forked from baron/baron-sso
1495 lines
54 KiB
Go
1495 lines
54 KiB
Go
package handler
|
|
|
|
import (
|
|
"baron-sso-backend/internal/domain"
|
|
"baron-sso-backend/internal/logger"
|
|
"baron-sso-backend/internal/service"
|
|
"context"
|
|
crand "crypto/rand"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"fmt"
|
|
"log/slog"
|
|
"math/rand"
|
|
"os"
|
|
"regexp"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/descope/go-sdk/descope"
|
|
"github.com/descope/go-sdk/descope/client"
|
|
"github.com/gofiber/fiber/v2"
|
|
)
|
|
|
|
const (
|
|
// Redis Key Prefixes
|
|
prefixSession = "enchanted_session:"
|
|
prefixToken = "enchanted_token:"
|
|
prefixSignupEmail = "signup:email:"
|
|
prefixSignupPhone = "signup:phone:"
|
|
|
|
// Session Statuses
|
|
statusPending = "pending"
|
|
statusSuccess = "success"
|
|
|
|
// Durations
|
|
defaultExpiration = 5 * time.Minute
|
|
signupStateExpiration = 10 * time.Minute
|
|
signupBlockDuration = 10 * time.Minute
|
|
maxSignupFailures = 5
|
|
emailCodeTTL = 5 * time.Minute
|
|
smsCodeTTL = 3 * time.Minute
|
|
prefixPwdResetToken = "pwdreset_token:"
|
|
pwdResetExpiration = 15 * time.Minute
|
|
)
|
|
|
|
type AuthHandler struct {
|
|
ProjectID string
|
|
SmsService domain.SmsService
|
|
EmailService domain.EmailService
|
|
RedisService *service.RedisService
|
|
DescopeClient *client.DescopeClient
|
|
IdpProvider domain.IdentityProvider
|
|
}
|
|
|
|
type signupState struct {
|
|
Code string `json:"code"`
|
|
Verified bool `json:"verified"`
|
|
FailCount int `json:"fail_count"`
|
|
ExpiresAt int64 `json:"expires_at"` // Unix timestamp
|
|
}
|
|
|
|
// GenerateSecureToken - Helper to generate secure random strings
|
|
func GenerateSecureToken(length int) string {
|
|
b := make([]byte, length)
|
|
if _, err := crand.Read(b); err != nil {
|
|
return ""
|
|
}
|
|
return hex.EncodeToString(b)
|
|
}
|
|
|
|
func NewAuthHandler(redisService *service.RedisService, idpProvider domain.IdentityProvider) *AuthHandler {
|
|
projectID := os.Getenv("DESCOPE_PROJECT_ID")
|
|
managementKey := os.Getenv("DESCOPE_MANAGEMENT_KEY")
|
|
|
|
var descopeClient *client.DescopeClient
|
|
var err error
|
|
if projectID != "" {
|
|
descopeClient, err = client.NewWithConfig(&client.Config{
|
|
ProjectID: projectID,
|
|
ManagementKey: managementKey,
|
|
})
|
|
if err != nil {
|
|
slog.Warn("Failed to initialize Descope Client", "error", err)
|
|
}
|
|
}
|
|
|
|
return &AuthHandler{
|
|
ProjectID: projectID,
|
|
SmsService: service.NewSmsService(),
|
|
EmailService: service.NewEmailService(),
|
|
RedisService: redisService,
|
|
DescopeClient: descopeClient,
|
|
IdpProvider: idpProvider,
|
|
}
|
|
}
|
|
|
|
// --- Signup Flow Handlers ---
|
|
|
|
// CheckEmail - Checks if email is available (not registered in Descope)
|
|
func (h *AuthHandler) CheckEmail(c *fiber.Ctx) error {
|
|
var req domain.CheckEmailRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request"})
|
|
}
|
|
|
|
// Email Format Validation
|
|
if !strings.Contains(req.Email, "@") || !strings.Contains(req.Email, ".") {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid email format"})
|
|
}
|
|
|
|
if h.DescopeClient == nil {
|
|
return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "Identity provider unavailable"})
|
|
}
|
|
|
|
// Search in Descope
|
|
// Note: Descope doesn't have a direct "exists" check, we use Load or Search.
|
|
// Since we are checking availability for signup, we want "User not found".
|
|
exists, err := h.DescopeClient.Management.User().Load(context.Background(), req.Email)
|
|
|
|
// If err is nil and exists is not nil, user exists.
|
|
if err == nil && exists != nil {
|
|
return c.JSON(fiber.Map{"available": false, "message": "Email already registered"})
|
|
}
|
|
|
|
// Check if specific error is "not found" or just assume if Load fails it might be free.
|
|
// Typically Descope Load returns error if not found? Let's assume so or check error message.
|
|
// Actually, strictly speaking, we should handle specific errors, but for MVP:
|
|
return c.JSON(fiber.Map{"available": true})
|
|
}
|
|
|
|
// SendSignupEmailCode - Sends verification code to email
|
|
func (h *AuthHandler) SendSignupEmailCode(c *fiber.Ctx) error {
|
|
var req domain.SendSignupCodeRequest
|
|
if err := c.BodyParser(&req); err != nil || req.Target == "" {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid email"})
|
|
}
|
|
req.Type = "email" // Enforce type
|
|
|
|
key := prefixSignupEmail + req.Target
|
|
|
|
// 1. Check existing state (Rate Limit / Block)
|
|
state, _ := h.getSignupState(key)
|
|
if state != nil && state.FailCount > maxSignupFailures {
|
|
// Check if block expired
|
|
// Simple block implementation: if FailCount > 5, user is blocked until TTL expires
|
|
// Since we refresh TTL on each update, we rely on Redis TTL.
|
|
return c.Status(fiber.StatusTooManyRequests).JSON(fiber.Map{"error": "Too many failed attempts. Try again later."})
|
|
}
|
|
|
|
// 2. Generate Code
|
|
rand.Seed(time.Now().UnixNano())
|
|
code := fmt.Sprintf("%06d", rand.Intn(1000000))
|
|
|
|
// 3. Update State
|
|
newState := &signupState{
|
|
Code: code,
|
|
Verified: false,
|
|
FailCount: 0, // Reset fail count on new code generation? Or keep it?
|
|
// Requirement says "Auth fail > 5 -> block". New code usually resets or continues?
|
|
// Usually getting a new code doesn't reset verify failure count if we want strict blocking.
|
|
// But for simplicity let's say "fail count" applies to verification attempts.
|
|
// If we are issuing a new code, it's a new attempt cycle usually.
|
|
// However, spamming "send code" is also an attack.
|
|
// Let's keep FailCount if exists, or 0.
