forked from baron/baron-sso
QR 로그인 구현 완료
This commit is contained in:
Lectom C Han
@@ -37,7 +37,11 @@ const (
|
||||
prefixLoginCodeSmsLookup = "login_code_sms_lookup:"
|
||||
prefixLoginCodeShort = "login_code_short:"
|
||||
prefixLoginCodeSmsOnly = "login_code_sms_only:"
|
||||
prefixLoginCodeQrPending = "login_code_qr_pending:"
|
||||
prefixLoginCodeQr = "login_code_qr:"
|
||||
prefixPollMeta = "poll_meta:"
|
||||
prefixQrRef = "qr_ref:"
|
||||
prefixQrPending = "qr_pending:"
|
||||
prefixSignupEmail = "signup:email:"
|
||||
prefixSignupPhone = "signup:phone:"
|
||||
|
||||
@@ -84,6 +88,21 @@ func GenerateSecureToken(length int) string {
|
||||
return hex.EncodeToString(b)
|
||||
}
|
||||
|
||||
func GenerateSecureAlnumToken(length int) string {
|
||||
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
|
||||
if length <= 0 {
|
||||
return ""
|
||||
}
|
||||
buf := make([]byte, length)
|
||||
if _, err := crand.Read(buf); err != nil {
|
||||
return ""
|
||||
}
|
||||
for i := range buf {
|
||||
buf[i] = charset[int(buf[i])%len(charset)]
|
||||
}
|
||||
return string(buf)
|
||||
}
|
||||
|
||||
func GenerateUserCode() string {
|
||||
const letters = "ABCDEFGHJKLMNPQRSTUVWXYZ"
|
||||
return fmt.Sprintf("%c%c-%03d",
|
||||
@@ -1358,18 +1377,23 @@ func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
|
||||
// InitQRLogin - Step 1: Web 패널에서 QR 로그인 세션을 생성합니다.
|
||||
func (h *AuthHandler) InitQRLogin(c *fiber.Ctx) error {
|
||||
pendingRef := GenerateSecureToken(16)
|
||||
qrRef := GenerateSecureAlnumToken(64)
|
||||
if qrRef == "" {
|
||||
qrRef = GenerateSecureToken(16)
|
||||
}
|
||||
|
||||
// QR 코드 페이로드를 실제 접속 가능한 URL로 변경합니다.
|
||||
userfrontURL := os.Getenv("USERFRONT_URL")
|
||||
if userfrontURL == "" {
|
||||
userfrontURL = "https://sso.hmac.kr"
|
||||
}
|
||||
qrPayload := fmt.Sprintf("%s/approve?ref=%s", userfrontURL, pendingRef)
|
||||
qrPayload := fmt.Sprintf("%s/ql/%s", strings.TrimRight(userfrontURL, "/"), qrRef)
|
||||
|
||||
slog.Info("[QR] Init", "pendingRef", pendingRef, "url", qrPayload)
|
||||
slog.Info("[QR] Init", "pendingRef", pendingRef, "qrRef", qrRef, "url", qrPayload)
|
||||
|
||||
// Redis에 초기 상태 저장 (5분 만료)
|
||||
h.RedisService.Set(prefixSession+pendingRef, fmt.Sprintf(`{"status":"%s"}`, statusPending), 5*time.Minute)
|
||||
h.RedisService.Set(prefixQrRef+qrRef, pendingRef, 5*time.Minute)
|
||||
|
||||
return c.JSON(fiber.Map{
|
||||
"qrCode": qrPayload, // 프론트엔드에서 이 텍스트로 QR을 생성하거나, 이미지를 반환
|
||||
@@ -1430,30 +1454,66 @@ func (h *AuthHandler) ScanQRLogin(c *fiber.Ctx) error {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid body"})
|
||||
}
|
||||
|
||||
slog.Info("[QR] Scan & Approve", "pendingRef", req.PendingRef)
|
||||
|
||||
if req.Token == "" {
|
||||
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Missing session token"})
|
||||
rawRef := strings.TrimSpace(req.PendingRef)
|
||||
pendingRef, err := h.resolveQrPendingRef(rawRef)
|
||||
if err != nil || pendingRef == "" {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid pendingRef"})
|
||||
}
|
||||
|
||||
slog.Info("[QR] Scan & Approve", "pendingRef", pendingRef)
|
||||
|
||||
// 1. Redis에서 세션 확인
|
||||
val, err := h.RedisService.Get(prefixSession + req.PendingRef)
|
||||
val, err := h.RedisService.Get(prefixSession + pendingRef)
|
||||
if err != nil || val == "" {
|
||||
return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "Session expired or not found"})
|
||||
}
|
||||
|
||||
