@things-factory/integration-label-studio 9.1.19

package/dist-server/controller/user-provisioning-service.js

@@ -0,0 +1,264 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UserProvisioningService = void 0;
+const tslib_1 = require("tslib");
+const axios_1 = tslib_1.__importDefault(require("axios"));
+const auth_base_1 = require("@things-factory/auth-base");
+const env_1 = require("@things-factory/env");
+const label_studio_role_mapper_js_1 = require("./label-studio-role-mapper.js");
+const shell_1 = require("@things-factory/shell");
+// Get Label Studio config from server config file
+function getLabelStudioConfig() {
+    return env_1.config.get('labelStudio', {
+        serverUrl: '',
+        apiToken: '',
+        interfaces: 'panel,controls,annotations:menu'
+    });
+}
+/**
+ * Label Studio 사용자 프로비저닝 서비스
+ *
+ * Things-Factory 사용자를 Label Studio에 배치 동기화합니다.
+ */
+class UserProvisioningService {
+    /**
+     * 설정 검증
+     */
+    static validateConfig() {
+        const config = getLabelStudioConfig();
+        if (!config.apiToken) {
+            throw new Error('Label Studio API token is not configured');
+        }
+        if (!config.serverUrl) {
+            throw new Error('Label Studio server URL is not configured');
+        }
+    }
+    /**
+     * 단일 사용자 동기화
+     *
+     * @param domain Things-Factory 도메인
+     * @param user Things-Factory 사용자
+     * @returns 동기화 결과
+     */
+    static async syncUser(domain, user) {
+        // 설정 검증
+        this.validateConfig();
+        const config = getLabelStudioConfig();
+        try {
+            // 1. Label Studio 권한 확인
+            const hasLSPrivilege = (await auth_base_1.User.hasPrivilege('label-studio', 'query', domain, user)) ||
+                (await auth_base_1.User.hasPrivilege('label-studio', 'mutation', domain, user));
+            if (!hasLSPrivilege) {
+                // Label Studio 권한 없음 → Label Studio에서 비활성화
+                const deactivated = await this.deactivateUser(user.email, config);
+                return {
+                    success: true,
+                    email: user.email,
+                    action: deactivated ? 'deactivated' : 'skipped'
+                };
+            }
+            // 2. Label Studio 권한 매핑
+            const lsPermissions = await label_studio_role_mapper_js_1.LabelStudioRoleMapper.mapUserPermissions(domain, user);
+            // 3. Label Studio API로 사용자 생성 또는 업데이트
+            const result = await this.createOrUpdateLabelStudioUser(user, lsPermissions, config);
+            return {
+                success: true,
+                email: user.email,
+                action: result.created ? 'created' : 'updated',
+                lsUserId: result.id.toString(),
+                lsPermissions: label_studio_role_mapper_js_1.LabelStudioRoleMapper.getPermissionsDescription(lsPermissions)
+            };
+        }
+        catch (error) {
+            console.error(`Failed to sync user ${user.email}:`, error.message);
+            return {
+                success: false,
+                email: user.email,
+                action: 'error',
+                error: error.message
+            };
+        }
+    }
+    static async getDomainUsers(domain) {
+        const qb = (0, shell_1.getRepository)(auth_base_1.User).createQueryBuilder('USER');
+        qb.select().andWhere(qb => {
+            const subQuery = qb
+                .subQuery()
+                .select('USERS_DOMAINS.users_id')
+                .from('users_domains', 'USERS_DOMAINS')
+                .where('USERS_DOMAINS.domains_id = :domainId', { domainId: domain.id })
+                .getQuery();
+            return 'USER.id IN ' + subQuery;
+        });
+        const [items, total] = await qb.getManyAndCount();
+        const foundUsers = items.map((item) => {
+            item.owner = item.id === domain.owner;
+            return item;
+        });
+        return foundUsers;
+    }
+    /**
+     * 도메인의 모든 사용자 일괄 동기화
+     *
+     * @param domain Things-Factory 도메인
+     * @returns 동기화 요약
+     */
+    static async syncAllUsers(domain) {
+        // 설정 검증
+        this.validateConfig();
+        // 도메인의 모든 활성 사용자 조회
+        const users = await UserProvisioningService.getDomainUsers(domain);
+        console.log(`🔄 Starting batch sync for ${users.length} users...`);
+        const results = [];
+        // 각 사용자 동기화
+        for (const user of users) {
+            const result = await this.syncUser(domain, user);
+            results.push(result);
+            // API Rate Limiting 방지
+            await this.sleep(100);
+        }
+        // 요약 생성
+        const summary = {
+            total: users.length,
+            created: results.filter(r => r.action === 'created').length,
+            updated: results.filter(r => r.action === 'updated').length,
+            deactivated: results.filter(r => r.action === 'deactivated').length,
+            skipped: results.filter(r => r.action === 'skipped').length,
+            errors: results.filter(r => r.action === 'error').length,
+            results
+        };
+        console.log(`✅ Batch sync completed:`, {
+            total: summary.total,
+            created: summary.created,
+            updated: summary.updated,
+            deactivated: summary.deactivated,
+            skipped: summary.skipped,
+            errors: summary.errors
+        });
+        return summary;
+    }
+    /**
+     * Label Studio API를 통해 사용자 생성 또는 업데이트
+     */
+    static async createOrUpdateLabelStudioUser(user, lsPermissions, config) {
+        const apiUrl = this.buildApiUrl(config.serverUrl, '/api/users');
+        // 이름 파싱
+        const nameParts = (user.name || user.email).split(' ');
+        const firstName = nameParts[0] || user.email;
+        const lastName = nameParts.slice(1).join(' ') || '';
+        try {
+            // 이메일로 기존 사용자 조회
+            const searchResponse = await axios_1.default.get(apiUrl, {
+                headers: {
+                    Authorization: `Token ${config.apiToken}`
+                },
+                params: {
+                    email: user.email
+                }
+            });
