npm - @thinkingcat/auth-utils - Versions diffs - 1.0.5 → 1.0.7 - Mend

@thinkingcat/auth-utils 1.0.5 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -291,6 +291,29 @@ export interface RoleAccessConfig {
         allowedRoles?: string[];
     };
 }
+/**
+ * 미들웨어 설정 인터페이스
+ */
+export interface MiddlewareConfig {
+    /** 공개 접근 가능한 경로 배열 */
+    publicPaths?: string[];
+    /** 구독이 필요한 경로 배열 */
+    subscriptionRequiredPaths?: string[];
+    /** 구독 상태 확인을 제외할 API 경로 배열 */
+    subscriptionExemptApiPaths?: string[];
+    /** 인증 관련 API 경로 배열 */
+    authApiPaths?: string[];
+    /** 역할별 대시보드 경로 객체 */
+    rolePaths?: Record<string, string>;
+    /** 역할 기반 접근 제어 설정 */
+    roleAccessConfig?: RoleAccessConfig;
+    /** 서비스 ID */
+    serviceId?: string;
+    /** 시스템 관리자 역할명 (기본값: 'SYSTEM_ADMIN') */
+    systemAdminRole?: string;
+    /** 에러 페이지 경로 (기본값: '/error') */
+    errorPath?: string;
+}
 export declare function checkRoleAccess(pathname: string, role: string, roleConfig: RoleAccessConfig): {
     allowed: boolean;
     message?: string;
@@ -404,3 +427,18 @@ export declare function verifyAndRefreshTokenWithNextAuth(req: NextRequest, next
     error?: string;
     payload?: JWTPayload;
 }>;
+/**
+ * 기본 미들웨어 설정을 생성하는 함수
+ * @param config 커스텀 설정 (선택사항)
+ * @returns 미들웨어 설정 객체
+ */
+export declare function createMiddlewareConfig(config?: Partial<MiddlewareConfig>): Required<Omit<MiddlewareConfig, 'serviceId'>> & Pick<MiddlewareConfig, 'serviceId'>;
+/**
+ * 통합 미들웨어 핸들러 함수
+ * 모든 인증, 권한, 구독 체크를 포함한 완전한 미들웨어 로직
+ * @param req NextRequest 객체
+ * @param config 미들웨어 설정
+ * @param getNextAuthToken NextAuth 토큰을 가져오는 함수
+ * @returns NextResponse 또는 null (다음 미들웨어로 진행)
+ */
+export declare function handleMiddleware(req: NextRequest, config: Required<Omit<MiddlewareConfig, 'serviceId'>> & Pick<MiddlewareConfig, 'serviceId'>, getNextAuthToken: (req: NextRequest) => Promise<JWT | null>): Promise<NextResponse | null>;

package/dist/index.js CHANGED Viewed

@@ -28,6 +28,8 @@ exports.isApiPath = isApiPath;
 exports.isProtectedApiPath = isProtectedApiPath;
 exports.checkAuthentication = checkAuthentication;
 exports.verifyAndRefreshTokenWithNextAuth = verifyAndRefreshTokenWithNextAuth;
+exports.createMiddlewareConfig = createMiddlewareConfig;
+exports.handleMiddleware = handleMiddleware;
 const jwt_1 = require("next-auth/jwt");
 const jose_1 = require("jose");
 const server_1 = require("next/server");
@@ -726,3 +728,220 @@ async function verifyAndRefreshTokenWithNextAuth(req, nextAuthToken, secret, opt
     const authCheck = await verifyAndRefreshToken(req, secret, options);
     return authCheck;
 }
+/**
+ * 기본 미들웨어 설정을 생성하는 함수
+ * @param config 커스텀 설정 (선택사항)
+ * @returns 미들웨어 설정 객체
+ */
+function createMiddlewareConfig(config) {
+    const defaultConfig = {
+        publicPaths: [
+            '/robots.txt',
+            '/sitemap.xml',
+            '/ads.txt',
+            '/images',
+            '/login',
+            '/register',
+            '/forgot-password',
+            '/reset-password',
+            '/about',
+            '/pricing',
+            '/support',
+            '/terms',
+            '/privacy',
+            '/refund',
+            '/error',
+        ],
