feat(tksupport): 전사 행정지원 서비스 신규 구축 (Phase 1 - 휴가신청)

sso_users 기반 전사 휴가신청/승인/잔여일 관리 서비스. 기존 tkfb의 workers 종속 휴가 기능을 전사 확장. - API: Express + MariaDB, SSO JWT 인증, 자동 마이그레이션 - Web: 대시보드, 휴가 신청/현황/승인 페이지 (보라색 테마) - DB: sp_vacation_requests, sp_vacation_balances 신규 테이블 - Docker: API(30600), Web(30680) 포트 구성 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 15:39:59 +09:00
parent fa61bdbb30
commit 3011495e6d
18 changed files with 2100 additions and 0 deletions
--- a/tksupport/api/Dockerfile
+++ b/tksupport/api/Dockerfile
@@ -0,0 +1,11 @@
+FROM node:18-alpine
+WORKDIR /usr/src/app
+COPY package*.json ./
+RUN npm install --omit=dev
+COPY . .
+RUN chown -R node:node /usr/src/app
+USER node
+EXPOSE 3000
+HEALTHCHECK --interval=30s --timeout=3s --start-period=20s --retries=3 \
+  CMD node -e "require('http').get('http://localhost:3000/health', (res) => { process.exit(res.statusCode === 200 ? 0 : 1); })"
+CMD ["node", "index.js"]
--- a/tksupport/api/controllers/vacationController.js
+++ b/tksupport/api/controllers/vacationController.js
@@ -0,0 +1,319 @@
+const vacationRequestModel = require('../models/vacationRequestModel');
+const vacationBalanceModel = require('../models/vacationBalanceModel');
+const { getPool } = require('../middleware/auth');
+
+const vacationController = {
+  // ─── 휴가 신청 ───
+
+  async createRequest(req, res) {
+    try {
+      const { vacation_type_id, start_date, end_date, days_used, reason } = req.body;
+      const user_id = req.user.user_id || req.user.id;
+
+      if (!vacation_type_id || !start_date || !end_date || !days_used) {
+        return res.status(400).json({ success: false, error: '필수 필드가 누락되었습니다' });
+      }
+      if (new Date(end_date) < new Date(start_date)) {
+        return res.status(400).json({ success: false, error: '종료일은 시작일보다 이후여야 합니다' });
+      }
+
+      const overlapRows = await vacationRequestModel.checkOverlap(user_id, start_date, end_date);
+      if (overlapRows[0].count > 0) {
+        return res.status(400).json({ success: false, error: '해당 기간에 이미 신청된 휴가가 있습니다' });
+      }
+
+      const result = await vacationRequestModel.create({
+        user_id, vacation_type_id, start_date, end_date,
+        days_used, reason: reason || null, status: 'pending'
+      });
+
+      res.status(201).json({
+        success: true,
+        message: '휴가 신청이 완료되었습니다',
+        data: { request_id: result.insertId }
+      });
+    } catch (error) {
+      console.error('휴가 신청 생성 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  async getRequests(req, res) {
+    try {
+      const role = (req.user.role || '').toLowerCase();
+      const userId = req.user.user_id || req.user.id;
+      const filters = {
+        status: req.query.status,
+        start_date: req.query.start_date,
+        end_date: req.query.end_date,
+        vacation_type_id: req.query.vacation_type_id
+      };
+
+      if (!['admin', 'system'].includes(role)) {
+        filters.user_id = userId;
+      } else if (req.query.user_id) {
+        filters.user_id = req.query.user_id;
+      }
+
+      const results = await vacationRequestModel.getAll(filters);
+      res.json({ success: true, data: results });
+    } catch (error) {
+      console.error('휴가 신청 목록 조회 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  async getRequestById(req, res) {
+    try {
+      const results = await vacationRequestModel.getById(req.params.id);
+      if (results.length === 0) {
+        return res.status(404).json({ success: false, error: '해당 휴가 신청을 찾을 수 없습니다' });
+      }
+      const request = results[0];
+      const role = (req.user.role || '').toLowerCase();
