/LoginPage.tsx @@ -1,4 +1,5 @@ import { ExternalLink, LogIn, ShieldHalf } from "lucide-react"; +import { useEffect } from "react"; import { useAuth } from "react-oidc-context"; import { useNavigate } from "react-router-dom"; import { Button } from "../../components/ui/button"; @@ -14,10 +15,15 @@ function LoginPage() { const auth = useAuth(); const navigate = useNavigate(); + useEffect(() => { + if (auth.isAuthenticated) { + navigate("/clients", { replace: true }); + } + }, [auth.isAuthenticated, navigate]); + const handleSSOLogin = async () => { try { await auth.signinPopup(); - navigate("/clients", { replace: true }); } catch (error) { console.error("Popup login failed", error); } diff --git a/devfront/src/features/clients/ClientConsentsPage.tsx b/devfront/src/features/clients/ClientConsentsPage.tsx index c6f3d108..56cb764b 100644 --- a/devfront/src/features/clients/ClientConsentsPage.tsx +++ b/devfront/src/features/clients/ClientConsentsPage.tsx @@ -3,6 +3,7 @@ import { ArrowLeft, ChevronLeft, ChevronRight, + Download, Filter, Search, } from "lucide-react"; @@ -275,6 +276,7 @@ function ClientConsentsPage() { onClick={handleExportCSV} disabled={filteredRows.length === 0} > + {t("ui.dev.clients.consents.export_csv", "Export CSV")}
diff --git a/devfront/src/features/clients/ClientGeneralPage.tsx b/devfront/src/features/clients/ClientGeneralPage.tsx index 91bcd6cc..964d4d55 100644 --- a/devfront/src/features/clients/ClientGeneralPage.tsx +++ b/devfront/src/features/clients/ClientGeneralPage.tsx @@ -30,6 +30,7 @@ import { deleteClient, fetchClient, updateClient, + updateClientStatus, } from "../../lib/devApi"; import type { ClientStatus, @@ -63,6 +64,7 @@ function ClientGeneralPage() { const [logoUrl, setLogoUrl] = useState(""); const [clientType, setClientType] = useState("private"); const [status, setStatus] = useState("active"); + const [initialStatus, setInitialStatus] = useState("active"); const [redirectUris, setRedirectUris] = useState(""); const [scopes, setScopes] = useState(() => [ { @@ -91,6 +93,7 @@ function ClientGeneralPage() { setName(client.name || client.id); setClientType(client.type); setStatus(client.status); + setInitialStatus(client.status); const metadata = client.metadata ?? {}; if (typeof metadata.description === "string") @@ -158,7 +161,6 @@ function ClientGeneralPage() { const payload: ClientUpsertRequest = { name, type: clientType, - status, scopes: scopeNames, metadata: { description, @@ -169,6 +171,7 @@ function ClientGeneralPage() { // 생성 시에는 Redirect URIs를 포함해서 전송 if (isCreate) { + payload.status = status; payload.redirectUris = redirectUris .split(",") .map((uri) => uri.trim()) @@ -176,11 +179,19 @@ function ClientGeneralPage() { return createClient(payload); } - // 수정 시에는 Redirect URIs는 별도 탭에서 관리하므로 제외 (빈 배열이나 undefined로 보내지 않음) - return updateClient(clientId as string, payload); + // 수정 시에는 Redirect URIs는 별도 탭에서 관리하고, + // status는 전용 PATCH API로 처리해서 감사로그 액션을 분리한다. + const updated = await updateClient(clientId as string, payload); + if (status !== initialStatus) { + await updateClientStatus(clientId as string, status); + } + return updated; }, onSuccess: (result) => { queryClient.invalidateQueries({ queryKey: ["clients"] }); + if (status !