+            if (searchResponse.data.results && searchResponse.data.results.length > 0) {
+                // 기존 사용자 업데이트
+                const existingUser = searchResponse.data.results[0];
+                const updateResponse = await axios_1.default.patch(`${apiUrl}/${existingUser.id}/`, {
+                    email: user.email,
+                    username: user.email,
+                    first_name: firstName,
+                    last_name: lastName,
+                    is_superuser: lsPermissions.is_superuser,
+                    is_staff: lsPermissions.is_staff,
+                    is_active: lsPermissions.is_active
+                }, {
+                    headers: {
+                        Authorization: `Token ${config.apiToken}`,
+                        'Content-Type': 'application/json'
+                    }
+                });
+                return {
+                    ...updateResponse.data,
+                    created: false
+                };
+            }
+            else {
+                // 새 사용자 생성
+                const createResponse = await axios_1.default.post(apiUrl, {
+                    email: user.email,
+                    username: user.email,
+                    first_name: firstName,
+                    last_name: lastName,
+                    password: this.generateRandomPassword(),
+                    is_superuser: lsPermissions.is_superuser,
+                    is_staff: lsPermissions.is_staff,
+                    is_active: lsPermissions.is_active
+                }, {
+                    headers: {
+                        Authorization: `Token ${config.apiToken}`,
+                        'Content-Type': 'application/json'
+                    }
+                });
+                return {
+                    ...createResponse.data,
+                    created: true
+                };
+            }
+        }
+        catch (error) {
+            console.error(`Label Studio API error for ${user.email}:`, error.response?.data || error.message);
+            throw error;
+        }
+    }
+    /**
+     * Label Studio에서 사용자 비활성화
+     */
+    static async deactivateUser(email, config) {
+        const apiUrl = this.buildApiUrl(config.serverUrl, '/api/users');
+        try {
+            // 이메일로 사용자 조회
+            const searchResponse = await axios_1.default.get(apiUrl, {
+                headers: {
+                    Authorization: `Token ${config.apiToken}`
+                },
+                params: { email }
+            });
+            if (searchResponse.data.results && searchResponse.data.results.length > 0) {
+                const user = searchResponse.data.results[0];
+                // 비활성화
+                await axios_1.default.patch(`${apiUrl}/${user.id}/`, { is_active: false }, {
+                    headers: {
+                        Authorization: `Token ${config.apiToken}`,
+                        'Content-Type': 'application/json'
+                    }
+                });
+                return true;
+            }
+            return false;
+        }
+        catch (error) {
+            console.error(`Failed to deactivate user ${email}:`, error.message);
+            return false;
+        }
+    }
+    /**
+     * API URL 빌드
+     */
+    static buildApiUrl(serverUrl, path) {
+        let url = serverUrl.replace(/\/$/, '');
+        if (!url.startsWith('http://') && !url.startsWith('https://')) {
+            url = `https://${url}`;
+        }
+        return `${url}${path}`;
+    }
+    /**
+     * 랜덤 비밀번호 생성 (SSO 사용으로 실제로는 사용 안 됨)
+     */
+    static generateRandomPassword() {
+        return Math.random().toString(36).slice(-16) + Math.random().toString(36).slice(-16);
+    }
+    /**
+     * Sleep 유틸리티
+     */
+    static sleep(ms) {
+        return new Promise(resolve => setTimeout(resolve, ms));
+    }
+}
+exports.UserProvisioningService = UserProvisioningService;
+//# sourceMappingURL=user-provisioning-service.js.map

package/dist-server/controller/user-provisioning-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-provisioning-service.js","sourceRoot":"","sources":["../../server/controller/user-provisioning-service.ts"],"names":[],"mappings":";;;;AAAA,0DAAyB;AACzB,yDAAgD;AAChD,6CAA4C;AAC5C,+EAA6F;AAC7F,iDAA6D;AAQ7D,kDAAkD;AAClD,SAAS,oBAAoB;IAC3B,OAAO,YAAM,CAAC,GAAG,CAAC,aAAa,EAAE;QAC/B,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE,EAAE;QACZ,UAAU,EAAE,iCAAiC;KAC9C,CAAC,CAAA;AACJ,CAAC;AAqBD;;;;GAIG;AACH,MAAa,uBAAuB;IAClC;;OAEG;IACK,MAAM,CAAC,cAAc;QAC3B,MAAM,MAAM,GAAG,oBAAoB,EAAE,CAAA;QAErC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAA;QAC7D,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAA;QAC9D,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAc,EAAE,IAAU;QAC9C,QAAQ;QACR,IAAI,CAAC,cAAc,EAAE,CAAA;QAErB,MAAM,MAAM,GAAG,oBAAoB,EAAE,CAAA;QACrC,IAAI,CAAC;YACH,wBAAwB;YACxB,MAAM,cAAc,GAClB,CAAC,MAAM,gBAAI,CAAC,YAAY,CAAC,cAAc,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;gBAChE,CAAC,MAAM,gBAAI,CAAC,YAAY,CAAC,cAAc,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,CAAA;YAErE,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,2CAA2C;gBAC3C,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;gBAEjE,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;iBAChD,CAAA;YACH,CAAC;YAED,wBAAwB;YACxB,MAAM,aAAa,GAAG,MAAM,mDAAqB,CAAC,kBAAkB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;YAElF,sCAAsC;YACtC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,6BAA6B,CAAC,IAAI,EAAE,aAAa,EAAE,MAAM,CAAC,CAAA;YAEpF,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;gBAC9C,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC,QAAQ,EAAE;gBAC9B,aAAa,EAAE,mDAAqB,CAAC,yBAAyB,CAAC,aAAa,CAAC;aAC9E,CAAA;QACH,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,uBAAuB,IAAI,CAAC,KAAK,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAA;YAElE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,MAAM,EAAE,OAAO;gBACf,KAAK,EAAE,KAAK,CAAC,OAAO;aACrB,CAAA;QACH,CAAC;IACH,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,MAAc;QACxC,MAAM,EAAE,GAAG,IAAA,qBAAa,EAAC,gBAAI,CAAC,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAA;QACzD,EAAE,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE;YACxB,MAAM,QAAQ,GAAG,EAAE;iBAChB,QAAQ,EAAE;iBACV,MAAM,CAAC,wBAAwB,CAAC;iBAChC,IAAI,CAAC,eAAe,EAAE,eAAe,CAAC;iBACtC,KAAK,CAAC,sCAAsC,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC;iBACtE,QAAQ,EAAE,CAAA;YAEb,OAAO,aAAa,GAAG,QAAQ,CAAA;QACjC,CAAC,CAAC,CAAA;QAEF,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,eAAe,EAAE,CAAA;QAEjD,MAAM,UAAU,GAAW,KAAK,CAAC,GAAG,CAAC,CAAC,IAAU,EAAE,EAAE;YAClD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,EAAE,KAAK,MAAM,CAAC,KAAK,CAAA;YACrC,OAAO,IAAI,CAAA;QACb,CAAC,CAAC,CAAA;QAEF,OAAO,UAAU,CAAA;IACnB,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,MAAc;QACtC,QAAQ;QACR,IAAI,CAAC,cAAc,EAAE,CAAA;QAErB,oBAAoB;QACpB,MAAM,KAAK,GAAG,MAAM,uBAAuB,CAAC,cAAc,CAAC,MAAM,CAAC,CAAA;QAElE,OAAO,CAAC,GAAG,CAAC,8BAA8B,KAAK,CAAC,MAAM,WAAW,CAAC,CAAA;QAElE,MAAM,OAAO,GAAiB,EAAE,CAAA;QAEhC,YAAY;QACZ,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;YAChD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;YAEpB,uBAAuB;YACvB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACvB,CAAC;QAED,QAAQ;QACR,MAAM,OAAO,GAAgB;YAC3B,KAAK,EAAE,KAAK,CAAC,MAAM;YACnB,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;YAC3D,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;YAC3D,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,aAAa,CAAC,CAAC,MAAM;YACnE,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;YAC3D,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,MAAM;YACxD,OAAO;SACR,CAAA;QAED,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAAE;YACrC,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CAAA;QAEF,OAAO,OAAO,CAAA;IAChB,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAChD,IAAU,EACV,aAAqC,EACrC,MAAyB;QAEzB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,CAAA;QAE/D,QAAQ;QACR,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACtD,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAA;QAC5C,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAA;QAEnD,IAAI,CAAC;YACH,iBAAiB;YACjB,MAAM,cAAc,GAAG,MAAM,eAAK,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC7C,OAAO,EAAE;oBACP,aAAa,EAAE,SAAS,MAAM,CAAC,QAAQ,EAAE;iBAC1C;gBACD,MAAM,EAAE;oBACN,KAAK,EAAE,IAAI,CAAC,KAAK;iBAClB;aACF,CAAC,CAAA;YAEF,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1E,cAAc;gBACd,MAAM,YAAY,GAAG,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;gBAEnD,MAAM,cAAc,GAAG,MAAM,eAAK,CAAC,KAAK,CACtC,GAAG,MAAM,IAAI,YAAY,CAAC,EAAE,GAAG,EAC/B;oBACE,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,QAAQ,EAAE,IAAI,CAAC,KAAK;oBACpB,UAAU,EAAE,SAAS;oBACrB,SAAS,EAAE,QAAQ;oBACnB,YAAY,EAAE,aAAa,CAAC,YAAY;oBACxC,QAAQ,EAAE,aAAa,CAAC,QAAQ;oBAChC,SAAS,EAAE,aAAa,CAAC,SAAS;iBACnC,EACD;oBACE,OAAO,EAAE;wBACP,aAAa,EAAE,SAAS,MAAM,CAAC,QAAQ,EAAE;wBACzC,cAAc,EAAE,kBAAkB;qBACnC;iBACF,CACF,CAAA;gBAED,OAAO;oBACL,GAAG,cAAc,CAAC,IAAI;oBACtB,OAAO,EAAE,KAAK;iBACf,CAAA;YACH,CAAC;iBAAM,CAAC;gBACN,WAAW;gBACX,MAAM,cAAc,GAAG,MAAM,eAAK,CAAC,IAAI,CACrC,MAAM,EACN;oBACE,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,QAAQ,EAAE,IAAI,CAAC,KAAK;oBACpB,UAAU,EAAE,SAAS;oBACrB,SAAS,EAAE,QAAQ;oBACnB,QAAQ,EAAE,IAAI,CAAC,sBAAsB,EAAE;oBACvC,YAAY,EAAE,aAAa,CAAC,YAAY;oBACxC,QAAQ,EAAE,aAAa,CAAC,QAAQ;oBAChC,SAAS,EAAE,aAAa,CAAC,SAAS;iBACnC,EACD;oBACE,OAAO,EAAE;wBACP,aAAa,EAAE,SAAS,MAAM,CAAC,QAAQ,EAAE;wBACzC,cAAc,EAAE,kBAAkB;qBACnC;iBACF,CACF,CAAA;gBAED,OAAO;oBACL,GAAG,cAAc,CAAC,IAAI;oBACtB,OAAO,EAAE,IAAI;iBACd,CAAA;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,8BAA8B,IAAI,CAAC,KAAK,GAAG,EAAE,KAAK,CAAC,QAAQ,EAAE,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,CAAA;YACjG,MAAM,KAAK,CAAA;QACb,CAAC;IACH,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,KAAa,EAAE,MAAyB;QAC1E,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,CAAA;QAE/D,IAAI,CAAC;YACH,cAAc;YACd,MAAM,cAAc,GAAG,MAAM,eAAK,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC7C,OAAO,EAAE;oBACP,aAAa,EAAE,SAAS,MAAM,CAAC,QAAQ,EAAE;iBAC1C;gBACD,MAAM,EAAE,EAAE,KAAK,EAAE;aAClB,CAAC,CAAA;YAEF,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1E,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;gBAE3C,OAAO;gBACP,MAAM,eAAK,CAAC,KAAK,CACf,GAAG,MAAM,IAAI,IAAI,CAAC,EAAE,GAAG,EACvB,EAAE,SAAS,EAAE,KAAK,EAAE,EACpB;oBACE,OAAO,EAAE;wBACP,aAAa,EAAE,SAAS,MAAM,CAAC,QAAQ,EAAE;wBACzC,cAAc,EAAE,kBAAkB;qBACnC;iBACF,CACF,CAAA;gBAED,OAAO,IAAI,CAAA;YACb,CAAC;YAED,OAAO,KAAK,CAAA;QACd,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,6BAA6B,KAAK,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAA;YACnE,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,WAAW,CAAC,SAAiB,EAAE,IAAY;QACxD,IAAI,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;QAEtC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9D,GAAG,GAAG,WAAW,GAAG,EAAE,CAAA;QACxB,CAAC;QAED,OAAO,GAAG,GAAG,GAAG,IAAI,EAAE,CAAA;IACxB,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,sBAAsB;QACnC,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAA;IACtF,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,KAAK,CAAC,EAAU;QAC7B,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAA;IACxD,CAAC;CACF;AAtSD,0DAsSC","sourcesContent":["import axios from 'axios'\nimport { User } from '@things-factory/auth-base'\nimport { config } from '@things-factory/env'\nimport { LabelStudioRoleMapper, LabelStudioPermissions } from './label-studio-role-mapper.js'\nimport { Domain, getRepository } from '@things-factory/shell'\n\ntype LabelStudioConfig = {\n  serverUrl: string\n  apiToken: string\n  interfaces: string\n}\n\n// Get Label Studio config from server config file\nfunction getLabelStudioConfig(): LabelStudioConfig {\n  return config.get('labelStudio', {\n    serverUrl: '',\n    apiToken: '',\n    interfaces: 'panel,controls,annotations:menu'\n  })\n}\n\nexport interface SyncResult {\n  success: boolean\n  email: string\n  action: 'created' | 'updated' | 'deactivated' | 'skipped' | 'error'\n  lsUserId?: string\n  lsPermissions?: string // 'Admin (Full access)' | 'Staff (Labeling only)' | 'Inactive'\n  error?: string\n}\n\nexport interface SyncSummary {\n  total: number\n  created: number\n  updated: number\n  deactivated: number\n  skipped: number\n  errors: number\n  results: SyncResult[]\n}\n\n/**\n * Label Studio 사용자 프로비저닝 서비스\n *\n * Things-Factory 사용자를 Label Studio에 배치 동기화합니다.