forked from baron/baron-sso
474 lines
16 KiB
Go
474 lines
16 KiB
Go
package handler
|
|
|
|
import (
|
|
"baron-sso-backend/internal/domain"
|
|
"baron-sso-backend/internal/service"
|
|
"context"
|
|
crand "crypto/rand"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"fmt"
|
|
"log"
|
|
"math/rand"
|
|
"os"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/descope/go-sdk/descope"
|
|
"github.com/descope/go-sdk/descope/client"
|
|
"github.com/gofiber/fiber/v2"
|
|
)
|
|
|
|
const (
|
|
// Redis Key Prefixes
|
|
prefixSession = "enchanted_session:"
|
|
prefixToken = "enchanted_token:"
|
|
|
|
// Session Statuses
|
|
statusPending = "pending"
|
|
statusSuccess = "success"
|
|
|
|
// Durations
|
|
defaultExpiration = 5 * time.Minute
|
|
)
|
|
|
|
type AuthHandler struct {
|
|
ProjectID string
|
|
SmsService domain.SmsService
|
|
RedisService *service.RedisService
|
|
DescopeClient *client.DescopeClient
|
|
}
|
|
|
|
// GenerateSecureToken - Helper to generate secure random strings
|
|
func GenerateSecureToken(length int) string {
|
|
b := make([]byte, length)
|
|
if _, err := crand.Read(b); err != nil {
|
|
return ""
|
|
}
|
|
return hex.EncodeToString(b)
|
|
}
|
|
|
|
func NewAuthHandler() *AuthHandler {
|
|
redisService, err := service.NewRedisService()
|
|
if err != nil {
|
|
log.Fatalf("Failed to connect to Redis: %v", err)
|
|
}
|
|
|
|
projectID := os.Getenv("DESCOPE_PROJECT_ID")
|
|
managementKey := os.Getenv("DESCOPE_MANAGEMENT_KEY")
|
|
|
|
var descopeClient *client.DescopeClient
|
|
if projectID != "" {
|
|
descopeClient, err = client.NewWithConfig(&client.Config{
|
|
ProjectID: projectID,
|
|
ManagementKey: managementKey,
|
|
})
|
|
if err != nil {
|
|
log.Printf("Warning: Failed to initialize Descope Client: %v", err)
|
|
}
|
|
}
|
|
|
|
return &AuthHandler{
|
|
ProjectID: projectID,
|
|
SmsService: service.NewSmsService(),
|
|
RedisService: redisService,
|
|
DescopeClient: descopeClient,
|
|
}
|
|
}
|
|
|
|
// SendSms sends a verification code via SMS. (Restored for completeness)
|
|
func (h *AuthHandler) SendSms(c *fiber.Ctx) error {
|
|
var req domain.SmsRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
log.Printf("[SMS] Sending code to: %s", req.PhoneNumber)
|
|
sanitizedPhone := strings.ReplaceAll(req.PhoneNumber, "-", "")
|
|
|
|
rand.Seed(time.Now().UnixNano())
|
|
code := fmt.Sprintf("%06d", rand.Intn(1000000))
|
|
content := fmt.Sprintf("[Baron SSO] 인증번호: %s", code)
|
|
|
|
h.RedisService.StoreVerificationCode(sanitizedPhone, code)
|
|
if err := h.SmsService.SendSms(sanitizedPhone, content); err != nil {
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS"})
|
|
}
|
|
|
|
return c.JSON(fiber.Map{"message": "SMS sent successfully"})
|
|
}
|
|
|
|
// VerifySms verifies the provided SMS code. (Restored)
|
|
func (h *AuthHandler) VerifySms(c *fiber.Ctx) error {
|
|
var req domain.SmsVerifyRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
sanitizedPhone := strings.ReplaceAll(req.PhoneNumber, "-", "")
|
|
storedCode, _ := h.RedisService.GetVerificationCode(sanitizedPhone)
|
|
|
|
if storedCode == "" || storedCode != req.Code {
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid or expired code"})
|
|
}
|
|
|
|
h.RedisService.DeleteVerificationCode(sanitizedPhone)
|
|
|
|
// Note: In a real scenario, you might want to generate a Descope JWT here too
|
|
// using the same logic as VerifyMagicLink, but for now returning a placeholder
|
|
// or you can call the Descope logic if needed.
