@ahhaohho/auth-middleware 2.0.0 → 2.1.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ahhaohho/auth-middleware",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "description": "Shared authentication and authorization middleware for ahhaohho microservices",
   "main": "src/index.js",
   "scripts": {

package/src/constants/permissions.js

@@ -0,0 +1,317 @@
+/**
+ * 역할 및 권한 상수 정의
+ *
+ * 권한 명명 규칙: {서비스}:{리소스}:{액션}[:범위]
+ * - 서비스: challenge, world, gallery, community, membership, auth, ai, search, notification
+ * - 리소스: content, progress, project, user, profile 등
+ * - 액션: read, write, delete, upload, sync 등
+ * - 범위: own (선택적, 본인 리소스만)
+ */
+
+/**
+ * 역할 정의
+ */
+const ROLES = {
+  ADMIN: 'admin',
+  SERVICE: 'service',
+  CREATOR: 'creator',
+  FLC_MEMBER: 'flc-member',
+  USER: 'user'
+};
+
+/**
+ * 접근 범위 정의
+ */
+const ACCESS_SCOPES = {
+  CONTENT: 'Content',
+  COMMUNITY: 'Community',
+  REWARD: 'Reward',
+  PROFILE: 'Profile',
+  ADMIN_PANEL: 'AdminPanel',
+  INTERNAL: 'Internal'
+};
+
+/**
+ * 권한 정의 - 서비스별로 그룹화
+ */
+const PERMISSIONS = {
+  // Challenge 서비스
+  CHALLENGE: {
+    CONTENT_READ: 'challenge:content:read',
+    CONTENT_WRITE: 'challenge:content:write',
+    CONTENT_WRITE_OWN: 'challenge:content:write:own',
+    CONTENT_DELETE: 'challenge:content:delete',
+    CONTENT_DELETE_OWN: 'challenge:content:delete:own',
+    CONTENT_GROUP_READ: 'challenge:content-group:read',
+    CONTENT_GROUP_WRITE: 'challenge:content-group:write',
+    CONTENT_GROUP_DELETE: 'challenge:content-group:delete',
+    PROGRESS_READ: 'challenge:progress:read',
+    PROGRESS_READ_OWN: 'challenge:progress:read:own',
+    PROGRESS_WRITE: 'challenge:progress:write',
+    PROGRESS_WRITE_OWN: 'challenge:progress:write:own'
+  },
+
+  // World 서비스
+  WORLD: {
+    CONTENT_READ: 'world:content:read',
+    CONTENT_WRITE: 'world:content:write',
+    CONTENT_WRITE_OWN: 'world:content:write:own',
+    CONTENT_DELETE: 'world:content:delete',
+    CONTENT_DELETE_OWN: 'world:content:delete:own',
+    CONTENT_GROUP_READ: 'world:content-group:read',
+    CONTENT_GROUP_OWN: 'world:content-group:own',
+    CONTENT_GROUP_WRITE: 'world:content-group:write',
+    CONTENT_GROUP_WRITE_OWN: 'world:content-group:write:own',
+    CONTENT_GROUP_DELETE: 'world:content-group:delete',
+    CONTENT_GROUP_DELETE_OWN: 'world:content-group:delete:own',
+    PROGRESS_READ: 'world:progress:read',
+    PROGRESS_READ_OWN: 'world:progress:read:own',
+    PROGRESS_WRITE: 'world:progress:write',
+    PROGRESS_WRITE_OWN: 'world:progress:write:own'
+  },
+
+  // Gallery 서비스
+  GALLERY: {
+    PROJECT_READ: 'gallery:project:read',
+    PROJECT_WRITE: 'gallery:project:write',
+    PROJECT_WRITE_OWN: 'gallery:project:write:own',
+    PROJECT_DELETE: 'gallery:project:delete',
+    PROJECT_DELETE_OWN: 'gallery:project:delete:own',
+    MEDIA_UPLOAD: 'gallery:media:upload',
+    REPORT_READ: 'gallery:report:read',
+    REPORT_READ_OWN: 'gallery:report:read:own',
+    REPORT_WRITE: 'gallery:report:write',
+    REPORT_WRITE_OWN: 'gallery:report:write:own'
+  },
+
+  // Community 서비스
+  COMMUNITY: {
+    READ: 'community:read',
