npm - @thinkingcat/auth-utils - Versions diffs - 1.0.7 → 1.0.9 - Mend

@thinkingcat/auth-utils 1.0.7 → 1.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js CHANGED Viewed

@@ -1,4 +1,37 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifyToken = verifyToken;
 exports.extractRoleFromPayload = extractRoleFromPayload;
@@ -16,6 +49,7 @@ exports.redirectToError = redirectToError;
 exports.clearAuthCookies = clearAuthCookies;
 exports.getEffectiveRole = getEffectiveRole;
 exports.requiresSubscription = requiresSubscription;
+exports.checkLicenseKey = checkLicenseKey;
 exports.checkRoleAccess = checkRoleAccess;
 exports.redirectToSSOLogin = redirectToSSOLogin;
 exports.redirectToRoleDashboard = redirectToRoleDashboard;
@@ -33,6 +67,7 @@ exports.handleMiddleware = handleMiddleware;
 const jwt_1 = require("next-auth/jwt");
 const jose_1 = require("jose");
 const server_1 = require("next/server");
+const crypto_1 = require("crypto");
 /**
  * 토큰 검증 및 디코딩
  * @param accessToken JWT access token
@@ -55,11 +90,11 @@ async function verifyToken(accessToken, secret) {
 /**
  * payload에서 역할 추출 (서비스별)
  * @param payload JWT payload
- * @param serviceId 서비스 ID (기본값: 'checkon')
+ * @param serviceId 서비스 ID (필수)
  * @param defaultRole 기본 역할 (기본값: 'ADMIN')
  * @returns 추출된 역할
  */
-function extractRoleFromPayload(payload, serviceId = 'checkon', defaultRole = 'ADMIN') {
+function extractRoleFromPayload(payload, serviceId, defaultRole = 'ADMIN') {
     const services = payload.services || [];
     const service = services.find((s) => s.serviceId === serviceId);
     return service?.role || payload.role || defaultRole;
@@ -67,18 +102,19 @@ function extractRoleFromPayload(payload, serviceId = 'checkon', defaultRole = 'A
 /**
  * payload에서 NextAuth JWT 객체 생성
  * @param payload JWT payload
+ * @param serviceId 서비스 ID (필수)
  * @param includeAcademies academies 정보 포함 여부
  * @returns NextAuth JWT 객체
  */
-function createNextAuthJWT(payload, includeAcademies = false) {
+function createNextAuthJWT(payload, serviceId, includeAcademies = false) {
     const services = payload.services || [];
-    const checkonService = services.find((s) => s.serviceId === 'checkon');
-    const effectiveRole = checkonService?.role || payload.role || 'ADMIN';
+    const service = services.find((s) => s.serviceId === serviceId);
+    const effectiveRole = service?.role || payload.role || 'ADMIN';
     const jwt = {
         id: (payload.id || payload.sub),
         email: payload.email,
         name: payload.name,
-        role: effectiveRole, // Role enum 타입
+        role: effectiveRole, // Role enum 타입 (string으로 캐스팅)
         services: payload.services,
         academies: includeAcademies
             ? payload.academies || []
@@ -142,7 +178,10 @@ function setCustomTokens(response, accessToken, optionsOrRefreshToken, options)
     if (typeof optionsOrRefreshToken === 'string') {
         // 기존 방식: refreshToken이 문자열로 전달된 경우
         refreshTokenValue = optionsOrRefreshToken;
-        const { cookiePrefix: prefix = 'checkon', isProduction: prod = false, } = options || {};
+        const { cookiePrefix: prefix, isProduction: prod = false, } = options || {};
+        if (!prefix) {
+            throw new Error('cookiePrefix is required');
+        }
         cookiePrefix = prefix;
         isProduction = prod;
     }
@@ -150,7 +189,10 @@ function setCustomTokens(response, accessToken, optionsOrRefreshToken, options)
         // 새로운 방식: options 객체로 전달된 경우
         const opts = optionsOrRefreshToken || {};
         refreshTokenValue = opts.refreshToken;
-        cookiePrefix = opts.cookiePrefix || 'checkon';
+        if (!opts.cookiePrefix) {
+            throw new Error('cookiePrefix is required');
+        }
+        cookiePrefix = opts.cookiePrefix;
         isProduction = opts.isProduction || false;
