create-entity-app-server 0.0.3

package/src/app/routes/messages/chat/entities/user_chat_room_member.json

@@ -0,0 +1,49 @@
+{
+    "name": "user_chat_room_member",
+    "description": "채팅방 참여자. 사용자 환경에 맞게 fields를 자유롭게 확장할 수 있습니다.",
+    "license_scope": false,
+    "fields": {
+        "is_muted": {
+            "index": true,
+            "comment": "알림 음소거",
+            "default": false
+        },
+        "joined_time": {
+            "index": true,
+            "comment": "참여시각"
+        },
+        "last_read_seq": {
+            "index": true,
+            "comment": "마지막 읽은 메시지seq"
+        },
+        "role": {
+            "index": true,
+            "comment": "방 내 역할",
+            "type": [
+                "owner",
+                "admin",
+                "member"
+            ],
+            "default": "member"
+        },
+        "room_seq": {
+            "index": true,
+            "comment": "채팅방seq",
+            "required": true
+        },
+        "user_seq": {
+            "index": true,
+            "comment": "참여자seq",
+            "required": true
+        }
+    },
+    "unique": [
+        [
+            "room_seq",
+            "user_seq"
+        ]
+    ],
+    "fk": {
+        "room_seq": "user_chat_room.seq"
+    }
+}

package/src/app/routes/messages/chat/routes.ts

@@ -0,0 +1,28 @@
+/**
+ * Chat 라우트 플러그인
+ *
+ * 자동 로더가 `app/routes/chat/routes.ts`를 탐색하여
+ * prefix `/api/v1/chat` 으로 등록한다.
+ *
+ * 엔티티:
+ *   - user_chat_room        — 채팅방
+ *   - user_chat_room_member — 채팅방 멤버
+ *   - user_chat             — 채팅 메시지
+ *   - user_chat_files       — 채팅 첨부파일
+ */
+
+import type { FastifyInstance } from "fastify";
+import { dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { logger, ensurePluginEntities } from "@gateway/api";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+export default async function chatRoutes(app: FastifyInstance): Promise<void> {
+    await ensurePluginEntities(__dirname).catch((err) =>
+        logger.warn({ err }, "chat: ensureEntities failed"),
+    );
+
+    // TODO: 채팅방/메시지 라우트 핸들러 추가
+    void app;
+}

package/src/app/routes/messages/msgbox/config.json

@@ -0,0 +1,5 @@
+{
+    "enabled": false,
+    "deploy": false,
+    "minify": false
+}

package/src/app/routes/messages/msgbox/entities/user_msgbox.json

@@ -0,0 +1,73 @@
+{
+    "name": "user_msgbox",
+    "description": "사용자 알림 메시지 (통지 전용). insert 시 수신자 디바이스로 푸시 알림 자동 전송. 사용자 환경에 맞게 fields를 자유롭게 확장할 수 있습니다.",
+    "fields": {
+        "is_read": {
+            "index": true,
+            "comment": "읽음 여부",
+            "default": false
+        },
+        "msg_type": {
+            "index": true,
+            "comment": "메시지 타입",
+            "type": [
+                "notification",
+                "system",
+                "alert"
+            ],
+            "default": "notification",
+            "required": true
+        },
+        "priority": {
+            "index": true,
+            "comment": "우선순위",
+            "type": [
+                "low",
+                "normal",
+                "high",
+                "urgent"
+            ],
+            "default": "normal"
+        },
+        "read_time": {
+            "index": true,
+            "comment": "읽음시각"
+        },
+        "ref_entity": {
+            "index": true,
+            "comment": "참조 엔티티명"
+        },
+        "ref_seq": {
+            "index": true,
+            "comment": "참조 데이터seq"
+        },
+        "sender_seq": {
+            "index": true,
+            "comment": "발신자seq (시스템 알림은 0)"
+        },
+        "user_seq": {
+            "index": true,
+            "comment": "수신자seq",
+            "required": true
+        }
+    },
+    "fk": {
+        "sender_seq": "user.seq"
+    },
+    "hooks": {
+        "after_insert": [
+            {
+                "type": "push",
+                "target_user_field": "user_seq",
+                "title": "새 알림",
+                "push_body": "${new.body}",
+                "push_data": {
+                    "msg_type": "${new.msg_type}",
+                    "ref_entity": "${new.ref_entity}",
+                    "ref_seq": "${new.ref_seq}",
+                    "msgbox_seq": "${new.seq}"
+                }
+            }
+        ]
+    }
+}