\n */\nexport class UserProvisioningService {\n  /**\n   * 설정 검증\n   */\n  private static validateConfig(): void {\n    const config = getLabelStudioConfig()\n\n    if (!config.apiToken) {\n      throw new Error('Label Studio API token is not configured')\n    }\n\n    if (!config.serverUrl) {\n      throw new Error('Label Studio server URL is not configured')\n    }\n  }\n\n  /**\n   * 단일 사용자 동기화\n   *\n   * @param domain Things-Factory 도메인\n   * @param user Things-Factory 사용자\n   * @returns 동기화 결과\n   */\n  static async syncUser(domain: Domain, user: User): Promise<SyncResult> {\n    // 설정 검증\n    this.validateConfig()\n\n    const config = getLabelStudioConfig()\n    try {\n      // 1. Label Studio 권한 확인\n      const hasLSPrivilege =\n        (await User.hasPrivilege('label-studio', 'query', domain, user)) ||\n        (await User.hasPrivilege('label-studio', 'mutation', domain, user))\n\n      if (!hasLSPrivilege) {\n        // Label Studio 권한 없음 → Label Studio에서 비활성화\n        const deactivated = await this.deactivateUser(user.email, config)\n\n        return {\n          success: true,\n          email: user.email,\n          action: deactivated ? 'deactivated' : 'skipped'\n        }\n      }\n\n      // 2. Label Studio 권한 매핑\n      const lsPermissions = await LabelStudioRoleMapper.mapUserPermissions(domain, user)\n\n      // 3. Label Studio API로 사용자 생성 또는 업데이트\n      const result = await this.createOrUpdateLabelStudioUser(user, lsPermissions, config)\n\n      return {\n        success: true,\n        email: user.email,\n        action: result.created ? 'created' : 'updated',\n        lsUserId: result.id.toString(),\n        lsPermissions: LabelStudioRoleMapper.getPermissionsDescription(lsPermissions)\n      }\n    } catch (error: any) {\n      console.error(`Failed to sync user ${user.email}:`, error.message)\n\n      return {\n        success: false,\n        email: user.email,\n        action: 'error',\n        error: error.message\n      }\n    }\n  }\n\n  static async getDomainUsers(domain: Domain): Promise<User[]> {\n    const qb = getRepository(User).createQueryBuilder('USER')\n    qb.select().andWhere(qb => {\n      const subQuery = qb\n        .subQuery()\n        .select('USERS_DOMAINS.users_id')\n        .from('users_domains', 'USERS_DOMAINS')\n        .where('USERS_DOMAINS.domains_id = :domainId', { domainId: domain.id })\n        .getQuery()\n\n      return 'USER.id IN ' + subQuery\n    })\n\n    const [items, total] = await qb.getManyAndCount()\n\n    const foundUsers: User[] = items.map((item: User) => {\n      item.owner = item.id === domain.owner\n      return item\n    })\n\n    return foundUsers\n  }\n\n  /**\n   * 도메인의 모든 사용자 일괄 동기화\n   *\n   * @param domain Things-Factory 도메인\n   * @returns 동기화 요약\n   */\n  static async syncAllUsers(domain: Domain): Promise<SyncSummary> {\n    // 설정 검증\n    this.validateConfig()\n\n    // 도메인의 모든 활성 사용자 조회\n    const users = await UserProvisioningService.getDomainUsers(domain)\n\n    console.log(`🔄 Starting batch sync for ${users.length} users...`)\n\n    const results: SyncResult[] = []\n\n    // 각 사용자 동기화\n    for (const user of users) {\n      const result = await this.syncUser(domain, user)\n      results.push(result)\n\n      // API Rate Limiting 방지\n      await this.sleep(100)\n    }\n\n    // 요약 생성\n    const summary: SyncSummary = {\n      total: users.length,\n      created: results.filter(r => r.action === 'created').length,\n      updated: results.filter(r => r.action === 'updated').length,\n      deactivated: results.filter(r => r.action === 'deactivated').length,\n      skipped: results.filter(r => r.action === 'skipped').length,\n      errors: results.filter(r => r.action === 'error').length,\n      results\n    }\n\n    console.log(`✅ Batch sync completed:`, {\n      total: summary.total,\n      created: summary.created,\n      updated: summary.updated,\n      deactivated: summary.deactivated,\n      skipped: summary.skipped,\n      errors: summary.errors\n    })\n\n    return summary\n  }\n\n  /**\n   * Label Studio API를 통해 사용자 생성 또는 업데이트\n   */\n  private static async createOrUpdateLabelStudioUser(\n    user: User,\n    lsPermissions: LabelStudioPermissions,\n    config: LabelStudioConfig\n  ): Promise<any> {\n    const apiUrl = this.buildApiUrl(config.serverUrl, '/api/users')\n\n    // 이름 파싱\n    const nameParts = (user.name || user.email).split(' ')\n    const firstName = nameParts[0] || user.email\n    const lastName = nameParts.slice(1).join(' ') || ''\n\n    try {\n      // 이메일로 기존 사용자 조회\n      const searchResponse = await axios.get(apiUrl, {\n        headers: {\n          Authorization: `Token ${config.apiToken}`\n        },\n        params: {\n          email: user.email\n        }\n      })\n\n      if (searchResponse.data.results && searchResponse.data.results.length > 0) {\n        // 기존 사용자 업데이트\n        const existingUser = searchResponse.data.results[0]\n\n        const updateResponse = await axios.patch(\n          `${apiUrl}/${existingUser.id}/`,\n          {\n            email: user.email,\n            username: user.email,\n            first_name: firstName,\n            last_name: lastName,\n            is_superuser: lsPermissions.is_superuser,\n            is_staff: lsPermissions.is_staff,\n            is_active: lsPermissions.is_active\n          },\n          {\n            headers: {\n              Authorization: `Token ${config.apiToken}`,\n              'Content-Type': 'application/json'\n            }\n          }\n        )\n\n        return {\n          ...updateResponse.data,\n          created: false\n        }\n      } else {\n        // 새 사용자 생성\n        const createResponse = await axios.post(\n          apiUrl,\n          {\n            email: user.email,\n            username: user.email,\n            first_name: firstName,\n            last_name: lastName,\n            password: this.generateRandomPassword(),\n            is_superuser: lsPermissions.is_superuser,\n            is_staff: lsPermissions.is_staff,\n            is_active: lsPermissions.is_active\n          },\n          {\n            headers: {\n              Authorization: `Token ${config.apiToken}`,\n              'Content-Type': 'application/json'\n            }\n          }\n        )\n\n        return {\n          ...createResponse.data,\n          created: true\n        }\n      }\n    } catch (error: any) {\n      console.error(`Label Studio API error for ${user.email}:`, error.response?.data || error.message)\n      throw error\n    }\n  }\n\n  /**\n   * Label Studio에서 사용자 비활성화\n   */\n  private static async deactivateUser(email: string, config: LabelStudioConfig): Promise<boolean> {\n    const apiUrl = this.buildApiUrl(config.serverUrl, '/api/users')\n\n    try {\n      // 이메일로 사용자 조회\n      const searchResponse = await axios.get(apiUrl, {\n        headers: {\n          Authorization: `Token ${config.apiToken}`\n        },\n        params: { email }\n      })\n\n      if (searchResponse.data.results && searchResponse.data.results.length > 0) {\n        const user = searchResponse.data.results[0]\n\n        // 비활성화\n        await axios.patch(\n          `${apiUrl}/${user.id}/`,\n          { is_active: false },\n          {\n            headers: {\n              Authorization: `Token ${config.apiToken}`,\n              'Content-Type': 'application/json'\n            }\n          }\n        )\n\n        return true\n      }\n\n      return false\n    } catch (error: any) {\n      console.error(`Failed to deactivate user ${email}:`, error.message)\n      return false\n    }\n  }\n\n  /**\n   * API URL 빌드\n   */\n  private static buildApiUrl(serverUrl: string, path: string): string {\n    let url = serverUrl.replace(/\\/$/, '')\n\n    if (!url.startsWith('http://') && !url.startsWith('https://')) {\n      url = `https://${url}`\n    }\n\n    return `${url}${path}`\n  }\n\n  /**\n   * 랜덤 비밀번호 생성 (SSO 사용으로 실제로는 사용 안 됨)\n   */\n  private static generateRandomPassword(): string {\n    return Math.random().toString(36).slice(-16) + Math.random().toString(36).slice(-16)\n  }\n\n  /**\n   * Sleep 유틸리티\n   */\n  private static sleep(ms: number): Promise<void> {\n    return new Promise(resolve => setTimeout(resolve, ms))\n  }\n}\n"]}

package/dist-server/index.d.ts

@@ -0,0 +1,7 @@
+export * from './service/index.js';
+export * from './utils/label-config-builder.js';
+export * from './utils/task-transformer.js';
+export * from './utils/annotation-exporter.js';
+export { WebhookAction, WebhookPayload, WebhookHandler, registerWebhookHandler, unregisterWebhookHandler, clearWebhookHandlers } from './route/webhook.js';
+import './route.js';
+import './route/webhook.js';

package/dist-server/index.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.clearWebhookHandlers = exports.unregisterWebhookHandler = exports.registerWebhookHandler = exports.WebhookAction = void 0;
+const tslib_1 = require("tslib");
+tslib_1.__exportStar(require("./service/index.js"), exports);
+tslib_1.__exportStar(require("./utils/label-config-builder.js"), exports);
+tslib_1.__exportStar(require("./utils/task-transformer.js"), exports);
+tslib_1.__exportStar(require("./utils/annotation-exporter.js"), exports);
+var webhook_js_1 = require("./route/webhook.js");
+Object.defineProperty(exports, "WebhookAction", { enumerable: true, get: function () { return webhook_js_1.WebhookAction; } });
+Object.defineProperty(exports, "registerWebhookHandler", { enumerable: true, get: function () { return webhook_js_1.registerWebhookHandler; } });
+Object.defineProperty(exports, "unregisterWebhookHandler", { enumerable: true, get: function () { return webhook_js_1.unregisterWebhookHandler; } });
+Object.defineProperty(exports, "clearWebhookHandlers", { enumerable: true, get: function () { return webhook_js_1.clearWebhookHandlers; } });
+require("./route.js");
+require("./route/webhook.js");
+process.on('bootstrap-module-start', async ({ app, config, client }) => {
+    console.log('[integration-label-studio:bootstrap] Label Studio integration initialized with subdomain cookie-sharing SSO');
+});
+//# sourceMappingURL=index.js.map

package/dist-server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../server/index.ts"],"names":[],"mappings":";;;;AAAA,6DAAkC;AAClC,0EAA+C;AAC/C,sEAA2C;AAC3C,yEAA8C;AAC9C,iDAO2B;AANzB,2GAAA,aAAa,OAAA;AAGb,oHAAA,sBAAsB,OAAA;AACtB,sHAAA,wBAAwB,OAAA;AACxB,kHAAA,oBAAoB,OAAA;AAGtB,sBAAmB;AACnB,8BAA2B;AAE3B,OAAO,CAAC,EAAE,CAAC,wBAA+B,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAO,EAAE,EAAE;IACjF,OAAO,CAAC,GAAG,CAAC,6GAA6G,CAAC,CAAA;AAC5H,CAAC,CAAC,CAAA","sourcesContent":["export * from './service/index.js'\nexport * from './utils/label-config-builder.js'\nexport * from './utils/task-transformer.js'\nexport * from './utils/annotation-exporter.js'\nexport {\n  WebhookAction,\n  WebhookPayload,\n  WebhookHandler,\n  registerWebhookHandler,\n  unregisterWebhookHandler,\n  clearWebhookHandlers\n} from './route/webhook.js'\n\nimport './route.js'\nimport './route/webhook.js'\n\nprocess.on('bootstrap-module-start' as any, async ({ app, config, client }: any) => {\n  console.log('[integration-label-studio:bootstrap] Label Studio integration initialized with subdomain cookie-sharing SSO')\n})\n"]}

package/dist-server/route/label-studio-sso.d.ts

@@ -0,0 +1,2 @@
+declare const ssoRouter: any;
+export { ssoRouter };

package/dist-server/route/label-studio-sso.js

@@ -0,0 +1,156 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ssoRouter = void 0;
+const tslib_1 = require("tslib");
+const koa_router_1 = tslib_1.__importDefault(require("koa-router"));
+const env_1 = require("@things-factory/env");
+const label_studio_sso_service_js_1 = require("../service/label-studio-sso-service.js");
+const ssoRouter = new koa_router_1.default();
+exports.ssoRouter = ssoRouter;
+/**
+ * Get Label Studio configuration
+ */
+function getLabelStudioConfig() {
+    const labelStudioConfig = env_1.config.get('labelStudio', {
+        serverUrl: 'http://localhost:8080',
+        apiToken: '',
+        cookieDomain: '' // e.g., '.nubison.localhost' for subdomain sharing
+    });
+    return {
+        serverUrl: labelStudioConfig.serverUrl,
+        apiToken: labelStudioConfig.apiToken,
+        cookieDomain: labelStudioConfig.cookieDomain || ''
+    };
+}
+/**
+ * SSO Setup Endpoint
+ *
+ * This endpoint must be called by the client before loading Label Studio iframe
+ * to establish SSO authentication using subdomain cookie sharing.