+      const userId = req.user.user_id || req.user.id;
+      if (!['admin', 'system'].includes(role) && userId !== request.user_id) {
+        return res.status(403).json({ success: false, error: '권한이 없습니다' });
+      }
+      res.json({ success: true, data: request });
+    } catch (error) {
+      console.error('휴가 신청 조회 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  async updateRequest(req, res) {
+    try {
+      const { id } = req.params;
+      const { start_date, end_date, days_used, reason, vacation_type_id } = req.body;
+
+      const results = await vacationRequestModel.getById(id);
+      if (results.length === 0) {
+        return res.status(404).json({ success: false, error: '해당 휴가 신청을 찾을 수 없습니다' });
+      }
+
+      const existing = results[0];
+      const role = (req.user.role || '').toLowerCase();
+      const userId = req.user.user_id || req.user.id;
+      if (!['admin', 'system'].includes(role) && userId !== existing.user_id) {
+        return res.status(403).json({ success: false, error: '권한이 없습니다' });
+      }
+      if (existing.status !== 'pending') {
+        return res.status(400).json({ success: false, error: '대기 중인 신청만 수정할 수 있습니다' });
+      }
+
+      const updateData = {};
+      if (vacation_type_id) updateData.vacation_type_id = vacation_type_id;
+      if (start_date) updateData.start_date = start_date;
+      if (end_date) updateData.end_date = end_date;
+      if (days_used) updateData.days_used = days_used;
+      if (reason !== undefined) updateData.reason = reason;
+
+      if (start_date || end_date) {
+        const newStart = start_date || existing.start_date;
+        const newEnd = end_date || existing.end_date;
+        const overlapRows = await vacationRequestModel.checkOverlap(existing.user_id, newStart, newEnd, id);
+        if (overlapRows[0].count > 0) {
+          return res.status(400).json({ success: false, error: '해당 기간에 이미 신청된 휴가가 있습니다' });
+        }
+      }
+
+      await vacationRequestModel.update(id, updateData);
+      res.json({ success: true, message: '휴가 신청이 수정되었습니다' });
+    } catch (error) {
+      console.error('휴가 신청 수정 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  async cancelRequest(req, res) {
+    try {
+      const { id } = req.params;
+      const results = await vacationRequestModel.getById(id);
+      if (results.length === 0) {
+        return res.status(404).json({ success: false, error: '해당 휴가 신청을 찾을 수 없습니다' });
+      }
+
+      const existing = results[0];
+      const role = (req.user.role || '').toLowerCase();
+      const userId = req.user.user_id || req.user.id;
+      if (!['admin', 'system'].includes(role) && userId !== existing.user_id) {
+        return res.status(403).json({ success: false, error: '권한이 없습니다' });
+      }
+      if (existing.status === 'cancelled') {
+        return res.status(400).json({ success: false, error: '이미 취소된 신청입니다' });
+      }
+
+      // 승인된 건 취소 시 잔여일 복구
+      if (existing.status === 'approved') {
+        const year = new Date(existing.start_date).getFullYear();
+        await vacationBalanceModel.restoreDays(
+          existing.user_id, existing.vacation_type_id, year, parseFloat(existing.days_used)
+        );
+      }
+
+      await vacationRequestModel.updateStatus(id, {
+        status: 'cancelled',
+        reviewed_by: userId,
+        review_note: '취소됨'
+      });
+      res.json({ success: true, message: '휴가 신청이 취소되었습니다' });
+    } catch (error) {
+      console.error('휴가 취소 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  // ─── 승인/반려 (관리자) ───
+
+  async getPending(req, res) {
+    try {
+      const results = await vacationRequestModel.getAllPending();