|
|
token := "sms-verified-placeholder-token"
|
|
|
|
return c.JSON(fiber.Map{"token": token})
|
|
}
|
|
|
|
// InitEnchantedLink - Custom Implementation (Restored)
|
|
func (h *AuthHandler) InitEnchantedLink(c *fiber.Ctx) error {
|
|
var req domain.EnchantedLinkInitRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
log.Printf("[Enchanted] Body parse error: %v", err)
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
loginID := strings.ReplaceAll(req.LoginID, "-", "")
|
|
loginID = strings.ReplaceAll(loginID, " ", "")
|
|
|
|
// Generate secure tokens
|
|
token := GenerateSecureToken(3)
|
|
pendingRef := GenerateSecureToken(3)
|
|
|
|
log.Printf("[Enchanted] Initiating for %s. Token: %s, PendingRef: %s", loginID, token, pendingRef)
|
|
|
|
// Store in Redis
|
|
h.RedisService.Set(prefixSession+pendingRef, fmt.Sprintf(`{"status":"%s"}`, statusPending), defaultExpiration)
|
|
h.RedisService.Set(prefixToken+token, fmt.Sprintf(`{"pendingRef":"%s","loginId":"%s"}`, pendingRef, loginID), defaultExpiration)
|
|
|
|
// Send SMS
|
|
frontendURL := os.Getenv("FRONTEND_URL")
|
|
if frontendURL == "" {
|
|
frontendURL = "http://ssologin.hmac.kr"
|
|
}
|
|
link := fmt.Sprintf("%s/verify/%s", frontendURL, token)
|
|
content := fmt.Sprintf("[Baron SSO] 로그인 링크: %s", link)
|
|
|
|
log.Printf("[Enchanted] Sending SMS to %s via Naver Cloud", loginID)
|
|
|
|
if err := h.SmsService.SendSms(loginID, content); err != nil {
|
|
log.Printf("[Enchanted] SMS Failed: %v", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS"})
|
|
}
|
|
|
|
log.Printf("[Enchanted] SMS sent successfully to %s", loginID)
|
|
return c.JSON(fiber.Map{
|
|
"linkId": "SMS Sent",
|
|
"pendingRef": pendingRef,
|
|
"maskedEmail": loginID,
|
|
})
|
|
}
|
|
|
|
// PollEnchantedLink - Check status (Restored)
|
|
func (h *AuthHandler) PollEnchantedLink(c *fiber.Ctx) error {
|
|
var req domain.EnchantedLinkPollRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
val, err := h.RedisService.Get(prefixSession + req.PendingRef)
|
|
if err != nil || val == "" {
|
|
return c.JSON(fiber.Map{"status": statusPending})
|
|
}
|
|
|
|
var data map[string]string
|
|
json.Unmarshal([]byte(val), &data)
|
|
|
|
if data["status"] == statusSuccess {
|
|
log.Printf("[Poll] Success for ref: %s", req.PendingRef)
|
|
return c.JSON(fiber.Map{
|
|
"sessionJwt": data["jwt"],
|
|
"status": "ok",
|
|
})
|
|
}
|
|
|
|
return c.JSON(fiber.Map{"status": statusPending})
|
|
}
|
|
|
|
// VerifyMagicLink - Validate token and login (Restored)
|
|
func (h *AuthHandler) VerifyMagicLink(c *fiber.Ctx) error {
|
|
var req domain.MagicLinkVerifyRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
log.Printf("[Verify] Body parse error: %v", err)
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
log.Printf("[Verify] Attempting to verify token: %s", req.Token)
|
|
|
|
tokenKey := prefixToken + req.Token
|
|
val, err := h.RedisService.Get(tokenKey)
|
|
if err != nil || val == "" {
|
|
log.Printf("[Verify] Token not found or expired in Redis: %s", req.Token)
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid or expired token"})
|
|
}
|
|
|
|
var tokenData map[string]string
|
|
json.Unmarshal([]byte(val), &tokenData)
|
|
pendingRef := tokenData["pendingRef"]
|
|
loginID := tokenData["loginId"]
|
|
|
|
log.Printf("[Verify] Token valid. LoginID: %s, PendingRef: %s", loginID, pendingRef)
|
|
|
|
// 1. Generate Descope Session Directly (Management SDK)
|
|
if h.DescopeClient == nil {
|
|
log.Printf("[Verify] Descope Client is nil!")