package/src/app/routes/messages/msgbox/routes.ts

@@ -0,0 +1,28 @@
+/**
+ * Msgbox 라우트 플러그인
+ *
+ * 자동 로더가 `app/routes/msgbox/routes.ts`를 탐색하여
+ * prefix `/api/v1/msgbox` 으로 등록한다.
+ *
+ * 엔티티:
+ *   - user_msgbox       — 메시지함 (쪽지/알림 수신함)
+ *   - user_msgbox_files — 메시지함 첨부파일
+ */
+
+import type { FastifyInstance } from "fastify";
+import { dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { logger, ensurePluginEntities } from "@gateway/api";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+export default async function msgboxRoutes(
+    app: FastifyInstance,
+): Promise<void> {
+    await ensurePluginEntities(__dirname).catch((err) =>
+        logger.warn({ err }, "msgbox: ensureEntities failed"),
+    );
+
+    // TODO: 메시지함 조회·전송 라우트 핸들러 추가
+    void app;
+}

package/src/app/routes/password-reset/config.example.json

@@ -0,0 +1,13 @@
+{
+    "enabled": true,
+    "mode": "temp_password",
+    "temp_password_ttl_sec": 300,
+    "temp_password_length": 12,
+    "link_base_url": "https://example.com/reset-password",
+    "link_token_ttl_sec": 300,
+    "rate_limit": {
+        "per_email_per_hour": 5,
+        "per_ip_per_minute": 10
+    },
+    "email_subject": "비밀번호 재설정"
+}

package/src/app/routes/password-reset/config.json

@@ -0,0 +1,15 @@
+{
+    "enabled": true,
+    "mode": "temp_password",
+    "temp_password_ttl_sec": 300,
+    "temp_password_length": 12,
+    "link_base_url": "",
+    "link_token_ttl_sec": 300,
+    "rate_limit": {
+        "per_email_per_hour": 5,
+        "per_ip_per_minute": 10
+    },
+    "email_subject": "비밀번호 재설정",
+    "deploy": true,
+    "minify": false
+}

package/src/app/routes/password-reset/entities/account.json

@@ -0,0 +1,13 @@
+{
+    "name": "account",
+    "description": "비밀번호 재설정 라우트의 link 모드 활성화 시 account 엔티티에 추가되는 필드. temp_password 모드 필드(temp_password_hash, temp_password_issued_time)는 Go 서버가 관리하므로 entities/System/Auth/account.json에 정의되어 있습니다.",
+    "fields": {
+        "password_reset_token": {
+            "type": "varchar(128)",
+            "comment": "비밀번호 재설정 링크 토큰의 SHA-256 해시 (link 모드 전용)"
+        },
+        "password_reset_expires": {
+            "comment": "비밀번호 재설정 토큰 만료 시각 (ISO 8601, link 모드 전용)"
+        }
+    }
+}