+      res.json({ success: true, data: results });
+    } catch (error) {
+      console.error('대기 목록 조회 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  async approveRequest(req, res) {
+    try {
+      const { id } = req.params;
+      const { review_note } = req.body;
+      const reviewed_by = req.user.user_id || req.user.id;
+
+      const results = await vacationRequestModel.getById(id);
+      if (results.length === 0) {
+        return res.status(404).json({ success: false, error: '해당 휴가 신청을 찾을 수 없습니다' });
+      }
+      if (results[0].status !== 'pending') {
+        return res.status(400).json({ success: false, error: '이미 처리된 신청입니다' });
+      }
+
+      const request = results[0];
+
+      // 잔여일 차감
+      const year = new Date(request.start_date).getFullYear();
+      await vacationBalanceModel.deductDays(
+        request.user_id, request.vacation_type_id, year, parseFloat(request.days_used)
+      );
+
+      await vacationRequestModel.updateStatus(id, { status: 'approved', reviewed_by, review_note });
+      res.json({ success: true, message: '휴가 신청이 승인되었습니다' });
+    } catch (error) {
+      console.error('휴가 승인 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  async rejectRequest(req, res) {
+    try {
+      const { id } = req.params;
+      const { review_note } = req.body;
+      const reviewed_by = req.user.user_id || req.user.id;
+
+      const results = await vacationRequestModel.getById(id);
+      if (results.length === 0) {
+        return res.status(404).json({ success: false, error: '해당 휴가 신청을 찾을 수 없습니다' });
+      }
+      if (results[0].status !== 'pending') {
+        return res.status(400).json({ success: false, error: '이미 처리된 신청입니다' });
+      }
+
+      await vacationRequestModel.updateStatus(id, { status: 'rejected', reviewed_by, review_note });
+      res.json({ success: true, message: '휴가 신청이 반려되었습니다' });
+    } catch (error) {
+      console.error('휴가 반려 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  // ─── 잔여일 ───
+
+  async getMyBalance(req, res) {
+    try {
+      const userId = req.user.user_id || req.user.id;
+      const year = parseInt(req.query.year) || new Date().getFullYear();
+      const balances = await vacationBalanceModel.getByUserAndYear(userId, year);
+      const hireDate = await vacationBalanceModel.getUserHireDate(userId);
+      res.json({ success: true, data: { balances, hire_date: hireDate } });
+    } catch (error) {
+      console.error('잔여일 조회 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  async getUserBalance(req, res) {
+    try {
+      const { userId } = req.params;
+      const year = parseInt(req.query.year) || new Date().getFullYear();
+      const balances = await vacationBalanceModel.getByUserAndYear(userId, year);
+      const hireDate = await vacationBalanceModel.getUserHireDate(userId);
+      res.json({ success: true, data: { balances, hire_date: hireDate } });
+    } catch (error) {
+      console.error('사용자 잔여일 조회 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  async allocateBalance(req, res) {
+    try {
+      const { user_id, vacation_type_id, year, total_days, notes } = req.body;
+      const created_by = req.user.user_id || req.user.id;
+
+      if (!user_id || !vacation_type_id || !year || total_days === undefined) {
+        return res.status(400).json({ success: false, error: '필수 필드가 누락되었습니다' });
+      }
+
+      await vacationBalanceModel.allocate({ user_id, vacation_type_id, year, total_days, notes, created_by });
+      res.json({ success: true, message: '휴가 잔여일이 배정되었습니다' });
+    } catch (error) {