== initialStatus) { + setInitialStatus(status); + } if (result?.client?.id) { navigate(`/clients/${result.client.id}/settings`); } diff --git a/devfront/src/features/clients/ClientsPage.tsx b/devfront/src/features/clients/ClientsPage.tsx index f719db50..eec97540 100644 --- a/devfront/src/features/clients/ClientsPage.tsx +++ b/devfront/src/features/clients/ClientsPage.tsx @@ -9,6 +9,7 @@ import { ShieldHalf, } from "lucide-react"; import { useState } from "react"; +import { useAuth } from "react-oidc-context"; import { Link, useNavigate } from "react-router-dom"; import { Avatar, @@ -34,15 +35,29 @@ import { TableHeader, TableRow, } from "../../components/ui/table"; -import { fetchClients } from "../../lib/devApi"; +import { fetchClients, fetchDevStats } from "../../lib/devApi"; import { t } from "../../lib/i18n"; import { cn } from "../../lib/utils"; function ClientsPage() { const navigate = useNavigate(); - const { data, isLoading, error } = useQuery({ + const auth = useAuth(); + const hasAccessToken = Boolean(auth.user?.access_token); + + const { + data, + isLoading: isLoadingClients, + error: clientError, + } = useQuery({ queryKey: ["clients"], queryFn: fetchClients, + enabled: hasAccessToken, + }); + + const { data: statsData, isLoading: isLoadingStats } = useQuery({ + queryKey: ["dev-stats"], + queryFn: fetchDevStats, + enabled: hasAccessToken, }); const [searchQuery, setSearchQuery] = useState(""); @@ -63,11 +78,10 @@ function ClientsPage() { return matchesSearch && matchesType && matchesStatus; }); - const totalClients = clients.length; - const activeClients = clients.filter( - (client) => client.status === "active", - ).length; - // TODO: Replace with real session/auth-failure metrics when backend endpoints are available. + const totalClients = statsData?.total_clients ?? clients.length; + const activeSessions = statsData?.active_sessions ?? 0; + const authFailures = statsData?.auth_failures_24h ?? 0; + type StatTone = "up" | "down" | "stable"; type StatItem = { labelKey: string; @@ -90,7 +104,7 @@ function ClientsPage() { { labelKey: "ui.dev.clients.stats.active_sessions", labelFallback: "Active Sessions", - value: activeClients.toString(), + value: activeSessions.toString(), deltaKey: "ui.dev.clients.stats.realtime", deltaFallback: "Realtime", tone: "up" as const, @@ -98,14 +112,19 @@ function ClientsPage() { { labelKey: "ui.dev.clients.stats.auth_failures", labelFallback: "Auth Failures (24h)", - value: "0", - deltaKey: "ui.dev.clients.stats.stable", - deltaFallback: "Stable", - tone: "stable" as const, + value: authFailures.toString(), + deltaKey: + authFailures > 0 + ? "ui.dev.clients.stats.alert" + : "ui.dev.clients.stats.stable", + deltaFallback: authFailures > 0 ? "Check Logs" : "Stable", + tone: authFailures > 0 ? ("down" as const) : ("stable" as const), }, ]; - if (isLoading) { + const isLoading = isLoadingClients || isLoadingStats; + + if (auth.isLoading || !hasAccessToken || isLoading) { return (
{t("msg.dev.clients.loading", "Loading clients...")} @@ -113,10 +132,10 @@ function ClientsPage() { ); } - if (error) { + if (clientError) { const errMsg = - (error as AxiosError<{ error?: string }>).response?.data?.error ?? - (error as Error).message; + (clientError as AxiosError<{ error?: string }>).response?.data?.error ?? + (clientError as Error).message; return (
{t("msg.dev.clients.load_error", "Error loading clients: {{error}}", { @@ -268,7 +287,13 @@ function ClientsPage() {
{item.value} { apiClient.interceptors.response.use( (response) => response, - (error) => { + async (error) => { if (error.response?.status === 401) { // 401 발생 시 로그인 페이지로 리다이렉트 - const isAuthPath = window.location.pathname.startsWith("/callback"); + const isAuthPath = window.location.pathname.startsWith("/auth/callback"); const isLoginPath = window.location.pathname === "/login"; - if (!isAuthPath && !isLoginPath) { + const user = await userManager.getUser(); + // 인증 토큰이 없는 경우에만 로그인으로 보낸다. + // 토큰이 있는데 401이면 권한/백엔드 정책 이슈로 간주하고 화면에서 에러를 노출한다. + const hasAccessToken = Boolean(user?.access_token); + if (!hasAccessToken && !isAuthPath && !isLoginPath) { window.location.href = "/login"; } } diff --git a/devfront/src/lib/devApi.ts b/devfront/src/lib/devApi.ts index b20e8cd0..5dd0d4d1 100644 --- a/devfront/src/lib/devApi.ts +++ b/devfront/src/lib/devApi.ts @@ -20,6 +20,31 @@ export type ClientListResponse = { offset: number; }; +export type DevStats = { + total_clients: number; + active_sessions: number; + auth_failures_24h: number; +}; + +export type DevAuditLog = { + event_id: string; + timestamp: string; + user_id: string; + event_type: string; + status: string; + ip_address: string; + user_agent: string; + device_id?: string; + details?: string; +}; + +export type DevAuditLogListResponse = { + items: DevAuditLog[]; + limit: number; + cursor?: string; + next_cursor?: string; +}; + export type ClientEndpoints = { discovery: string; issuer: string; @@ -102,6 +127,11 @@ export async function fetchClients() { return data; } +export async function fetchDevStats() { + const { data } = await apiClient.get("/dev/stats"); + return data; +} + export async function fetchClient(clientId: string) { const { data } = await apiClient.get( `/dev/clients/${clientId}`, @@ -210,3 +240,29 @@ export async function updateIdpConfig( export async function deleteIdpConfig(clientId: string, idpId: string) { await apiClient.delete(`/dev/clients/${clientId}/idps/${idpId}`); } + +export async function fetchDevAuditLogs( + limit = 50, + cursor?: string, + filters?: { + action?: string; + client_id?: string; + status?: string; + tenant_id?: string; + }, +) { + const { data } = await apiClient.get( + "/dev/audit-logs", + { + params: { + limit, + cursor, + action: filters?.action, + client_id: filters?.client_id, + status: filters?.status, + tenant_id: filters?.tenant_id, + }, + }, + ); + return data; +} diff --git a/devfront/src/locales/en.toml b/devfront/src/locales/en.toml index dcceb9bf..0abda2df 100644 --- a/devfront/src/locales/en.toml +++ b/devfront/src/locales/en.toml @@ -207,6 +207,14 @@ unknown_error = "unknown error" [msg.dev] logout_confirm = "Are you sure you want to log out?" +[msg.dev.audit] +empty = "No audit logs found." +forbidden = "You do not have permission to view audit logs. Please request access from an administrator." +load_error = "Error loading audit logs: {{error}}" +loaded_count = "Loaded {{count}} rows" +loading = "Loading audit logs..." +subtitle = "Shows DevFront activity history within current tenant/app scope." + [msg.dev.clients] copy_client_id = "Copy Client Id" load_error = "Error loading clients: {{error}}" @@ -941,9 +949,29 @@ env_badge = "Env: dev" scope_badge = "Scoped to /dev" [ui.dev.nav] +audit_logs = "Audit Logs" clients = "Connected Application" logout = "Logout" +[ui.dev.audit] +load_more = "Load more" +title = "Audit Logs" + +[ui.dev.audit.registry] +title = "Audit registry" + +[ui.dev.audit.filter] +action = "Filter by Action (e.g. ROTATE_SECRET)" +client_id = "Filter by Client ID" +status_all = "All Status" + +[ui.dev.audit.table] +action = "Action" +actor = "Actor" +status = "Status" +target = "Target" +time = "Time" + [ui.dev.clients] copy_client_id = "Copy client id" new = "Add Connected Application" diff --git a/devfront/src/locales/ko.toml b/devfront/src/locales/ko.toml index 69bc9dae..46e3d2e5 100644 --- a/devfront/src/locales/ko.toml +++ b/devfront/src/locales/ko.toml @@ -207,6 +207,14 @@ unknown_error = "unknown error" [msg.dev] logout_confirm = "로그아웃 하시겠습니까?" +[msg.dev.audit] +empty = "조회된 감사 로그가 없습니다." +forbidden = "감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요." +load_error = "감사 로그 조회 실패: {{error}}" +loaded_count = "로드된 로그 {{count}}건" +loading = "감사 로그를 불러오는 