4단계 역할 정규화 및 dev 권한 스코프 검증 강화
@@ -4004,17 +4004,19 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
|
||||
// 2. Role Override for real profile or fallback to Mock Profile
|
||||
if profile != nil {
|
||||
if isDev && mockRole != "" {
|
||||
normalizedMockRole := domain.NormalizeRole(mockRole)
|
||||
slog.Info("🔑 [AUTH] Overriding real profile role",
|
||||
"email", profile.Email, "originalRole", profile.Role, "overriddenRole", mockRole)
|
||||
profile.Role = mockRole
|
||||
"email", profile.Email, "originalRole", profile.Role, "overriddenRole", normalizedMockRole)
|
||||
profile.Role = normalizedMockRole
|
||||
}
|
||||
} else if isDev && mockRole != "" && token == "" && cookie == "" {
|
||||
normalizedMockRole := domain.NormalizeRole(mockRole)
|
||||
slog.Info("🔑 [AUTH] Using full Mock Auth (no session)", "role", mockRole)
|
||||
profile = &domain.UserProfileResponse{
|
||||
ID: "00000000-0000-0000-0000-000000000000",
|
||||
Email: "mock@hmac.kr",
|
||||
Name: "Dev Mock User",
|
||||
Role: mockRole,
|
||||
Role: normalizedMockRole,
|
||||
}
|
||||
if tid := c.Get("X-Tenant-ID"); tid != "" {
|
||||
profile.TenantID = &tid
|
||||
@@ -4027,6 +4029,7 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
|
||||
}
|
||||
|
||||
// 3. Post-Process (Defaults & Metadata Enrichment)
|
||||
profile.Role = domain.NormalizeRole(profile.Role)
|
||||
if profile.Role == "" {
|
||||
profile.Role = domain.RoleUser
|
||||
}
|
||||
@@ -5115,6 +5118,7 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
|
||||
compCode, _ := traits["companyCode"].(string)
|
||||
role, _ := traits["role"].(string)
|
||||
tenantID, _ := traits["tenant_id"].(string)
|
||||
relyingPartyID, _ := traits["relying_party_id"].(string)
|
||||
|
||||
profile := &domain.UserProfileResponse{
|
||||
ID: identityID,
|
||||
@@ -5124,18 +5128,22 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
|
||||
Department: dept,
|
||||
AffiliationType: affType,
|
||||
CompanyCode: compCode,
|
||||
Role: role,
|
||||
Role: domain.NormalizeRole(role),
|
||||
Metadata: make(map[string]any),
|
||||
}
|
||||
|
||||
if tenantID != "" {
|
||||
profile.TenantID = &tenantID
|
||||
}
|
||||
if strings.TrimSpace(relyingPartyID) != "" {
|
||||
rpID := strings.TrimSpace(relyingPartyID)
|
||||
profile.RelyingPartyID = &rpID
|
||||
}
|
||||
|
||||
coreTraits := map[string]bool{
|
||||
"email": true, "name": true, "phone_number": true,
|
||||
"grade": true, "companyCode": true, "department": true,
|
||||
"affiliationType": true, "role": true, "tenant_id": true,
|
||||
"affiliationType": true, "role": true, "tenant_id": true, "relying_party_id": true,
|
||||
}
|
||||
for k, v := range traits {
|
||||
if !coreTraits[k] {
|
||||
|
||||
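Review bot: The dev override in the first hunk assigns `profile.Role = normalizedMockRole` without checking that normalization produced a recognized role, so if `domain.NormalizeRole` maps an unknown `mockRole` to the empty string (its contract is not visible here) a real profile's role is replaced with "" and the post-process block in the second hunk then silently turns it into `domain.RoleUser`. Guarding the override, `if normalizedMockRole == "" { slog.Warn("🔑 [AUTH] Ignoring unrecognized mock role", "requestedRole", mockRole) } else { profile.Role = normalizedMockRole }`, would keep an unrecognized mock value from touching a real session, which is what the commit title's stricter dev-scope validation seems to aim for. The no-session branch still logs the raw value, `"role", mockRole`, while the override branch logs the normalized one; logging both, `"requestedRole", mockRole, "role", normalizedMockRole`, keeps the two audit lines consistent. resolveCurrentProfile begins before and continues after these hunks, so the guard placement should be checked against the surrounding `isDev` gating.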