+      console.error('잔여일 배정 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  async getAllBalances(req, res) {
+    try {
+      const year = parseInt(req.query.year) || new Date().getFullYear();
+      const balances = await vacationBalanceModel.getAllByYear(year);
+      res.json({ success: true, data: balances });
+    } catch (error) {
+      console.error('전체 잔여일 조회 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  // ─── 참조 데이터 ───
+
+  async getVacationTypes(req, res) {
+    try {
+      const db = getPool();
+      const [rows] = await db.query('SELECT * FROM vacation_types ORDER BY priority ASC, type_name ASC');
+      res.json({ success: true, data: rows });
+    } catch (error) {
+      console.error('휴가 유형 조회 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  },
+
+  // ─── 사용자 목록 (관리자 - 배정용) ───
+
+  async getUsers(req, res) {
+    try {
+      const db = getPool();
+      const [rows] = await db.query(`
+        SELECT user_id, username, name, hire_date
+        FROM sso_users
+        WHERE is_active = 1
+        ORDER BY name ASC
+      `);
+      res.json({ success: true, data: rows });
+    } catch (error) {
+      console.error('사용자 목록 조회 오류:', error);
+      res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    }
+  }
+};
+
+module.exports = vacationController;
--- a/tksupport/api/db/migrations/001_create_sp_tables.sql
+++ b/tksupport/api/db/migrations/001_create_sp_tables.sql
@@ -0,0 +1,42 @@
+-- sso_users에 입사일 추가
+ALTER TABLE sso_users ADD COLUMN IF NOT EXISTS hire_date DATE NULL COMMENT '입사일';
+
+-- 전사 휴가 신청
+CREATE TABLE IF NOT EXISTS sp_vacation_requests (
+  request_id INT AUTO_INCREMENT PRIMARY KEY,
+  user_id INT NOT NULL COMMENT 'sso_users.user_id',
+  vacation_type_id INT UNSIGNED NOT NULL,
+  start_date DATE NOT NULL,
+  end_date DATE NOT NULL,
+  days_used DECIMAL(4,1) NOT NULL,
+  reason TEXT,
+  status ENUM('pending','approved','rejected','cancelled') DEFAULT 'pending',
+  reviewed_by INT NULL,
+  reviewed_at TIMESTAMP NULL,
+  review_note TEXT,
+  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+  updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+  FOREIGN KEY (user_id) REFERENCES sso_users(user_id),
+  FOREIGN KEY (reviewed_by) REFERENCES sso_users(user_id),
+  FOREIGN KEY (vacation_type_id) REFERENCES vacation_types(id),
+  INDEX idx_user_status (user_id, status),
+  INDEX idx_dates (start_date, end_date)
+);
+
+-- 전사 휴가 잔여일
+CREATE TABLE IF NOT EXISTS sp_vacation_balances (
+  id INT AUTO_INCREMENT PRIMARY KEY,
+  user_id INT NOT NULL COMMENT 'sso_users.user_id',
+  vacation_type_id INT UNSIGNED NOT NULL,
+  year INT NOT NULL,
+  total_days DECIMAL(4,1) DEFAULT 0,
+  used_days DECIMAL(4,1) DEFAULT 0,
+  notes TEXT,
+  created_by INT NOT NULL,
+  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+  updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+  UNIQUE KEY unique_user_type_year (user_id, vacation_type_id, year),
+  FOREIGN KEY (user_id) REFERENCES sso_users(user_id),
+  FOREIGN KEY (created_by) REFERENCES sso_users(user_id),
+  FOREIGN KEY (vacation_type_id) REFERENCES vacation_types(id)
+);
--- a/tksupport/api/index.js
+++ b/tksupport/api/index.js
@@ -0,0 +1,62 @@
+const express = require('express');
+const cors = require('cors');
+const vacationRoutes = require('./routes/vacationRoutes');
+const vacationRequestModel = require('./models/vacationRequestModel');
+const { requireAuth } = require('./middleware/auth');
+
+const app = express();
+const PORT = process.env.PORT || 3000;
+
+const allowedOrigins = [
+  'https://tkfb.technicalkorea.net',
+  'https://tkreport.technicalkorea.net',
+  'https://tkqc.technicalkorea.net',