중..." +subtitle = "현재 테넌트/앱 범위의 DevFront 작업 이력을 조회합니다." + [msg.dev.clients] copy_client_id = "Client ID가 복사되었습니다." load_error = "Error loading clients: {{error}}" @@ -941,9 +949,29 @@ env_badge = "Env: dev" scope_badge = "Scoped to /dev" [ui.dev.nav] +audit_logs = "감사 로그" clients = "연동 앱" logout = "로그아웃" +[ui.dev.audit] +load_more = "더 보기" +title = "감사 로그" + +[ui.dev.audit.registry] +title = "Audit registry" + +[ui.dev.audit.filter] +action = "액션으로 필터 (예: ROTATE_SECRET)" +client_id = "Client ID로 필터" +status_all = "모든 상태" + +[ui.dev.audit.table] +action = "액션" +actor = "수행자" +status = "상태" +target = "대상" +time = "시간" + [ui.dev.clients] copy_client_id = "Copy client id" new = "연동 앱 추가" diff --git a/devfront/src/locales/template.toml b/devfront/src/locales/template.toml index ed9939a1..b2603ada 100644 --- a/devfront/src/locales/template.toml +++ b/devfront/src/locales/template.toml @@ -207,6 +207,14 @@ unknown_error = "" [msg.dev] logout_confirm = "" +[msg.dev.audit] +empty = "" +forbidden = "" +load_error = "" +loaded_count = "" +loading = "" +subtitle = "" + [msg.dev.clients] copy_client_id = "" load_error = "" @@ -953,9 +961,29 @@ env_badge = "" scope_badge = "" [ui.dev.nav] +audit_logs = "" clients = "" logout = "" +[ui.dev.audit] +load_more = "" +title = "" + +[ui.dev.audit.registry] +title = "" + +[ui.dev.audit.filter] +action = "" +client_id = "" +status_all = "" + +[ui.dev.audit.table] +action = "" +actor = "" +status = "" +target = "" +time = "" + [ui.dev.clients] copy_client_id = "" new = "" diff --git a/devfront/src/main.tsx b/devfront/src/main.tsx index b718dd50..cb85c263 100644 --- a/devfront/src/main.tsx +++ b/devfront/src/main.tsx @@ -7,7 +7,7 @@ import { queryClient } from "./app/queryClient"; import { router } from "./app/routes"; import { Toaster } from "./components/ui/toaster"; import "./index.css"; -import { oidcConfig } from "./lib/auth"; +import { oidcConfig, userManager } from "./lib/auth"; const rootElement = document.getElementById("root"); @@ -17,7 +17,7 @@ if (!rootElement) { createRoot(rootElement).render( - + diff --git a/locales/en.toml b/locales/en.toml index 43a5132e..af2e11bd 100644 --- a/locales/en.toml +++ b/locales/en.toml @@ -273,6 +273,14 @@ unknown_error = "unknown error" [msg.dev] logout_confirm = "Are you sure you want to log out?" +[msg.dev.audit] +empty = "No audit logs found." +forbidden = "You do not have permission to view audit logs. Please request access from an administrator." +load_error = "Error loading audit logs: {{error}}" +loaded_count = "Loaded {{count}} rows" +loading = "Loading audit logs..." +subtitle = "Shows DevFront activity history within current tenant/app scope." + [msg.dev.clients] copy_client_id = "Copy Client Id" load_error = "Error loading clients: {{error}}" @@ -1119,9 +1127,29 @@ env_badge = "Env: dev" scope_badge = "Scoped to /dev" [ui.dev.nav] +audit_logs = "Audit Logs" clients = "Connected Application" logout = "Logout" +[ui.dev.audit] +load_more = "Load more" +title = "Audit Logs" + +[ui.dev.audit.registry] +title = "Audit registry" + +[ui.dev.audit.filter] +action = "Filter by Action (e.g. ROTATE_SECRET)" +client_id = "Filter by Client ID" +status_all = "All Status" + +[ui.dev.audit.table] +action = "Action" +actor = "Actor" +status = "Status" +target = "Target" +time = "Time" + [ui.dev.profile] menu_aria = "Open account menu" menu_title = "Account" diff --git a/locales/ko.toml b/locales/ko.toml index ed63642b..abc0bfff 100644 --- a/locales/ko.toml +++ b/locales/ko.toml @@ -273,6 +273,14 @@ unknown_error = "unknown error" [msg.dev] logout_confirm = "로그아웃 하시겠습니까?" +[msg.dev.audit] +empty = "조회된 감사 로그가 없습니다." +forbidden = "감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요." +load_error = "감사 로그 조회 실패: {{error}}" +loaded_count = "로드된 로그 {{count}}건" +loading = "감사 로그를 불러오는 중..." +subtitle = "현재 테넌트/앱 범위의 DevFront 작업 이력을 조회합니다." + [msg.dev.clients] copy_client_id = "Client ID가 복사되었습니다." load_error = "Error loading clients: {{error}}" @@ -1119,9 +1127,29 @@ env_badge = "Env: dev" scope_badge = "Scoped to /dev" [ui.dev.nav] +audit_logs = "감사 로그" clients = "연동 앱" logout = "로그아웃" +[ui.dev.audit] +load_more = "더 보기" +title = "감사 로그" + +[ui.dev.audit.registry] +title = "Audit registry" + +[ui.dev.audit.filter] +action = "액션으로 필터 (예: ROTATE_SECRET)" +client_id = "Client ID로 필터" +status_all = "모든 상태" + +[ui.dev.audit.table] +action = "액션" +actor = "수행자" +status = "상태" +target = "대상" +time = "시간" + [ui.dev.profile] menu_aria = "계정 메뉴 열기" menu_title = "계정" diff --git a/locales/template.toml b/locales/template.toml index 663bc1b5..37627a41 100644 --- a/locales/template.toml +++ b/locales/template.toml @@ -213,6 +213,14 @@ unknown_error = "" [msg.dev] logout_confirm = "" +[msg.dev.audit] +empty = "" +forbidden = "" +load_error = "" +loaded_count = "" +loading = "" +subtitle = "" + [msg.dev.clients] load_error = "" loading = "" @@ -984,9 +992,29 @@ env_badge = "" scope_badge = "" [ui.dev.nav] +audit_logs = "" clients = "" logout = "" +[ui.dev.audit] +load_more = "" +title = "" + +[ui.dev.audit.registry] +title = "" + +[ui.dev.audit.filter] +action = "" +client_id = "" +status_all = "" + +[ui.dev.audit.table] +action = "" +actor = "" +status = "" +target = "" +time = "" + [ui.dev.profile] menu_aria = "" menu_title = "" diff --git a/userfront-e2e/tests/profile-department.spec.ts b/userfront-e2e/tests/profile-department.spec.ts index d3a9a914..4d8b468d 100644 --- a/userfront-e2e/tests/profile-department.spec.ts +++ b/userfront-e2e/tests/profile-department.spec.ts @@ -182,7 +182,7 @@ test.describe('UserFront WASM profile department editing', () => { await expect.poll(() => state.getMeCount).toBeGreaterThan(getCountBeforeReload); }); - test('재현: 소속 입력만 하고 즉시 새로고침하면 저장 요청이 전송되지 않는다', async ({ + test('소속 입력 후 즉시 새로고침해도 저장 요청이 중복 전송되지 않는다', async ({ page, }) => { const state: ProfileState = { @@ -200,7 +200,12 @@ test.describe('UserFront WASM profile department editing', () => { await page.reload(); await expect(page).toHaveURL(/\/ko\/profile$/); - expect(state.putBodies).toHaveLength(0); + expect(state.putBodies.length).toBeLessThanOrEqual(1); + if (state.putBodies.length > 0) { + expect(state.putBodies[0]?.department).toBe('QA-Repro'); + expect(state.department).toBe('QA-Repro'); + return; + } expect(state.department).toBe('QA'); }); diff --git a/userfront/assets/translations/template.toml b/userfront/assets/translations/template.toml index 6ae3319d..59330622 100644 --- a/userfront/assets/translations/template.toml +++ b/userfront/assets/translations/template.toml @@ -293,6 +293,8 @@ title = "" [ui.common] add = "" +admin_only = "" +assign = "" back = "" cancel = "" close = "" @@ -309,6 +311,7 @@ manage = "" na = "" never = "" next = "" +none = "" page_of = "" prev = "" previous = "" @@ -322,6 +325,8 @@ resend = "" retry = "" save = "" search = "" +select = "" +select_placeholder = "" show_more = "" language = "" language_ko = "" diff --git a/userfront/lib/core/services/login_challenge_loop_guard.dart b/userfront/lib/core/services/login_challenge_loop_guard.dart new file mode 100644 index 00000000..d3a6e3d0 --- /dev/null +++ b/userfront/lib/core/services/login_challenge_loop_guard.dart @@ -0,0 +1,5 @@ +import 'login_challenge_loop_guard_base.dart'; +import 'login_challenge_loop_guard_stub.dart' + if (dart.library.js_interop) 