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Descope Client not configured"})
|
|
}
|
|
|
|
// [Fix] Search for existing user by phone to prevent fragmentation
|
|
// Normalize Phone Number for Search (E.164)
|
|
searchPhone := loginID
|
|
if !strings.Contains(searchPhone, "@") {
|
|
// If it looks like a KR mobile number (010...), format to +8210...
|
|
if strings.HasPrefix(searchPhone, "010") {
|
|
searchPhone = "+82" + searchPhone[1:]
|
|
} else if strings.HasPrefix(searchPhone, "82") {
|
|
searchPhone = "+" + searchPhone
|
|
}
|
|
}
|
|
|
|
log.Printf("[Verify] Searching for user with phone: %s", searchPhone)
|
|
searchOptions := &descope.UserSearchOptions{
|
|
Phones: []string{searchPhone},
|
|
Limit: 1,
|
|
}
|
|
|
|
var targetLoginID string
|
|
users, _, errSearch := h.DescopeClient.Management.User().SearchAll(context.Background(), searchOptions)
|
|
|
|
if errSearch == nil && len(users) > 0 {
|
|
if len(users[0].LoginIDs) > 0 {
|
|
targetLoginID = users[0].LoginIDs[0]
|
|
log.Printf("[Verify] User found! Existing LoginID: %s", targetLoginID)
|
|
} else {
|
|
// Should not happen for a valid user, but fallback to UserID or searchPhone
|
|
log.Printf("[Verify] User found but no LoginIDs. Using UserID.")
|
|
targetLoginID = users[0].UserID
|
|
}
|
|
} else {
|
|
// Not found, or search error. Fallback to using the phone as LoginID.
|
|
// Use the normalized phone number to ensure consistency (+82...)
|
|
targetLoginID = searchPhone
|
|
log.Printf("[Verify] User not found by phone. Will use/create: %s", targetLoginID)
|
|
}
|
|
|
|
log.Printf("[Verify] Generating embedded link for %s", targetLoginID)
|
|
embeddedToken, err := h.DescopeClient.Management.User().GenerateEmbeddedLink(context.Background(), targetLoginID, nil, 0)
|
|
if err != nil {
|
|
if strings.Contains(err.Error(), "User not found") || strings.Contains(err.Error(), "E062108") {
|
|
log.Printf("[Verify] User %s not found. Creating...", targetLoginID)
|
|
|
|
// Create User with Explicit Phone Attribute
|
|
userObj := &descope.UserRequest{}
|
|
if strings.Contains(targetLoginID, "@") {
|
|
userObj.Email = targetLoginID
|
|
} else {
|
|
userObj.Phone = targetLoginID // Must be E.164
|
|
}
|
|
|
|
_, errCreate := h.DescopeClient.Management.User().Create(context.Background(), targetLoginID, userObj)
|
|
if errCreate != nil {
|
|
log.Printf("[Verify] Failed to create user: %v", errCreate)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to create new user"})
|
|
}
|
|
|
|
embeddedToken, err = h.DescopeClient.Management.User().GenerateEmbeddedLink(context.Background(), targetLoginID, nil, 0)
|
|
if err != nil {
|
|
log.Printf("[Verify] Failed to generate token after creation: %v", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to generate upstream token"})
|
|
}
|
|
} else {
|
|
log.Printf("[Verify] Descope Error: %v", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to generate upstream token"})
|
|
}
|
|
}
|
|
|
|
log.Printf("[Verify] Exchanging embedded token for session JWT")
|
|
authInfo, err := h.DescopeClient.Auth.MagicLink().Verify(context.Background(), embeddedToken, nil)
|
|
if err != nil {
|
|
log.Printf("[Verify] Final verification failed: %v", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to verify upstream token"})
|
|
}
|
|
sessionToken := authInfo.SessionToken.JWT
|
|
|
|
log.Printf("[Verify] Success! Updating Redis session: %s", pendingRef)
|
|
sessionData, _ := json.Marshal(map[string]string{
|
|
"status": statusSuccess,
|
|
"jwt": sessionToken,
|
|
})
|
|
h.RedisService.Set(prefixSession+pendingRef, string(sessionData), defaultExpiration)
|
|
|
|
return c.JSON(fiber.Map{
|
|
"token": sessionToken,
|
|
"message": "Login successful",
|
|
})
|
|
}
|
|
|
|
// InitQRLogin - Step 1: Web 패널에서 QR 로그인 세션을 생성합니다.