+    READ_OWN: 'community:read:own',
+    WRITE: 'community:write',
+    WRITE_OWN: 'community:write:own',
+    DELETE: 'community:delete',
+    DELETE_OWN: 'community:delete:own',
+    MESSAGE_WRITE: 'community:message:write',
+    MESSAGE_WRITE_OWN: 'community:message:write:own',
+    NOTICE_READ: 'community:notice:read',
+    NOTICE_READ_OWN: 'community:notice:read:own',
+    NOTICE_WRITE: 'community:notice:write',
+    NOTICE_WRITE_OWN: 'community:notice:write:own',
+    NOTICE_DELETE: 'community:notice:delete',
+    NOTICE_DELETE_OWN: 'community:notice:delete:own',
+    CURATION_READ: 'community:curation:read',
+    CURATION_READ_OWN: 'community:curation:read:own',
+    CURATION_WRITE: 'community:curation:write',
+    CURATION_WRITE_OWN: 'community:curation:write:own',
+    CURATION_DELETE: 'community:curation:delete',
+    CURATION_DELETE_OWN: 'community:curation:delete:own',
+    MEMBER_READ: 'community:member:read',
+    MEMBER_READ_OWN: 'community:member:read:own',
+    MEMBER_WRITE: 'community:member:write',
+    MEMBER_WRITE_OWN: 'community:member:write:own',
+    MEMBER_DELETE: 'community:member:delete',
+    MEMBER_DELETE_COMMUNITY_ADMIN: 'community:member:delete:community-admin',
+    MEMBER_JOIN: 'community:member:join',
+    MEMBER_LEAVE: 'community:member:leave',
+    MEMBER_LEAVE_OWN: 'community:member:leave:own',
+    GALLERY_READ: 'community:gallery:read',
+    GALLERY_READ_OWN: 'community:gallery:read:own',
+    GALLERY_WRITE: 'community:gallery:write',
+    GALLERY_WRITE_OWN: 'community:gallery:write:own',
+    GALLERY_DELETE: 'community:gallery:delete',
+    GALLERY_DELETE_OWN: 'community:gallery:delete:own',
+    GALLERY_COMMENT_READ: 'community:gallery.comment:read',
+    GALLERY_COMMENT_READ_OWN: 'community:gallery.comment:read:own',
+    GALLERY_COMMENT_WRITE: 'community:gallery.comment:write',
+    GALLERY_COMMENT_WRITE_OWN: 'community:gallery.comment:write:own',
+    GALLERY_COMMENT_DELETE: 'community:gallery.comment:delete',
+    GALLERY_COMMENT_DELETE_OWN: 'community:gallery.comment:delete:own',
+    GALLERY_COMMENT_HIDE: 'community:gallery.comment:hide',
+    GALLERY_COMMENT_HIDE_OWN: 'community:gallery.comment:hide:own',
+    GALLERY_COMMENT_REPORT: 'community:gallery.comment:report',
+    GALLERY_COMMENT_REPORT_OWN: 'community:gallery.comment:report:own',
+    INVITE_READ: 'community:invite:read',
+    INVITE_READ_OWN: 'community:invite:read:own',
+    INVITE_WRITE: 'community:invite:write',
+    INVITE_WRITE_OWN: 'community:invite:write:own',
+    INVITE_DELETE: 'community:invite:delete',
+    INVITE_DELETE_OWN: 'community:invite:delete:own',
+    USER_BLOCK_READ: 'community:user-block:read',
+    USER_BLOCK_READ_OWN: 'community:user-block:read:own',
+    USER_BLOCK_WRITE: 'community:user-block:write',
+    USER_BLOCK_WRITE_OWN: 'community:user-block:write:own',
+    USER_BLOCK_DELETE: 'community:user-block:delete',
+    USER_BLOCK_DELETE_OWN: 'community:user-block:delete:own'
+  },
+
+  // Auth 서비스
+  AUTH: {
+    OTP_WRITE: 'auth:otp:write',
+    LOGIN_WRITE: 'auth:login:write',
+    LOGOUT_WRITE: 'auth:logout:write'
+  },