     }
     // access_token 설정
@@ -204,10 +246,10 @@ function setNextAuthToken(response, sessionToken, options = {}) {
 /**
  * 리다이렉트용 HTML 생성
  * @param redirectPath 리다이렉트할 경로
- * @param text 표시할 텍스트 (기본값: 'checkon')
+ * @param text 표시할 텍스트 (필수)
  * @returns HTML 문자열
  */
-function createRedirectHTML(redirectPath, text = 'checkon') {
+function createRedirectHTML(redirectPath, text) {
     return `
     <!DOCTYPE html>
     <html>
@@ -282,14 +324,15 @@ function createRedirectHTML(redirectPath, text = 'checkon') {
  * @param options 추가 옵션
  * @param options.refreshToken refresh token (선택)
  * @param options.redirectPath 리다이렉트할 경로 (기본값: 페이지 리로드)
- * @param options.text 리다이렉트 HTML에 표시할 텍스트 (기본값: 'checkon')
- * @param options.cookiePrefix 쿠키 이름 접두사 (기본값: 'checkon')
+ * @param options.text 리다이렉트 HTML에 표시할 텍스트 (선택사항)
+ * @param options.cookiePrefix 쿠키 이름 접두사 (필수)
  * @param options.isProduction 프로덕션 환경 여부 (기본값: false)
  * @param options.cookieDomain 쿠키 도메인 (선택)
  * @returns NextResponse 객체
  */
-async function createAuthResponse(accessToken, secret, options = {}) {
-    const { refreshToken, redirectPath, text = 'checkon', cookiePrefix = 'checkon', isProduction = false, cookieDomain, } = options;
+async function createAuthResponse(accessToken, secret, options) {
+    checkLicenseKey(options.licenseKey);
+    const { refreshToken, redirectPath, text, cookiePrefix, isProduction = false, cookieDomain, serviceId, } = options;
     // 1. 토큰 검증
     const tokenResult = await verifyToken(accessToken, secret);
     if (!tokenResult) {
@@ -297,14 +340,15 @@ async function createAuthResponse(accessToken, secret, options = {}) {
     }
     const { payload } = tokenResult;
     // 2. 역할 추출
-    const role = extractRoleFromPayload(payload);
+    const role = extractRoleFromPayload(payload, serviceId);
     // 3. NextAuth JWT 생성 및 인코딩
-    const jwt = createNextAuthJWT(payload);
+    const jwt = createNextAuthJWT(payload, serviceId);
     const sessionToken = await encodeNextAuthToken(jwt, secret);
     // 4. HTML 생성
+    const displayText = text || serviceId;
     const html = redirectPath
-        ? createRedirectHTML(redirectPath, text)
-        : createRedirectHTML('', text).replace("window.location.href = ''", "window.location.reload()");
+        ? createRedirectHTML(redirectPath, displayText)
+        : createRedirectHTML('', displayText).replace("window.location.href = ''", "window.location.reload()");
     // 5. Response 생성
     const response = new server_1.NextResponse(html, {
         status: 200,
@@ -339,21 +383,22 @@ async function createAuthResponse(accessToken, secret, options = {}) {
  * 서비스 구독 유효성 확인 함수
  * @param services 서비스 정보 배열
  * @param serviceId 확인할 서비스 ID
+ * @param ssoBaseURL SSO 서버 기본 URL (필수)
  * @returns 구독 유효성 결과
  */
-function validateServiceSubscription(services, serviceId) {
+function validateServiceSubscription(services, serviceId, ssoBaseURL) {
     const filteredServices = services.filter(service => service.serviceId === serviceId);
     if (filteredServices.length === 0) {
         return {
             isValid: false,
-            redirectUrl: `${process.env.SSO_AUTH_SERVER_URL || 'http://localhost:3000'}/services/${serviceId}?type=subscription_required`
+            redirectUrl: `${ssoBaseURL}/services/${serviceId}?type=subscription_required`
         };
     }
     const service = filteredServices[0];
     if (service.status !== "ACTIVE") {
         return {
             isValid: false,
-            redirectUrl: `${process.env.SSO_AUTH_SERVER_URL || 'http://localhost:3000'}/services/${service.serviceId}?type=subscription_required`,
+            redirectUrl: `${ssoBaseURL}/services/${service.serviceId}?type=subscription_required`,
             service
         };
     }