|
|
ExpiresAt: time.Now().Add(emailCodeTTL).Unix(),
|
|
}
|
|
if state != nil {
|
|
newState.FailCount = state.FailCount
|
|
}
|
|
|
|
h.saveSignupState(key, newState, signupStateExpiration)
|
|
|
|
// 4. Send Email
|
|
if h.EmailService == nil {
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Email service not configured"})
|
|
}
|
|
|
|
subject := "[Baron SSO] 회원가입 인증코드"
|
|
body := fmt.Sprintf(`
|
|
<div style="padding: 20px; font-family: sans-serif;">
|
|
<h2>이메일 인증</h2>
|
|
<p>아래 인증코드를 입력하여 회원가입을 진행해 주세요.</p>
|
|
<h1 style="color: #1A1F2C; letter-spacing: 5px;">%s</h1>
|
|
<p>이 코드는 5분간 유효합니다.</p>
|
|
</div>
|
|
`, code)
|
|
|
|
go h.EmailService.SendEmail(req.Target, subject, body)
|
|
|
|
return c.JSON(fiber.Map{"message": "Verification code sent"})
|
|
}
|
|
|
|
// SendSignupSmsCode - Sends verification code to phone
|
|
func (h *AuthHandler) SendSignupSmsCode(c *fiber.Ctx) error {
|
|
var req domain.SendSignupCodeRequest
|
|
if err := c.BodyParser(&req); err != nil || req.Target == "" {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid phone number"})
|
|
}
|
|
req.Type = "phone"
|
|
|
|
// Sanitize phone
|
|
phone := strings.ReplaceAll(req.Target, "-", "")
|
|
key := prefixSignupPhone + phone
|
|
|
|
// 1. Check existing state
|
|
state, _ := h.getSignupState(key)
|
|
if state != nil && state.FailCount > maxSignupFailures {
|
|
return c.Status(fiber.StatusTooManyRequests).JSON(fiber.Map{"error": "Too many failed attempts. Try again later."})
|
|
}
|
|
|
|
// 2. Generate Code
|
|
rand.Seed(time.Now().UnixNano())
|
|
code := fmt.Sprintf("%06d", rand.Intn(1000000))
|
|
|
|
// 3. Save State
|
|
newState := &signupState{
|
|
Code: code,
|
|
Verified: false,
|
|
FailCount: 0,
|
|
ExpiresAt: time.Now().Add(smsCodeTTL).Unix(),
|
|
}
|
|
if state != nil {
|
|
newState.FailCount = state.FailCount
|
|
}
|
|
h.saveSignupState(key, newState, signupStateExpiration)
|
|
|
|
// 4. Send SMS
|
|
content := fmt.Sprintf("[Baron SSO] 인증번호 [%s]를 입력해주세요.", code)
|
|
go h.SmsService.SendSms(phone, content)
|
|
|
|
return c.JSON(fiber.Map{"message": "Verification code sent"})
|
|
}
|
|
|
|
// VerifySignupCode - Verifies the code for email or phone
|
|
func (h *AuthHandler) VerifySignupCode(c *fiber.Ctx) error {
|
|
var req domain.VerifySignupCodeRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request"})
|
|
}
|
|
|
|
var key string
|
|
if req.Type == "email" {
|
|
key = prefixSignupEmail + req.Target
|
|
} else if req.Type == "phone" {
|
|
phone := strings.ReplaceAll(req.Target, "-", "")
|
|
key = prefixSignupPhone + phone
|
|
} else {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid type"})
|
|
}
|
|
|
|
state, err := h.getSignupState(key)
|
|
if err != nil || state == nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Verification session expired or not found"})
|
|
}
|
|
|
|
// Check Verified
|
|
if state.Verified {
|
|
return c.JSON(fiber.Map{"success": true, "message": "Already verified"})
|
|
}
|
|
|
|
// Check Attempts
|
|
if state.FailCount > maxSignupFailures {
|
|
return c.Status(fiber.StatusTooManyRequests).JSON(fiber.Map{"error": "Too many failed attempts"})
|
|
}
|
|
|
|
// Check Code match
|
|
if state.Code != req.Code {
|
|
state.FailCount++
|
|
h.saveSignupState(key, state, signupStateExpiration)
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid code", "failCount": state.FailCount})
|
|
}
|
|
|
|
// Check Expiry (Logic time vs stored time)
|
|
if time.Now().Unix() > state.ExpiresAt {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Code expired"})
|
|
}
|
|
|
|
// Success
|
|
state.Verified = true
|
|
h.saveSignupState(key, state, signupStateExpiration)
|
|
|
|
return c.JSON(fiber.Map{"success": true})
|
|
}
|
|
|
|
// Signup - Finalize registration
|
|
func (h *AuthHandler) Signup(c *fiber.Ctx) error {
|
|
var req domain.SignupRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
// 1. Validate Fields (Simple validation)
|
|
if req.Email == "" || req.Password == "" || req.Name == "" || req.Phone == "" {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Missing required fields"})
|
|
}
|
|
if !req.TermsAccepted {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Terms must be accepted"})
|
|
}
|
|
|
|
// Password Validation
|
|
if len(req.Password) < 12 {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must be at least 12 characters"})
|
|
}
|
|
// Check complexity (at least 2 types: lower, upper, digit, special)
|
|
types := 0
|
|
if strings.ContainsAny(req.Password, "abcdefghijklmnopqrstuvwxyz") {
|
|
types++
|
|
}
|
|
if strings.ContainsAny(req.Password, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") {
|
|
types++
|
|
}
|
|
if strings.ContainsAny(req.Password, "0123456789") {
|
|
types++
|
|
}
|
|
if strings.ContainsAny(req.Password, "!@#$%^&*()_+-=[]{}|;:,.<>?") {
|
|
types++
|
|
}
|
|
if types < 2 {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least 2 types of characters (letters, numbers, symbols)"})
|
|
}
|
|
|
|
// 2. Verify Auth Status (Redis)
|
|
emailKey := prefixSignupEmail + req.Email
|
|
phoneKey := prefixSignupPhone + strings.ReplaceAll(req.Phone, "-", "")
|
|
|
|
emailState, _ := h.getSignupState(emailKey)
|
|
phoneState, _ := h.getSignupState(phoneKey)
|
|
|
|
if emailState == nil || !emailState.Verified {
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Email not verified"})
|
|
}
|
|
if phoneState == nil || !phoneState.Verified {
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Phone not verified"})
|
|
}
|
|
|
|
if h.IdpProvider == nil {
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Identity provider unavailable"})
|
|
}
|
|
|
|
// Normalize Phone (E.164 형태로 보관)
|
|
normalizedPhone := strings.ReplaceAll(req.Phone, "-", "")
|
|
normalizedPhone = strings.ReplaceAll(normalizedPhone, " ", "")
|
|
if strings.HasPrefix(normalizedPhone, "010") {
|
|
normalizedPhone = "+82" + normalizedPhone[1:]
|
|
} else if strings.HasPrefix(normalizedPhone, "82") {
|
|
normalizedPhone = "+" + normalizedPhone
|
|
}
|
|
|
|
// IDP에 전달할 BrokerUser 스키마 구성
|
|
attributes := map[string]interface{}{
|
|
"department": req.Department,
|
|
"affiliationType": req.AffiliationType,
|
|
"companyCode": req.CompanyCode,
|
|
// grade는 기존 스키마 필수 키이므로 기본값을 설정
|
|
"grade": "member",
|
|
}
|
|
brokerUser := &domain.BrokerUser{
|
|
Email: req.Email,
|
|
Name: req.Name,
|
|
PhoneNumber: normalizedPhone,
|
|
Attributes: attributes,
|
|
}
|
|
|
|
providerID, err := h.IdpProvider.CreateUser(brokerUser, req.Password)
|
|
if err != nil {
|
|
slog.Error("[Signup] Failed to create user via IDP", "provider", h.IdpProvider.Name(), "error", err)
|
|
if strings.Contains(err.Error(), "already exists") {
|
|
return c.Status(fiber.StatusConflict).JSON(fiber.Map{"error": "User already exists"})
|
|
}
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to create user"})
|
|
}
|
|
|
|
// 4. Cleanup Redis
|
|
h.RedisService.Delete(emailKey)
|
|
h.RedisService.Delete(phoneKey)
|
|
|
|
slog.Info("[Signup] New user registered", "email", req.Email, "type", req.AffiliationType, "provider", h.IdpProvider.Name(), "subject", providerID)
|
|
|
|
return c.JSON(fiber.Map{
|
|
"success": true,
|
|
"message": "User registered successfully",
|
|
"provider": h.IdpProvider.Name(),
|
|
"subject": providerID,
|
|
})
|
|
}
|
|
|
|
// --- Helpers ---
|
|
|
|
func (h *AuthHandler) getBearerToken(c *fiber.Ctx) string {
|
|
authHeader := c.Get("Authorization")
|
|
if authHeader == "" {
|
|
return ""
|
|
}
|
|
parts := strings.Split(authHeader, " ")
|
|
if len(parts) != 2 || strings.ToLower(parts[0]) != "bearer" {
|
|
return ""
|
|
}
|
|
return parts[1]
|
|
}
|
|
|
|
func (h *AuthHandler) getSignupState(key string) (*signupState, error) {
|
|
val, err := h.RedisService.Get(key)
|
|
if err != nil || val == "" {
|
|
return nil, err
|
|
}
|
|
var state signupState
|
|
if err := json.Unmarshal([]byte(val), &state); err != nil {
|
|
return nil, err
|
|
}
|
|
return &state, nil
|
|
}
|
|
|
|
func (h *AuthHandler) saveSignupState(key string, state *signupState, ttl time.Duration) error {
|
|
data, err := json.Marshal(state)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return h.RedisService.Set(key, string(data), ttl)
|
|
}
|
|
|
|
// GetPasswordPolicy exposes the current Descope password policy to the frontend for dynamic validation.
