forked from baron/baron-sso
feat(i18n): apply ORY bypass whitelist policy and add error-code tests
This commit is contained in:
33
backend/cmd/server/error_handler.go
Normal file
33
backend/cmd/server/error_handler.go
Normal file
@@ -0,0 +1,33 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"baron-sso-backend/internal/response"
|
||||
"errors"
|
||||
"log/slog"
|
||||
|
||||
"github.com/gofiber/fiber/v2"
|
||||
)
|
||||
|
||||
func newErrorHandler(appEnv string) fiber.ErrorHandler {
|
||||
return func(c *fiber.Ctx, err error) error {
|
||||
code := fiber.StatusInternalServerError
|
||||
|
||||
var e *fiber.Error
|
||||
if errors.As(err, &e) {
|
||||
code = e.Code
|
||||
}
|
||||
|
||||
if appEnv == "production" || appEnv == "stage" {
|
||||
if code >= 500 {
|
||||
slog.Error("Internal Server Error",
|
||||
"error", err.Error(),
|
||||
"path", c.Path(),
|
||||
"method", c.Method(),
|
||||
)
|
||||
return response.Error(c, code, response.StatusCode(code), "Internal Server Error")
|
||||
}
|
||||
}
|
||||
|
||||
return response.Error(c, code, response.StatusCode(code), err.Error())
|
||||
}
|
||||
}
|
||||
118
backend/cmd/server/error_handler_test.go
Normal file
118
backend/cmd/server/error_handler_test.go
Normal file
@@ -0,0 +1,118 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/gofiber/fiber/v2"
|
||||
)
|
||||
|
||||
func decodeJSONBody(t *testing.T, resp *http.Response) map[string]any {
|
||||
t.Helper()
|
||||
|
||||
var body map[string]any
|
||||
if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
|
||||
t.Fatalf("failed to decode response body: %v", err)
|
||||
}
|
||||
return body
|
||||
}
|
||||
|
||||
func TestNewErrorHandler_ProductionMasksServerError(t *testing.T) {
|
||||
app := fiber.New(fiber.Config{ErrorHandler: newErrorHandler("production")})
|
||||
app.Get("/boom", func(c *fiber.Ctx) error {
|
||||
return errors.New("database connection failed")
|
||||
})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/boom", nil)
|
||||
resp, err := app.Test(req)
|
||||
if err != nil {
|
||||
t.Fatalf("request failed: %v", err)
|
||||
}
|
||||
|
||||
if resp.StatusCode != http.StatusInternalServerError {
|
||||
t.Fatalf("unexpected status code: %d", resp.StatusCode)
|
||||
}
|
||||
|
||||
body := decodeJSONBody(t, resp)
|
||||
if body["error"] != "Internal Server Error" {
|
||||
t.Fatalf("unexpected error message: %v", body["error"])
|
||||
}
|
||||
if body["code"] != "internal_error" {
|
||||
t.Fatalf("unexpected error code: %v", body["code"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewErrorHandler_ProductionPassesClientError(t *testing.T) {
|
||||
app := fiber.New(fiber.Config{ErrorHandler: newErrorHandler("production")})
|
||||
app.Get("/bad", func(c *fiber.Ctx) error {
|
||||
return fiber.NewError(fiber.StatusBadRequest, "bad request payload")
|
||||
})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/bad", nil)
|
||||
resp, err := app.Test(req)
|
||||
if err != nil {
|
||||
t.Fatalf("request failed: %v", err)
|
||||
}
|
||||
|
||||
if resp.StatusCode != http.StatusBadRequest {
|
||||
t.Fatalf("unexpected status code: %d", resp.StatusCode)
|
||||
}
|
||||
|
||||
body := decodeJSONBody(t, resp)
|
||||
if body["error"] != "bad request payload" {
|
||||
t.Fatalf("unexpected error message: %v", body["error"])
|
||||
}
|
||||
if body["code"] != "bad_request" {
|
||||
t.Fatalf("unexpected error code: %v", body["code"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewErrorHandler_DevelopmentReturnsOriginalServerError(t *testing.T) {
|
||||
app := fiber.New(fiber.Config{ErrorHandler: newErrorHandler("dev")})
|
||||
app.Get("/boom", func(c *fiber.Ctx) error {
|
||||
return errors.New("database connection failed")
|
||||
})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/boom", nil)
|
||||
resp, err := app.Test(req)
|
||||
if err != nil {
|
||||
t.Fatalf("request failed: %v", err)
|
||||
}
|
||||
|
||||
if resp.StatusCode != http.StatusInternalServerError {
|
||||
t.Fatalf("unexpected status code: %d", resp.StatusCode)
|
||||
}
|
||||
|
||||
body := decodeJSONBody(t, resp)
|
||||
if body["error"] != "database connection failed" {
|
||||
t.Fatalf("unexpected error message: %v", body["error"])
|
||||
}
|
||||
if body["code"] != "internal_error" {
|
||||
t.Fatalf("unexpected error code: %v", body["code"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewErrorHandler_MapsUnauthorizedCode(t *testing.T) {
|
||||
app := fiber.New(fiber.Config{ErrorHandler: newErrorHandler("production")})
|
||||
app.Get("/unauthorized", func(c *fiber.Ctx) error {
|
||||
return fiber.NewError(fiber.StatusUnauthorized, "missing token")
|
||||
})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/unauthorized", nil)
|
||||
resp, err := app.Test(req)
|
||||
if err != nil {
|
||||
t.Fatalf("request failed: %v", err)
|
||||
}
|
||||
|
||||
if resp.StatusCode != http.StatusUnauthorized {
|
||||
t.Fatalf("unexpected status code: %d", resp.StatusCode)