// 2. 모바일 토큰은 승인 검증용으로만 사용하고, 웹 전용 세션을 새로 발급
|
||||
sessionToken, err := h.issueQRWebSession(c, req.Token)
|
||||
if err != nil {
|
||||
slog.Error("[QR] Issue web session failed", "error", err)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"})
|
||||
if req.Token == "" {
|
||||
cookie := c.Get(fiber.HeaderCookie)
|
||||
if cookie == "" {
|
||||
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Missing session token"})
|
||||
}
|
||||
_, traits, err := h.getKratosIdentityWithCookie(cookie)
|
||||
if err != nil {
|
||||
slog.Warn("[QR] Cookie session invalid", "error", err)
|
||||
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
|
||||
}
|
||||
loginID := pickLoginIDFromTraits(traits)
|
||||
if loginID == "" {
|
||||
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
|
||||
}
|
||||
if !strings.Contains(loginID, "@") {
|
||||
loginID = normalizePhoneForLoginID(loginID)
|
||||
}
|
||||
if err := h.startQrCodeLoginForQr(loginID, pendingRef, rawRef); err != nil {
|
||||
slog.Error("[QR] Start code login failed", "error", err)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"})
|
||||
}
|
||||
return c.JSON(fiber.Map{"message": "QR Login Approved"})
|
||||
}
|
||||
|
||||
sessionData, _ := json.Marshal(map[string]string{
|
||||
"status": statusSuccess,
|
||||
"jwt": sessionToken,
|
||||
})
|
||||
h.RedisService.Set(prefixSession+req.PendingRef, string(sessionData), 5*time.Minute)
|
||||
// 2. 모바일 토큰은 승인 검증용으로만 사용하고, 웹 전용 세션을 새로 발급
|
||||
if sessionToken, err := h.tryIssueDescopeQrSession(c, req.Token); err != nil {
|
||||
slog.Error("[QR] Issue web session failed", "error", err)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"})
|
||||
} else if sessionToken != "" {
|
||||
sessionData, _ := json.Marshal(map[string]string{
|
||||
"status": statusSuccess,
|
||||
"jwt": sessionToken,
|
||||
})
|
||||
h.RedisService.Set(prefixSession+pendingRef, string(sessionData), 5*time.Minute)
|
||||
return c.JSON(fiber.Map{"message": "QR Login Approved"})
|
||||
}
|
||||
|
||||
loginID, err := h.resolveKratosLoginID(req.Token)
|
||||
if err != nil {
|
||||
slog.Warn("[QR] Invalid token", "error", err)
|
||||
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
|
||||
}
|
||||
if err := h.startQrCodeLoginForQr(loginID, pendingRef, rawRef); err != nil {
|
||||
slog.Error("[QR] Start code login failed", "error", err)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to issue web session"})
|
||||
}
|
||||
|
||||
return c.JSON(fiber.Map{"message": "QR Login Approved"})
|
||||
}
|
||||
@@ -1484,6 +1544,66 @@ func (h *AuthHandler) HandleKratosCourierRelay(c *fiber.Ctx) error {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Missing recipient"})
|
||||
}
|
||||
|
||||
loginID := req.Recipient
|
||||
if !strings.Contains(loginID, "@") {
|
||||
loginID = normalizePhoneForLoginID(loginID)
|
||||
}
|
||||
if pendingRef, _ := h.RedisService.Get(prefixLoginCodeQrPending + loginID); pendingRef != "" {
|
||||
code := normalizeLoginCode(extractFirstString(req.TemplateData, "login_code"))
|
||||
if code == "" {
|
||||
slog.Error("[QR] Missing login code in courier", "loginID", loginID)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Missing login code"})
|
||||
}
|
||||
flowID, _ := h.RedisService.Get(prefixLoginCode + loginID)
|
||||
if flowID == "" {
|
||||
slog.Error("[QR] Missing login flow for code verify", "loginID", loginID)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Login flow expired"})