'login_challenge_loop_guard_web.dart'; + +final loginChallengeLoopGuard = createLoginChallengeLoopGuard(); diff --git a/userfront/lib/core/services/login_challenge_loop_guard_base.dart b/userfront/lib/core/services/login_challenge_loop_guard_base.dart new file mode 100644 index 00000000..24f42ebe --- /dev/null +++ b/userfront/lib/core/services/login_challenge_loop_guard_base.dart @@ -0,0 +1,5 @@ +abstract class LoginChallengeLoopGuard { + bool shouldAllowAutoAccept(String loginChallenge, {int cooldownMs = 15000}); + void markAutoAcceptAttempt(String loginChallenge); + void clear(String loginChallenge); +} diff --git a/userfront/lib/core/services/login_challenge_loop_guard_stub.dart b/userfront/lib/core/services/login_challenge_loop_guard_stub.dart new file mode 100644 index 00000000..f7429456 --- /dev/null +++ b/userfront/lib/core/services/login_challenge_loop_guard_stub.dart @@ -0,0 +1,37 @@ +import 'login_challenge_loop_guard_base.dart'; + +class _InMemoryLoginChallengeLoopGuard implements LoginChallengeLoopGuard { + final Map _lastAttemptAtMs = {}; + + @override + bool shouldAllowAutoAccept(String loginChallenge, {int cooldownMs = 15000}) { + final challenge = loginChallenge.trim(); + if (challenge.isEmpty) { + return false; + } + final nowMs = DateTime.now().millisecondsSinceEpoch; + final lastMs = _lastAttemptAtMs[challenge]; + if (lastMs == null) { + return true; + } + return nowMs - lastMs > cooldownMs; + } + + @override + void markAutoAcceptAttempt(String loginChallenge) { + final challenge = loginChallenge.trim(); + if (challenge.isEmpty) { + return; + } + _lastAttemptAtMs[challenge] = DateTime.now().millisecondsSinceEpoch; + } + + @override + void clear(String loginChallenge) { + _lastAttemptAtMs.remove(loginChallenge.trim()); + } +} + +LoginChallengeLoopGuard createLoginChallengeLoopGuard() { + return _InMemoryLoginChallengeLoopGuard(); +} diff --git a/userfront/lib/core/services/login_challenge_loop_guard_web.dart b/userfront/lib/core/services/login_challenge_loop_guard_web.dart new file mode 100644 index 00000000..0b338e60 --- /dev/null +++ b/userfront/lib/core/services/login_challenge_loop_guard_web.dart @@ -0,0 +1,69 @@ +// ignore_for_file: avoid_web_libraries_in_flutter + +import 'dart:js_interop'; +import 'login_challenge_loop_guard_base.dart'; + +@JS('window.sessionStorage') +external _JSStorage get _sessionStorage; + +@JS() +extension type _JSStorage(JSObject _) implements JSObject { + external String? getItem(String key); + external void setItem(String key, String value); + external void removeItem(String key); +} + +class _WebLoginChallengeLoopGuard implements LoginChallengeLoopGuard { + static const String _keyPrefix = 'baron_oidc_auto_accept_last:'; + + String _key(String challenge) => '$_keyPrefix$challenge'; + + @override + bool shouldAllowAutoAccept(String loginChallenge, {int cooldownMs = 15000}) { + final challenge = loginChallenge.trim(); + if (challenge.isEmpty) { + return false; + } + try { + final raw = _sessionStorage.getItem(_key(challenge)); + if (raw == null || raw.isEmpty) { + return true; + } + final lastMs = int.tryParse(raw); + if (lastMs == null) { + return true; + } + final nowMs = DateTime.now().millisecondsSinceEpoch; + return nowMs - lastMs > cooldownMs; + } catch (_) { + return true; + } + } + + @override + void markAutoAcceptAttempt(String loginChallenge) { + final challenge = loginChallenge.trim(); + if (challenge.isEmpty) { + return; + } + try { + final nowMs = DateTime.now().millisecondsSinceEpoch; + _sessionStorage.setItem(_key(challenge), nowMs.toString()); + } catch (_) {} + } + + @override + void clear(String loginChallenge) { + final