+ *
+ * Flow:
+ * 1. Client calls /label-studio/sso/setup
+ * 2. Backend requests JWT token from Label Studio
+ * 3. Backend sets ls_auth_token cookie with shared domain
+ * 4. Client loads Label Studio iframe - auto-login succeeds
+ *
+ * @example
+ * fetch('/label-studio/sso/setup', { credentials: 'include' })
+ */
+ssoRouter.get('/label-studio/sso/setup', async (ctx) => {
+    try {
+        const user = ctx.state.user;
+        if (!user || !user.email) {
+            ctx.status = 401;
+            ctx.body = {
+                success: false,
+                error: 'Unauthorized',
+                message: 'User authentication required'
+            };
+            return;
+        }
+        const { cookieDomain } = getLabelStudioConfig();
+        // Cookie name must match Label Studio's JWT_SSO_COOKIE_NAME setting
+        const cookieName = 'ls_auth_token';
+        const existingToken = ctx.cookies.get(cookieName);
+        if (existingToken) {
+            // Token already exists
+            ctx.status = 200;
+            ctx.body = {
+                success: true,
+                message: 'SSO token already exists',
+                user: user.email
+            };
+            return;
+        }
+        console.log(`[Label Studio SSO] Setting up token for ${user.email}`);
+        // Request JWT token from Label Studio
+        const tokenData = await label_studio_sso_service_js_1.LabelStudioSSOService.getSSOToken(user.email);
+        if (tokenData) {
+            // Clear existing sessionid to prevent conflict with SSO token
+            ctx.cookies.set('sessionid', '', {
+                domain: cookieDomain || undefined,
+                path: '/',
+                maxAge: 0 // Expire immediately
+            });
+            // Set cookie with shared domain for subdomain access
+            const cookieOptions = {
+                httpOnly: false, // Allow client-side access for debugging
+                secure: ctx.protocol === 'https',
+                sameSite: 'lax',
+                path: '/',
+                maxAge: tokenData.expires_in * 1000 // Convert seconds to milliseconds
+            };
+            // Only set domain if cookieDomain is configured
+            // This allows same-origin cookie for single domain setup
+            if (cookieDomain) {
+                cookieOptions.domain = cookieDomain;
+                console.log(`[Label Studio SSO] Using shared cookie domain: ${cookieDomain}`);
+            }
+            ctx.cookies.set(cookieName, tokenData.token, cookieOptions);
+            console.log(`[Label Studio SSO] Token set for ${user.email} (expires in ${tokenData.expires_in}s, domain: ${cookieDomain || 'same-origin'})`);
+            ctx.status = 200;
+            ctx.body = {
+                success: true,
+                message: 'SSO token setup complete',
+                user: user.email,
+                expiresIn: tokenData.expires_in,
+                cookieDomain: cookieDomain || 'same-origin'
+            };
+        }
+        else {
+            console.error(`[Label Studio SSO] Failed to acquire token for ${user.email}`);
+            ctx.status = 500;
+            ctx.body = {
+                success: false,
+                error: 'Token Acquisition Failed',
+                message: 'Failed to acquire SSO token from Label Studio'
+            };
+        }
+    }
+    catch (error) {
+        console.error('[Label Studio SSO] Setup error:', error.message);
+        ctx.status = 500;
+        ctx.body = {
+            success: false,
+            error: 'Internal Server Error',
+            message: error.message
+        };
+    }
+});
+/**
+ * Health check endpoint
+ */
+ssoRouter.get('/label-studio/sso/health', async (ctx) => {
+    try {
+        const { serverUrl, cookieDomain } = getLabelStudioConfig();
+        ctx.status = 200;
+        ctx.body = {
+            status: 'ok',
+            labelStudioUrl: serverUrl || 'not configured',
+            cookieDomain: cookieDomain || 'same-origin',
+            message: 'Label Studio SSO is running'
+        };
+    }
+    catch (error) {
+        ctx.status = 503;
+        ctx.body = {
+            status: 'error',
+            message: error.message
+        };
+    }
+});
+/**
+ * Configuration endpoint
+ */
+ssoRouter.get('/label-studio/sso/config', async (ctx) => {
+    const { serverUrl, apiToken, cookieDomain } = getLabelStudioConfig();
+    ctx.status = 200;
+    ctx.body = {
+        labelStudioUrl: serverUrl || 'not configured',
+        cookieDomain: cookieDomain || 'same-origin',
+        hasApiToken: !!apiToken,
+        ssoConfigured: label_studio_sso_service_js_1.LabelStudioSSOService.verifyConfig()
+    };
+});
+//# sourceMappingURL=label-studio-sso.js.map

