refactor: move buildable .NET source into src/, update CI/doc paths
TaxBaik CI/CD / build-and-deploy (push) Successful in 2m7s
TaxBaik CI/CD / build-and-deploy (push) Successful in 2m7s
Groups the repo root into src (buildable source), docs (already existed), and everything else (db/, scripts/, tests/, deploy/ - deployment/ops/test assets that aren't compiled, already organized as their own folders). CI now only needs src/ to build: dotnet restore/build/test/publish all point at src/TaxBaik.sln, src/TaxBaik.Web/, src/TaxBaik.Proxy/. - git mv every project (Domain, Infrastructure, Application, Application.Tests, Web, Web.Client, Proxy) and TaxBaik.sln into src/ as a unit, so relative ProjectReference/.sln paths stay valid unchanged. - .gitea/workflows/deploy.yml: 6 dotnet restore/clean/build/test/publish invocations now point at src/. db/migrations and scripts/ stay at root (deploy_gb.sh and browser-e2e.yml only touch published output and the deployed URL, not source paths - verified, no changes needed there). - scripts/validate_admin_render.sh: admin render-mode file paths now src/TaxBaik.Web.Client/... - scripts/validate_kst_timestamps.sh: dropped deploy.sh from its target list - that script was removed in the prior cleanup commit (dead, no CI workflow referenced it) but this validator still expected it to exist. - CLAUDE.md, docs/ENGINEERING_HARNESS.md, docs/ADMIN_PATTERN_CRITIQUE_WBS.md: updated project-structure diagram, dotnet run/build commands, and grep targets to the new src/ paths (also fixed a pre-existing stale path in ADMIN_PATTERN_CRITIQUE_WBS.md that still said TaxBaik.Web/Components/Admin from before that ever moved to TaxBaik.Web.Client). - Added a Repo Root harness rule + Architecture Guardrail entries: new files belong under src/docs/tests/scripts/db/deploy, not loose at root; temp work stays outside the repo (or under a gitignored .scratch/) and is never committed. Verified locally: dotnet build/test src/TaxBaik.sln (26/26 tests), and all three scripts/validate_*.sh pass against the new layout. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This commit is contained in:
@@ -1,231 +0,0 @@
|
||||
using System.IdentityModel.Tokens.Jwt;
|
||||
using System.Security.Claims;
|
||||
using System.Text;
|
||||
using BCrypt.Net;
|
||||
using Microsoft.IdentityModel.Tokens;
|
||||
using TaxBaik.Domain.Entities;
|
||||
using TaxBaik.Domain.Interfaces;
|
||||
|
||||
namespace TaxBaik.Web.Services;
|
||||
|
||||
public class AuthService
|
||||
{
|
||||
private readonly IAdminUserRepository _adminUserRepository;
|
||||
private readonly ILogger<AuthService> _logger;
|
||||
private readonly ITelegramNotificationService _telegramService;
|
||||
private readonly string _jwtSecretKey;
|
||||
private readonly string? _passwordResetToken;
|
||||
private readonly int _accessTokenExpirationMinutes = 60; // Access Token: 1시간 (사용성 향상)
|
||||
private readonly int _refreshTokenExpirationMinutes = 10080; // Refresh Token: 7일
|
||||
|
||||
public AuthService(
|
||||
IAdminUserRepository adminUserRepository,
|
||||
ILogger<AuthService> logger,
|
||||
IConfiguration configuration,
|
||||
ITelegramNotificationService telegramService)
|
||||
{
|
||||
_adminUserRepository = adminUserRepository;
|
||||
_logger = logger;
|
||||
_telegramService = telegramService;
|
||||
_jwtSecretKey = configuration["Jwt:SecretKey"] ?? throw new InvalidOperationException("Missing 'Jwt:SecretKey' configuration.");
|
||||