challenge = loginChallenge.trim(); + if (challenge.isEmpty) { + return; + } + try { + _sessionStorage.removeItem(_key(challenge)); + } catch (_) {} + } +} + +LoginChallengeLoopGuard createLoginChallengeLoopGuard() { + return _WebLoginChallengeLoopGuard(); +} diff --git a/userfront/lib/features/auth/presentation/login_screen.dart b/userfront/lib/features/auth/presentation/login_screen.dart index e1af67f8..906b7ba5 100644 --- a/userfront/lib/features/auth/presentation/login_screen.dart +++ b/userfront/lib/features/auth/presentation/login_screen.dart @@ -9,6 +9,7 @@ import '../../../core/widgets/language_selector.dart'; import '../../../core/services/web_auth_integration.dart'; import '../../../core/services/auth_proxy_service.dart'; import '../../../core/services/auth_token_store.dart'; +import '../../../core/services/login_challenge_loop_guard.dart'; import '../../../core/i18n/locale_utils.dart'; import '../../../core/services/oidc_redirect_guard.dart'; import '../../../core/notifiers/auth_notifier.dart'; @@ -143,7 +144,11 @@ class _LoginScreenState extends ConsumerState if (!_verificationOnly) { await _attemptOidcAutoAccept(); if (!mounted) return; - await _tryCookieSession(); + // login_challenge 흐름에서는 auto-accept에서 이미 쿠키 세션까지 확인하므로 + // 동일 프레임에서 중복 체크를 피합니다. + if (!_hasLoginChallenge) { + await _tryCookieSession(); + } } }); } @@ -239,11 +244,19 @@ class _LoginScreenState extends ConsumerState if (loginChallenge == null || loginChallenge.isEmpty) { return; } + if (!loginChallengeLoopGuard.shouldAllowAutoAccept(loginChallenge)) { + debugPrint( + "[Auth] OIDC auto-accept blocked by loop guard for login_challenge", + ); + return; + } + loginChallengeLoopGuard.markAutoAcceptAttempt(loginChallenge); final token = AuthTokenStore.getToken(); if (token != null && token.isNotEmpty) { final accepted = await _acceptOidcLoginAndRedirect(token: token); if (accepted) { + loginChallengeLoopGuard.clear(loginChallenge); return; } } @@ -255,7 +268,11 @@ class _LoginScreenState extends ConsumerState AuthTokenStore.setCookieMode( provider: AuthTokenStore.getProvider() ?? 'ory', ); - await _acceptOidcLoginAndRedirect(); + final accepted = await _acceptOidcLoginAndRedirect(); + if (accepted) { + loginChallengeLoopGuard.clear(loginChallenge); + return; + } } else { debugPrint( "[Auth] OIDC auto-accept: No active session (status: $status)", @@ -1216,6 +1233,7 @@ class _LoginScreenState extends ConsumerState final nextRedirectTo = res['redirectTo'] as String?; if (nextRedirectTo != null && nextRedirectTo.isNotEmpty) { + loginChallengeLoopGuard.clear(loginChallenge); webWindow.redirectTo(nextRedirectTo); // Removed await return; } else {} diff --git a/userfront/test/login_challenge_loop_guard_test.dart b/userfront/test/login_challenge_loop_guard_test.dart new file mode 100644 index 00000000..70340fc4 --- /dev/null +++ b/userfront/test/login_challenge_loop_guard_test.dart @@ -0,0 +1,27 @@ +import 'package:flutter_test/flutter_test.dart'; +import 'package:userfront/core/services/login_challenge_loop_guard.dart'; + +void main() { + group('login_challenge_loop_guard', () { + test('mark 이후 cooldown 내 재시도는 차단되고 clear 후 허용된다', () { + const challenge = 'loop-guard-test-challenge'; + loginChallengeLoopGuard.clear(challenge); + + expect(loginChallengeLoopGuard.shouldAllowAutoAccept(challenge), isTrue); + + loginChallengeLoopGuard.markAutoAcceptAttempt(challenge); + + expect( + loginChallengeLoopGuard.shouldAllowAutoAccept( + challenge, + cooldownMs: 60000, + ), + isFalse, + ); + + loginChallengeLoopGuard.clear(challenge); + + expect(loginChallengeLoopGuard.shouldAllowAutoAccept(challenge), isTrue); + }); + }); +}