|
|
func (h *AuthHandler) GetPasswordPolicy(c *fiber.Ctx) error {
|
|
if h.DescopeClient == nil {
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Descope client not configured"})
|
|
}
|
|
|
|
policy, err := h.DescopeClient.Auth.Password().GetPasswordPolicy(context.Background())
|
|
if err != nil {
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
|
}
|
|
|
|
return c.JSON(fiber.Map{
|
|
"minLength": policy.MinLength,
|
|
"lowercase": policy.Lowercase,
|
|
"uppercase": policy.Uppercase,
|
|
"number": policy.Number,
|
|
"nonAlphanumeric": policy.NonAlphanumeric,
|
|
})
|
|
}
|
|
|
|
// SendSms sends a verification code via SMS. (Restored for completeness)
|
|
func (h *AuthHandler) SendSms(c *fiber.Ctx) error {
|
|
var req domain.SmsRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
slog.Info("[SMS] Sending code", "phoneNumber", req.PhoneNumber)
|
|
sanitizedPhone := strings.ReplaceAll(req.PhoneNumber, "-", "")
|
|
rand.Seed(time.Now().UnixNano())
|
|
code := fmt.Sprintf("%06d", rand.Intn(1000000))
|
|
content := fmt.Sprintf("[Baron SSO] 인증번호: %s", code)
|
|
|
|
h.RedisService.StoreVerificationCode(sanitizedPhone, code)
|
|
if err := h.SmsService.SendSms(sanitizedPhone, content); err != nil {
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS"})
|
|
}
|
|
|
|
return c.JSON(fiber.Map{"message": "SMS sent successfully"})
|
|
}
|
|
|
|
// VerifySms verifies the provided SMS code. (Restored)
|
|
func (h *AuthHandler) VerifySms(c *fiber.Ctx) error {
|
|
var req domain.SmsVerifyRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
sanitizedPhone := strings.ReplaceAll(req.PhoneNumber, "-", "")
|
|
storedCode, _ := h.RedisService.GetVerificationCode(sanitizedPhone)
|
|
|
|
if storedCode == "" || storedCode != req.Code {
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid or expired code"})
|
|
}
|
|
|
|
h.RedisService.DeleteVerificationCode(sanitizedPhone)
|
|
|
|
// Note: In a real scenario, you might want to generate a Descope JWT here too
|
|
// using the same logic as VerifyMagicLink, but for now returning a placeholder
|
|
// or you can call the Descope logic if needed.
|
|
token := "sms-verified-placeholder-token"
|
|
|
|
return c.JSON(fiber.Map{"token": token})
|
|
}
|
|
|
|
// InitEnchantedLink - Custom Implementation (Restored)
|
|
func (h *AuthHandler) InitEnchantedLink(c *fiber.Ctx) error {
|
|
var req domain.EnchantedLinkInitRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
slog.Error("[Enchanted] Body parse error", "error", err)
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
loginID := strings.ReplaceAll(req.LoginID, "-", "")
|
|
loginID = strings.ReplaceAll(loginID, " ", "")
|
|
|
|
// [New] Check if user exists before sending link
|
|
if h.DescopeClient != nil {
|
|
user, err := h.DescopeClient.Management.User().Load(context.Background(), loginID)
|
|
if err != nil || user == nil {
|
|
// Try searching by phone if not found by LoginID
|
|
searchPhone := loginID
|
|
if !strings.Contains(searchPhone, "@") {
|
|
if strings.HasPrefix(searchPhone, "010") {
|
|
searchPhone = "+82" + searchPhone[1:]
|
|
} else if strings.HasPrefix(searchPhone, "82") {
|
|
searchPhone = "+" + searchPhone
|
|
}
|
|
}
|
|
searchOptions := &descope.UserSearchOptions{
|
|
Phones: []string{searchPhone},
|
|
Limit: 1,
|
|
}
|
|
users, _, errSearch := h.DescopeClient.Management.User().SearchAll(context.Background(), searchOptions)
|
|
if errSearch != nil || len(users) == 0 {
|
|
slog.Warn("[Enchanted] User not found", "loginID", loginID)
|
|
return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "User not registered"})
|
|
}
|
|
// 검색 결과가 있더라도 loginID는 사용자가 입력한 원래 값을 유지 (발송 수단 결정을 위해)
|
|
}
|
|
}
|
|
|
|
// [Changed] 토큰 길이를 사용자의 요청에 맞춰 6글자(3바이트)로, pendingRef를 8글자(4바이트)로 조정
|
|
token := GenerateSecureToken(3)
|
|
pendingRef := GenerateSecureToken(3)
|
|
|
|
slog.Info("[Enchanted] Initiating enchanted link", "loginID", loginID, "token", token, "pendingRef", pendingRef)
|
|
|
|
// Store in Redis
|
|
h.RedisService.Set(prefixSession+pendingRef, fmt.Sprintf(`{"status":"%s"}`, statusPending), defaultExpiration)
|
|
h.RedisService.Set(prefixToken+token, fmt.Sprintf(`{"pendingRef":"%s","loginId":"%s"}`, pendingRef, loginID), defaultExpiration)
|
|
|
|
// Generate Link
|
|
frontendURL := os.Getenv("FRONTEND_URL")
|
|
slog.Info("[Enchanted] Read FRONTEND_URL", "url", frontendURL)
|
|
if frontendURL == "" {
|
|
frontendURL = "http://sso.hmac.kr"
|
|
}
|
|
link := fmt.Sprintf("%s/verify/%s", frontendURL, token)
|
|
|
|
// Route based on LoginID type
|
|
if strings.Contains(loginID, "@") {
|
|
// Send Email
|
|
if h.EmailService == nil {
|
|
slog.Error("[Enchanted] Email Service not configured")
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Email service not configured"})
|
|
}
|
|
|
|
subject := "[Baron SSO] 로그인 링크"
|
|
body := fmt.Sprintf(`
|
|
<div style="font-family: sans-serif; padding: 20px; border: 1px solid #eee; border-radius: 10px; max-width: 500px;">
|
|
<h2 style="color: #1A1F2C;">Baron SSO 로그인</h2>
|
|
<p>안녕하세요,</p>
|
|
<p>아래 버튼을 클릭하여 로그인을 완료해 주세요. 이 링크는 5분 동안 유효합니다.</p>
|
|
<div style="margin: 30px 0;">
|
|
<a href="%s" style="background-color: #1A1F2C; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px; font-weight: bold;">로그인 완료하기</a>
|
|
</div>
|
|
<p style="font-size: 12px; color: #888;">만약 본인이 요청하지 않았다면 이 메일을 무시하셔도 됩니다.</p>
|
|
</div>
|
|
`, link)
|
|
|
|
slog.Info("[Enchanted] Sending Email via AWS SES", "loginID", loginID)
|
|
if err := h.EmailService.SendEmail(loginID, subject, body); err != nil {
|
|
slog.Error("[Enchanted] Email Failed", "error", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send Email"})
|
|
}
|
|
} else {
|
|
// Send SMS
|
|
content := fmt.Sprintf("[Baron SSO] 로그인 링크: %s", link)
|
|
slog.Info("[Enchanted] Sending SMS via Naver Cloud", "loginID", loginID)
|
|
|
|
if err := h.SmsService.SendSms(loginID, content); err != nil {
|
|
slog.Error("[Enchanted] SMS Failed", "error", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS"})
|
|
}
|
|
}
|
|
|
|
return c.JSON(fiber.Map{
|
|
"linkId": "Sent",
|
|
"pendingRef": pendingRef,
|
|
"maskedEmail": loginID,
|
|
})
|
|
}
|
|
|
|
// PollEnchantedLink - Check status (Restored)
|
|
func (h *AuthHandler) PollEnchantedLink(c *fiber.Ctx) error {
|
|
var req domain.EnchantedLinkPollRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
val, err := h.RedisService.Get(prefixSession + req.PendingRef)
|
|
if err != nil || val == "" {
|
|
return c.JSON(fiber.Map{"status": statusPending})
|
|
}
|
|
|
|
var data map[string]string
|
|
json.Unmarshal([]byte(val), &data)
|
|
|
|
if data["status"] == statusSuccess {
|
|
slog.Info("[Poll] Success", "pendingRef", req.PendingRef)
|
|
return c.JSON(fiber.Map{
|
|
"sessionJwt": data["jwt"],
|
|
"status": "ok",
|
|
})
|
|
}
|
|
|
|
return c.JSON(fiber.Map{"status": statusPending})
|
|
}
|
|
|
|
// VerifyMagicLink - Validate token and login (Restored)
|
|
func (h *AuthHandler) VerifyMagicLink(c *fiber.Ctx) error {
|
|
var req domain.MagicLinkVerifyRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
slog.Error("[Verify] Body parse error", "error", err)
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
slog.Info("[Verify] Attempting to verify token", "token", req.Token)
|
|
|
|
tokenKey := prefixToken + req.Token
|
|
val, err := h.RedisService.Get(tokenKey)
|
|
if err != nil || val == "" {
|
|
slog.Warn("[Verify] Token not found or expired in Redis", "token", req.Token)
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid or expired token"})
|
|
}
|
|
|
|
var tokenData map[string]string
|
|
json.Unmarshal([]byte(val), &tokenData)
|
|
pendingRef := tokenData["pendingRef"]
|
|
loginID := tokenData["loginId"]
|
|
|
|
slog.Info("[Verify] Token valid", "loginID", loginID, "pendingRef", pendingRef)
|
|
|
|
// 1. Generate Descope Session Directly (Management SDK)
|
|
if h.DescopeClient == nil {
|
|
slog.Error("[Verify] Descope Client is nil!")