+        subscriptionRequiredPaths: [
+            '/admin',
+            '/teacher',
+            '/student',
+            '/personal',
+        ],
+        subscriptionExemptApiPaths: [
+            '/api/auth',
+            '/api/sso',
+            '/api/admin/subscription',
+            '/api/admin/payment-methods',
+        ],
+        authApiPaths: [
+            '/api/auth/send-verification',
+            '/api/auth/verify-code',
+            '/api/auth/verify-user',
+            '/api/auth/select-academy',
+        ],
+        rolePaths: {
+            SYSTEM_ADMIN: '/system',
+            ADMIN: '/admin',
+            TEACHER: '/teacher',
+            STUDENT: '/student',
+        },
+        roleAccessConfig: {},
+        systemAdminRole: 'SYSTEM_ADMIN',
+        errorPath: '/error',
+        serviceId: config?.serviceId,
+    };
+    // 커스텀 설정으로 병합
+    return {
+        ...defaultConfig,
+        ...config,
+        publicPaths: config?.publicPaths || defaultConfig.publicPaths,
+        subscriptionRequiredPaths: config?.subscriptionRequiredPaths || defaultConfig.subscriptionRequiredPaths,
+        subscriptionExemptApiPaths: config?.subscriptionExemptApiPaths || defaultConfig.subscriptionExemptApiPaths,
+        authApiPaths: config?.authApiPaths || defaultConfig.authApiPaths,
+        rolePaths: config?.rolePaths || defaultConfig.rolePaths,
+        roleAccessConfig: config?.roleAccessConfig || defaultConfig.roleAccessConfig,
+    };
+}
+/**
+ * 통합 미들웨어 핸들러 함수
+ * 모든 인증, 권한, 구독 체크를 포함한 완전한 미들웨어 로직
+ * @param req NextRequest 객체
+ * @param config 미들웨어 설정
+ * @param getNextAuthToken NextAuth 토큰을 가져오는 함수
+ * @returns NextResponse 또는 null (다음 미들웨어로 진행)
+ */
+async function handleMiddleware(req, config, getNextAuthToken) {
+    try {
+        const pathname = req.nextUrl.pathname;
+        const secret = process.env.NEXTAUTH_SECRET;
+        const isProduction = process.env.NODE_ENV === 'production';
+        const cookieDomain = process.env.COOKIE_DOMAIN;
+        const serviceId = config.serviceId || 'checkon';
+        const cookiePrefix = serviceId;
+        const token = await getNextAuthToken(req);
+        const effectiveRole = getEffectiveRole(token, serviceId);
+        // 1. API 요청 처리
+        if (pathname.startsWith('/api/')) {
+            if (config.authApiPaths.includes(pathname)) {
+                return server_1.NextResponse.next();
+            }
+            if (config.subscriptionExemptApiPaths.some((path) => pathname.startsWith(path))) {
+                return server_1.NextResponse.next();
+            }
+            const authCheck = await verifyAndRefreshTokenWithNextAuth(req, token, secret, {
+                cookiePrefix,
+                isProduction,
+                cookieDomain,
+                text: serviceId,
+            });
+            if (authCheck.response) {
+                return authCheck.response;
+            }
+            if (!authCheck.isValid) {
+                const response = redirectToError(req, 'UNAUTHORIZED', '인증이 필요합니다.', config.errorPath);
+                return clearAuthCookies(response, cookiePrefix);
+            }
+            return server_1.NextResponse.next();
+        }
+        // 2. 루트 경로 처리 - SSO 토큰 처리 (인증 체크보다 먼저!)