|
||||
}
|
||||
authInfo, err := h.IdpProvider.VerifyLoginCode(loginID, flowID, code)
|
||||
if err != nil || authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
|
||||
slog.Error("[QR] Code verify failed", "loginID", loginID, "error", err)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to verify login code"})
|
||||
}
|
||||
sessionData, _ := json.Marshal(map[string]string{
|
||||
"status": statusSuccess,
|
||||
"jwt": authInfo.SessionToken.JWT,
|
||||
})
|
||||
h.RedisService.Set(prefixSession+pendingRef, string(sessionData), loginCodeExpiration)
|
||||
h.RedisService.Delete(prefixLoginCodeQrPending + loginID)
|
||||
h.RedisService.Delete(prefixLoginCode + loginID)
|
||||
h.RedisService.Delete(prefixLoginCodeQr + pendingRef)
|
||||
slog.Info("[QR] Code verified and session issued", "loginID", loginID, "pendingRef", pendingRef)
|
||||
return c.JSON(fiber.Map{"status": "ok"})
|
||||
}
|
||||
if pendingRef, _ := h.RedisService.Get(prefixQrPending + loginID); pendingRef != "" {
|
||||
code := normalizeLoginCode(extractFirstString(req.TemplateData, "login_code"))
|
||||
if code == "" {
|
||||
slog.Error("[QR] Missing login code in courier", "loginID", loginID)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Missing login code"})
|
||||
}
|
||||
flowID, _ := h.RedisService.Get(prefixLoginCode + loginID)
|
||||
if flowID == "" {
|
||||
slog.Error("[QR] Missing login flow for code verify", "loginID", loginID)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Login flow expired"})
|
||||
}
|
||||
authInfo, err := h.IdpProvider.VerifyLoginCode(loginID, flowID, code)
|
||||
if err != nil || authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
|
||||
slog.Error("[QR] Code verify failed", "loginID", loginID, "error", err)
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to verify login code"})
|
||||
}
|
||||
sessionData, _ := json.Marshal(map[string]string{
|
||||
"status": statusSuccess,
|
||||
"jwt": authInfo.SessionToken.JWT,
|
||||
})
|
||||
h.RedisService.Set(prefixSession+pendingRef, string(sessionData), loginCodeExpiration)
|
||||
h.RedisService.Delete(prefixQrPending + loginID)
|
||||
h.RedisService.Delete(prefixLoginCode + loginID)
|
||||
h.RedisService.Delete(prefixLoginCodeSmsTarget + loginID)
|
||||
h.RedisService.Delete(prefixLoginCodeSmsLookup + loginID)
|
||||
slog.Info("[QR] Code verified and session issued", "loginID", loginID, "pendingRef", pendingRef)
|
||||
return c.JSON(fiber.Map{"status": "ok"})
|
||||
}
|
||||
|
||||
subject, body := h.buildKratosCourierMessage(&req)
|
||||
if strings.TrimSpace(body) == "" {
|
||||
slog.Warn("[Kratos Courier] Empty body", "recipient", req.Recipient, "template", req.TemplateType)
|
||||
@@ -1526,16 +1646,16 @@ func (h *AuthHandler) HandleKratosCourierRelay(c *fiber.Ctx) error {
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "SMS service not configured"})
|
||||
}
|
||||
phone := sanitizePhoneForSms(req.Recipient)
|
||||
loginID := req.Recipient
|
||||
if !strings.Contains(loginID, "@") {
|
||||
lookup := normalizePhoneForLoginID(loginID)
|
||||
smsLoginID := req.Recipient
|
||||
if !strings.Contains(smsLoginID, "@") {
|
||||
lookup := normalizePhoneForLoginID(smsLoginID)
|
||||
if email, _ := h.RedisService.Get(prefixLoginCodeSmsLookup + lookup); email != "" {
|
||||
loginID = email
|
||||
smsLoginID = email
|
||||
} else {
|
||||
loginID = lookup
|
||||
smsLoginID = lookup
|
||||
}
|
||||
}
|
||||