+  'https://tkuser.technicalkorea.net',
+  'https://tkpurchase.technicalkorea.net',
+  'https://tksafety.technicalkorea.net',
+  'https://tksupport.technicalkorea.net',
+];
+if (process.env.NODE_ENV === 'development') {
+  allowedOrigins.push('http://localhost:30680');
+}
+app.use(cors({
+  origin: function(origin, cb) {
+    if (!origin || allowedOrigins.includes(origin) || /^http:\/\/192\.168\.\d+\.\d+(:\d+)?$/.test(origin)) return cb(null, true);
+    cb(new Error('CORS blocked: ' + origin));
+  },
+  credentials: true
+}));
+app.use(express.json());
+
+// Health check
+app.get('/health', (req, res) => {
+  res.json({ status: 'ok', service: 'tksupport-api', timestamp: new Date().toISOString() });
+});
+
+// Routes
+app.use('/api/vacation', vacationRoutes);
+
+// 404
+app.use((req, res) => {
+  res.status(404).json({ success: false, error: 'Not Found' });
+});
+
+// Error handler
+app.use((err, req, res, next) => {
+  console.error('tksupport-api Error:', err.message);
+  res.status(err.status || 500).json({
+    success: false,
+    error: err.message || 'Internal Server Error'
+  });
+});
+
+app.listen(PORT, async () => {
+  console.log(`tksupport-api running on port ${PORT}`);
+  try {
+    await vacationRequestModel.runMigration();
+  } catch (err) {
+    console.error('Migration error:', err.message);
+  }
+});
+
+module.exports = app;
--- a/tksupport/api/middleware/auth.js
+++ b/tksupport/api/middleware/auth.js
@@ -0,0 +1,98 @@
+const jwt = require('jsonwebtoken');
+const mysql = require('mysql2/promise');
+
+const JWT_SECRET = process.env.SSO_JWT_SECRET;
+
+let pool;
+function getPool() {
+  if (!pool) {
+    pool = mysql.createPool({
+      host: process.env.DB_HOST || 'mariadb',
+      port: parseInt(process.env.DB_PORT) || 3306,
+      user: process.env.DB_USER || 'hyungi_user',
+      password: process.env.DB_PASSWORD,
+      database: process.env.DB_NAME || 'hyungi',
+      waitForConnections: true,
+      connectionLimit: 5,
+      queueLimit: 0
+    });
+  }
+  return pool;
+}
+
+function extractToken(req) {
+  const authHeader = req.headers['authorization'];
+  if (authHeader && authHeader.startsWith('Bearer ')) {
+    return authHeader.split(' ')[1];
+  }
+  if (req.cookies && req.cookies.sso_token) {
+    return req.cookies.sso_token;
+  }
+  return null;
+}
+
+function requireAuth(req, res, next) {
+  const token = extractToken(req);
+  if (!token) {
+    return res.status(401).json({ success: false, error: '인증이 필요합니다' });
+  }
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET);
+    req.user = decoded;
+    next();
+  } catch {
+    return res.status(401).json({ success: false, error: '유효하지 않은 토큰입니다' });
+  }
+}
+
+function requireAdmin(req, res, next) {
+  const token = extractToken(req);
+  if (!token) {
+    return res.status(401).json({ success: false, error: '인증이 필요합니다' });
+  }
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET);
+    if (!['admin', 'system'].includes((decoded.role || '').toLowerCase())) {
+      return res.status(403).json({ success: false, error: '관리자 권한이 필요합니다' });
+    }
+    req.user = decoded;
+    next();
+  } catch {
+    return res.status(401).json({ success: false, error: '유효하지 않은 토큰입니다' });
+  }
+}
+
+function requirePage(pageName) {
+  return async (req, res, next) => {
+    const userId = req.user.user_id || req.user.id;
+    const role = (req.user.role || '').toLowerCase();
+    if (role === 'admin' || role === 'system') return next();
+
+    try {
+      const db = getPool();
+      const [rows] = await db.query(
+        'SELECT can_access FROM user_page_permissions WHERE user_id = ? AND page_name = ?',
