feat: SSO 쿠키 인증 통합 + 서브도메인 라우팅 아키텍처

- Path-based 라우팅을 서브도메인 기반으로 전환 (tkfb/tkreport/tkqc.technicalkorea.net) - 3개 시스템 프론트엔드에 SSO 쿠키 인증 통합 (domain=.technicalkorea.net, localStorage 폴백) - Gateway: 포털+로그인+System1 프록시, 쿠키 SSO 설정 - System 1: 토큰키 통일, nginx.conf 생성, 신고페이지 리다이렉트 - System 2: api-base.js/app-init.js 생성, getSSOToken() 통합 - System 3: TokenManager 쿠키 지원, 중앙 로그인 리다이렉트 - docker-compose.yml에 cloudflared 서비스 추가 - DEPLOY-GUIDE.md 배포 가이드 작성 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 18:41:44 +09:00
parent 550633b89d
commit 6495b8af32
114 changed files with 1729 additions and 4335 deletions
--- a/system3-nonconformance/api/routers/auth.py
+++ b/system3-nonconformance/api/routers/auth.py
@@ -21,13 +21,33 @@ async def get_current_user(token: str = Depends(oauth2_scheme), db: Session = De
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
-    token_data = verify_token(token, credentials_exception)
-    user = db.query(User).filter(User.username == token_data.username).first()
-    if user is None:
-        raise credentials_exception
-    if not user.is_active:
-        raise HTTPException(status_code=400, detail="Inactive user")
-    return user
+    payload = verify_token(token, credentials_exception)
+    username = payload.get("sub")
+
+    # 로컬 DB에서 사용자 조회
+    user = db.query(User).filter(User.username == username).first()
+    if user is not None:
+        if not user.is_active:
+            raise HTTPException(status_code=400, detail="Inactive user")
+        return user
+
+    # DB에 없는 SSO 사용자: JWT payload로 임시 User 객체 생성
+    sso_role = payload.get("role", "user")
+    role_map = {
+        "Admin": UserRole.admin,
+        "System Admin": UserRole.admin,
+    }
+    mapped_role = role_map.get(sso_role, UserRole.user)
+
+    sso_user = User(
+        id=0,
+        username=username,
+        hashed_password="",
+        full_name=payload.get("name", username),
+        role=mapped_role,
+        is_active=True,
+    )
+    return sso_user

 async def get_current_admin(current_user: User = Depends(get_current_user)):
    if current_user.role != UserRole.admin:
--- a/system3-nonconformance/api/services/auth_service.py
+++ b/system3-nonconformance/api/services/auth_service.py
@@ -7,7 +7,7 @@ import os
 import bcrypt as bcrypt_lib

 from database.models import User, UserRole
-from database.schemas import TokenData
+from database.schemas import TokenData  # kept for compatibility

 # 환경 변수 - SSO 공유 시크릿 사용 (docker-compose에서 SECRET_KEY=SSO_JWT_SECRET)
 SECRET_KEY = os.getenv("SECRET_KEY", "your-secret-key-here")
@@ -56,16 +56,13 @@ def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
    return encoded_jwt

 def verify_token(token: str, credentials_exception):
-    """JWT 토큰 검증 - SSO 토큰 페이로드 구조 지원"""
+    """JWT 토큰 검증 - SSO 토큰 전체 페이로드 반환"""
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
-        # SSO 토큰: "sub" 필드에 username
-        # 기존 M-Project 토큰: "sub" 필드에 username
        username: str = payload.get("sub")
        if username is None:
            raise credentials_exception
-        token_data = TokenData(username=username)
-        return token_data
+        return payload
    except JWTError:
        raise credentials_exception