// auth/config.ts - 업데이트된 NextAuth 설정
import NextAuth, {
  NextAuthOptions,
  Session,
  User,
  Account
} from 'next-auth'
import { JWT } from "next-auth/jwt"
import CredentialsProvider from 'next-auth/providers/credentials'
import { SAMLProvider } from './saml/provider'
import { getUserByEmail, getUserById } from '@/lib/users/repository'
import { authenticateWithSGips, verifyExternalCredentials } from '@/lib/users/auth/verifyCredentails'
import { verifyOtpTemp } from '@/lib/users/verifyOtp'
import { getSecuritySettings } from '@/lib/password-policy/service'
import { verifySmsToken } from '@/lib/users/auth/passwordUtil'
import { SessionRepository } from '@/lib/users/session/repository'
import { loginSessions } from '@/db/schema'

// Authentication method tag carried on User / JWT / Session.
// Values observed in this file: 'otp' and 'saml' are assigned directly; 'email' and
// 'sgips' are only declared here (set elsewhere, presumably via the temp-auth session).
type AuthMethod = 'otp' | 'email' | 'sgips' | 'saml'

// Module augmentation (unchanged): extends NextAuth's Session / User / JWT shapes with the
// tenant fields, the application-level expiry bookkeeping and the DB login-session id.
declare module "next-auth" {
  interface Session {
    user: {
      id: string
      name?: string | null
      email?: string | null
      image?: string | null
      companyId?: number | null
      techCompanyId?: number | null
      domain?: string | null
      // epoch ms of the last (re-)authentication; mirrored from the JWT
      reAuthTime?: number | null
      authMethod?: AuthMethod
      // epoch ms; checked in callbacks.session to expire the app session
      sessionExpiredAt?: number | null
      dbSessionId?: string | null // id of the DB login session row (added)
    }
  }

  interface User {
    id: string
    imageUrl?: string | null
    companyId?: number | null
    techCompanyId?: number | null
    domain?: string | null
    reAuthTime?: number | null
    authMethod?: AuthMethod
    dbSessionId?: string | null
  }
}

declare module "next-auth/jwt" {
  interface JWT {
    id?: string
    imageUrl?: string | null
    companyId?: number | null
    techCompanyId?: number | null
    domain?: string | null
    reAuthTime?: number | null
    authMethod?: AuthMethod
    // epoch ms; set in callbacks.jwt from reAuthTime + security-settings timeout
    sessionExpiredAt?: number | null
    dbSessionId?: string | null
  }
}

// Process-local cache for the security settings (unchanged).
// `data` is whatever getSecuritySettings() returns (typed `any` here); the only field
// this file reads from it is `sessionTimeoutMinutes`.
let securitySettingsCache: {
  data: any | null
  lastFetch: number // epoch ms of the last successful fetch (0 = never)
  ttl: number       // ms before a cached value is considered stale
} = {
  data: null,
  lastFetch: 0,
  ttl: 5 * 60 * 1000 // 5-minute cache
}

/**
 * Returns the security settings, re-fetching through getSecuritySettings() when the
 * cache is empty or older than `securitySettingsCache.ttl`.
 *
 * On a failed fetch the cache is filled with a default of 480 minutes and `lastFetch`
 * is left untouched, so the next call past the TTL retries the backend.
 *
 * @returns the cached settings object (never null after this call)
 */
async function getCachedSecuritySettings() {
  const now = Date.now()
  const { data, lastFetch, ttl } = securitySettingsCache
  const isStale = now - lastFetch > ttl

  // Fast path: a value is present and still within its TTL.
  if (data && !isStale) {
    return data
  }

  try {
    const fresh = await getSecuritySettings()
    securitySettingsCache.data = fresh
    securitySettingsCache.lastFetch = now
  } catch (error) {
    console.error('Failed to fetch security settings:', error)
    // Fallback so callers always get a sessionTimeoutMinutes to compute expiry from.
    securitySettingsCache.data = {
      sessionTimeoutMinutes: 480 // 8-hour default
    }
  }

  return securitySettingsCache.data
}

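/**
 * Normalises a header value that may arrive as a string or a string[] (Node's
 * IncomingHttpHeaders allow both) to its first non-empty string.
 *
 * @returns the first string value, or undefined when absent/empty
 */
function firstHeaderValue(value: unknown): string | undefined {
  const single = Array.isArray(value) ? value[0] : value
  return typeof single === 'string' && single.length > 0 ? single : undefined
}

/**
 * Best-effort client IP for audit/session records.
 *
 * Resolution order: first entry of `x-forwarded-for`, then `x-real-ip`, then
 * `req.ip`, then `req.connection.remoteAddress`, finally the literal '127.0.0.1'.
 *
 * Both headers are supplied by whoever sent the request, so the result is only
 * trustworthy when a proxy in front of the app overwrites them; treat the value
 * as log/record data, not as an input to access decisions.
 *
 * Tolerates a missing `headers` object (the MFA provider already guards
 * `req.headers?.[...]` itself) and array-valued headers, both of which threw
 * in the previous implementation.
 *
 * @param req request-like object with optional `headers`, `ip`, `connection`
 * @returns a non-empty string; '127.0.0.1' when nothing better is available
 */
function getClientIP(req: any): string {
  const headers = req?.headers ?? {}

  const forwarded = firstHeaderValue(headers['x-forwarded-for'])
  if (forwarded) {
    // Leftmost entry is the originating client as reported by the chain.
    const first = forwarded.split(',')[0]?.trim()
    if (first) {
      return first
    }
  }

  const realIP = firstHeaderValue(headers['x-real-ip'])
  if (realIP) {
    return realIP
  }

  return req?.ip || req?.connection?.remoteAddress || '127.0.0.1'
}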

/**
 * NextAuth configuration used by the auth route.
 *
 * Providers:
 *  - credentials-otp        : OTP login; resolves the user via verifyOtpTemp(email)
 *  - credentials-mfa        : final step after MFA (temp-auth key + SMS token); creates a DB login session
 *  - credentials-first-auth : placeholder whose authorize always returns null
 *  - credentials-saml       : SAML SSO via SAMLProvider, configured from environment variables
 *
 * Sessions use the JWT strategy. In addition to NextAuth's cookie maxAge, an
 * application-level expiry (`token.sessionExpiredAt`, derived from the cached
 * security settings) is enforced in `callbacks.session`.
 */
export const authOptions: NextAuthOptions = {
  providers: [
    // OTP login (unchanged from the previous version)
    CredentialsProvider({
      id: 'credentials-otp',
      name: 'OTP',
      credentials: {
        email: { label: 'Email', type: 'text' },
        code: { label: 'OTP code', type: 'text' },
      },
      /**
       * Resolves the user for an OTP login.
       * NOTE(review): `code` is destructured but never used — verifyOtpTemp is called with
       * the email alone. Confirm the OTP itself was validated in an earlier step; otherwise
       * this provider authenticates on the email alone.
       */
      async authorize(credentials, req) {
        const { email, code } = credentials ?? {}

        const user = await verifyOtpTemp(email ?? '')
        if (!user) {
          return null
        }

        // Fetched but not used by this provider; expiry is computed in callbacks.jwt.
        const securitySettings = await getCachedSecuritySettings()
        const reAuthTime = Date.now()

        return {
          id: String(user.id ?? email ?? "dts"),
          email: user.email,
          imageUrl: user.imageUrl ?? null,
          name: user.name,
          companyId: user.companyId,
          techCompanyId: user.techCompanyId as number | undefined,
          domain: user.domain,
          reAuthTime,
          authMethod: 'otp' as AuthMethod,
        }
      },
    }),

    // Final authentication after MFA (DB-backed version)
    CredentialsProvider({
      id: 'credentials-mfa',
      name: 'MFA Verification',
      credentials: {
        userId: { label: 'User ID', type: 'text' },
        smsToken: { label: 'SMS Token', type: 'text' },
        tempAuthKey: { label: 'Temp Auth Key', type: 'text' },
      },
      /**
       * Completes login after the second factor.
       *
       * Steps: (1) load the temp-auth session by key and require it to belong to
       * `userId`; (2) verify the SMS token; (3) load the user; (4) mark the temp-auth
       * session used; (5) create a DB login session with the client IP / user agent.
       * Any thrown error is logged and turns into `null` (login denied).
       *
       * Note that `userId` is compared as a string against `tempAuth.userId` in step 1
       * but converted with Number() for steps 2 and 3; a non-numeric id becomes NaN there.
       */
      async authorize(credentials, req) {
        if (!credentials?.userId || !credentials?.smsToken || !credentials?.tempAuthKey) {
          console.error('MFA credentials missing')
          return null
        }

        try {
          // Look up the temporary auth record in the DB; it must match the claimed user.
          const tempAuth = await SessionRepository.getTempAuthSession(credentials.tempAuthKey)
          if (!tempAuth || tempAuth.userId !== credentials.userId) {
            console.error('Temp auth expired or not found')
            return null
          }

          // Verify the SMS token for this user.
          const smsVerificationResult = await verifySmsToken(Number(credentials.userId), credentials.smsToken)
          if (!smsVerificationResult || !smsVerificationResult.success) {
            console.error('SMS token verification failed')
            return null
          }

          // Load the user record.
          const user = await getUserById(Number(credentials.userId))
          if (!user) {
            console.error('User not found after MFA verification')
            return null
          }

          // Mark the temporary auth record as consumed (single use).
          await SessionRepository.markTempAuthSessionAsUsed(credentials.tempAuthKey)

          // Security settings and session timing.
          const securitySettings = await getCachedSecuritySettings()
          const reAuthTime = Date.now()
          const sessionExpiredAt = new Date(reAuthTime + (securitySettings.sessionTimeoutMinutes * 60 * 1000))

          // Create the login session row in the DB.
          // `req.headers` is guarded here but getClientIP reads it unguarded — keep them consistent.
          const ipAddress = getClientIP(req)
          const userAgent = req.headers?.['user-agent']
          
          const dbSession = await SessionRepository.createLoginSession({
            userId: String(user.id),
            ipAddress,
            userAgent,
            authMethod: tempAuth.authMethod,
            sessionExpiredAt,
          })

          console.log(`MFA completed for user ${user.email} (${tempAuth.authMethod})`)

          return {
            id: String(user.id),
            email: user.email,
            imageUrl: user.imageUrl ?? null,
            name: user.name,
            companyId: user.companyId,
            techCompanyId: user.techCompanyId as number | undefined,
            domain: user.domain,
            reAuthTime,
            authMethod: tempAuth.authMethod as AuthMethod,
            dbSessionId: dbSession.id,
          }

        } catch (error) {
          console.error('MFA authorization error:', error)
          return null
        }
      },
    }),
    
    // First-factor provider (unchanged)
    CredentialsProvider({
      id: 'credentials-first-auth',
      name: 'First Factor Authentication',
      credentials: {
        username: { label: "Username", type: "text" },
        password: { label: "Password", type: "text" },
        provider: { label: "Provider", type: "text" },
      },
      // Always denies: signing in through this provider never yields a session here.
      // Presumably the first factor is handled by a separate endpoint — verify against callers.
      async authorize(credentials, req) {
        return null
      }
    }),

    // SAML provider (unchanged)
    // The `!` assertions only silence the type checker; if SAML_IDP_SSO_URL, SAML_IDP_CERT
    // or SAML_SP_ENTITY_ID is unset the provider receives `undefined` at runtime.
    SAMLProvider({
      id: "credentials-saml",
      name: "SAML SSO",
      idp: {
        sso_login_url: process.env.SAML_IDP_SSO_URL!,
        sso_logout_url: process.env.SAML_IDP_SLO_URL || '',
        certificates: [process.env.SAML_IDP_CERT!]
      },
      sp: {
        entity_id: process.env.SAML_SP_ENTITY_ID!,
        private_key: process.env.SAML_SP_PRIVATE_KEY || '',
        certificate: process.env.SAML_SP_CERT || '',
        assert_endpoint: process.env.SAML_SP_CALLBACK_URL || `${process.env.NEXTAUTH_URL}/api/saml/callback`
      }
    })
  ],

  session: {
    strategy: 'jwt',
    // NextAuth cookie lifetime. The application-level limit (sessionExpiredAt from the
    // security settings) is usually much shorter and is enforced in callbacks.session.
    maxAge: 30 * 24 * 60 * 60, // 30 days
  },

  callbacks: {
    /**
     * Populates and maintains the JWT.
     *  - `user` present (initial sign-in): copy user fields, stamp reAuthTime and sessionExpiredAt.
     *  - SAML sign-in (`account.provider === 'credentials-saml'`): also create a DB login session.
     *  - `trigger === "update"`: apply reAuthTime / user fields from the update payload and
     *    push the new expiry to the DB session.
     */
    async jwt({ token, user, account, trigger, session }) {
      const securitySettings = await getCachedSecuritySettings()
      const sessionTimeoutMs = securitySettings.sessionTimeoutMinutes * 60 * 1000

      // Initial sign-in (after MFA completed)
      if (user) {
        const reAuthTime = Date.now()
        token.id = user.id
        token.email = user.email
        token.name = user.name
        token.companyId = user.companyId
        token.techCompanyId = user.techCompanyId
        token.domain = user.domain
        token.imageUrl = user.imageUrl
        token.reAuthTime = reAuthTime
        token.authMethod = user.authMethod
        token.sessionExpiredAt = reAuthTime + sessionTimeoutMs
        token.dbSessionId = user.dbSessionId
      }

      // Create the DB session for SAML sign-ins
      if (account && account.provider === 'credentials-saml' && token.id) {
        const reAuthTime = Date.now()
        const sessionExpiredAt = new Date(reAuthTime + sessionTimeoutMs)
        
        try {
          const dbSession = await SessionRepository.createLoginSession({
            userId: token.id,
            ipAddress: '0.0.0.0', // IP tracking is limited for SAML
            authMethod: 'saml',
            sessionExpiredAt,
          })
          
          token.authMethod = 'saml'
          token.reAuthTime = reAuthTime
          token.sessionExpiredAt = reAuthTime + sessionTimeoutMs
          token.dbSessionId = dbSession.id
        } catch (error) {
          console.error('Failed to create SAML session:', error)
        }
      }

      // Session update
      // NOTE(review): with trigger "update", `session` is the payload handed to the
      // client-side update() call. A client can therefore supply its own reAuthTime and
      // extend sessionExpiredAt by up to one full timeout — confirm that is intended, or
      // stamp reAuthTime server-side here instead of taking it from the payload.
      if (trigger === "update" && session) {
        if (session.reAuthTime !== undefined) {
          token.reAuthTime = session.reAuthTime
          token.sessionExpiredAt = session.reAuthTime + sessionTimeoutMs
          
          // Update the DB session
          if (token.dbSessionId) {
            await SessionRepository.updateLoginSession(token.dbSessionId, {
              lastActivityAt: new Date(),
              sessionExpiredAt: new Date(session.reAuthTime + sessionTimeoutMs)
            })
          }
        }
        
        if (session.user) {
          if (session.user.name !== undefined) token.name = session.user.name
          if (session.user.email !== undefined) token.email = session.user.email
          if (session.user.image !== undefined) token.imageUrl = session.user.image
        }
      }

      return token
    },

    /**
     * Builds the client-visible session from the JWT and enforces the application-level
     * expiry. An expired token yields `{ expires: epoch, user: null }` and logs the DB
     * session out; nothing in the token is changed, so this branch runs again on every
     * call until the cookie itself is gone.
     */
    async session({ session, token }: { session: Session; token: JWT }) {
      // Session expiry check
      if (token.sessionExpiredAt && Date.now() > token.sessionExpiredAt) {
        console.log(`Session expired for user ${token.email}. Expired at: ${new Date(token.sessionExpiredAt)}`)
        
        // Expire the DB session
        if (token.dbSessionId) {
          await SessionRepository.logoutSession(token.dbSessionId)
        }
        
        return {
          expires: new Date(0).toISOString(),
          user: null as any
        }
      }

      if (token) {
        session.user = {
          id: token.id as string,
          email: token.email as string,
          name: token.name as string,
          domain: token.domain as string,
          companyId: token.companyId as number,
          techCompanyId: token.techCompanyId as number,
          image: token.imageUrl ?? null,
          reAuthTime: token.reAuthTime as number | null,
          authMethod: token.authMethod as AuthMethod,
          sessionExpiredAt: token.sessionExpiredAt as number | null,
          dbSessionId: token.dbSessionId as string | null,
        }
      }
      return session
    },

    /**
     * Keeps post-login redirects on the app's own origin: relative paths are prefixed
     * with baseUrl, absolute URLs are allowed only when their origin equals baseUrl,
     * anything else falls back to baseUrl. `new URL(url)` throws for strings that are
     * neither relative nor parseable URLs, which NextAuth surfaces as an error.
     */
    async redirect({ url, baseUrl }) {
      if (url.startsWith("/")) {
        return `${baseUrl}${url}`;
      }
      else if (new URL(url).origin === baseUrl) {
        return url;
      }
      return baseUrl;
    },
  },

  pages: {
    signIn: '/auth/login',
    error: '/auth/error',
  },

  events: {
    /**
     * Logs the sign-in and, for every provider except credentials-mfa (which already
     * created its DB session in authorize), creates a DB login session unless the user
     * already has an active one. The IP is recorded as '0.0.0.0' because the request
     * is not available in this event.
     */
    async signIn({ user, account, profile }) {
      const securitySettings = await getCachedSecuritySettings()
      console.log(`User ${user.email} signed in via ${account?.provider} (authMethod: ${user.authMethod}), session timeout: ${securitySettings.sessionTimeoutMinutes} minutes`);
      
      // Create the DB session here unless MFA already created it
      if (account?.provider !== 'credentials-mfa' && user.id) {
        try {
          // Check for an existing active session
          const existingSession = await SessionRepository.getActiveSessionByUserId(user.id)
          if (!existingSession) {
            const sessionExpiredAt = new Date(Date.now() + (securitySettings.sessionTimeoutMinutes * 60 * 1000))
            
            await SessionRepository.createLoginSession({
              userId: user.id,
              ipAddress: '0.0.0.0', // IP is not accessible in the signIn event
              authMethod: user.authMethod || 'unknown',
              sessionExpiredAt,
            })
          }
        } catch (error) {
          console.error('Failed to create session in signIn event:', error)
        }
      }
    },
    
    /**
     * Logs the DB session out. With a known dbSessionId only that session is closed;
     * without one, every active session of the user is logged out.
     */
    async signOut({ session, token }) {
      console.log(`User ${session?.user?.email || token?.email} signed out`);
      
      // Log the session out in the DB
      const userId = session?.user?.id || token?.id
      const dbSessionId = session?.user?.dbSessionId || token?.dbSessionId
      
      if (dbSessionId) {
        await SessionRepository.logoutSession(dbSessionId)
      } else if (userId) {
        // No dbSessionId: log out all of the user's active sessions
        await SessionRepository.logoutAllUserSessions(userId)
      }
    }
  }
}