package/src/app/routes/password-reset/handlers.ts

@@ -0,0 +1,335 @@
+/**
+ * 비밀번호 재설정 핸들러
+ *
+ * Go `internal/handler/password_reset_handler.go`에서 포팅.
+ *
+ * 두 가지 모드 지원 (config.mode):
+ * 1. "temp_password" — 임시 비밀번호 발급 → 이메일 → /auth/login 으로 로그인
+ * 2. "link" — 토큰 기반 리셋 링크 → 이메일 → /password-reset/verify 로 새 비밀번호 설정
+ */
+
+import type { FastifyRequest, FastifyReply } from "fastify";
+import { ok, fail, entityServer, logger, sendEmail } from "@gateway/api";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const TEMPLATES_DIR = join(__dirname, "templates");
+
+import type {
+    PasswordResetConfig,
+    PasswordResetRequestBody,
+    PasswordResetVerifyBody,
+    PasswordResetValidateParams,
+    AccountResetFields,
+    RateLimitEntry,
+} from "./types/index.ts";
+
+import {
+    hashPassword,
+    generateTempPassword,
+    generateResetToken,
+    hashToken,
+    verifyPassword,
+} from "./password-utils.ts";
+
+/* ──────────── Rate Limit (인메모리) ──────────── */
+
+const emailLimits = new Map<string, RateLimitEntry>();
+const ipLimits = new Map<string, RateLimitEntry>();
+
+const HOUR_MS = 3_600_000;
+const MINUTE_MS = 60_000;
+
+/** 오래된 항목 자동 정리 (5분마다) */
+function cleanupLimits(): void {
+    const now = Date.now();
+    for (const [key, entry] of emailLimits) {
+        if (entry.resetAt <= now) emailLimits.delete(key);
+    }
+    for (const [key, entry] of ipLimits) {
+        if (entry.resetAt <= now) ipLimits.delete(key);
+    }
+}
+
+const _cleanupInterval = setInterval(cleanupLimits, 5 * MINUTE_MS);
+// Node.js가 이 타이머 때문에 종료 대기하지 않도록
+if (_cleanupInterval.unref) _cleanupInterval.unref();
+
+function isRateLimited(
+    map: Map<string, RateLimitEntry>,
+    key: string,
+    maxCount: number,
+    windowMs: number,
+): boolean {
+    const now = Date.now();
+    const entry = map.get(key);
+    if (!entry || entry.resetAt <= now) {
+        map.set(key, { count: 1, resetAt: now + windowMs });
+        return false;
+    }
+    entry.count++;
+    return entry.count > maxCount;
+}
+
+/* ──────────── 공통 유틸 ──────────── */
+
+/** 계정 열거 공격 방지 — 항상 동일한 성공 응답 */
+const ALWAYS_SUCCESS = { ok: true, message: "요청이 처리되었습니다." };
+
+function nowIsoString(): string {
+    return new Date().toISOString().replace("T", " ").replace("Z", "").slice(0, 19);
+}
+
+function getClientIp(req: FastifyRequest): string {
+    return (req.headers["x-forwarded-for"] as string)?.split(",")[0]?.trim() ?? req.ip ?? "unknown";
+}
+
+/* ══════════════════════════════════════════════════════════════════════
+ * POST /request — 비밀번호 재설정 요청
+ * ════════════════════════════════════════════════════════════════════ */
+export function createRequestHandler(cfg: PasswordResetConfig) {
+    return async function handlePasswordResetRequest(
+        req: FastifyRequest<{ Body: PasswordResetRequestBody }>,
+        reply: FastifyReply,
+    ): Promise<void> {
+        const email = (req.body?.email ?? "").trim().toLowerCase();
+        if (!email) {
+            reply.code(400).send(fail("email is required"));
+            return;
+        }
+
+        // Rate limit 확인
+        const clientIp = getClientIp(req);
+        if (isRateLimited(ipLimits, clientIp, cfg.rate_limit.per_ip_per_minute, MINUTE_MS)) {
+            // 과도한 요청 — 하지만 열거 공격 방지를 위해 동일 응답
+            logger.warn({ ip: clientIp }, "Password reset IP rate limit exceeded");
+            reply.send(ALWAYS_SUCCESS);
+            return;
+        }
+        if (isRateLimited(emailLimits, email, cfg.rate_limit.per_email_per_hour, HOUR_MS)) {
+            logger.warn({ email }, "Password reset email rate limit exceeded");
+            reply.send(ALWAYS_SUCCESS);
+            return;
+        }
+
+        // 계정 조회
+        let account: Record<string, unknown> | null = null;
+        try {
+            const result = await entityServer.find<Record<string, unknown>>("account", { email });
+            account = result?.data ?? null;
+        } catch {
+            // 계정 없음 → 동일 응답
+        }
+
+        if (!account || !account.seq) {
+            reply.send(ALWAYS_SUCCESS);
+            return;
+        }
+        const accountSeq = Number(account.seq);
+
+        try {
+            if (cfg.mode === "link") {
+                await handleLinkMode(cfg, email, accountSeq);
+            } else {
+                await handleTempPasswordMode(cfg, email, accountSeq);
+            }
+        } catch (err) {
+            logger.error({ err, email }, "Password reset request failed");
+        }
+
+        reply.send(ALWAYS_SUCCESS);
+    };
+}
+
+/** temp_password 모드 핸들링 */
+async function handleTempPasswordMode(
+    cfg: PasswordResetConfig,
+    email: string,
+    accountSeq: number,
+): Promise<void> {
+    const length = cfg.temp_password_length || 12;
+    const ttlSec = cfg.temp_password_ttl_sec || 300;
+
+    const tempPwd = generateTempPassword(length);
+    const tempHash = hashPassword(tempPwd);
+
+    // account 업데이트 (기존 비밀번호 유지)
+    await entityServer.submit("account", {
+        seq: accountSeq,
+        temp_password_hash: tempHash,
+        temp_password_issued_time: nowIsoString(),
+    } as Record<string, unknown>);
+
+    // 이메일 발송
+    const expiresMin = Math.ceil(ttlSec / 60);
+    await sendEmail({
+        to: [email],
+        subject: cfg.email_subject || "비밀번호 재설정",
+        templateDir: TEMPLATES_DIR,
+        templateName: "password_reset",
+        templateData: {