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Descope Client not configured"})
|
|
}
|
|
|
|
// [Fix] Search for existing user by phone to prevent fragmentation
|
|
// Normalize Phone Number for Search (E.164)
|
|
searchPhone := loginID
|
|
if !strings.Contains(searchPhone, "@") {
|
|
// If it looks like a KR mobile number (010...), format to +8210...
|
|
if strings.HasPrefix(searchPhone, "010") {
|
|
searchPhone = "+82" + searchPhone[1:]
|
|
} else if strings.HasPrefix(searchPhone, "82") {
|
|
searchPhone = "+" + searchPhone
|
|
}
|
|
}
|
|
|
|
slog.Info("[Verify] Searching for user", "phone", searchPhone)
|
|
searchOptions := &descope.UserSearchOptions{
|
|
Phones: []string{searchPhone},
|
|
Limit: 1,
|
|
}
|
|
|
|
var targetLoginID string
|
|
users, _, errSearch := h.DescopeClient.Management.User().SearchAll(context.Background(), searchOptions)
|
|
|
|
if errSearch == nil && len(users) > 0 {
|
|
if len(users[0].LoginIDs) > 0 {
|
|
targetLoginID = users[0].LoginIDs[0]
|
|
slog.Info("[Verify] User found", "existingLoginID", targetLoginID)
|
|
} else {
|
|
// Should not happen for a valid user, but fallback to UserID or searchPhone
|
|
slog.Warn("[Verify] User found but no LoginIDs, using UserID")
|
|
targetLoginID = users[0].UserID
|
|
}
|
|
} else {
|
|
// [Changed] If not found, do NOT auto-create. Return error.
|
|
slog.Warn("[Verify] User not found by phone", "loginID", searchPhone)
|
|
return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "User not registered"})
|
|
}
|
|
|
|
slog.Info("[Verify] Generating embedded link", "loginID", targetLoginID)
|
|
embeddedToken, err := h.DescopeClient.Management.User().GenerateEmbeddedLink(context.Background(), targetLoginID, nil, 0)
|
|
if err != nil {
|
|
slog.Error("[Verify] Descope Error", "error", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to generate upstream token"})
|
|
}
|
|
|
|
slog.Info("[Verify] Exchanging embedded token for session JWT")
|
|
authInfo, err := h.DescopeClient.Auth.MagicLink().Verify(context.Background(), embeddedToken, nil)
|
|
if err != nil {
|
|
slog.Error("[Verify] Final verification failed", "error", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to verify upstream token"})
|
|
}
|
|
sessionToken := authInfo.SessionToken.JWT
|
|
|
|
slog.Info("[Verify] Success! Updating Redis session", "pendingRef", pendingRef)
|
|
sessionData, _ := json.Marshal(map[string]string{
|
|
"status": statusSuccess,
|
|
"jwt": sessionToken,
|
|
})
|
|
h.RedisService.Set(prefixSession+pendingRef, string(sessionData), defaultExpiration)
|
|
|
|
return c.JSON(fiber.Map{
|
|
"token": sessionToken,
|
|
"message": "Login successful",
|
|
})
|
|
}
|
|
|
|
// PasswordLogin - Authenticate a user with login ID and password.
|
|
func (h *AuthHandler) PasswordLogin(c *fiber.Ctx) error {
|
|
startTime := time.Now()
|
|
ale := logger.NewAuditLogEntry(c, "login")
|
|
ale.Operation = "Auth.Password().SignIn"
|
|
|
|
var req struct {
|
|
LoginID string `json:"loginId"`
|
|
Password string `json:"password"`
|
|
}
|
|
|
|
if err := c.BodyParser(&req); err != nil {
|
|
ale.Status = fiber.StatusBadRequest
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = err.Error()
|
|
ale.Log(slog.LevelError, "Body parse error")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
loginID := strings.TrimSpace(req.LoginID)
|
|
ale.LoginIDs["loginId"] = req.LoginID // 원문
|
|
ale.LoginIDs["loginId_normalized"] = loginID
|
|
ale.NewPassword = req.Password // For test only, logging password (sensitive)
|
|
|
|
ale.Log(slog.LevelInfo, "Attempting to login")
|
|
|
|
if h.IdpProvider == nil {
|
|
ale.Status = fiber.StatusInternalServerError
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "IDP Provider is nil"
|
|
ale.Log(slog.LevelError, "IDP Provider is nil")
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Authentication service not configured"})
|
|
}
|
|
|
|
authInfo, err := h.IdpProvider.SignIn(loginID, req.Password)
|
|
if err != nil {
|
|
ale.Status = fiber.StatusUnauthorized
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = err.Error()
|
|
ale.Log(slog.LevelWarn, "IDP sign-in failed", slog.String("provider", h.IdpProvider.Name()))
|
|
if strings.Contains(err.Error(), "not found") || strings.Contains(err.Error(), "identity") {
|
|
return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "User not registered"})
|
|
}
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid credentials"})
|
|
}
|
|
|
|
ale.Status = fiber.StatusOK
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.SessionJwt = authInfo.SessionToken.JWT
|
|
ale.Log(slog.LevelInfo, "Login successful", slog.String("provider", h.IdpProvider.Name()), slog.String("subject", authInfo.Subject))
|
|
|
|
resp := fiber.Map{
|
|
"sessionJwt": authInfo.SessionToken.JWT,
|
|
"status": "ok",
|
|
"provider": h.IdpProvider.Name(),
|
|
}
|
|
if authInfo.RefreshToken != nil {
|
|
resp["refreshJwt"] = authInfo.RefreshToken.JWT
|
|
}
|
|
if authInfo.Subject != "" {
|
|
resp["subject"] = authInfo.Subject
|
|
}
|
|
return c.JSON(resp)
|
|
}
|
|
|
|
// InitiatePasswordReset - 사용자가 비밀번호 재설정을 시작하면, loginID 유형에 따라 Descope를 통해 이메일 또는 SMS를 보냅니다.