+
+  // Membership 서비스
+  MEMBERSHIP: {
+    USER_READ: 'membership:user:read',
+    USER_READ_OWN: 'membership:user:read:own',
+    USER_WRITE: 'membership:user:write',
+    USER_WRITE_OWN: 'membership:user:write:own',
+    USER_DELETE: 'membership:user:delete',
+    USER_DELETE_OWN: 'membership:user:delete:own',
+    PROFILE_READ: 'membership:profile:read',
+    PROFILE_READ_OWN: 'membership:profile:read:own',
+    PROFILE_WRITE: 'membership:profile:write',
+    PROFILE_WRITE_OWN: 'membership:profile:write:own',
+    PROFILE_DELETE: 'membership:profile:delete',
+    PROFILE_DELETE_OWN: 'membership:profile:delete:own',
+    INVENTORY_READ: 'membership:inventory:read',
+    INVENTORY_READ_OWN: 'membership:inventory:read:own',
+    INVENTORY_WRITE: 'membership:inventory:write',
+    INVENTORY_WRITE_OWN: 'membership:inventory:write:own',
+    INVENTORY_DELETE: 'membership:inventory:delete',
+    INVENTORY_DELETE_OWN: 'membership:inventory:delete:own',
+    STORAGE_READ: 'membership:storage:read',
+    STORAGE_READ_OWN: 'membership:storage:read:own',
+    STORAGE_WRITE: 'membership:storage:write',
+    STORAGE_WRITE_OWN: 'membership:storage:write:own',
+    STORAGE_DELETE: 'membership:storage:delete',
+    STORAGE_DELETE_OWN: 'membership:storage:delete:own',
+    STORAGE_BOOKMARK_READ: 'membership:storage.bookmark:read',
+    STORAGE_BOOKMARK_READ_OWN: 'membership:storage.bookmark:read:own',
+    STORAGE_BOOKMARK_WRITE: 'membership:storage.bookmark:write',
+    STORAGE_BOOKMARK_WRITE_OWN: 'membership:storage.bookmark:write:own',
+    STORAGE_BOOKMARK_DELETE: 'membership:storage.bookmark:delete',
+    STORAGE_BOOKMARK_DELETE_OWN: 'membership:storage.bookmark:delete:own',
+    STORAGE_POST_READ: 'membership:storage.post:read',
+    STORAGE_POST_READ_OWN: 'membership:storage.post:read:own',
+    STORAGE_POST_WRITE: 'membership:storage.post:write',
+    STORAGE_POST_WRITE_OWN: 'membership:storage.post:write:own',
+    STORAGE_POST_DELETE: 'membership:storage.post:delete',
+    STORAGE_POST_DELETE_OWN: 'membership:storage.post:delete:own',
+    STORAGE_HISTORY_READ: 'membership:storage.history:read',
+    STORAGE_HISTORY_READ_OWN: 'membership:storage.history:read:own',
+    STORAGE_HISTORY_WRITE: 'membership:storage.history:write',
+    STORAGE_HISTORY_WRITE_OWN: 'membership:storage.history:write:own',
+    STORAGE_HISTORY_DELETE: 'membership:storage.history:delete',
+    STORAGE_HISTORY_DELETE_OWN: 'membership:storage.history:delete:own',
+    REPORT_READ: 'membership:report:read',
+    REPORT_READ_OWN: 'membership:report:read:own',
+    REPORT_WRITE: 'membership:report:write',
+    REPORT_WRITE_OWN: 'membership:report:write:own',
+    REPORT_MANAGE: 'membership:report:manage',
+    POLICY_READ: 'membership:policy:read',
+    POLICY_MANAGE: 'membership:policy:manage',
+    NOTICE_READ: 'membership:notice:read',
+    NOTICE_MANAGE: 'membership:notice:manage',
+    INQUIRY_WRITE: 'membership:inquiry:write',
+    INQUIRY_WRITE_OWN: 'membership:inquiry:write:own',
+    FLC_READ: 'membership:flc:read',
+    FLC_READ_OWN: 'membership:flc:read:own',
+    FLC_SYNC: 'membership:flc:sync',