+            temp_password: tempPwd,
+            expires_in: `${expiresMin}분`,
+            email,
+        },
+    });
+
+    logger.info({ accountSeq }, "Temp password issued");
+}
+
+/** link 모드 핸들링 */
+async function handleLinkMode(
+    cfg: PasswordResetConfig,
+    email: string,
+    accountSeq: number,
+): Promise<void> {
+    const ttlSec = cfg.link_token_ttl_sec || 300;
+
+    const [rawToken, tokenHash] = generateResetToken();
+    const expiresAt = new Date(Date.now() + ttlSec * 1000).toISOString();
+
+    // account 업데이트
+    await entityServer.submit("account", {
+        seq: accountSeq,
+        password_reset_token: tokenHash,
+        password_reset_expires: expiresAt,
+    } as Record<string, unknown>);
+
+    // 리셋 URL 구성
+    const baseUrl = cfg.link_base_url || "https://example.com/reset-password";
+    const resetUrl = `${baseUrl}?token=${rawToken}`;
+    const expiresMin = Math.ceil(ttlSec / 60);
+
+    // 이메일 발송
+    await sendEmail({
+        to: [email],
+        subject: cfg.email_subject || "비밀번호 재설정",
+        templateDir: TEMPLATES_DIR,
+        templateName: "password_reset_link",
+        templateData: {
+            reset_url: resetUrl,
+            expires_in: `${expiresMin}분`,
+            email,
+        },
+    });
+
+    logger.info({ accountSeq }, "Password reset link issued");
+}
+
+/* ══════════════════════════════════════════════════════════════════════
+ * GET /validate/:token — 토큰 유효성 확인 (link 모드 전용)
+ * ════════════════════════════════════════════════════════════════════ */
+export function createValidateHandler(cfg: PasswordResetConfig) {
+    return async function handlePasswordResetValidate(
+        req: FastifyRequest<{ Params: PasswordResetValidateParams }>,
+        reply: FastifyReply,
+    ): Promise<void> {
+        if (cfg.mode !== "link") {
+            reply.code(404).send(fail("This endpoint is available only in link mode"));
+            return;
+        }
+
+        const { token } = req.params;
+        if (!token || token.length !== 64) {
+            reply.send(ok({ valid: false }));
+            return;
+        }
+
+        const tokenH = hashToken(token);
+
+        // token 해시로 account 조회
+        let account: AccountResetFields | null = null;
+        try {
+            const result = await entityServer.find<AccountResetFields>("account", {
+                password_reset_token: tokenH,
+            });
+            account = result?.data ?? null;
+        } catch {
+            // not found
+        }
+
+        if (!account || !account.password_reset_expires) {
+            reply.send(ok({ valid: false }));
+            return;
+        }
+
+        const expiresAt = new Date(account.password_reset_expires).getTime();
+        const now = Date.now();
+        if (expiresAt <= now) {
+            reply.send(ok({ valid: false }));
+            return;
+        }
+
+        reply.send(ok({ valid: true, expires_in_sec: Math.floor((expiresAt - now) / 1000) }));
+    };
+}
+
+/* ══════════════════════════════════════════════════════════════════════
+ * POST /verify — 토큰 검증 + 새 비밀번호 설정 (link 모드 전용)
+ * ════════════════════════════════════════════════════════════════════ */
+export function createVerifyHandler(cfg: PasswordResetConfig) {
+    return async function handlePasswordResetVerify(
+        req: FastifyRequest<{ Body: PasswordResetVerifyBody }>,
+        reply: FastifyReply,
+    ): Promise<void> {
+        if (cfg.mode !== "link") {
+            reply.code(404).send(fail("This endpoint is available only in link mode"));
+            return;
+        }
+
+        const token = req.body?.token ?? "";
+        const newPassword = req.body?.new_password ?? "";
+
+        if (!token || token.length !== 64) {
+            reply.code(400).send(fail("유효하지 않은 토큰입니다."));
+            return;
+        }
+        if (!newPassword || newPassword.length < 4) {
+            reply.code(400).send(fail("새 비밀번호를 입력하세요."));
+            return;
+        }
+
+        const tokenH = hashToken(token);
+
+        // account 조회
+        let account: AccountResetFields | null = null;
+        try {
+            const result = await entityServer.find<AccountResetFields>("account", {
+                password_reset_token: tokenH,
+            });
+            account = result?.data ?? null;
+        } catch {
+            reply.code(400).send(fail("유효하지 않은 토큰입니다."));
+            return;
+        }
+
+        if (!account || !account.seq || !account.password_reset_expires) {
+            reply.code(400).send(fail("유효하지 않은 토큰입니다."));
+            return;
+        }
+
+        // 만료 확인
+        const expiresAt = new Date(account.password_reset_expires).getTime();
+        if (expiresAt <= Date.now()) {
+            reply.code(400).send(fail("토큰이 만료되었습니다."));
+            return;
+        }
+
+        // 새 비밀번호 해싱 (Go 호환)
+        const newHash = hashPassword(newPassword);
+
+        // account 업데이트 — 비밀번호 변경 + 토큰 삭제 + 강제변경 해제
+        await entityServer.submit("account", {
+            seq: account.seq,
+            passwd: newHash,
+            passwd_changed_time: nowIsoString(),
+            force_password_change: false,
+            password_reset_token: null,
+            password_reset_expires: null,
+        } as Record<string, unknown>);
+
+        logger.info({ accountSeq: account.seq }, "Password reset completed via link");
+        reply.send(ok({ message: "비밀번호가 변경되었습니다." }));
+    };
+}

