feat(i18n): apply ORY bypass whitelist policy and add error-code tests

backend/cmd/server/error_handler.go

@@ -0,0 +1,33 @@
+package main
+
+import (
+	"baron-sso-backend/internal/response"
+	"errors"
+	"log/slog"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+func newErrorHandler(appEnv string) fiber.ErrorHandler {
+	return func(c *fiber.Ctx, err error) error {
+		code := fiber.StatusInternalServerError
+
+		var e *fiber.Error
+		if errors.As(err, &e) {
+			code = e.Code
+		}
+
+		if appEnv == "production" || appEnv == "stage" {
+			if code >= 500 {
+				slog.Error("Internal Server Error",
+					"error", err.Error(),
+					"path", c.Path(),
+					"method", c.Method(),
+				)
+				return response.Error(c, code, response.StatusCode(code), "Internal Server Error")
+			}
+		}
+
+		return response.Error(c, code, response.StatusCode(code), err.Error())
+	}
+}

backend/cmd/server/error_handler_test.go

@@ -0,0 +1,118 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+func decodeJSONBody(t *testing.T, resp *http.Response) map[string]any {
+	t.Helper()
+
+	var body map[string]any
+	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
+		t.Fatalf("failed to decode response body: %v", err)
+	}
+	return body
+}
+
+func TestNewErrorHandler_ProductionMasksServerError(t *testing.T) {
+	app := fiber.New(fiber.Config{ErrorHandler: newErrorHandler("production")})
+	app.Get("/boom", func(c *fiber.Ctx) error {
+		return errors.New("database connection failed")
+	})
+
+	req := httptest.NewRequest(http.MethodGet, "/boom", nil)
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+
+	if resp.StatusCode != http.StatusInternalServerError {
+		t.Fatalf("unexpected status code: %d", resp.StatusCode)
+	}
+
+	body := decodeJSONBody(t, resp)
+	if body["error"] != "Internal Server Error" {
+		t.Fatalf("unexpected error message: %v", body["error"])
+	}
+	if body["code"] != "internal_error" {
+		t.Fatalf("unexpected error code: %v", body["code"])
+	}
+}
+
+func TestNewErrorHandler_ProductionPassesClientError(t *testing.T) {
+	app := fiber.New(fiber.Config{ErrorHandler: newErrorHandler("production")})
+	app.Get("/bad", func(c *fiber.Ctx) error {
+		return fiber.NewError(fiber.StatusBadRequest, "bad request payload")
+	})
+
+	req := httptest.NewRequest(http.MethodGet, "/bad", nil)
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+
+	if resp.StatusCode != http.StatusBadRequest {
+		t.Fatalf("unexpected status code: %d", resp.StatusCode)
+	}
+
+	body := decodeJSONBody(t, resp)
+	if body["error"] != "bad request payload" {
+		t.Fatalf("unexpected error message: %v", body["error"])
+	}
+	if body["code"] != "bad_request" {
+		t.Fatalf("unexpected error code: %v", body["code"])
+	}
+}
+
+func TestNewErrorHandler_DevelopmentReturnsOriginalServerError(t *testing.T) {
+	app := fiber.New(fiber.Config{ErrorHandler: newErrorHandler("dev")})
+	app.Get("/boom", func(c *fiber.Ctx) error {
+		return errors.New("database connection failed")
+	})
+
+	req := httptest.NewRequest(http.MethodGet, "/boom", nil)
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+
+	if resp.StatusCode != http.StatusInternalServerError {
+		t.Fatalf("unexpected status code: %d", resp.StatusCode)
+	}
+
+	body := decodeJSONBody(t, resp)
+	if body["error"] != "database connection failed" {
+		t.Fatalf("unexpected error message: %v", body["error"])
+	}
+	if body["code"] != "internal_error" {
+		t.Fatalf("unexpected error code: %v", body["code"])
+	}
+}
+
+func TestNewErrorHandler_MapsUnauthorizedCode(t *testing.T) {
+	app := fiber.New(fiber.Config{ErrorHandler: newErrorHandler("production")})
+	app.Get("/unauthorized", func(c *fiber.Ctx) error {
+		return fiber.NewError(fiber.StatusUnauthorized, "missing token")
+	})
+
+	req := httptest.NewRequest(http.MethodGet, "/unauthorized", nil)
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Fatalf("unexpected status code: %d", resp.StatusCode)
+	}
+
+	body := decodeJSONBody(t, resp)
+	if body["code"] != "invalid_session" {
+		t.Fatalf("unexpected error code: %v", body["code"])
+	}
+}

backend/cmd/server/main.go

@@ -7,11 +7,9 @@ import (
 	"baron-sso-backend/internal/idp"
 	"baron-sso-backend/internal/logger"
 	"baron-sso-backend/internal/middleware"
-	"baron-sso-backend/internal/response"
 	"baron-sso-backend/internal/repository"
 	"baron-sso-backend/internal/service"
 	"baron-sso-backend/internal/validator"
-	"errors"
 	"fmt"
 	"log"
 	"log/slog"
@@ -272,34 +270,7 @@ func main() {
 		AppName:               "Baron SSO Backend",
 		DisableStartupMessage: true,  // Clean logs
 		ReadBufferSize:        32768, // 32KB로 증가 (긴 OIDC 챌린지 대응)
-		// Global Error Handler for Production Masking
-		ErrorHandler: func(c *fiber.Ctx, err error) error {
-			// Default status code
-			code := fiber.StatusInternalServerError
-
-			// Check if it's a known fiber.Error
-			var e *fiber.Error
-			if errors.As(err, &e) {
-				code = e.Code
-			}
-
-			// In production or stage, mask detailed 500+ errors
-			if appEnv == "production" || appEnv == "stage" {
-				if code >= 500 {
-					// Log the actual error for developers
-					slog.Error("Internal Server Error",
-						"error", err.Error(),
-						"path", c.Path(),
-						"method", c.Method(),
-					)
-					// Return masked message
-					return response.Error(c, code, response.StatusCode(code), "Internal Server Error")
-				}
-			}
-
-			// For development or non-500 errors, return the actual error message
-			return response.Error(c, code, response.StatusCode(code), err.Error())
-		},
+		ErrorHandler:          newErrorHandler(appEnv),
 	})
 
 	// Middleware