+    WITHDRAWAL_READ: 'membership:withdrawal:read',
+    WITHDRAWAL_READ_OWN: 'membership:withdrawal:read:own',
+    WITHDRAWAL_WRITE: 'membership:withdrawal:write',
+    WITHDRAWAL_WRITE_OWN: 'membership:withdrawal:write:own',
+    WITHDRAWAL_DELETE: 'membership:withdrawal:delete',
+    WITHDRAWAL_DELETE_OWN: 'membership:withdrawal:delete:own',
+    SIGNUP_WRITE: 'membership:signup:write',
+    INTERNAL_READ: 'membership:internal:read'
+  },
+
+  // AI 서비스
+  AI: {
+    FEEDBACK_WRITE: 'ai:feedback:write',
+    FEEDBACK_WRITE_OWN: 'ai:feedback:write:own'
+  },
+
+  // Search 서비스
+  SEARCH: {
+    CHALLENGE_READ: 'search:challenge:read',
+    HISTORY_READ: 'search:history:read',
+    HISTORY_READ_OWN: 'search:history:read:own',
+    HISTORY_DELETE: 'search:history:delete',
+    HISTORY_DELETE_OWN: 'search:history:delete:own',
+    CATEGORY_READ: 'search:category:read',
+    SUGGESTION_READ: 'search:suggestion:read',
+    TOPLINK_READ: 'search:toplink:read'
+  },
+
+  // Notification 서비스
+  NOTIFICATION: {
+    READ: 'notification:read',
+    READ_OWN: 'notification:read:own',
+    WRITE: 'notification:write',
+    UPDATE: 'notification:update',
+    UPDATE_OWN: 'notification:update:own',
+    DELETE: 'notification:delete',
+    DELETE_OWN: 'notification:delete:own',
+    DEVICE_READ: 'notification:device:read',
+    DEVICE_READ_OWN: 'notification:device:read:own',
+    DEVICE_WRITE: 'notification:device:write',
+    DEVICE_WRITE_OWN: 'notification:device:write:own',
+    DEVICE_UPDATE: 'notification:device:update',
+    DEVICE_UPDATE_OWN: 'notification:device:update:own',
+    DEVICE_DELETE: 'notification:device:delete',
+    DEVICE_DELETE_OWN: 'notification:device:delete:own'
+  }
+};
+
+/**
+ * 와일드카드 권한
+ */
+const WILDCARD = '*';
+
+/**
+ * 권한이 요구된 권한과 일치하는지 확인
+ * @param {string[]} userPermissions - 사용자가 가진 권한 목록
+ * @param {string} requiredPermission - 필요한 권한
+ * @returns {boolean}
+ */
+function hasPermission(userPermissions, requiredPermission) {
+  if (!userPermissions || !Array.isArray(userPermissions)) {
+    return false;
+  }
+
+  // 와일드카드 체크
+  if (userPermissions.includes(WILDCARD)) {
+    return true;
+  }
+
+  // 정확히 일치
+  if (userPermissions.includes(requiredPermission)) {
+    return true;
+  }
+
+  // 와일드카드 패턴 매칭 (예: 'challenge:*' → 'challenge:content:write' 허용)
+  const hasWildcardMatch = userPermissions.some(perm => {
+    if (perm.endsWith(':*')) {
+      const prefix = perm.slice(0, -1);
+      return requiredPermission.startsWith(prefix);
+    }
+    return false;
+  });
+
+  return hasWildcardMatch;
+}
+
+/**
+ * :own 권한 체크 (본인 리소스 권한이 있는지 확인)
+ * @param {string[]} userPermissions - 사용자가 가진 권한 목록
+ * @param {string} basePermission - 기본 권한 (예: 'challenge:content:write')
+ * @returns {boolean}
+ */
+function hasOwnPermission(userPermissions, basePermission) {
+  const ownPermission = `${basePermission}:own`;
+  return hasPermission(userPermissions, basePermission) || hasPermission(userPermissions, ownPermission);
+}
+
+module.exports = {
+  ROLES,
+  ACCESS_SCOPES,
+  PERMISSIONS,
+  WILDCARD,
+  hasPermission,
+  hasOwnPermission
+};