@@ -366,13 +411,12 @@ function validateServiceSubscription(services, serviceId) {
  * SSO 서버에서 refresh token을 사용하여 새로운 access token을 발급받는 함수
  * @param refreshToken refresh token
  * @param options 옵션
- * @param options.ssoBaseURL SSO 서버 기본 URL (기본값: 환경 변수 또는 기본값)
+ * @param options.ssoBaseURL SSO 서버 기본 URL (필수)
  * @param options.authServiceKey 인증 서비스 키 (기본값: 환경 변수)
  * @returns SSO refresh token 응답
  */
 async function refreshSSOToken(refreshToken, options) {
-    const ssoBaseURL = options?.ssoBaseURL || process.env.NEXT_PUBLIC_SSO_BASE_URL || 'https://sso.thinkingcatworks.com';
-    const authServiceKey = options?.authServiceKey || process.env.AUTH_SERVICE_SECRET_KEY;
+    const { ssoBaseURL, authServiceKey } = options;
     if (!authServiceKey) {
         throw new Error('AUTH_SERVICE_SECRET_KEY not configured');
     }
@@ -391,13 +435,12 @@ async function refreshSSOToken(refreshToken, options) {
  * @param userId 사용자 ID
  * @param accessToken access token
  * @param options 옵션
- * @param options.ssoBaseURL SSO 서버 기본 URL (기본값: 환경 변수 또는 기본값)
+ * @param options.ssoBaseURL SSO 서버 기본 URL (필수)
  * @param options.authServiceKey 인증 서비스 키 (기본값: 환경 변수)
  * @returns refresh token 또는 null
  */
 async function getRefreshTokenFromSSO(userId, accessToken, options) {
-    const ssoBaseURL = options?.ssoBaseURL || process.env.NEXT_PUBLIC_SSO_BASE_URL || 'https://sso.thinkingcatworks.com';
-    const authServiceKey = options?.authServiceKey || process.env.AUTH_SERVICE_SECRET_KEY;
+    const { ssoBaseURL, authServiceKey } = options;
     if (!authServiceKey) {
         return null;
     }
@@ -423,56 +466,59 @@ async function getRefreshTokenFromSSO(userId, accessToken, options) {
     }
     return null;
 }
-/**
- * 토큰 검증 및 리프레시 처리 공통 함수
- *
- * @param req - NextRequest 객체
- * @param secret - JWT 서명에 사용할 secret key
- * @param options - 옵션
- * @param options.cookiePrefix - 쿠키 이름 접두사 (기본값: 'checkon')
- * @param options.isProduction - 프로덕션 환경 여부 (기본값: false)
- * @param options.cookieDomain - 쿠키 도메인 (선택)
- * @param options.text - 리다이렉트 HTML에 표시할 텍스트 (기본값: 'checkon')
- * @param options.ssoBaseURL - SSO 서버 기본 URL (기본값: 환경 변수 또는 기본값)
- * @param options.authServiceKey - 인증 서비스 키 (기본값: 환경 변수)
- * @returns 검증 결과 및 필요시 리프레시된 응답
- */
 async function verifyAndRefreshToken(req, secret, options) {
-    const { cookiePrefix = 'checkon', isProduction = false, cookieDomain, text = 'checkon', } = options || {};
+    const { cookiePrefix, serviceId, isProduction, cookieDomain, text, ssoBaseURL, authServiceKey, } = options;
     // 1. access_token 쿠키 확인
     const accessTokenName = `${cookiePrefix}_access_token`;
     const accessToken = req.cookies.get(accessTokenName)?.value;
     if (accessToken) {
-        const tokenResult = await verifyToken(accessToken, secret);
-        if (tokenResult) {
-            return { isValid: true, payload: tokenResult.payload };
+        try {
+            const secretBytes = new TextEncoder().encode(secret);
+            const { payload } = await (0, jose_1.jwtVerify)(accessToken, secretBytes);
+            if (payload && typeof payload === 'object' && payload.email) {
+                return { isValid: true, payload: payload };
+            }
+        }
+        catch {
+            // 토큰 검증 실패
         }
-        // 토큰이 만료되었거나 유효하지 않음 (리프레시 시도)
     }
-    // 2. 리프레시 토큰으로 갱신 시도
+    // 리프레시 토큰으로 갱신 시도
     const refreshTokenName = `${cookiePrefix}_refresh_token`;
     const refreshToken = req.cookies.get(refreshTokenName)?.value;
     if (refreshToken) {
         try {
+            if (!ssoBaseURL || !authServiceKey) {
+                return { isValid: false, error: 'SSO_CONFIG_MISSING' };
+            }
             const refreshResult = await refreshSSOToken(refreshToken, {
-                ssoBaseURL: options?.ssoBaseURL,
-                authServiceKey: options?.authServiceKey,