|
|
func (h *AuthHandler) InitQRLogin(c *fiber.Ctx) error {
|
|
pendingRef := GenerateSecureToken(16)
|
|
|
|
// QR 코드 페이로드를 실제 접속 가능한 URL로 변경합니다.
|
|
frontendURL := os.Getenv("FRONTEND_URL")
|
|
if frontendURL == "" {
|
|
frontendURL = "https://ssologin.hmac.kr"
|
|
}
|
|
qrPayload := fmt.Sprintf("%s/approve?ref=%s", frontendURL, pendingRef)
|
|
|
|
log.Printf("[QR] Init: PendingRef=%s, URL=%s", pendingRef, qrPayload)
|
|
|
|
// Redis에 초기 상태 저장 (5분 만료)
|
|
h.RedisService.Set(prefixSession+pendingRef, fmt.Sprintf(`{"status":"%s"}`, statusPending), 5*time.Minute)
|
|
|
|
return c.JSON(fiber.Map{
|
|
"qrCode": qrPayload, // 프론트엔드에서 이 텍스트로 QR을 생성하거나, 이미지를 반환
|
|
"pendingRef": pendingRef,
|
|
"expiresIn": 300,
|
|
})
|
|
}
|
|
|
|
// PollQRLogin - Step 2: 웹에서 승인 여부를 폴링합니다.
|
|
func (h *AuthHandler) PollQRLogin(c *fiber.Ctx) error {
|
|
var req struct {
|
|
PendingRef string `json:"pendingRef"`
|
|
}
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid body"})
|
|
}
|
|
|
|
val, err := h.RedisService.Get(prefixSession + req.PendingRef)
|
|
if err != nil || val == "" {
|
|
return c.JSON(fiber.Map{"status": "expired"})
|
|
}
|
|
|
|
var data map[string]string
|
|
json.Unmarshal([]byte(val), &data)
|
|
|
|
if data["status"] == statusSuccess {
|
|
return c.JSON(fiber.Map{
|
|
"status": "ok",
|
|
"sessionJwt": data["jwt"],
|
|
})
|
|
}
|
|
|
|
return c.JSON(fiber.Map{"status": statusPending})
|
|
}
|
|
|
|
// ScanQRLogin - Step 3: 모바일 앱에서 QR 스캔 후 승인할 때 호출합니다.