|
|
func (h *AuthHandler) InitiatePasswordReset(c *fiber.Ctx) error {
|
|
startTime := time.Now()
|
|
ale := logger.NewAuditLogEntry(c, "initiate")
|
|
|
|
var req domain.PasswordResetInitiateRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
ale.Status = fiber.StatusBadRequest
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = err.Error()
|
|
ale.Log(slog.LevelError, "Body parse error")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
loginID := strings.TrimSpace(req.LoginID)
|
|
ale.LoginIDs["loginId"] = req.LoginID // 원문
|
|
ale.LoginIDs["loginId_normalized"] = loginID
|
|
|
|
if loginID == "" {
|
|
ale.Status = fiber.StatusBadRequest
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "Login ID is required"
|
|
ale.Log(slog.LevelWarn, "Login ID missing")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Login ID is required"})
|
|
}
|
|
|
|
if h.IdpProvider == nil {
|
|
ale.Status = fiber.StatusInternalServerError
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "IDP Provider is not initialized"
|
|
ale.Log(slog.LevelError, "IDP Provider is not initialized")
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Authentication service not configured"})
|
|
}
|
|
|
|
frontendURL := os.Getenv("FRONTEND_URL")
|
|
if frontendURL == "" {
|
|
ale.Status = fiber.StatusInternalServerError
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "FRONTEND_URL is not set"
|
|
ale.Log(slog.LevelError, "FRONTEND_URL is not set")
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "FRONTEND_URL environment variable is not set"})
|
|
}
|
|
// [Changed] Point to Backend API for verification (which then redirects to Frontend)
|
|
redirectURL := fmt.Sprintf("%s/api/v1/auth/password/reset/verify", frontendURL)
|
|
ale.RedirectTo = redirectURL
|
|
|
|
// 내부 토큰 발급 + 우리 채널로 전송
|
|
resetToken := GenerateSecureToken(32)
|
|
if resetToken == "" {
|
|
ale.Status = fiber.StatusInternalServerError
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "Failed to generate reset token"
|
|
ale.Log(slog.LevelError, "Failed to generate reset token")
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to generate reset token"})
|
|
}
|
|
|
|
if err := h.RedisService.Set(prefixPwdResetToken+resetToken, loginID, pwdResetExpiration); err != nil {
|
|
ale.Status = fiber.StatusInternalServerError
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = err.Error()
|
|
ale.Log(slog.LevelError, "Failed to store reset token in Redis")
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to store reset token"})
|
|
}
|
|
|
|
resetLink := fmt.Sprintf("%s/reset-password?token=%s", frontendURL, resetToken)
|
|
ale.RedirectTo = resetLink
|
|
ale.Operation = "SendPasswordReset"
|
|
ale.Log(slog.LevelInfo, "Initiating password reset via internal token")
|
|
|
|
if strings.Contains(loginID, "@") {
|
|
if h.EmailService == nil {
|
|
ale.Status = fiber.StatusInternalServerError
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "Email service not configured"
|
|
ale.Log(slog.LevelError, "Email service not configured")
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Email service not configured"})
|
|
}
|
|
subject := "[Baron SSO] 비밀번호 재설정"
|
|
body := fmt.Sprintf(`
|
|
<div style="font-family: sans-serif; padding: 20px; border: 1px solid #eee; border-radius: 10px; max-width: 500px;">
|
|
<h2 style="color: #1A1F2C;">Baron SSO 비밀번호 재설정</h2>
|
|
<p>아래 버튼을 클릭해 비밀번호 재설정을 진행해 주세요. 링크는 15분간 유효합니다.</p>
|
|
<div style="margin: 30px 0;">
|
|
<a href="%s" style="background-color: #1A1F2C; color: white; padding: 12px 24px; text-decoration: none; border-radius: 5px; font-weight: bold;">비밀번호 재설정</a>
|
|
</div>
|
|
<p style="font-size: 12px; color: #888;">요청하지 않았다면 이 메일을 무시하세요.</p>
|
|
</div>
|
|
`, resetLink)
|
|
if err := h.EmailService.SendEmail(loginID, subject, body); err != nil {
|
|
ale.Status = fiber.StatusInternalServerError
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = err.Error()
|
|
ale.Log(slog.LevelError, "Failed to send reset email", slog.String("loginId", loginID))
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send reset email"})
|
|
}
|
|
} else {
|
|
if err := h.SmsService.SendSms(loginID, fmt.Sprintf("[Baron SSO] 비밀번호 재설정 링크: %s", resetLink)); err != nil {
|
|
ale.Status = fiber.StatusInternalServerError
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = err.Error()
|
|
ale.Log(slog.LevelError, "Failed to send reset SMS", slog.String("loginId", loginID))
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send reset SMS"})
|
|
}
|
|
}
|
|
|
|
ale.Status = fiber.StatusOK
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.Log(slog.LevelInfo, "Password reset link sent successfully (internal token)")
|
|
return c.JSON(fiber.Map{"message": "If an account with that login ID exists, a reset link has been sent."})
|
|
}
|
|
|
|
// VerifyPasswordResetPage - Serves an interstitial page to prevent link scanners from consuming the token.
|
|
func (h *AuthHandler) VerifyPasswordResetPage(c *fiber.Ctx) error {
|
|
token := c.Query("token")
|
|
if token == "" {
|
|
token = c.Query("t")
|
|
}
|
|
|
|
if token == "" {
|
|
return c.Status(fiber.StatusBadRequest).SendString("Missing token")
|
|
}
|
|
|
|
// Simple HTML page with a form to trigger the POST request
|
|
html := fmt.Sprintf(`
|
|
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<title>Baron SSO - 비밀번호 재설정</title>
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
<style>
|
|
body { font-family: sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background-color: #f5f5f5; }
|
|
.container { background: white; padding: 2rem; border-radius: 8px; box-shadow: 0 2px 4px rgba(0,0,0,0.1); text-align: center; max-width: 400px; width: 100%%; }
|
|
h2 { color: #1A1F2C; margin-bottom: 1rem; }
|
|
p { color: #666; margin-bottom: 2rem; }
|
|
button { background-color: #1A1F2C; color: white; padding: 12px 24px; border: none; border-radius: 4px; font-size: 16px; cursor: pointer; width: 100%%; transition: background 0.2s; }
|
|
button:hover { background-color: #333; }
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<div class="container">
|
|
<h2>비밀번호 재설정</h2>
|
|
<p>아래 버튼을 클릭하여 비밀번호 재설정을 계속해 주세요.</p>
|
|
<form action="/api/v1/auth/password/reset/verify" method="POST">
|
|
<input type="hidden" name="token" value="%s">
|
|
<button type="submit">계속하기</button>
|
|
</form>
|
|
</div>
|
|
</body>
|
|
</html>
|
|
`, token)
|
|
|
|
c.Set("Content-Type", "text/html; charset=utf-8")
|
|
return c.SendString(html)
|
|
}
|
|
|
|
// ProcessPasswordResetToken - Handles the POST request from the interstitial page.
|
|
// Verifies the token, sets the refresh token cookie, and redirects to the frontend.