+        [userId, pageName]
+      );
+      if (rows.length > 0) {
+        return rows[0].can_access ? next() : res.status(403).json({ success: false, error: '접근 권한이 없습니다' });
+      }
+      const [userRows] = await db.query('SELECT department_id FROM sso_users WHERE user_id = ?', [userId]);
+      if (userRows.length > 0 && userRows[0].department_id) {
+        const [deptRows] = await db.query(
+          'SELECT can_access FROM department_page_permissions WHERE department_id = ? AND page_name = ?',
+          [userRows[0].department_id, pageName]
+        );
+        if (deptRows.length > 0) {
+          return deptRows[0].can_access ? next() : res.status(403).json({ success: false, error: '접근 권한이 없습니다' });
+        }
+      }
+      return res.status(403).json({ success: false, error: '접근 권한이 없습니다' });
+    } catch (err) {
+      console.error('Permission check error:', err);
+      return res.status(500).json({ success: false, error: '권한 확인 실패' });
+    }
+  };
+}
+
+module.exports = { getPool, extractToken, requireAuth, requireAdmin, requirePage };
--- a/tksupport/api/models/vacationBalanceModel.js
+++ b/tksupport/api/models/vacationBalanceModel.js
@@ -0,0 +1,96 @@
+const { getPool } = require('../middleware/auth');
+
+const vacationBalanceModel = {
+  async getByUserAndYear(userId, year) {
+    const db = getPool();
+    const [rows] = await db.query(`
+      SELECT
+        vb.*,
+        vt.type_name,
+        vt.type_code,
+        vt.priority,
+        vt.is_special,
+        (vb.total_days - vb.used_days) as remaining_days
+      FROM sp_vacation_balances vb
+      INNER JOIN vacation_types vt ON vb.vacation_type_id = vt.id
+      WHERE vb.user_id = ? AND vb.year = ?
+      ORDER BY vt.priority ASC, vt.type_name ASC
+    `, [userId, year]);
+    return rows;
+  },
+
+  async getAllByYear(year) {
+    const db = getPool();
+    const [rows] = await db.query(`
+      SELECT
+        vb.*,
+        su.name as user_name,
+        su.username,
+        su.hire_date,
+        vt.type_name,
+        vt.type_code,
+        vt.priority,
+        (vb.total_days - vb.used_days) as remaining_days
+      FROM sp_vacation_balances vb
+      INNER JOIN sso_users su ON vb.user_id = su.user_id
+      INNER JOIN vacation_types vt ON vb.vacation_type_id = vt.id
+      WHERE vb.year = ? AND su.is_active = 1
+      ORDER BY su.name ASC, vt.priority ASC
+    `, [year]);
+    return rows;
+  },
+
+  async allocate(data) {
+    const db = getPool();
+    const [result] = await db.query(`
+      INSERT INTO sp_vacation_balances (user_id, vacation_type_id, year, total_days, used_days, notes, created_by)
+      VALUES (?, ?, ?, ?, 0, ?, ?)
+      ON DUPLICATE KEY UPDATE
+        total_days = VALUES(total_days),
+        notes = VALUES(notes),
+        updated_at = NOW()
+    `, [data.user_id, data.vacation_type_id, data.year, data.total_days, data.notes || null, data.created_by]);
+    return result;
+  },
+
+  async deductDays(userId, vacationTypeId, year, daysToDeduct) {
+    const db = getPool();
+    const [result] = await db.query(`
+      UPDATE sp_vacation_balances
+      SET used_days = used_days + ?, updated_at = NOW()
+      WHERE user_id = ? AND vacation_type_id = ? AND year = ?
+    `, [daysToDeduct, userId, vacationTypeId, year]);
+    return result;
+  },
+
+  async restoreDays(userId, vacationTypeId, year, daysToRestore) {
+    const db = getPool();
+    const [result] = await db.query(`
+      UPDATE sp_vacation_balances
+      SET used_days = GREATEST(0, used_days - ?), updated_at = NOW()
+      WHERE user_id = ? AND vacation_type_id = ? AND year = ?