+        if (pathname === '/') {
+            const tokenParam = req.nextUrl.searchParams.get('token');
+            if (tokenParam) {
+                try {
+                    // 1. 토큰 검증
+                    const tokenResult = await verifyToken(tokenParam, secret);
+                    if (!tokenResult) {
+                        throw new Error('Invalid token');
+                    }
+                    const { payload } = tokenResult;
+                    // 2. 역할 추출
+                    const defaultRole = Object.keys(config.rolePaths)[0] || 'ADMIN';
+                    const tokenRole = extractRoleFromPayload(payload, serviceId, defaultRole);
+                    // 3. Refresh token 가져오기 (서버 간 통신)
+                    const userId = payload.sub || payload.userId || '';
+                    const refreshToken = await getRefreshTokenFromSSO(userId, tokenParam) || '';
+                    // 4. 자체 토큰 생성 및 쿠키 설정
+                    const redirectPath = config.rolePaths[tokenRole] || config.rolePaths[defaultRole] || '/admin';
+                    const response = await createAuthResponse(tokenParam, secret, {
+                        refreshToken: refreshToken || undefined,
+                        redirectPath,
+                        text: serviceId,
+                        cookiePrefix,
+                        isProduction,
+                        cookieDomain,
+                    });
+                    return response;
+                }
+                catch {
+                    // 토큰 검증 실패 시 SSO 로그인으로 리다이렉트
+                    return redirectToSSOLogin(req, serviceId);
+                }
+            }
+            // 토큰이 없고 이미 인증된 경우 역할별 대시보드로 리다이렉트
+            if (token && effectiveRole) {
+                return redirectToRoleDashboard(req, effectiveRole, config.rolePaths);
+            }
+            // 인증되지 않은 경우 SSO 로그인 페이지로 리다이렉트
+            return redirectToSSOLogin(req, serviceId);
+        }
+        // 3. 공개 경로 처리
+        if (config.publicPaths.some((path) => pathname === path || pathname.startsWith(path))) {
+            if (pathname === '/error' || pathname === '/verification') {
+                return server_1.NextResponse.next();
+            }
+            if (token && effectiveRole) {
+                return redirectToRoleDashboard(req, effectiveRole, config.rolePaths);
+            }
+            return server_1.NextResponse.next();
+        }
+        // 4. 인증 체크
+        const authCheck = await verifyAndRefreshTokenWithNextAuth(req, token, secret, {
+            cookiePrefix,
+            isProduction,
+            cookieDomain,
+            text: serviceId,
+        });
+        if (authCheck.response) {
+            return authCheck.response;
+        }
+        if (!authCheck.isValid) {
+            return redirectToSSOLogin(req, serviceId);
+        }
+        // 5. 토큰 확인 및 변환
+        let finalToken = token || await getNextAuthToken(req);
+        // verifyAndRefreshToken이 성공했는데 NextAuth 토큰이 없으면, 자체 토큰을 사용
+        if (!finalToken && authCheck.isValid) {
+            const accessToken = req.cookies.get(`${cookiePrefix}_access_token`)?.value;
+            if (accessToken) {
+                const tokenResult = await verifyToken(accessToken, secret);
+                if (tokenResult) {
+                    const { payload } = tokenResult;
+                    finalToken = createNextAuthJWT(payload, true); // academies 포함
+                }
+            }
+        }
+        if (!finalToken) {
+            return redirectToSSOLogin(req, serviceId);
+        }
+        // 6. 토큰 에러 체크
+        if (finalToken.error === "RefreshAccessTokenError") {
+            return redirectToSSOLogin(req, serviceId);
+        }
+        // 7. 토큰 유효성 체크
+        if (!finalToken.role || !finalToken.email) {
+            return redirectToSSOLogin(req, serviceId);
+        }
+        // 8. 역할 기반 접근 제어
+        const finalEffectiveRole = finalToken.role || getEffectiveRole(finalToken, serviceId) || effectiveRole || '';
+        if (config.roleAccessConfig && Object.keys(config.roleAccessConfig).length > 0 && finalEffectiveRole) {
+            const roleCheck = checkRoleAccess(pathname, finalEffectiveRole, config.roleAccessConfig);
+            if (!roleCheck.allowed) {
+                return redirectToError(req, 'ACCESS_DENIED', roleCheck.message || '접근 권한이 없습니다.', config.errorPath);
+            }
+        }
+        // 9. 구독 상태 확인 (시스템 관리자 제외)
+        if (finalEffectiveRole && requiresSubscription(pathname, finalEffectiveRole, config.subscriptionRequiredPaths, config.systemAdminRole)) {
+            const services = finalToken.services || [];
+            const subscriptionCheck = validateServiceSubscription(services, serviceId);
+            if (!subscriptionCheck.isValid) {
+                return server_1.NextResponse.redirect(subscriptionCheck.redirectUrl);
+            }
+        }
+        return null; // 다음 미들웨어로 진행
+    }
+    catch (error) {
+        console.error('Middleware error:', error);
+        return redirectToError(req, 'INTERNAL_ERROR', '서버 오류가 발생했습니다.', config.errorPath);
+    }
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@thinkingcat/auth-utils",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "description": "Authentication utilities for ThinkingCat SSO services",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",