|
|
func (h *AuthHandler) ProcessPasswordResetToken(c *fiber.Ctx) error {
|
|
startTime := time.Now()
|
|
ale := logger.NewAuditLogEntry(c, "verify")
|
|
ale.Operation = "Verify"
|
|
|
|
// Token comes from Form Body in POST or query
|
|
token := c.FormValue("token")
|
|
if token == "" {
|
|
token = c.Query("token")
|
|
if token == "" {
|
|
token = c.Query("t")
|
|
}
|
|
}
|
|
ale.Token = token
|
|
|
|
if token == "" {
|
|
ale.Status = fiber.StatusBadRequest
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "Missing token"
|
|
ale.Log(slog.LevelWarn, "Missing token in request")
|
|
return c.Status(fiber.StatusBadRequest).SendString("Missing token")
|
|
}
|
|
|
|
loginID, err := h.RedisService.Get(prefixPwdResetToken + token)
|
|
if err != nil || loginID == "" {
|
|
ale.Status = fiber.StatusUnauthorized
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "Invalid or expired reset token"
|
|
ale.Log(slog.LevelWarn, "Reset token invalid or expired")
|
|
return c.Status(fiber.StatusUnauthorized).SendString("Invalid or expired token")
|
|
}
|
|
|
|
ale.LoginIDs["loginId"] = loginID
|
|
ale.LoginIDs["loginId_normalized"] = loginID
|
|
|
|
redirectURL := fmt.Sprintf("%s/reset-password?loginId=%s&token=%s",
|
|
os.Getenv("FRONTEND_URL"),
|
|
loginID,
|
|
token,
|
|
)
|
|
|
|
ale.RedirectTo = redirectURL
|
|
ale.Status = fiber.StatusFound
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.Log(slog.LevelInfo, "Token verified, redirecting to frontend")
|
|
|
|
return c.Redirect(redirectURL)
|
|
}
|
|
|
|
// CompletePasswordReset - 제공된 loginID와 새 비밀번호로 Descope에 비밀번호를 업데이트합니다.
|
|
// 리프레시 토큰은 요청 쿠키에 포함되어 있어야 합니다.
|
|
func (h *AuthHandler) CompletePasswordReset(c *fiber.Ctx) error {
|
|
startTime := time.Now()
|
|
ale := logger.NewAuditLogEntry(c, "complete")
|
|
ale.Operation = "UpdateUserPassword"
|
|
|
|
providerName := "unknown"
|
|
if h.IdpProvider != nil {
|
|
providerName = h.IdpProvider.Name()
|
|
}
|
|
isDescopeProvider := strings.Contains(strings.ToLower(providerName), "descope")
|
|
|
|
var req struct {
|
|
NewPassword string `json:"newPassword"`
|
|
}
|
|
if err := c.BodyParser(&req); err != nil {
|
|
ale.Status = fiber.StatusBadRequest
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = err.Error()
|
|
ale.Log(slog.LevelError, "Body parse error")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
// loginID는 URL 쿼리 파라미터 또는 토큰 조회로 받습니다.
|
|
loginID := c.Query("loginId")
|
|
resetToken := c.Query("token")
|
|
if loginID == "" && resetToken != "" {
|
|
if val, err := h.RedisService.Get(prefixPwdResetToken + resetToken); err == nil && val != "" {
|
|
loginID = val
|
|
ale.Token = resetToken
|
|
}
|
|
}
|
|
|
|
ale.LoginIDs["loginId"] = loginID
|
|
ale.RequestBody = fmt.Sprintf("{\"newPassword\": \"%s\"}", req.NewPassword) // Log request body (for test only)
|
|
ale.NewPassword = req.NewPassword // Log new password (for test only)
|
|
|
|
// Request cookie logging (minimal)
|
|
if cookieHeader := c.Get(fiber.HeaderCookie); cookieHeader != "" {
|
|
ale.Headers["Request-Cookie-Header"] = cookieHeader
|
|
if dsrfCookie := c.Cookies("DSRF"); dsrfCookie != "" {
|
|
ale.ParsedCookieDSRF = dsrfCookie
|
|
ale.HasCookieDSRF = true
|
|
} else {
|
|
ale.HasCookieDSRF = false
|
|
}
|
|
}
|
|
|
|
if loginID == "" || req.NewPassword == "" {
|
|
ale.Status = fiber.StatusBadRequest
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "Login ID and new password are required"
|
|
ale.Log(slog.LevelWarn, "Login ID or new password missing")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Login ID and new password are required"})
|
|
}
|
|
|
|
// 디버깅을 위해 요청된 새 비밀번호를 로그로 출력
|
|
ale.Log(slog.LevelInfo, "Received new password for reset")
|
|
|
|
if len(req.NewPassword) < 8 {
|
|
ale.Status = fiber.StatusBadRequest
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "Password must be at least 8 characters long"
|
|
ale.Log(slog.LevelWarn, "Validation failed: password too short (fallback policy)")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": ale.DescopeError})
|
|
}
|
|
|
|
if isDescopeProvider && h.DescopeClient != nil {
|
|
// Validate password complexity (Descope only)
|
|
policy, err := h.DescopeClient.Auth.Password().GetPasswordPolicy(context.Background())
|
|
if err != nil {
|
|
ale.Log(slog.LevelWarn, "Failed to fetch password policy, skipping dynamic validation: "+err.Error())
|
|
} else {
|
|
if len(req.NewPassword) < int(policy.MinLength) {
|
|
ale.Status = fiber.StatusBadRequest
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = fmt.Sprintf("Password must be at least %d characters long", policy.MinLength)
|
|
ale.Log(slog.LevelWarn, "Validation failed: password too short")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": ale.DescopeError})
|
|
}
|
|
if policy.Lowercase {
|
|
if ok, _ := regexp.MatchString(`[a-z]`, req.NewPassword); !ok {
|
|
ale.Status = fiber.StatusBadRequest
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "Password must contain at least one lowercase letter"
|
|
ale.Log(slog.LevelWarn, "Validation failed: no lowercase letter")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one lowercase letter"})
|
|
}
|
|
}
|
|
if policy.Uppercase {
|
|
if ok, _ := regexp.MatchString(`[A-Z]`, req.NewPassword); !ok {
|
|
ale.Status = fiber.StatusBadRequest
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "Password must contain at least one uppercase letter"
|
|
ale.Log(slog.LevelWarn, "Validation failed: no uppercase letter")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one uppercase letter"})
|
|
}
|
|
}
|
|
if policy.Number {
|
|
if ok, _ := regexp.MatchString(`[0-9]`, req.NewPassword); !ok {
|
|
ale.Status = fiber.StatusBadRequest
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "Password must contain at least one number"
|
|
ale.Log(slog.LevelWarn, "Validation failed: no number")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one number"})
|
|
}
|
|
}
|
|
if policy.NonAlphanumeric {
|
|
if ok, _ := regexp.MatchString(`[\W_]`, req.NewPassword); !ok {
|
|
ale.Status = fiber.StatusBadRequest
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "Password must contain at least one special character"
|
|
ale.Log(slog.LevelWarn, "Validation failed: no special character")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Password must contain at least one special character"})
|
|
}
|
|
}
|
|
}
|
|
} else if isDescopeProvider && h.DescopeClient == nil {
|
|
ale.Log(slog.LevelWarn, "Descope selected but client is nil; skipping policy validation")
|
|
}
|
|
|
|
ale.Log(slog.LevelInfo, "Attempting to update password via IDP", slog.String("idp", providerName))
|
|
|
|
if h.IdpProvider == nil {
|
|
ale.Status = fiber.StatusInternalServerError
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = "IDP Provider is nil"
|
|
ale.Log(slog.LevelError, "IDP Provider is nil")
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Authentication service not configured"})
|
|
}
|
|
|
|
if err := h.IdpProvider.UpdateUserPassword(loginID, req.NewPassword, nil); err != nil {
|
|
ale.Status = fiber.StatusInternalServerError
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.DescopeError = err.Error()
|
|
ale.Log(slog.LevelError, "Failed to update password via IDP")
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to update password"})
|
|
}
|
|
|
|
ale.Status = fiber.StatusOK
|
|
ale.LatencyMs = time.Since(startTime)
|
|
ale.Log(slog.LevelInfo, "Password updated successfully", slog.String("login_id", loginID))
|
|
if resetToken != "" {
|
|
_ = h.RedisService.Delete(prefixPwdResetToken + resetToken)
|
|
}
|
|
return c.JSON(fiber.Map{"message": "Password has been reset successfully."})
|
|
}
|
|
|
|
// InitQRLogin - Step 1: Web 패널에서 QR 로그인 세션을 생성합니다.