_passwordResetToken = configuration["Admin:PasswordResetToken"];
|
||||
}
|
||||
|
||||
public async Task<AuthTokenPair?> AuthenticateAndGenerateTokenPairAsync(string username, string password)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password))
|
||||
return null;
|
||||
|
||||
var user = await _adminUserRepository.GetByUsernameAsync(username);
|
||||
if (user == null)
|
||||
{
|
||||
_logger.LogWarning("로그인 시도: 존재하지 않는 사용자 '{Username}'", username);
|
||||
return null;
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(user.PasswordHash))
|
||||
{
|
||||
_logger.LogError("로그인 실패: 사용자 '{Username}'의 PasswordHash가 비어 있습니다.", username);
|
||||
return null;
|
||||
}
|
||||
|
||||
if (!BCrypt.Net.BCrypt.Verify(password, user.PasswordHash))
|
||||
{
|
||||
_logger.LogWarning("로그인 시도: 잘못된 비밀번호 '{Username}'", username);
|
||||
// 실패한 로그인은 알림하지 않음 (로그만 남김)
|
||||
return null;
|
||||
}
|
||||
|
||||
_logger.LogInformation("로그인 성공: {Username}", username);
|
||||
// 로그인 알림은 제거 (로그만 남김)
|
||||
await _adminUserRepository.UpdateLastLoginAtAsync(user.Id);
|
||||
return GenerateTokenPair(user);
|
||||
}
|
||||
|
||||
public async Task<AuthTokenPair?> RefreshAccessTokenAsync(string refreshToken)
|
||||
{
|
||||
try
|
||||
{
|
||||
var principal = ValidateRefreshToken(refreshToken);
|
||||
if (principal == null)
|
||||
{
|
||||
_logger.LogWarning("Refresh token 검증 실패");
|
||||
return null;
|
||||
}
|
||||
|
||||
var username = principal.FindFirstValue(ClaimTypes.Name);
|
||||
if (string.IsNullOrWhiteSpace(username))
|
||||
return null;
|
||||
|
||||
var user = await _adminUserRepository.GetByUsernameAsync(username);
|
||||
if (user == null)
|
||||
return null;
|
||||
|
||||
return GenerateTokenPair(user);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
_logger.LogError(ex, "Refresh token 처리 중 오류");
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
public async Task<bool> ChangePasswordAsync(string username, string currentPassword, string newPassword)
|
||||
{
|
||||
if (!IsValidPassword(newPassword))
|
||||
throw new ArgumentException("새 비밀번호는 12자 이상이어야 합니다.", nameof(newPassword));
|
||||
|
||||
var user = await _adminUserRepository.GetByUsernameAsync(username);
|
||||
if (user == null || string.IsNullOrWhiteSpace(user.PasswordHash))
|
||||
return false;
|
||||
|
||||
if (!BCrypt.Net.BCrypt.Verify(currentPassword, user.PasswordHash))
|
||||
return false;
|
||||
|
||||
await _adminUserRepository.UpdatePasswordHashAsync(user.Id, BCrypt.Net.BCrypt.HashPassword(newPassword));
|
||||
_logger.LogInformation("관리자 비밀번호 변경: {Username}", username);
|
||||
return true;
|
||||
}
|
||||
|
||||
public async Task<bool> ResetPasswordAsync(string username, string newPassword, string resetToken)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(_passwordResetToken))
|
||||
throw new InvalidOperationException("Admin:PasswordResetToken is not configured.");
|
||||
|
||||
if (!TimeConstantEquals(resetToken, _passwordResetToken))
|
||||
return false;
|
||||
|
||||
if (!IsValidPassword(newPassword))
|
||||
throw new ArgumentException("새 비밀번호는 12자 이상이어야 합니다.", nameof(newPassword));
|
||||
|
||||
var user = await _adminUserRepository.GetByUsernameAsync(username);
|
||||
if (user == null)
|
||||
return false;
|
||||
|
||||
await _adminUserRepository.UpdatePasswordHashAsync(user.Id, BCrypt.Net.BCrypt.HashPassword(newPassword));
|
||||
_logger.LogWarning("관리자 비밀번호 재설정 API 사용: {Username}", username);
|
||||
return true;
|
||||
}
|
||||
|
||||