package/src/index.js

@@ -31,6 +31,16 @@ const { getJwtKeys, invalidateCache } = require('./utils/secretManager');
 const { verifyApiKey, getApiKeyTTL } = require('./utils/apiKeyValidator');
 const redisManager = require('./config/redis');
 
+// 상수
+const {
+  ROLES,
+  ACCESS_SCOPES,
+  PERMISSIONS,
+  WILDCARD,
+  hasPermission,
+  hasOwnPermission
+} = require('./constants/permissions');
+
 module.exports = {
   // ===== JWT 인증 미들웨어 =====
   authenticateJWT,       // JWT Access Token 필수 인증
@@ -75,5 +85,13 @@ module.exports = {
   },
 
   // Redis 관리자
-  redisManager
+  redisManager,
+
+  // ===== 상수 =====
+  ROLES,                 // 역할 상수: admin, service, creator, flc-member, user
+  ACCESS_SCOPES,         // 접근 범위 상수: Content, Community, etc.
+  PERMISSIONS,           // 권한 상수: PERMISSIONS.CHALLENGE.CONTENT_READ 등
+  WILDCARD,              // 와일드카드 권한: '*'
+  hasPermission,         // 권한 체크 유틸: hasPermission(permissions, required)
+  hasOwnPermission       // 본인 권한 체크 유틸: hasOwnPermission(permissions, base)
 };

package/src/middleware/apiKey.js

@@ -3,6 +3,9 @@ const { verifyApiKey } = require('../utils/apiKeyValidator');
 /**
  * API 키 인증 미들웨어
  * Redis에서 로컬 검증 수행
+ *
+ * API 키로 인증된 요청은 'service' 역할로 처리되며,
+ * 해당 역할에 정의된 권한만 사용 가능합니다.
  */
 
 /**
@@ -34,10 +37,17 @@ async function authenticateApiKey(req, res, next) {
     });
   }
 
-  // 인증 성공: 플래그 및 정보 설정
+  // 인증 성공: service 역할로 설정
   req.apiKeyVerified = true;
-  req.skipAuthorization = true;  // 하위 호환성
   req.deviceId = deviceId;
+  req.userRole = 'service';
+
+  // user 객체 설정 (권한 체크 미들웨어와 호환)
+  req.user = {
+    userId: `service:${deviceId}`,
+    userRole: 'service',
+    isServiceAccount: true
+  };
 
   console.log('[@ahhaohho/auth-middleware] API key verified for device:', deviceId);
   next();
@@ -62,8 +72,15 @@ async function optionalApiKey(req, res, next) {
 
   if (result.valid) {
     req.apiKeyVerified = true;
-    req.skipAuthorization = true;
     req.deviceId = deviceId;
+    req.userRole = 'service';
+
+    req.user = {
+      userId: `service:${deviceId}`,
+      userRole: 'service',
+      isServiceAccount: true
+    };
+
     console.log('[@ahhaohho/auth-middleware] Optional API key verified for device:', deviceId);
   }
 