smsBody := h.buildKratosShortSmsBody(&req, loginID, phone)
|
||||
smsBody := h.buildKratosShortSmsBody(&req, smsLoginID, phone)
|
||||
if smsBody == "" {
|
||||
smsBody = body
|
||||
}
|
||||
@@ -1918,30 +2038,171 @@ func (h *AuthHandler) resolveIdentityID(c *fiber.Ctx, token string) (string, err
|
||||
return id, err
|
||||
}
|
||||
|
||||
func (h *AuthHandler) issueQRWebSession(c *fiber.Ctx, token string) (string, error) {
|
||||
if looksLikeJWT(token) && h.DescopeClient != nil {
|
||||
authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token)
|
||||
if err == nil && authorized {
|
||||
loginID, err := h.resolveDescopeLoginID(c.Context(), userToken)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
authInfo, err := h.IdpProvider.IssueSession(loginID)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
|
||||
return "", fmt.Errorf("descope issue session returned empty token")
|
||||
}
|
||||
return authInfo.SessionToken.JWT, nil
|
||||
}
|
||||
func (h *AuthHandler) tryIssueDescopeQrSession(c *fiber.Ctx, token string) (string, error) {
|
||||
if !looksLikeJWT(token) || h.DescopeClient == nil {
|
||||
return "", nil
|
||||
}
|
||||
|
||||
identityID, _, err := h.getKratosIdentity(token)
|
||||
authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token)
|
||||
if err != nil || !authorized {
|
||||
return "", nil
|
||||
}
|
||||
loginID, err := h.resolveDescopeLoginID(c.Context(), userToken)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return h.issueKratosSession(c.Context(), identityID)
|
||||
authInfo, err := h.IdpProvider.IssueSession(loginID)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if authInfo == nil || authInfo.SessionToken == nil || authInfo.SessionToken.JWT == "" {
|
||||
return "", fmt.Errorf("descope issue session returned empty token")
|
||||
}
|
||||
return authInfo.SessionToken.JWT, nil
|
||||
}
|
||||
|
||||
func (h *AuthHandler) resolveKratosLoginID(token string) (string, error) {
|
||||
_, traits, err := h.getKratosIdentity(token)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
loginID := pickLoginIDFromTraits(traits)
|
||||
if loginID == "" {
|
||||
return "", fmt.Errorf("kratos login id missing")
|
||||
}
|
||||
if !strings.Contains(loginID, "@") {
|
||||
loginID = normalizePhoneForLoginID(loginID)
|
||||
}
|
||||
return loginID, nil
|
||||
}
|
||||
|
||||
func pickLoginIDFromTraits(traits map[string]interface{}) string {
|
||||
if traits == nil {
|
||||
return ""
|
||||
}
|
||||
keys := []string{"email", "phone", "phone_number", "phoneNumber", "mobile", "mobile_number"}
|
||||
for _, key := range keys {
|
||||
if raw, ok := traits[key]; ok {
|
||||
if value, ok := raw.(string); ok && value != "" {
|
||||
return value
|
||||
}
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (h *AuthHandler) resolveQrPendingRef(raw string) (string, error) {
|
||||
ref := strings.TrimSpace(raw)
|
||||
if ref == "" {
|
||||
return "", fmt.Errorf("empty ref")
|
||||
}
|
||||
if strings.HasPrefix(ref, "http") {
|
||||
if parsed, err := url.Parse(ref); err == nil {
|
||||
if value := parsed.Query().Get("ref"); value != "" {
|
||||
ref = value
|
||||
} else if len(parsed.Path) > 0 {
|
||||
segments := strings.Split(strings.Trim(parsed.Path, "/"), "/")
|
||||
if len(segments) >= 2 && segments[0] == "ql" {
|
||||
ref = segments[1]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if ref == "" {
|
||||
return "", fmt.Errorf("invalid ref")
|
||||
}
|
||||