+    `, [daysToRestore, userId, vacationTypeId, year]);
+    return result;
+  },
+
+  calculateAnnualLeaveDays(hireDate, targetYear) {
+    const hire = new Date(hireDate);
+    const targetDate = new Date(targetYear, 0, 1);
+    const monthsDiff = (targetDate.getFullYear() - hire.getFullYear()) * 12
+                     + (targetDate.getMonth() - hire.getMonth());
+    if (monthsDiff < 12) {
+      return Math.floor(monthsDiff);
+    }
+    const yearsWorked = Math.floor(monthsDiff / 12);
+    const additionalDays = Math.floor((yearsWorked - 1) / 2);
+    return Math.min(15 + additionalDays, 25);
+  },
+
+  async getUserHireDate(userId) {
+    const db = getPool();
+    const [rows] = await db.query('SELECT hire_date FROM sso_users WHERE user_id = ?', [userId]);
+    return rows.length > 0 ? rows[0].hire_date : null;
+  }
+};
+
+module.exports = vacationBalanceModel;
--- a/tksupport/api/models/vacationRequestModel.js
+++ b/tksupport/api/models/vacationRequestModel.js
@@ -0,0 +1,149 @@
+const { getPool } = require('../middleware/auth');
+
+const vacationRequestModel = {
+  async create(data) {
+    const db = getPool();
+    const [result] = await db.query('INSERT INTO sp_vacation_requests SET ?', data);
+    return result;
+  },
+
+  async getAll(filters = {}) {
+    const db = getPool();
+    let query = `
+      SELECT
+        vr.*,
+        su.name as user_name,
+        su.username,
+        vt.type_name as vacation_type_name,
+        vt.type_code,
+        reviewer.name as reviewer_name
+      FROM sp_vacation_requests vr
+      INNER JOIN sso_users su ON vr.user_id = su.user_id
+      INNER JOIN vacation_types vt ON vr.vacation_type_id = vt.id
+      LEFT JOIN sso_users reviewer ON vr.reviewed_by = reviewer.user_id
+      WHERE 1=1
+    `;
+    const params = [];
+
+    if (filters.user_id) {
+      query += ' AND vr.user_id = ?';
+      params.push(filters.user_id);
+    }
+    if (filters.status) {
+      query += ' AND vr.status = ?';
+      params.push(filters.status);
+    }
+    if (filters.start_date) {
+      query += ' AND vr.start_date >= ?';
+      params.push(filters.start_date);
+    }
+    if (filters.end_date) {
+      query += ' AND vr.end_date <= ?';
+      params.push(filters.end_date);
+    }
+    if (filters.vacation_type_id) {
+      query += ' AND vr.vacation_type_id = ?';
+      params.push(filters.vacation_type_id);
+    }
+
+    query += ' ORDER BY vr.created_at DESC';
+
+    const [rows] = await db.query(query, params);
+    return rows;
+  },
+
+  async getById(requestId) {
+    const db = getPool();
+    const [rows] = await db.query(`
+      SELECT
+        vr.*,
+        su.name as user_name,
+        su.username,
+        vt.type_name as vacation_type_name,
+        vt.type_code,
+        reviewer.name as reviewer_name
+      FROM sp_vacation_requests vr
+      INNER JOIN sso_users su ON vr.user_id = su.user_id
+      INNER JOIN vacation_types vt ON vr.vacation_type_id = vt.id
+      LEFT JOIN sso_users reviewer ON vr.reviewed_by = reviewer.user_id
+      WHERE vr.request_id = ?
+    `, [requestId]);
+    return rows;
+  },
+
+  async update(requestId, data) {
+    const db = getPool();
+    const [result] = await db.query('UPDATE sp_vacation_requests SET ? WHERE request_id = ?', [data, requestId]);
+    return result;
+  },
+
+  async updateStatus(requestId, statusData) {
+    const db = getPool();
+    const [result] = await db.query(`
+      UPDATE sp_vacation_requests
+      SET status = ?, reviewed_by = ?, reviewed_at = NOW(), review_note = ?
+      WHERE request_id = ?
+    `, [statusData.status, statusData.reviewed_by, statusData.review_note || null, requestId]);
+    return result;
+  },
+
+  async checkOverlap(userId, startDate, endDate, excludeRequestId = null) {
+    const db = getPool();
+    let query = `
+      SELECT COUNT(*) as count FROM sp_vacation_requests
+      WHERE user_id = ?