|
|
func (h *AuthHandler) InitQRLogin(c *fiber.Ctx) error {
|
|
pendingRef := GenerateSecureToken(16)
|
|
|
|
// QR 코드 페이로드를 실제 접속 가능한 URL로 변경합니다.
|
|
frontendURL := os.Getenv("FRONTEND_URL")
|
|
if frontendURL == "" {
|
|
frontendURL = "https://sso.hmac.kr"
|
|
}
|
|
qrPayload := fmt.Sprintf("%s/approve?ref=%s", frontendURL, pendingRef)
|
|
|
|
slog.Info("[QR] Init", "pendingRef", pendingRef, "url", qrPayload)
|
|
|
|
// Redis에 초기 상태 저장 (5분 만료)
|
|
h.RedisService.Set(prefixSession+pendingRef, fmt.Sprintf(`{"status":"%s"}`, statusPending), 5*time.Minute)
|
|
|
|
return c.JSON(fiber.Map{
|
|
"qrCode": qrPayload, // 프론트엔드에서 이 텍스트로 QR을 생성하거나, 이미지를 반환
|
|
"pendingRef": pendingRef,
|
|
"expiresIn": 300,
|
|
})
|
|
}
|
|
|
|
// PollQRLogin - Step 2: 웹에서 승인 여부를 폴링합니다.
|
|
func (h *AuthHandler) PollQRLogin(c *fiber.Ctx) error {
|
|
var req struct {
|
|
PendingRef string `json:"pendingRef"`
|
|
}
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid body"})
|
|
}
|
|
|
|
val, err := h.RedisService.Get(prefixSession + req.PendingRef)
|
|
if err != nil || val == "" {
|
|
return c.JSON(fiber.Map{"status": "expired"})
|
|
}
|
|
|
|
var data map[string]string
|
|
json.Unmarshal([]byte(val), &data)
|
|
|
|
if data["status"] == statusSuccess {
|
|
slog.Info("[QR] Poll Success", "pendingRef", req.PendingRef)
|
|
return c.JSON(fiber.Map{
|
|
"status": "ok",
|
|
"sessionJwt": data["jwt"],
|
|
})
|
|
}
|
|
|
|
return c.JSON(fiber.Map{"status": statusPending})
|
|
}
|
|
|
|
// ScanQRLogin - Step 3: 모바일 앱에서 QR 스캔 후 승인할 때 호출합니다.
|
|
// (이미 로그인된 세션이 필요함)
|
|
func (h *AuthHandler) ScanQRLogin(c *fiber.Ctx) error {
|
|
var req struct {
|
|
PendingRef string `json:"pendingRef"`
|
|
Token string `json:"token"` // 모바일 사용자의 세션 토큰 (검증용)
|
|
}
|
|
if err := c.BodyParser(&req); err != nil {
|
|
slog.Error("[QR] Scan body parse error", "error", err)
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid body"})
|
|
}
|
|
|
|
slog.Info("[QR] Scan & Approve", "pendingRef", req.PendingRef)
|
|
|
|
// 1. Redis에서 세션 확인
|
|
val, err := h.RedisService.Get(prefixSession + req.PendingRef)
|
|
if err != nil || val == "" {
|
|
return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "Session expired or not found"})
|
|
}
|
|
|
|
// 2. 모바일 유저의 토큰으로 새 세션 토큰(웹용)을 발행하거나 그대로 전달
|
|
|
|
sessionData, _ := json.Marshal(map[string]string{
|
|
"status": statusSuccess,
|
|
"jwt": req.Token,
|
|
})
|
|
h.RedisService.Set(prefixSession+req.PendingRef, string(sessionData), 5*time.Minute)
|
|
|
|
return c.JSON(fiber.Map{"message": "QR Login Approved"})
|
|
}
|
|
|
|
// ProxyToDescope (Placeholder)
|
|
func (h *AuthHandler) ProxyToDescope(c *fiber.Ctx, path string, payload interface{}) error {
|
|
return c.Status(501).SendString("Descope Proxy Disabled")
|
|
}
|
|
|
|
// HandleDescopeSmsRelay
|
|
func (h *AuthHandler) HandleDescopeSmsRelay(c *fiber.Ctx) error {
|
|
var req struct {
|
|
Recipient string `json:"recipient"`
|
|
Body string `json:"body"`
|
|
}
|
|
|
|
if err := c.BodyParser(&req); err != nil {
|
|
slog.Error("Webhook Body parsing failed", "error", err)
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
if req.Recipient == "" || req.Body == "" {
|
|
slog.Warn("Webhook missing recipient or body")
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Missing recipient or body"})
|
|
}
|
|
|
|
slog.Info("Received SMS request", "recipient", req.Recipient)
|
|
|
|
phone := req.Recipient
|
|
if strings.HasPrefix(phone, "+82") {
|
|
phone = "0" + phone[3:]
|
|
}
|
|
phone = strings.ReplaceAll(phone, "-", "")
|
|
phone = strings.ReplaceAll(phone, " ", "")
|
|
|
|
if err := h.SmsService.SendSms(phone, req.Body); err != nil {
|
|
slog.Error("Failed to forward SMS to Naver", "error", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS via Naver"})
|
|
}
|
|
|
|
slog.Info("Successfully forwarded SMS", "phone", phone)
|
|
return c.JSON(fiber.Map{"status": "ok"})
|
|
}
|
|
|
|
// HandleDescopeEmailRelay - Webhook for Descope Generic Email Gateway
|
|
// Used for "Fake Email Strategy" to support Polling with SMS.
|
|
func (h *AuthHandler) HandleDescopeEmailRelay(c *fiber.Ctx) error {
|
|
var req struct {
|
|
To string `json:"to"` // e.g., 01012345678@sms.baron
|
|
Subject string `json:"subject"`
|
|
Text string `json:"text"` // Body containing the link
|
|
}
|
|
|
|
if err := c.BodyParser(&req); err != nil {
|
|
slog.Error("[Email Webhook] Body parsing failed", "error", err)
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
slog.Info("[Email Webhook] Received email request", "to", req.To)
|
|
|
|
// Check if it's a Fake Email for SMS
|
|
if strings.HasSuffix(req.To, "@sms.baron") {
|
|
phone := strings.Split(req.To, "@")[0]
|
|
|
|
// Sanitize Phone (Descope might sanitize or not, but let's be safe)
|
|
if strings.HasPrefix(phone, "+82") {
|
|
phone = "0" + phone[3:]
|
|
}
|
|
|
|
// Send SMS with the text body (Descope template should be optimized for SMS)
|
|
if err := h.SmsService.SendSms(phone, req.Text); err != nil {
|
|
slog.Error("[Email Webhook] Failed to forward Email-as-SMS", "error", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to send SMS"})
|
|
}
|
|
|
|
slog.Info("[Email Webhook] Successfully converted Email to SMS", "phone", phone)
|
|
return c.JSON(fiber.Map{"status": "ok"})
|
|
}
|
|
|
|
// Real Email Handling (Not implemented in this Relay)
|
|
// You would need an SMTP service here if you route ALL emails through this relay.