if mapped, _ := h.RedisService.Get(prefixQrRef + ref); mapped != "" {
|
||||
return mapped, nil
|
||||
}
|
||||
return ref, nil
|
||||
}
|
||||
|
||||
func (h *AuthHandler) resolveQrRef(raw string) string {
|
||||
ref := strings.TrimSpace(raw)
|
||||
if ref == "" {
|
||||
return ""
|
||||
}
|
||||
if strings.HasPrefix(ref, "http") {
|
||||
if parsed, err := url.Parse(ref); err == nil {
|
||||
if value := parsed.Query().Get("ref"); value != "" {
|
||||
return value
|
||||
}
|
||||
if len(parsed.Path) > 0 {
|
||||
segments := strings.Split(strings.Trim(parsed.Path, "/"), "/")
|
||||
if len(segments) >= 2 && segments[0] == "ql" {
|
||||
return segments[1]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return ref
|
||||
}
|
||||
|
||||
func (h *AuthHandler) startQrCodeLogin(loginID, pendingRef string) error {
|
||||
if h.IdpProvider == nil {
|
||||
return fmt.Errorf("identity provider unavailable")
|
||||
}
|
||||
userfrontURL := os.Getenv("USERFRONT_URL")
|
||||
if userfrontURL == "" {
|
||||
userfrontURL = "http://sso.hmac.kr"
|
||||
}
|
||||
_ = h.RedisService.Set(prefixQrPending+loginID, pendingRef, loginCodeExpiration)
|
||||
init, err := h.IdpProvider.InitiateLinkLogin(loginID, userfrontURL)
|
||||
if err != nil {
|
||||
h.RedisService.Delete(prefixQrPending + loginID)
|
||||
if errors.Is(err, domain.ErrNotSupported) {
|
||||
return fmt.Errorf("login method not supported")
|
||||
}
|
||||
return err
|
||||
}
|
||||
effectiveLoginID := loginID
|
||||
if init != nil && init.LoginID != "" {
|
||||
effectiveLoginID = init.LoginID
|
||||
}
|
||||
if effectiveLoginID != loginID {
|
||||
_ = h.RedisService.Set(prefixQrPending+effectiveLoginID, pendingRef, loginCodeExpiration)
|
||||
}
|
||||
if init != nil && init.FlowID != "" {
|
||||
_ = h.RedisService.Set(prefixLoginCode+effectiveLoginID, init.FlowID, loginCodeExpiration)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (h *AuthHandler) startQrCodeLoginForQr(loginID, pendingRef, rawRef string) error {
|
||||
if h.IdpProvider == nil {
|
||||
return fmt.Errorf("identity provider unavailable")
|
||||
}
|
||||
userfrontURL := os.Getenv("USERFRONT_URL")
|
||||
if userfrontURL == "" {
|
||||
userfrontURL = "http://sso.hmac.kr"
|
||||
}
|
||||
|
||||
init, err := h.IdpProvider.InitiateLinkLogin(loginID, userfrontURL)
|
||||
if err != nil {
|
||||
if errors.Is(err, domain.ErrNotSupported) {
|
||||
return fmt.Errorf("login method not supported")
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
effectiveLoginID := loginID
|
||||
if init != nil && init.LoginID != "" {
|
||||
effectiveLoginID = init.LoginID
|
||||
}
|
||||
if init == nil || init.FlowID == "" {
|
||||
return fmt.Errorf("login flow missing")
|
||||
}
|
||||
|
||||
qrRef := h.resolveQrRef(rawRef)
|
||||
qrPayload, _ := json.Marshal(map[string]string{
|
||||
"pendingRef": pendingRef,
|
||||
"qrRef": qrRef,
|
||||
"loginId": effectiveLoginID,
|
||||
"approvedAt": time.Now().UTC().Format(time.RFC3339),
|
||||
})
|
||||
_ = h.RedisService.Set(prefixLoginCodeQr+pendingRef, string(qrPayload), loginCodeExpiration)
|
||||
_ = h.RedisService.Set(prefixLoginCodeQrPending+effectiveLoginID, pendingRef, loginCodeExpiration)
|
||||
_ = h.RedisService.Set(prefixLoginCode+effectiveLoginID, init.FlowID, loginCodeExpiration)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (h *AuthHandler) resolveDescopeLoginID(ctx context.Context, token *descope.Token) (string, error) {
|
||||
|
||||
Reference in New Issue
Block a user