+        AND status IN ('pending', 'approved')
+        AND start_date <= ? AND end_date >= ?
+    `;
+    const params = [userId, endDate, startDate];
+
+    if (excludeRequestId) {
+      query += ' AND request_id != ?';
+      params.push(excludeRequestId);
+    }
+
+    const [rows] = await db.query(query, params);
+    return rows;
+  },
+
+  async getAllPending() {
+    const db = getPool();
+    const [rows] = await db.query(`
+      SELECT
+        vr.*,
+        su.name as user_name,
+        su.username,
+        vt.type_name as vacation_type_name,
+        vt.type_code
+      FROM sp_vacation_requests vr
+      INNER JOIN sso_users su ON vr.user_id = su.user_id
+      INNER JOIN vacation_types vt ON vr.vacation_type_id = vt.id
+      WHERE vr.status = 'pending'
+      ORDER BY vr.created_at ASC
+    `);
+    return rows;
+  },
+
+  async runMigration() {
+    const db = getPool();
+    const fs = require('fs');
+    const path = require('path');
+    const sqlFile = path.join(__dirname, '..', 'db', 'migrations', '001_create_sp_tables.sql');
+    const sql = fs.readFileSync(sqlFile, 'utf8');
+    const statements = sql.split(';').map(s => s.trim()).filter(s => s.length > 0);
+    for (const stmt of statements) {
+      try {
+        await db.query(stmt);
+      } catch (err) {
+        if (err.code === 'ER_DUP_FIELDNAME' || err.code === 'ER_TABLE_EXISTS_ERROR') {
+          // Already migrated
+        } else {
+          throw err;
+        }
+      }
+    }
+    console.log('[tksupport] Migration completed');
+  }
+};
+
+module.exports = vacationRequestModel;
--- a/tksupport/api/package.json
+++ b/tksupport/api/package.json
@@ -0,0 +1,16 @@
+{
+  "name": "tksupport-api",
+  "version": "1.0.0",
+  "description": "TK Factory Services - 전사 행정지원 서비스",
+  "main": "index.js",
+  "scripts": {
+    "start": "node index.js",
+    "dev": "node --watch index.js"
+  },
+  "dependencies": {
+    "cors": "^2.8.5",
+    "express": "^4.18.2",
+    "jsonwebtoken": "^9.0.0",
+    "mysql2": "^3.14.1"
+  }
+}
--- a/tksupport/api/routes/vacationRoutes.js
+++ b/tksupport/api/routes/vacationRoutes.js
@@ -0,0 +1,32 @@
+const express = require('express');
+const router = express.Router();
+const { requireAuth, requireAdmin } = require('../middleware/auth');
+const ctrl = require('../controllers/vacationController');
+
+router.use(requireAuth);
+
+// 참조 데이터
+router.get('/types', ctrl.getVacationTypes);
+
+// 휴가 신청
+router.post('/requests', ctrl.createRequest);
+router.get('/requests', ctrl.getRequests);
+router.get('/requests/:id', ctrl.getRequestById);
+router.put('/requests/:id', ctrl.updateRequest);
+router.patch('/requests/:id/cancel', ctrl.cancelRequest);
+
+// 승인 (관리자)
+router.get('/pending', requireAdmin, ctrl.getPending);
+router.patch('/requests/:id/approve', requireAdmin, ctrl.approveRequest);
+router.patch('/requests/:id/reject', requireAdmin, ctrl.rejectRequest);
+
+// 잔여일
+router.get('/balance', ctrl.getMyBalance);
+router.get('/balance/all', requireAdmin, ctrl.getAllBalances);
+router.get('/balance/:userId', requireAdmin, ctrl.getUserBalance);
+router.post('/balance/allocate', requireAdmin, ctrl.allocateBalance);
+
+// 사용자 목록 (관리자)
+router.get('/users', requireAdmin, ctrl.getUsers);
+
+module.exports = router;