package/dist-server/route/label-studio-sso.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"label-studio-sso.js","sourceRoot":"","sources":["../../server/route/label-studio-sso.ts"],"names":[],"mappings":";;;;AAqBA,oEAA+B;AAC/B,6CAA4C;AAC5C,wFAA8E;AAE9E,MAAM,SAAS,GAAG,IAAI,oBAAM,EAAE,CAAA;AAwKrB,8BAAS;AAtKlB;;GAEG;AACH,SAAS,oBAAoB;IAC3B,MAAM,iBAAiB,GAAG,YAAM,CAAC,GAAG,CAAC,aAAa,EAAE;QAClD,SAAS,EAAE,uBAAuB;QAClC,QAAQ,EAAE,EAAE;QACZ,YAAY,EAAE,EAAE,CAAC,mDAAmD;KACrE,CAAC,CAAA;IAEF,OAAO;QACL,SAAS,EAAE,iBAAiB,CAAC,SAAS;QACtC,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;QACpC,YAAY,EAAE,iBAAiB,CAAC,YAAY,IAAI,EAAE;KACnD,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAS,CAAC,GAAG,CAAC,yBAAyB,EAAE,KAAK,EAAE,GAAgB,EAAE,EAAE;IAClE,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAA;QAE3B,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YACzB,GAAG,CAAC,MAAM,GAAG,GAAG,CAAA;YAChB,GAAG,CAAC,IAAI,GAAG;gBACT,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,8BAA8B;aACxC,CAAA;YACD,OAAM;QACR,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,GAAG,oBAAoB,EAAE,CAAA;QAE/C,oEAAoE;QACpE,MAAM,UAAU,GAAG,eAAe,CAAA;QAClC,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QAEjD,IAAI,aAAa,EAAE,CAAC;YAClB,uBAAuB;YACvB,GAAG,CAAC,MAAM,GAAG,GAAG,CAAA;YAChB,GAAG,CAAC,IAAI,GAAG;gBACT,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,0BAA0B;gBACnC,IAAI,EAAE,IAAI,CAAC,KAAK;aACjB,CAAA;YACD,OAAM;QACR,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,2CAA2C,IAAI,CAAC,KAAK,EAAE,CAAC,CAAA;QAEpE,sCAAsC;QACtC,MAAM,SAAS,GAAG,MAAM,mDAAqB,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAErE,IAAI,SAAS,EAAE,CAAC;YACd,8DAA8D;YAC9D,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,EAAE;gBAC/B,MAAM,EAAE,YAAY,IAAI,SAAS;gBACjC,IAAI,EAAE,GAAG;gBACT,MAAM,EAAE,CAAC,CAAC,qBAAqB;aAChC,CAAC,CAAA;YAEF,qDAAqD;YACrD,MAAM,aAAa,GAAQ;gBACzB,QAAQ,EAAE,KAAK,EAAE,yCAAyC;gBAC1D,MAAM,EAAE,GAAG,CAAC,QAAQ,KAAK,OAAO;gBAChC,QAAQ,EAAE,KAAK;gBACf,IAAI,EAAE,GAAG;gBACT,MAAM,EAAE,SAAS,CAAC,UAAU,GAAG,IAAI,CAAC,kCAAkC;aACvE,CAAA;YAED,gDAAgD;YAChD,yDAAyD;YACzD,IAAI,YAAY,EAAE,CAAC;gBACjB,aAAa,CAAC,MAAM,GAAG,YAAY,CAAA;gBACnC,OAAO,CAAC,GAAG,CAAC,kDAAkD,YAAY,EAAE,CAAC,CAAA;YAC/E,CAAC;YAED,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,SAAS,CAAC,KAAK,EAAE,aAAa,CAAC,CAAA;YAE3D,OAAO,CAAC,GAAG,CACT,oCAAoC,IAAI,CAAC,KAAK,gBAAgB,SAAS,CAAC,UAAU,cAAc,YAAY,IAAI,aAAa,GAAG,CACjI,CAAA;YAED,GAAG,CAAC,MAAM,GAAG,GAAG,CAAA;YAChB,GAAG,CAAC,IAAI,GAAG;gBACT,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,0BAA0B;gBACnC,IAAI,EAAE,IAAI,CAAC,KAAK;gBAChB,SAAS,EAAE,SAAS,CAAC,UAAU;gBAC/B,YAAY,EAAE,YAAY,IAAI,aAAa;aAC5C,CAAA;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,kDAAkD,IAAI,CAAC,KAAK,EAAE,CAAC,CAAA;YAE7E,GAAG,CAAC,MAAM,GAAG,GAAG,CAAA;YAChB,GAAG,CAAC,IAAI,GAAG;gBACT,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,0BAA0B;gBACjC,OAAO,EAAE,+CAA+C;aACzD,CAAA;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAA;QAE/D,GAAG,CAAC,MAAM,GAAG,GAAG,CAAA;QAChB,GAAG,CAAC,IAAI,GAAG;YACT,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,uBAAuB;YAC9B,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAA;IACH,CAAC;AACH,CAAC,CAAC,CAAA;AAEF;;GAEG;AACH,SAAS,CAAC,GAAG,CAAC,0BAA0B,EAAE,KAAK,EAAE,GAAgB,EAAE,EAAE;IACnE,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,oBAAoB,EAAE,CAAA;QAE1D,GAAG,CAAC,MAAM,GAAG,GAAG,CAAA;QAChB,GAAG,CAAC,IAAI,GAAG;YACT,MAAM,EAAE,IAAI;YACZ,cAAc,EAAE,SAAS,IAAI,gBAAgB;YAC7C,YAAY,EAAE,YAAY,IAAI,aAAa;YAC3C,OAAO,EAAE,6BAA6B;SACvC,CAAA;IACH,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,GAAG,CAAC,MAAM,GAAG,GAAG,CAAA;QAChB,GAAG,CAAC,IAAI,GAAG;YACT,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAA;IACH,CAAC;AACH,CAAC,CAAC,CAAA;AAEF;;GAEG;AACH,SAAS,CAAC,GAAG,CAAC,0BAA0B,EAAE,KAAK,EAAE,GAAgB,EAAE,EAAE;IACnE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,oBAAoB,EAAE,CAAA;IAEpE,GAAG,CAAC,MAAM,GAAG,GAAG,CAAA;IAChB,GAAG,CAAC,IAAI,GAAG;QACT,cAAc,EAAE,SAAS,IAAI,gBAAgB;QAC7C,YAAY,EAAE,YAAY,IAAI,aAAa;QAC3C,WAAW,EAAE,CAAC,CAAC,QAAQ;QACvB,aAAa,EAAE,mDAAqB,CAAC,YAAY,EAAE;KACpD,CAAA;AACH,CAAC,CAAC,CAAA","sourcesContent":["/**\n * Label Studio SSO Route\n *\n * Implements subdomain-based cookie sharing for Label Studio SSO authentication.\n * This approach eliminates the need for proxy by using shared domain cookies.\n *\n * ## Architecture:\n * 1. Client calls /label-studio/sso/setup\n * 2. Backend gets JWT token from Label Studio using API Token\n * 3. Backend sets cookie with shared domain (e.g., .nubison.localhost)\n * 4. Client loads Label Studio directly in iframe\n * 5. Cookie is automatically sent with iframe requests\n *\n * ## Configuration:\n * Label Studio .env must include:\n * - JWT_SSO_SECRET: Shared secret for JWT signing\n * - JWT_SSO_COOKIE_NAME: Cookie name (default: ls_auth_token)\n * - CSRF_TRUSTED_ORIGINS: Include all frontend domains\n * - ALLOWED_HOSTS: Include all subdomain patterns\n */\nimport Koa from 'koa'\nimport Router from 'koa-router'\nimport { config } from '@things-factory/env'\nimport { LabelStudioSSOService } from '../service/label-studio-sso-service.js'\n\nconst ssoRouter = new Router()\n\n/**\n * Get Label Studio configuration\n */\nfunction getLabelStudioConfig() {\n  const labelStudioConfig = config.get('labelStudio', {\n    serverUrl: 'http://localhost:8080',\n    apiToken: '',\n    cookieDomain: '' // e.g., '.nubison.localhost' for subdomain sharing\n  })\n\n  return {\n    serverUrl: labelStudioConfig.serverUrl,\n    apiToken: labelStudioConfig.apiToken,\n    cookieDomain: labelStudioConfig.cookieDomain || ''\n  }\n}\n\n/**\n * SSO Setup Endpoint\n *\n * This endpoint must be called by the client before loading Label Studio iframe\n * to establish SSO authentication using subdomain cookie sharing.