|
|
slog.Warn("[Email Webhook] Real email skipped (Not implemented)", "to", req.To)
|
|
return c.Status(501).JSON(fiber.Map{"error": "Real email sending not implemented"})
|
|
}
|
|
|
|
// --- User Profile Handlers ---
|
|
|
|
func (h *AuthHandler) formatPhoneForDisplay(phone string) string {
|
|
if strings.HasPrefix(phone, "+8210") {
|
|
return "010" + phone[5:]
|
|
}
|
|
return phone
|
|
}
|
|
|
|
func (h *AuthHandler) formatPhoneForStorage(phone string) string {
|
|
phone = strings.ReplaceAll(phone, "-", "")
|
|
if strings.HasPrefix(phone, "010") && len(phone) == 11 {
|
|
return "+8210" + phone[3:]
|
|
}
|
|
return phone
|
|
}
|
|
|
|
// GetMe - Returns current user's profile with 010 phone format
|
|
func (h *AuthHandler) GetMe(c *fiber.Ctx) error {
|
|
token := h.getBearerToken(c)
|
|
if token == "" {
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Missing authorization token"})
|
|
}
|
|
|
|
authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token)
|
|
if err != nil || !authorized {
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
|
|
}
|
|
|
|
userResponse, err := h.DescopeClient.Management.User().Load(c.Context(), userToken.ID)
|
|
if err != nil {
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to load user profile"})
|
|
}
|
|
|
|
dept, _ := userResponse.CustomAttributes["department"].(string)
|
|
affType, _ := userResponse.CustomAttributes["affiliationType"].(string)
|
|
compCode, _ := userResponse.CustomAttributes["companyCode"].(string)
|
|
|
|
resp := domain.UserProfileResponse{
|
|
ID: userResponse.UserID,
|
|
Email: userResponse.Email,
|
|
Name: userResponse.Name,
|
|
Phone: h.formatPhoneForDisplay(userResponse.Phone),
|
|
Department: dept,
|
|
AffiliationType: affType,
|
|
CompanyCode: compCode,
|
|
}
|
|
|
|
return c.JSON(resp)
|
|
}
|
|
|
|
// UpdateMe - Updates current user's profile with phone verification check
|
|
func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
|
|
token := h.getBearerToken(c)
|
|
if token == "" {
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Missing authorization token"})
|
|
}
|
|
|
|
authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token)
|
|
if err != nil || !authorized {
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
|
|
}
|
|
|
|
var req domain.UpdateUserRequest
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request body"})
|
|
}
|
|
|
|
// 1. Load current user to check changes
|
|
currentUser, err := h.DescopeClient.Management.User().Load(c.Context(), userToken.ID)
|
|
if err != nil {
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to load current user"})
|
|
}
|
|
|
|
newPhoneStorage := h.formatPhoneForStorage(req.Phone)
|
|
oldPhoneStorage := currentUser.Phone
|
|
|
|
slog.Info("[UpdateMe] Checking changes", "userID", userToken.ID, "oldPhone", oldPhoneStorage, "newPhone", newPhoneStorage, "newName", req.Name)
|
|
|
|
// 2. Handle Phone Number Change
|
|
if newPhoneStorage != "" && newPhoneStorage != oldPhoneStorage {
|
|
// Check verification status in Redis
|
|
verifyKey := "verify_update_phone:" + userToken.ID + ":" + newPhoneStorage
|
|
val, _ := h.RedisService.Get(verifyKey)
|
|
if val != "verified" {
|
|
slog.Warn("[UpdateMe] Phone verification missing", "key", verifyKey)
|
|
return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "휴대폰 번호 변경을 위해 SMS 인증이 필요합니다."})
|
|
}
|
|
|
|
// Update Phone in Descope and mark as verified
|
|
slog.Info("[UpdateMe] Updating phone number", "userID", userToken.ID, "newPhone", newPhoneStorage)
|
|
_, err = h.DescopeClient.Management.User().UpdatePhone(c.Context(), userToken.ID, newPhoneStorage, true, false)
|
|
if err != nil {
|
|
slog.Error("Failed to update phone in Descope", "error", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "전화번호 업데이트에 실패했습니다."})
|
|
}
|
|
|
|
// If the old phone was used as a LoginID, replace it with the new one
|
|
for _, loginID := range currentUser.LoginIDs {
|
|
// Normalize for comparison
|
|
normID := strings.ReplaceAll(loginID, "+82", "0")
|
|
normOld := strings.ReplaceAll(oldPhoneStorage, "+82", "0")
|
|
|
|
if loginID == oldPhoneStorage || (normOld != "" && normID == normOld) {
|
|
slog.Info("[UpdateMe] Updating LoginID", "old", loginID, "new", newPhoneStorage)
|
|
_, err = h.DescopeClient.Management.User().UpdateLoginID(c.Context(), loginID, newPhoneStorage)
|
|
if err != nil {
|
|
slog.Warn("Failed to update LoginID", "error", err)
|
|
}
|
|
break
|
|
}
|
|
}
|
|
|
|
// Clear verification after successful update
|
|
h.RedisService.Delete(verifyKey)
|
|
}
|
|
|
|
// 3. Update Name if changed
|
|
if req.Name != "" && req.Name != currentUser.Name {
|
|
slog.Info("[UpdateMe] Updating display name", "userID", userToken.ID, "newName", req.Name)
|
|
_, err = h.DescopeClient.Management.User().UpdateDisplayName(c.Context(), userToken.ID, req.Name)
|
|
if err != nil {
|
|
slog.Error("Failed to update user name", "error", err)
|
|
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "이름 업데이트에 실패했습니다."})
|
|
}
|
|
}
|
|
|
|
// 4. Update Custom Attributes (Department)
|
|
if req.Department != "" {
|
|
slog.Info("[UpdateMe] Updating department", "userID", userToken.ID, "dept", req.Department)
|
|
if _, err := h.DescopeClient.Management.User().UpdateCustomAttribute(c.Context(), userToken.ID, "department", req.Department); err != nil {
|
|
slog.Error("Failed to update department", "error", err)
|
|
}
|
|
}
|
|
|
|
slog.Info("[UpdateMe] Profile update completed successfully", "userID", userToken.ID)
|
|
|
|
return c.JSON(fiber.Map{
|
|
"status": "success",
|
|
"updatedAt": time.Now().Format(time.RFC3339),
|
|
})
|
|
}
|
|
|
|
// SendUpdateCode - Sends OTP for phone number change
|
|
func (h *AuthHandler) SendUpdateCode(c *fiber.Ctx) error {
|
|
token := h.getBearerToken(c)
|
|
if token == "" {
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
|
|
}
|
|
|
|
authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token)
|
|
if err != nil || !authorized {
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
|
|
}
|
|
|
|
var req struct {
|
|
Phone string `json:"phone"`
|
|
}
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid phone"})
|
|
}
|
|
|
|
phone := h.formatPhoneForStorage(req.Phone)
|
|
code := fmt.Sprintf("%06d", rand.Intn(1000000))
|
|
|
|
// Store code in Redis
|
|
key := "otp_update_phone:" + userToken.ID + ":" + phone
|
|
h.RedisService.Set(key, code, 5*time.Minute)
|
|
|
|
// Send SMS
|
|
content := fmt.Sprintf("[Baron SSO] 정보 수정 인증번호: [%s]", code)
|
|
go h.SmsService.SendSms(phone, content)
|
|
|
|
return c.JSON(fiber.Map{"message": "인증번호가 전송되었습니다."})
|
|
}
|
|
|
|
// VerifyUpdateCode - Verifies OTP for phone number change
|
|
func (h *AuthHandler) VerifyUpdateCode(c *fiber.Ctx) error {
|
|
token := h.getBearerToken(c)
|
|
authorized, userToken, err := h.DescopeClient.Auth.ValidateSessionWithToken(c.Context(), token)
|
|
if err != nil || !authorized {
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Invalid session"})
|
|
}
|
|
|
|
var req struct {
|
|
Phone string `json:"phone"`
|
|
Code string `json:"code"`
|
|
}
|
|
if err := c.BodyParser(&req); err != nil {
|
|
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "Invalid request"})
|
|
}
|
|
|
|
phone := h.formatPhoneForStorage(req.Phone)
|
|
key := "otp_update_phone:" + userToken.ID + ":" + phone
|
|
storedCode, _ := h.RedisService.Get(key)
|
|
|
|
if storedCode == "" || storedCode != req.Code {
|
|
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "인증번호가 일치하지 않거나 만료되었습니다."})
|
|
}
|
|
|
|
// Mark as verified for 10 minutes
|
|
verifyKey := "verify_update_phone:" + userToken.ID + ":" + phone
|
|
h.RedisService.Set(verifyKey, "verified", 10*time.Minute)
|
|
h.RedisService.Delete(key)
|
|
|
|
return c.JSON(fiber.Map{"success": true})
|
|
}
|