|
|
// (이미 로그인된 세션이 필요함)
|
|
func (h *AuthHandler) ScanQRLogin(c *fiber.Ctx) error {
|
|
var req struct {
|
|
PendingRef string `json:"pendingRef"`
|
|
Token string `json:"token"` // 모바일 사용자의 세션 토큰 (검증용)
|
|
}
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid body"})
|
|
}
|
|
|
|
log.Printf("[QR] Scan & Approve: PendingRef=%s", req.PendingRef)
|
|
|
|
// 1. Redis에서 세션 확인
|
|
val, err := h.RedisService.Get(prefixSession + req.PendingRef)
|
|
if err != nil || val == "" {
|
|
return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "Session expired or not found"})
|
|
}
|
|
|
|
// 2. 모바일 유저의 토큰으로 새 세션 토큰(웹용)을 발행하거나 그대로 전달
|
|
|
|
sessionData, _ := json.Marshal(map[string]string{
|
|
"status": statusSuccess,
|
|
"jwt": req.Token,
|
|
})
|
|
h.RedisService.Set(prefixSession+req.PendingRef, string(sessionData), 5*time.Minute)
|
|
|
|
return c.JSON(fiber.Map{"message": "QR Login Approved"})
|
|
}
|
|
|
|
// ProxyToDescope (Placeholder)
|
|
func (h *AuthHandler) ProxyToDescope(c *fiber.Ctx, path string, payload interface{}) error {
|
|
return c.Status(501).SendString("Descope Proxy Disabled")
|
|
}
|
|
|
|
// HandleDescopeSmsRelay
|
|
func (h *AuthHandler) HandleDescopeSmsRelay(c *fiber.Ctx) error {
|
|
var req struct {
|
|
Recipient string `json:"recipient"`
|
|
Body string `json:"body"`
|
|
}
|
|
|
|
if err := c.BodyParser(&req); err != nil {
|
|
log.Printf("[Webhook] Body parsing failed: %v", err)
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
if req.Recipient == "" || req.Body == "" {
|
|
log.Printf("[Webhook] Missing recipient or body")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Missing recipient or body"})
|
|
}
|
|
|
|
log.Printf("[Webhook] Received SMS request for %s", req.Recipient)
|
|
|
|
phone := req.Recipient
|
|
if strings.HasPrefix(phone, "+82") {
|
|
phone = "0" + phone[3:]
|
|
}
|
|
phone = strings.ReplaceAll(phone, "-", "")
|
|
phone = strings.ReplaceAll(phone, " ", "")
|
|
|
|
if err := h.SmsService.SendSms(phone, req.Body); err != nil {
|
|
log.Printf("[Webhook] Failed to forward SMS to Naver: %v", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS via Naver"})
|
|
}
|
|
|
|
log.Printf("[Webhook] Successfully forwarded SMS to %s", phone)
|
|
return c.JSON(fiber.Map{"status": "ok"})
|
|
}
|
|
|
|
// HandleDescopeEmailRelay - Webhook for Descope Generic Email Gateway
|
|
// Used for "Fake Email Strategy" to support Polling with SMS.
|
|
func (h *AuthHandler) HandleDescopeEmailRelay(c *fiber.Ctx) error {
|
|
var req struct {
|
|
To string `json:"to"` // e.g., 01012345678@sms.baron
|
|
Subject string `json:"subject"`
|
|
Text string `json:"text"` // Body containing the link
|
|
}
|
|
|
|
if err := c.BodyParser(&req); err != nil {
|
|
log.Printf("[Email Webhook] Body parsing failed: %v", err)
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
log.Printf("[Email Webhook] Received email request for %s", req.To)
|
|
|
|
// Check if it's a Fake Email for SMS
|
|
if strings.HasSuffix(req.To, "@sms.baron") {
|
|
phone := strings.Split(req.To, "@")[0]
|
|
|
|
// Sanitize Phone (Descope might sanitize or not, but let's be safe)
|
|
if strings.HasPrefix(phone, "+82") {
|
|
phone = "0" + phone[3:]
|
|
}
|
|
|
|
// Send SMS with the text body (Descope template should be optimized for SMS)
|
|
if err := h.SmsService.SendSms(phone, req.Text); err != nil {
|
|
log.Printf("[Email Webhook] Failed to forward Email-as-SMS: %v", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS"})
|
|
}
|
|
|
|
log.Printf("[Email Webhook] Successfully converted Email to SMS for %s", phone)
|
|
return c.JSON(fiber.Map{"status": "ok"})
|
|
}
|
|
|
|
// Real Email Handling (Not implemented in this Relay)
|
|
// You would need an SMTP service here if you route ALL emails through this relay.
|
|
log.Printf("[Email Webhook] Real email skipped (Not implemented): %s", req.To)
|
|
return c.Status(501).JSON(fiber.Map{"error": "Real email sending not implemented"})
|
|
}
|