+                ssoBaseURL,
+                authServiceKey,
             });
             if (refreshResult.success && refreshResult.accessToken) {
-                // 토큰 갱신 성공 - createAuthResponse 사용
                 const newRefreshToken = refreshResult.refreshToken || refreshToken;
                 try {
+                    let payload;
+                    try {
+                        const secretBytes = new TextEncoder().encode(secret);
+                        const { payload: tokenPayload } = await (0, jose_1.jwtVerify)(refreshResult.accessToken, secretBytes);
+                        if (tokenPayload && typeof tokenPayload === 'object' && tokenPayload.email) {
+                            payload = tokenPayload;
+                        }
+                    }
+                    catch {
+                        // 토큰 검증 실패
+                    }
                     const response = await createAuthResponse(refreshResult.accessToken, secret, {
                         refreshToken: newRefreshToken,
-                        redirectPath: '', // 리다이렉트 없이 현재 페이지 유지
-                        text,
+                        redirectPath: '',
+                        text: text || serviceId,
                         cookiePrefix,
                         isProduction,
                         cookieDomain,
+                        serviceId,
+                        licenseKey: options.licenseKey,
                     });
-                    // payload 추출을 위해 토큰 검증
-                    const tokenResult = await verifyToken(refreshResult.accessToken, secret);
-                    const payload = tokenResult?.payload;
                     return { isValid: true, response, payload };
                 }
                 catch (error) {
@@ -508,10 +554,10 @@ function redirectToError(req, code, message, errorPath = '/error') {
 /**
  * 인증 쿠키를 삭제하는 헬퍼 함수
  * @param response NextResponse 객체
- * @param cookiePrefix 쿠키 이름 접두사 (기본값: 'checkon')
+ * @param cookiePrefix 쿠키 이름 접두사 (필수)
  * @returns NextResponse 객체
  */
-function clearAuthCookies(response, cookiePrefix = 'checkon') {
+function clearAuthCookies(response, cookiePrefix) {
     response.cookies.delete(`${cookiePrefix}_access_token`);
     response.cookies.delete(`${cookiePrefix}_refresh_token`);
     return response;
@@ -519,10 +565,10 @@ function clearAuthCookies(response, cookiePrefix = 'checkon') {
 /**
  * JWT에서 서비스별 역할을 추출하는 헬퍼 함수
  * @param token NextAuth JWT 객체 또는 null
- * @param serviceId 서비스 ID (기본값: 'checkon')
+ * @param serviceId 서비스 ID (필수)
  * @returns 추출된 역할 또는 undefined
  */
-function getEffectiveRole(token, serviceId = 'checkon') {
+function getEffectiveRole(token, serviceId) {
     if (!token)
         return undefined;
     // token이 이미 JWT 객체인 경우 role을 직접 사용
@@ -550,6 +596,19 @@ function requiresSubscription(pathname, role, subscriptionRequiredPaths, systemA
     // 구독이 필요한 경로인지 확인
     return subscriptionRequiredPaths.some(path => pathname.startsWith(path));
 }
+// 유효한 라이센스 키 해시 목록
+const VALID_LICENSE_KEY_HASHES = new Set([
+    '73bce4f3b64804c255cdab450d759a8b53038f9edb59ae42d9988b08dfd007e2',
+]);
+function checkLicenseKey(licenseKey) {
+    if (!licenseKey || licenseKey.length < 10) {
+        throw new Error('License key is required');
+    }
+    const keyHash = (0, crypto_1.createHash)('sha256').update(licenseKey).digest('hex');
+    if (!VALID_LICENSE_KEY_HASHES.has(keyHash)) {
+        throw new Error('Invalid license key');
+    }
+}
 function checkRoleAccess(pathname, role, roleConfig) {
     // 각 역할 설정을 확인
     for (const [configRole, config] of Object.entries(roleConfig)) {
@@ -570,12 +629,11 @@ function checkRoleAccess(pathname, role, roleConfig) {
  * SSO 로그인 페이지로 리다이렉트하는 헬퍼 함수
  * @param req NextRequest 객체
  * @param serviceId 서비스 ID