package/src/app/routes/password-reset/password-utils.ts

@@ -0,0 +1,96 @@
+/**
+ * 비밀번호 유틸리티 — Go 엔티티서버 `internal/security/password.go` 호환
+ *
+ * - SHA-256 + 16-byte salt 해싱 (형식: "hex(sha256(salt+pwd)).hex(salt)")
+ * - 임시 비밀번호 생성 (혼동 문자 제외)
+ * - 리셋 토큰 생성 (32-byte hex + SHA-256 해시)
+ */
+
+import { createHash, randomBytes, randomInt, timingSafeEqual } from "node:crypto";
+
+/**
+ * 비밀번호를 SHA-256+salt 형식으로 해싱한다.
+ *
+ * Go 호환 형식: `hex(sha256(salt_bytes + password_bytes)).hex(salt_bytes)`
+ * salt는 16바이트 랜덤
+ */
+export function hashPassword(password: string): string {
+    const salt = randomBytes(16);
+    const hash = createHash("sha256")
+        .update(Buffer.concat([salt, Buffer.from(password, "utf-8")]))
+        .digest("hex");
+    return `${hash}.${salt.toString("hex")}`;
+}
+
+/**
+ * 비밀번호를 해시와 비교한다 (constant-time).
+ *
+ * 지원 형식:
+ * - `"hex_hash.hex_salt"` — SHA-256(salt + password)
+ * - `"hex_hash"` (64자) — 레거시 SHA-256(password) 형식
+ */
+export function verifyPassword(password: string, storedHash: string): boolean {
+    const parts = storedHash.split(".");
+    if (parts.length === 2) {
+        const [hashHex, saltHex] = parts;
+        const salt = Buffer.from(saltHex!, "hex");
+        const computed = createHash("sha256")
+            .update(Buffer.concat([salt, Buffer.from(password, "utf-8")]))
+            .digest("hex");
+        try {
+            return timingSafeEqual(Buffer.from(computed, "hex"), Buffer.from(hashHex!, "hex"));
+        } catch {
+            return false;
+        }
+    }
+    // 레거시: 솔트 없는 SHA-256(password)
+    if (storedHash.length === 64) {
+        const computed = createHash("sha256")
+            .update(Buffer.from(password, "utf-8"))
+            .digest("hex");
+        try {
+            return timingSafeEqual(Buffer.from(computed, "hex"), Buffer.from(storedHash, "hex"));
+        } catch {
+            return false;
+        }
+    }
+    return false;
+}
+
+/**
+ * 혼동 문자를 제외한 랜덤 임시 비밀번호를 생성한다.
+ *
+ * Go `security.GenerateTempPassword` 호환:
+ * - 문자셋: `abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789`
+ * - 제외: 0/O, 1/l/I
+ */
+export function generateTempPassword(length: number): string {
+    const chars = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789";
+    const result: string[] = [];
+    for (let i = 0; i < length; i++) {
+        result.push(chars[randomInt(chars.length)]!);
+    }
+    return result.join("");
+}
+
+/**
+ * 32-byte 랜덤 리셋 토큰을 생성한다.
+ *
+ * @returns [rawToken (64-char hex), sha256Hash (64-char hex)]
+ */
+export function generateResetToken(): [string, string] {
+    const raw = randomBytes(32).toString("hex");
+    const hash = createHash("sha256")
+        .update(Buffer.from(raw, "utf-8"))
+        .digest("hex");
+    return [raw, hash];
+}
+
+/**
+ * 토큰 원문으로부터 SHA-256 해시를 생성한다.
+ */
+export function hashToken(token: string): string {
+    return createHash("sha256")
+        .update(Buffer.from(token, "utf-8"))
+        .digest("hex");
+}