|
||||
}
|
||||
|
||||
body := decodeJSONBody(t, resp)
|
||||
if body["code"] != "invalid_session" {
|
||||
t.Fatalf("unexpected error code: %v", body["code"])
|
||||
}
|
||||
}
|
||||
@@ -7,11 +7,9 @@ import (
|
||||
"baron-sso-backend/internal/idp"
|
||||
"baron-sso-backend/internal/logger"
|
||||
"baron-sso-backend/internal/middleware"
|
||||
"baron-sso-backend/internal/response"
|
||||
"baron-sso-backend/internal/repository"
|
||||
"baron-sso-backend/internal/service"
|
||||
"baron-sso-backend/internal/validator"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
"log/slog"
|
||||
@@ -272,34 +270,7 @@ func main() {
|
||||
AppName: "Baron SSO Backend",
|
||||
DisableStartupMessage: true, // Clean logs
|
||||
ReadBufferSize: 32768, // 32KB로 증가 (긴 OIDC 챌린지 대응)
|
||||
// Global Error Handler for Production Masking
|
||||
ErrorHandler: func(c *fiber.Ctx, err error) error {
|
||||
// Default status code
|
||||
code := fiber.StatusInternalServerError
|
||||
|
||||
// Check if it's a known fiber.Error
|
||||
var e *fiber.Error
|
||||
if errors.As(err, &e) {
|
||||
code = e.Code
|
||||
}
|
||||
|
||||
// In production or stage, mask detailed 500+ errors
|
||||
if appEnv == "production" || appEnv == "stage" {
|
||||
if code >= 500 {
|
||||
// Log the actual error for developers
|
||||
slog.Error("Internal Server Error",
|
||||
"error", err.Error(),
|
||||
"path", c.Path(),
|
||||
"method", c.Method(),
|
||||
)
|
||||
// Return masked message
|
||||
return response.Error(c, code, response.StatusCode(code), "Internal Server Error")
|
||||
}
|
||||
}
|
||||
|
||||
// For development or non-500 errors, return the actual error message
|
||||
return response.Error(c, code, response.StatusCode(code), err.Error())
|
||||
},
|
||||
ErrorHandler: newErrorHandler(appEnv),
|
||||
})
|
||||
|
||||
// Middleware
|
||||
|
||||
@@ -849,6 +849,11 @@ components:
|
||||
properties:
|
||||
error:
|
||||
type: string
|
||||
code:
|
||||
type: string
|
||||
details:
|
||||
type: object
|
||||
additionalProperties: true
|
||||
|
||||
MessageResponse:
|
||||
type: object
|
||||
|
||||
85
backend/internal/response/error_response_test.go
Normal file
85
backend/internal/response/error_response_test.go
Normal file
@@ -0,0 +1,85 @@
|
||||
package response
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/gofiber/fiber/v2"
|
||||
)
|
||||
|
||||
func parseBody(t *testing.T, resp *http.Response) map[string]any {
|
||||
t.Helper()
|
||||
|
||||
var body map[string]any
|
||||
if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
|
||||
t.Fatalf("failed to parse response body: %v", err)
|
||||
}
|
||||
return body
|
||||
}
|
||||
|
||||
func TestErrorWithDetailsResponseShape(t *testing.T) {
|
||||
app := fiber.New()
|
||||
app.Get("/test", func(c *fiber.Ctx) error {
|
||||
return ErrorWithDetails(
|
||||
c,
|
||||
fiber.StatusConflict,
|
||||
"conflict",
|
||||
"resource already exists",
|
||||
map[string]any{"field": "email"},
|
||||
)
|
||||
})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/test", nil)
|
||||
resp, err := app.Test(req)
|
||||
if err != nil {
|
||||
t.Fatalf("request failed: %v", err)
|
||||
}
|
||||
|
||||
if resp.StatusCode != http.StatusConflict {
|
||||
t.Fatalf("unexpected status code: %d", resp.StatusCode)
|
||||
}
|
||||
|
||||
body := parseBody(t, resp)
|
||||
if body["error"] != "resource already exists" {
|
||||
t.Fatalf("unexpected error value: %v", body["error"])
|
||||
}
|
||||
if body["code"] != "conflict" {
|
||||
t.Fatalf("unexpected code value: %v", body["code"])
|
||||
}
|
||||
|
||||
details, ok := body["details"].(map[string]any)
|
||||
if !ok {
|
||||
t.Fatalf("details should be map, got: %T", body["details"])
|
||||
}
|
||||
if details["field"] != "email" {
|
||||
t.Fatalf("unexpected details value: %v", details["field"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestStatusCodeMapping(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
status int
|
||||
expected string
|
||||
}{
|
||||
{name: "bad request", status: fiber.StatusBadRequest, expected: "bad_request"},
|
||||
{name: "unauthorized", status: fiber.StatusUnauthorized, expected: "invalid_session"},
|
||||
{name: "forbidden", status: fiber.StatusForbidden, expected: "forbidden"},
|
||||
{name: "not found", status: fiber.StatusNotFound, expected: "not_found"},
|
||||
{name: "conflict", status: fiber.StatusConflict, expected: "conflict"},
|
||||
{name: "too many requests", status: fiber.StatusTooManyRequests, expected: "rate_limited"},
|
||||
{name: "service unavailable", status: fiber.StatusServiceUnavailable, expected: "service_unavailable"},
|
||||
{name: "fallback", status: fiber.StatusInternalServerError, expected: "internal_error"},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
got := StatusCode(tc.status)
|
||||
if got != tc.expected {
|
||||
t.Fatalf("unexpected code: got=%s expected=%s", got, tc.expected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user