- * @param ssoBaseURL SSO 서버 기본 URL (기본값: 환경 변수 또는 기본값)
+ * @param ssoBaseURL SSO 서버 기본 URL (필수)
  * @returns NextResponse 리다이렉트 응답
  */
 function redirectToSSOLogin(req, serviceId, ssoBaseURL) {
-    const baseURL = ssoBaseURL || process.env.NEXT_PUBLIC_SSO_BASE_URL || "https://sso.thinkingcatworks.com";
-    return server_1.NextResponse.redirect(new URL(`${baseURL}/auth/login?serviceId=${serviceId}`, req.url));
+    return server_1.NextResponse.redirect(new URL(`${ssoBaseURL}/auth/login?serviceId=${serviceId}`, req.url));
 }
 /**
  * 역할별 대시보드 경로로 리다이렉트하는 헬퍼 함수
@@ -620,10 +678,10 @@ function isValidToken(token) {
  * 특정 역할을 가지고 있는지 확인하는 함수
  * @param token NextAuth JWT 객체
  * @param role 확인할 역할
- * @param serviceId 서비스 ID (기본값: 'checkon')
+ * @param serviceId 서비스 ID (필수)
  * @returns 역할 보유 여부
  */
-function hasRole(token, role, serviceId = 'checkon') {
+function hasRole(token, role, serviceId) {
     if (!token)
         return false;
     const effectiveRole = getEffectiveRole(token, serviceId);
@@ -633,10 +691,10 @@ function hasRole(token, role, serviceId = 'checkon') {
  * 여러 역할 중 하나라도 가지고 있는지 확인하는 함수
  * @param token NextAuth JWT 객체
  * @param roles 확인할 역할 배열
- * @param serviceId 서비스 ID (기본값: 'checkon')
+ * @param serviceId 서비스 ID (필수)
  * @returns 역할 보유 여부
  */
-function hasAnyRole(token, roles, serviceId = 'checkon') {
+function hasAnyRole(token, roles, serviceId) {
     if (!token)
         return false;
     const effectiveRole = getEffectiveRole(token, serviceId);
@@ -678,8 +736,7 @@ function isProtectedApiPath(pathname, exemptPaths = []) {
  * @returns 인증 결과
  */
 async function checkAuthentication(req, secret, options) {
-    const { cookiePrefix = 'checkon', getNextAuthToken, } = options || {};
-    // 1. NextAuth 토큰 확인
+    const { cookiePrefix, serviceId, getNextAuthToken, } = options;
     let nextAuthToken = null;
     if (getNextAuthToken) {
         nextAuthToken = await getNextAuthToken(req);
@@ -690,7 +747,6 @@ async function checkAuthentication(req, secret, options) {
             token: nextAuthToken,
         };
     }
-    // 2. 자체 토큰 확인
     const authCheck = await verifyAndRefreshToken(req, secret, options);
     if (authCheck.response) {
         return {
@@ -720,77 +776,74 @@ async function checkAuthentication(req, secret, options) {
  * @returns 인증 결과
  */
 async function verifyAndRefreshTokenWithNextAuth(req, nextAuthToken, secret, options) {
-    // 1. NextAuth 토큰이 있고 유효하면 통과
     if (nextAuthToken && isValidToken(nextAuthToken)) {
         return { isValid: true };
     }
-    // 2. 자체 토큰 확인 및 리프레시
     const authCheck = await verifyAndRefreshToken(req, secret, options);
     return authCheck;
 }
 /**
  * 기본 미들웨어 설정을 생성하는 함수
- * @param config 커스텀 설정 (선택사항)
+ * @param config 커스텀 설정 (필수: serviceId 포함)
+ * @param defaults 기본 설정값 (선택사항, 제공하지 않으면 최소 기본값 사용)
  * @returns 미들웨어 설정 객체
  */
-function createMiddlewareConfig(config) {
-    const defaultConfig = {
-        publicPaths: [
-            '/robots.txt',
-            '/sitemap.xml',
-            '/ads.txt',
-            '/images',
-            '/login',
-            '/register',
-            '/forgot-password',
-            '/reset-password',
-            '/about',
-            '/pricing',
-            '/support',
-            '/terms',
-            '/privacy',
-            '/refund',
-            '/error',
-        ],
-        subscriptionRequiredPaths: [
-            '/admin',
-            '/teacher',
-            '/student',
-            '/personal',
-        ],
-        subscriptionExemptApiPaths: [
-            '/api/auth',
-            '/api/sso',
-            '/api/admin/subscription',
-            '/api/admin/payment-methods',
-        ],
-        authApiPaths: [
-            '/api/auth/send-verification',
-            '/api/auth/verify-code',