\n *\n * Flow:\n * 1. Client calls /label-studio/sso/setup\n * 2. Backend requests JWT token from Label Studio\n * 3. Backend sets ls_auth_token cookie with shared domain\n * 4. Client loads Label Studio iframe - auto-login succeeds\n *\n * @example\n * fetch('/label-studio/sso/setup', { credentials: 'include' })\n */\nssoRouter.get('/label-studio/sso/setup', async (ctx: Koa.Context) => {\n  try {\n    const user = ctx.state.user\n\n    if (!user || !user.email) {\n      ctx.status = 401\n      ctx.body = {\n        success: false,\n        error: 'Unauthorized',\n        message: 'User authentication required'\n      }\n      return\n    }\n\n    const { cookieDomain } = getLabelStudioConfig()\n\n    // Cookie name must match Label Studio's JWT_SSO_COOKIE_NAME setting\n    const cookieName = 'ls_auth_token'\n    const existingToken = ctx.cookies.get(cookieName)\n\n    if (existingToken) {\n      // Token already exists\n      ctx.status = 200\n      ctx.body = {\n        success: true,\n        message: 'SSO token already exists',\n        user: user.email\n      }\n      return\n    }\n\n    console.log(`[Label Studio SSO] Setting up token for ${user.email}`)\n\n    // Request JWT token from Label Studio\n    const tokenData = await LabelStudioSSOService.getSSOToken(user.email)\n\n    if (tokenData) {\n      // Clear existing sessionid to prevent conflict with SSO token\n      ctx.cookies.set('sessionid', '', {\n        domain: cookieDomain || undefined,\n        path: '/',\n        maxAge: 0 // Expire immediately\n      })\n\n      // Set cookie with shared domain for subdomain access\n      const cookieOptions: any = {\n        httpOnly: false, // Allow client-side access for debugging\n        secure: ctx.protocol === 'https',\n        sameSite: 'lax',\n        path: '/',\n        maxAge: tokenData.expires_in * 1000 // Convert seconds to milliseconds\n      }\n\n      // Only set domain if cookieDomain is configured\n      // This allows same-origin cookie for single domain setup\n      if (cookieDomain) {\n        cookieOptions.domain = cookieDomain\n        console.log(`[Label Studio SSO] Using shared cookie domain: ${cookieDomain}`)\n      }\n\n      ctx.cookies.set(cookieName, tokenData.token, cookieOptions)\n\n      console.log(\n        `[Label Studio SSO] Token set for ${user.email} (expires in ${tokenData.expires_in}s, domain: ${cookieDomain || 'same-origin'})`\n      )\n\n      ctx.status = 200\n      ctx.body = {\n        success: true,\n        message: 'SSO token setup complete',\n        user: user.email,\n        expiresIn: tokenData.expires_in,\n        cookieDomain: cookieDomain || 'same-origin'\n      }\n    } else {\n      console.error(`[Label Studio SSO] Failed to acquire token for ${user.email}`)\n\n      ctx.status = 500\n      ctx.body = {\n        success: false,\n        error: 'Token Acquisition Failed',\n        message: 'Failed to acquire SSO token from Label Studio'\n      }\n    }\n  } catch (error: any) {\n    console.error('[Label Studio SSO] Setup error:', error.message)\n\n    ctx.status = 500\n    ctx.body = {\n      success: false,\n      error: 'Internal Server Error',\n      message: error.message\n    }\n  }\n})\n\n/**\n * Health check endpoint\n */\nssoRouter.get('/label-studio/sso/health', async (ctx: Koa.Context) => {\n  try {\n    const { serverUrl, cookieDomain } = getLabelStudioConfig()\n\n    ctx.status = 200\n    ctx.body = {\n      status: 'ok',\n      labelStudioUrl: serverUrl || 'not configured',\n      cookieDomain: cookieDomain || 'same-origin',\n      message: 'Label Studio SSO is running'\n    }\n  } catch (error: any) {\n    ctx.status = 503\n    ctx.body = {\n      status: 'error',\n      message: error.message\n    }\n  }\n})\n\n/**\n * Configuration endpoint\n */\nssoRouter.get('/label-studio/sso/config', async (ctx: Koa.Context) => {\n  const { serverUrl, apiToken, cookieDomain } = getLabelStudioConfig()\n\n  ctx.status = 200\n  ctx.body = {\n    labelStudioUrl: serverUrl || 'not configured',\n    cookieDomain: cookieDomain || 'same-origin',\n    hasApiToken: !!apiToken,\n    ssoConfigured: LabelStudioSSOService.verifyConfig()\n  }\n})\n\nexport { ssoRouter }\n"]}

package/dist-server/route/webhook.d.ts

@@ -0,0 +1,65 @@
+import Koa from 'koa';
+declare const webhookRouter: any;
+/**
+ * Label Studio Webhook Event Types
+ */
+export declare enum WebhookAction {
+    ANNOTATION_CREATED = "ANNOTATION_CREATED",
+    ANNOTATION_UPDATED = "ANNOTATION_UPDATED",
+    ANNOTATION_DELETED = "ANNOTATION_DELETED",
+    TASK_CREATED = "TASK_CREATED",
+    TASK_UPDATED = "TASK_UPDATED",
+    TASK_DELETED = "TASK_DELETED",
+    PROJECT_UPDATED = "PROJECT_UPDATED"
+}
+export interface WebhookPayload {
+    action: WebhookAction;
+    project: {
+        id: number;
+        title: string;
+    };
+    task?: {
+        id: number;
+        data: any;
+        annotations: any[];
+    };
+    annotation?: {
+        id: number;
+        result: any[];
+        completed_by: {
+            id: number;
+            email: string;
+        };
+        lead_time: number;
+    };
+}
+/**
+ * Webhook handler function type
+ * Applications can register custom handlers for any webhook action
+ */
+export type WebhookHandler = (payload: WebhookPayload, context: Koa.Context) => Promise<void>;
+/**
+ * Register a custom webhook handler
+ * Handlers are executed in registration order
+ *
+ * @param action - Webhook action to handle
+ * @param handler - Handler function
+ *
+ * @example
+ * registerWebhookHandler(WebhookAction.ANNOTATION_CREATED, async (payload, ctx) => {
+ *   console.log('Custom handler:', payload.annotation?.id)
+ *   // Store annotation in database
+ *   // Trigger ML training
+ *   // Send notifications
+ * })
+ */
+export declare function registerWebhookHandler(action: WebhookAction, handler: WebhookHandler): void;
+/**
+ * Unregister a webhook handler
+ */
+export declare function unregisterWebhookHandler(action: WebhookAction, handler: WebhookHandler): void;
+/**
+ * Clear all custom handlers for an action
+ */
+export declare function clearWebhookHandlers(action?: WebhookAction): void;
+export { webhookRouter };