@@ -87,12 +104,17 @@ async function combinedAuth(req, res, next) {
 
     if (result.valid) {
       req.apiKeyVerified = true;
-      req.skipAuthorization = true;
       req.deviceId = deviceId;
+      req.userRole = 'service';
+
+      req.user = {
+        userId: `service:${deviceId}`,
+        userRole: 'service',
+        isServiceAccount: true
+      };
 
-      // 하위 호환성: req.userId, req.userRole 설정
-      req.userId = null;
-      req.userRole = 'api_client';
+      // 하위 호환성
+      req.userId = req.user.userId;
 
       console.log('[@ahhaohho/auth-middleware] Combined auth: API key verified');
       return next();
@@ -147,11 +169,17 @@ async function combinedAuthHybrid(req, res, next) {
 
     if (result.valid) {
       req.apiKeyVerified = true;
-      req.skipAuthorization = true;
       req.deviceId = deviceId;
+      req.userRole = 'service';
+
+      req.user = {
+        userId: `service:${deviceId}`,
+        userRole: 'service',
+        isServiceAccount: true
+      };
 
-      req.userId = null;
-      req.userRole = 'api_client';
+      // 하위 호환성
+      req.userId = req.user.userId;
 
       console.log('[@ahhaohho/auth-middleware] Combined hybrid auth: API key verified');
       return next();

package/src/middleware/authorization.js

@@ -62,11 +62,6 @@ function clearPermissionCache() {
  */
 function requireRoles(allowedRoles) {
   return async (req, res, next) => {
-    // API 키 인증인 경우 스킵
-    if (req.skipAuthorization || req.apiKeyVerified) {
-      return next();
-    }
-
     // 사용자 역할 확인 (req.user 또는 req.userRole)
     const userRole = req.user?.userRole || req.userRole;
 
@@ -102,11 +97,6 @@ function requireRoles(allowedRoles) {
  */
 function requirePermission(requiredPermission) {
   return async (req, res, next) => {
-    // API 키 인증인 경우 스킵
-    if (req.skipAuthorization || req.apiKeyVerified) {
-      return next();
-    }
-
     const userRole = req.user?.userRole || req.userRole;
 
     if (!userRole) {
@@ -182,11 +172,6 @@ function requirePermission(requiredPermission) {
  */
 function requireAccess(requiredAccess) {
   return async (req, res, next) => {
-    // API 키 인증인 경우 스킵
-    if (req.skipAuthorization || req.apiKeyVerified) {
-      return next();
-    }
-
     const userRole = req.user?.userRole || req.userRole;
 
     if (!userRole) {
@@ -223,6 +208,7 @@ function requireAccess(requiredAccess) {
  * 리소스 소유자 검증 미들웨어
  * 사용자가 자신의 리소스에만 접근할 수 있도록 제한
  * admin 역할은 모든 리소스 접근 가능
+ * service 역할(API Key)은 모든 리소스 접근 가능
  *
  * @param {string} paramName - 라우트 파라미터 이름 (기본값: 'userId')
  * @returns {Function} Express 미들웨어
@@ -233,17 +219,12 @@ function requireAccess(requiredAccess) {
  */
 function requireOwnership(paramName = 'userId') {
   return (req, res, next) => {
-    // API 키 인증인 경우 스킵
-    if (req.skipAuthorization || req.apiKeyVerified) {
-      return next();
-    }
-
     const userId = req.user?.userId || req.userId;
     const resourceOwnerId = req.params[paramName];
 
-    // admin은 모든 리소스 접근 가능
+    // admin, service 역할은 모든 리소스 접근 가능
     const userRole = req.user?.userRole || req.userRole;
-    if (userRole === 'admin') {
+    if (userRole === 'admin' || userRole === 'service') {
       return next();
     }
 
@@ -285,11 +266,6 @@ function requireOwnership(paramName = 'userId') {
  */
 function requireAny(options = {}) {
   return async (req, res, next) => {
-    // API 키 인증인 경우 스킵
-    if (req.skipAuthorization || req.apiKeyVerified) {
-      return next();
-    }
-
     const userRole = req.user?.userRole || req.userRole;
 
     if (!userRole) {