-            '/api/auth/verify-user',
-            '/api/auth/select-academy',
-        ],
-        rolePaths: {
-            SYSTEM_ADMIN: '/system',
-            ADMIN: '/admin',
-            TEACHER: '/teacher',
-            STUDENT: '/student',
-        },
-        roleAccessConfig: {},
-        systemAdminRole: 'SYSTEM_ADMIN',
-        errorPath: '/error',
-        serviceId: config?.serviceId,
+function createMiddlewareConfig(config, defaults) {
+    // 기본값 설정
+    const defaultPublicPaths = defaults?.publicPaths || [
+        '/robots.txt',
+        '/sitemap.xml',
+        '/ads.txt',
+        '/images',
+        '/login',
+        '/register',
+        '/forgot-password',
+        '/reset-password',
+        '/about',
+        '/pricing',
+        '/support',
+        '/terms',
+        '/privacy',
+        '/refund',
+        '/error',
+    ];
+    const defaultSubscriptionRequiredPaths = defaults?.subscriptionRequiredPaths || [
+        '/admin',
+        '/teacher',
+        '/student',
+        '/personal',
+    ];
+    const defaultSubscriptionExemptApiPaths = defaults?.subscriptionExemptApiPaths || [
+        '/api/auth',
+        '/api/sso',
+        '/api/admin/subscription',
+        '/api/admin/payment-methods',
+    ];
+    const defaultAuthApiPaths = defaults?.authApiPaths || [
+        '/api/auth/send-verification',
+        '/api/auth/verify-code',
+        '/api/auth/verify-user',
+        '/api/auth/select-academy',
+    ];
+    const defaultRolePaths = defaults?.rolePaths || {
+        SYSTEM_ADMIN: '/system',
+        ADMIN: '/admin',
+        TEACHER: '/teacher',
+        STUDENT: '/student',
     };
+    const defaultSystemAdminRole = defaults?.systemAdminRole || 'SYSTEM_ADMIN';
+    const defaultErrorPath = defaults?.errorPath || '/error';
     // 커스텀 설정으로 병합
     return {
-        ...defaultConfig,
-        ...config,
-        publicPaths: config?.publicPaths || defaultConfig.publicPaths,
-        subscriptionRequiredPaths: config?.subscriptionRequiredPaths || defaultConfig.subscriptionRequiredPaths,
-        subscriptionExemptApiPaths: config?.subscriptionExemptApiPaths || defaultConfig.subscriptionExemptApiPaths,
-        authApiPaths: config?.authApiPaths || defaultConfig.authApiPaths,
-        rolePaths: config?.rolePaths || defaultConfig.rolePaths,
-        roleAccessConfig: config?.roleAccessConfig || defaultConfig.roleAccessConfig,
+        publicPaths: config.publicPaths || defaultPublicPaths,
+        subscriptionRequiredPaths: config.subscriptionRequiredPaths || defaultSubscriptionRequiredPaths,
+        subscriptionExemptApiPaths: config.subscriptionExemptApiPaths || defaultSubscriptionExemptApiPaths,
+        authApiPaths: config.authApiPaths || defaultAuthApiPaths,
+        rolePaths: config.rolePaths || defaultRolePaths,
+        roleAccessConfig: config.roleAccessConfig || {},
+        systemAdminRole: config.systemAdminRole || defaultSystemAdminRole,
+        errorPath: config.errorPath || defaultErrorPath,
+        serviceId: config.serviceId,
     };
 }
 /**
@@ -798,18 +851,33 @@ function createMiddlewareConfig(config) {
  * 모든 인증, 권한, 구독 체크를 포함한 완전한 미들웨어 로직
  * @param req NextRequest 객체
  * @param config 미들웨어 설정
- * @param getNextAuthToken NextAuth 토큰을 가져오는 함수
+ * @param options 미들웨어 실행 옵션 (secret 필수)
  * @returns NextResponse 또는 null (다음 미들웨어로 진행)
  */
-async function handleMiddleware(req, config, getNextAuthToken) {
+async function handleMiddleware(req, config, options) {
     try {
         const pathname = req.nextUrl.pathname;
-        const secret = process.env.NEXTAUTH_SECRET;
-        const isProduction = process.env.NODE_ENV === 'production';
-        const cookieDomain = process.env.COOKIE_DOMAIN;
-        const serviceId = config.serviceId || 'checkon';