private AuthTokenPair GenerateTokenPair(AdminUser user)
|
||||
{
|
||||
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwtSecretKey));
|
||||
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
|
||||
|
||||
var claims = new[]
|
||||
{
|
||||
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
|
||||
new Claim(ClaimTypes.Name, user.Username),
|
||||
new Claim("username", user.Username)
|
||||
};
|
||||
|
||||
var accessToken = new JwtSecurityToken(
|
||||
issuer: "taxbaik-admin",
|
||||
audience: "taxbaik-admin-client",
|
||||
claims: claims,
|
||||
expires: DateTime.UtcNow.AddMinutes(_accessTokenExpirationMinutes),
|
||||
signingCredentials: creds);
|
||||
|
||||
var refreshToken = new JwtSecurityToken(
|
||||
issuer: "taxbaik-admin",
|
||||
audience: "taxbaik-admin-client",
|
||||
claims: claims,
|
||||
expires: DateTime.UtcNow.AddMinutes(_refreshTokenExpirationMinutes),
|
||||
signingCredentials: creds);
|
||||
|
||||
return new AuthTokenPair(
|
||||
new JwtSecurityTokenHandler().WriteToken(accessToken),
|
||||
new JwtSecurityTokenHandler().WriteToken(refreshToken),
|
||||
_accessTokenExpirationMinutes * 60
|
||||
);
|
||||
}
|
||||
|
||||
public ClaimsPrincipal? ValidateRefreshToken(string token)
|
||||
{
|
||||
try
|
||||
{
|
||||
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwtSecretKey));
|
||||
var handler = new JwtSecurityTokenHandler();
|
||||
var principal = handler.ValidateToken(token, new TokenValidationParameters
|
||||
{
|
||||
ValidateIssuerSigningKey = true,
|
||||
IssuerSigningKey = key,
|
||||
ValidateIssuer = true,
|
||||
ValidIssuer = "taxbaik-admin",
|
||||
ValidateAudience = true,
|
||||
ValidAudience = "taxbaik-admin-client",
|
||||
ValidateLifetime = true,
|
||||
ClockSkew = TimeSpan.Zero
|
||||
}, out SecurityToken validatedToken);
|
||||
|
||||
return principal;
|
||||
}
|
||||
catch
|
||||
{
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
public ClaimsPrincipal? ValidateToken(string token)
|
||||
{
|
||||
try
|
||||
{
|
||||
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwtSecretKey));
|
||||
var handler = new JwtSecurityTokenHandler();
|
||||
var principal = handler.ValidateToken(token, new TokenValidationParameters
|
||||
{
|
||||
ValidateIssuerSigningKey = true,
|
||||
IssuerSigningKey = key,
|
||||
ValidateIssuer = true,
|
||||
ValidIssuer = "taxbaik-admin",
|
||||
ValidateAudience = true,
|
||||
ValidAudience = "taxbaik-admin-client",
|
||||
ValidateLifetime = true,
|
||||
ClockSkew = TimeSpan.Zero
|
||||
}, out SecurityToken validatedToken);
|
||||
|
||||
return principal;
|
||||
}
|
||||
catch
|
||||
{
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
private static bool IsValidPassword(string password) => !string.IsNullOrWhiteSpace(password) && password.Length >= 12;
|
||||
|
||||
private static bool TimeConstantEquals(string value, string expected)
|
||||
{
|
||||
var valueBytes = Encoding.UTF8.GetBytes(value);
|
||||
var expectedBytes = Encoding.UTF8.GetBytes(expected);
|
||||
return valueBytes.Length == expectedBytes.Length
|
||||
&& System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(valueBytes, expectedBytes);
|
||||
}
|
||||
}
|
||||
|
||||
public class AuthTokenPair(string accessToken, string refreshToken, int expiresIn)
|
||||
{
|
||||
public string AccessToken { get; } = accessToken;
|
||||
public string RefreshToken { get; } = refreshToken;
|
||||
public int ExpiresIn { get; } = expiresIn;
|
||||
}
|
||||
Reference in New Issue
Block a user