+        const { secret, isProduction, cookieDomain, getNextAuthToken, licenseKey } = options;
+        checkLicenseKey(licenseKey);
+        if (!config.serviceId) {
+            throw new Error('serviceId is required in middleware config');
+        }
+        const serviceId = config.serviceId;
         const cookiePrefix = serviceId;
-        const token = await getNextAuthToken(req);
+        let token = null;
+        if (getNextAuthToken) {
+            token = await getNextAuthToken(req);
+        }
+        else {
+            // 기본적으로 secret을 사용하여 토큰 가져오기
+            try {
+                const { getToken } = await Promise.resolve().then(() => __importStar(require('next-auth/jwt')));
+                token = await getToken({ req, secret });
+            }
+            catch {
+                // NextAuth가 없으면 null 유지
+            }
+        }
         const effectiveRole = getEffectiveRole(token, serviceId);
         // 1. API 요청 처리
         if (pathname.startsWith('/api/')) {
@@ -821,9 +889,13 @@ async function handleMiddleware(req, config, getNextAuthToken) {
             }
             const authCheck = await verifyAndRefreshTokenWithNextAuth(req, token, secret, {
                 cookiePrefix,
+                serviceId,
                 isProduction,
                 cookieDomain,
                 text: serviceId,
+                ssoBaseURL: options.ssoBaseURL,
+                authServiceKey: options.authServiceKey,
+                licenseKey: options.licenseKey,
             });
             if (authCheck.response) {
                 return authCheck.response;
@@ -850,7 +922,11 @@ async function handleMiddleware(req, config, getNextAuthToken) {
                     const tokenRole = extractRoleFromPayload(payload, serviceId, defaultRole);
                     // 3. Refresh token 가져오기 (서버 간 통신)
                     const userId = payload.sub || payload.userId || '';
-                    const refreshToken = await getRefreshTokenFromSSO(userId, tokenParam) || '';
+                    const ssoBaseURL = options.ssoBaseURL;
+                    const authServiceKey = options.authServiceKey;
+                    const refreshToken = authServiceKey
+                        ? await getRefreshTokenFromSSO(userId, tokenParam, { ssoBaseURL, authServiceKey }) || ''
+                        : '';
                     // 4. 자체 토큰 생성 및 쿠키 설정
                     const redirectPath = config.rolePaths[tokenRole] || config.rolePaths[defaultRole] || '/admin';
                     const response = await createAuthResponse(tokenParam, secret, {
@@ -860,12 +936,15 @@ async function handleMiddleware(req, config, getNextAuthToken) {
                         cookiePrefix,
                         isProduction,
                         cookieDomain,
+                        serviceId,
+                        licenseKey: options.licenseKey,
                     });
                     return response;
                 }
                 catch {
                     // 토큰 검증 실패 시 SSO 로그인으로 리다이렉트
-                    return redirectToSSOLogin(req, serviceId);
+                    const ssoBaseURL = options.ssoBaseURL;
+                    return redirectToSSOLogin(req, serviceId, ssoBaseURL);
                 }
             }
             // 토큰이 없고 이미 인증된 경우 역할별 대시보드로 리다이렉트
@@ -873,7 +952,8 @@ async function handleMiddleware(req, config, getNextAuthToken) {
                 return redirectToRoleDashboard(req, effectiveRole, config.rolePaths);
             }
             // 인증되지 않은 경우 SSO 로그인 페이지로 리다이렉트
-            return redirectToSSOLogin(req, serviceId);
+            const ssoBaseURL = options.ssoBaseURL;
+            return redirectToSSOLogin(req, serviceId, ssoBaseURL);
         }
         // 3. 공개 경로 처리
         if (config.publicPaths.some((path) => pathname === path || pathname.startsWith(path))) {
@@ -888,18 +968,35 @@ async function handleMiddleware(req, config, getNextAuthToken) {
         // 4. 인증 체크
         const authCheck = await verifyAndRefreshTokenWithNextAuth(req, token, secret, {
             cookiePrefix,
+            serviceId,
             isProduction,
             cookieDomain,
             text: serviceId,
+            ssoBaseURL: options.ssoBaseURL,
+            authServiceKey: options.authServiceKey,
+            licenseKey: options.licenseKey,
         });
         if (authCheck.response) {
             return authCheck.response;
         }
         if (!authCheck.isValid) {
-            return redirectToSSOLogin(req, serviceId);
+            const ssoBaseURL = options.ssoBaseURL;
+            return redirectToSSOLogin(req, serviceId, ssoBaseURL);
         }
         // 5. 토큰 확인 및 변환
-        let finalToken = token || await getNextAuthToken(req);
+        let finalToken = token;
+        if (!finalToken && getNextAuthToken) {
+            finalToken = await getNextAuthToken(req);
+        }
+        else if (!finalToken) {
+            try {
+                const { getToken } = await Promise.resolve().then(() => __importStar(require('next-auth/jwt')));
+                finalToken = await getToken({ req, secret });
+            }
+            catch {
+                // NextAuth가 없으면 null 유지
+            }
+        }
         // verifyAndRefreshToken이 성공했는데 NextAuth 토큰이 없으면, 자체 토큰을 사용
         if (!finalToken && authCheck.isValid) {
             const accessToken = req.cookies.get(`${cookiePrefix}_access_token`)?.value;
@@ -907,20 +1004,23 @@ async function handleMiddleware(req, config, getNextAuthToken) {
                 const tokenResult = await verifyToken(accessToken, secret);
                 if (tokenResult) {
                     const { payload } = tokenResult;
-                    finalToken = createNextAuthJWT(payload, true); // academies 포함
+                    finalToken = createNextAuthJWT(payload, serviceId, true); // academies 포함
                 }
             }
         }
         if (!finalToken) {
-            return redirectToSSOLogin(req, serviceId);
+            const ssoBaseURL = options.ssoBaseURL;
+            return redirectToSSOLogin(req, serviceId, ssoBaseURL);
         }
         // 6. 토큰 에러 체크
         if (finalToken.error === "RefreshAccessTokenError") {
-            return redirectToSSOLogin(req, serviceId);
+            const ssoBaseURL = options.ssoBaseURL;
+            return redirectToSSOLogin(req, serviceId, ssoBaseURL);
         }
         // 7. 토큰 유효성 체크
         if (!finalToken.role || !finalToken.email) {
-            return redirectToSSOLogin(req, serviceId);
+            const ssoBaseURL = options.ssoBaseURL;
+            return redirectToSSOLogin(req, serviceId, ssoBaseURL);
         }
         // 8. 역할 기반 접근 제어
         const finalEffectiveRole = finalToken.role || getEffectiveRole(finalToken, serviceId) || effectiveRole || '';
@@ -933,7 +1033,11 @@ async function handleMiddleware(req, config, getNextAuthToken) {
         // 9. 구독 상태 확인 (시스템 관리자 제외)
         if (finalEffectiveRole && requiresSubscription(pathname, finalEffectiveRole, config.subscriptionRequiredPaths, config.systemAdminRole)) {
             const services = finalToken.services || [];
-            const subscriptionCheck = validateServiceSubscription(services, serviceId);
+            const ssoBaseURL = options.ssoBaseURL;
+            if (!ssoBaseURL) {
+                throw new Error('ssoBaseURL is required in middleware options');
+            }
+            const subscriptionCheck = validateServiceSubscription(services, serviceId, ssoBaseURL);
             if (!subscriptionCheck.isValid) {
                 return server_1.NextResponse.redirect(subscriptionCheck.redirectUrl);
             }